├── .gitignore ├── .sops.yaml ├── LICENSE.txt ├── README.md ├── core ├── ananicy-rules.nix ├── constants.nix ├── default.nix ├── installer.nix ├── network.nix ├── nix-channels.nix ├── nix.nix ├── nixos.nix ├── openssh.nix ├── secrets │ ├── default.nix │ └── secrets.yml └── workarounds.nix ├── default.nix ├── flake.lock ├── flake.nix ├── hosts ├── asiyah │ ├── backups.nix │ ├── clamav.nix │ ├── cloudflare.nix │ ├── cwa-convert_library-fixed.py │ ├── default.nix │ ├── duckdns.nix │ ├── esphome │ │ ├── bk7231n-ir-blaster.yaml │ │ ├── default.nix │ │ ├── espbell-lite.yaml │ │ ├── kaysun-ac-living-room.yaml │ │ ├── kaysun-ac-vera-bedroom.yaml │ │ ├── smart-air-freshener.yaml │ │ └── sonoff-rf-bridge-r2.yaml │ ├── fail2ban │ │ ├── actions │ │ │ ├── cloudflare-secure.nix │ │ │ └── default.nix │ │ ├── default.nix │ │ └── filters │ │ │ ├── default.nix │ │ │ ├── hass.nix │ │ │ ├── jellyfin.nix │ │ │ └── nginx-noagent.nix │ ├── filesystem.nix │ ├── forgejo.nix │ ├── gradient-generator.nix │ ├── grafana.nix │ ├── hardware-configuration.nix │ ├── home-assistant.nix │ ├── kanidm.nix │ ├── libvirtd │ │ ├── ange.nix │ │ ├── ange.xml │ │ └── default.nix │ ├── media-stack.nix │ ├── misc │ │ └── service-ports.nix │ ├── mqtt.nix │ ├── nextcloud.nix │ ├── nfs.nix │ ├── nginx │ │ ├── constellation-moe-internal.nix │ │ ├── constellation-moe-oauth2-proxy.nix │ │ ├── constellation-moe.nix │ │ ├── crp3092.nix │ │ ├── dashboard.html │ │ ├── default.nix │ │ ├── gradient-moe.nix │ │ └── gradientnet.nix │ ├── numad.nix │ ├── palworld-server.nix │ ├── paperless.nix │ ├── postgres.nix │ ├── project-zomboid-server.nix │ ├── radio.nix │ ├── redbot-stardream.nix │ ├── redis.nix │ ├── scrutiny.nix │ ├── searx.nix │ ├── secrets │ │ ├── Axios.js │ │ ├── default.nix │ │ ├── kanidm-provisioning.encjson │ │ ├── secrets.yml │ │ ├── syncthing-cert.pem │ │ └── syncthing-key.pem │ ├── trilium-memory-repository.nix │ ├── trmnl.nix │ ├── vaultwarden.nix │ ├── victoriametrics.nix │ └── zigbee.nix ├── atziluth │ 
├── inventory-entry.nix │ └── playbook.nix ├── beatrice │ ├── backups.nix │ ├── default.nix │ ├── filesystems.nix │ ├── hardware-configuration.nix │ ├── misc │ │ └── service-ports.nix │ ├── programs.nix │ └── secrets │ │ ├── default.nix │ │ ├── secrets.yml │ │ ├── syncthing-cert.pem │ │ └── syncthing-key.pem ├── bernkastel │ ├── backups.nix │ ├── default.nix │ ├── filesystems.nix │ ├── hardware-configuration.nix │ ├── libvirtd │ │ ├── default.nix │ │ ├── vbios.rom │ │ ├── win10-hooks.sh │ │ ├── win10-no-passthrough.xml │ │ └── win10.xml │ ├── misc │ │ └── service-ports.nix │ ├── programs.nix │ └── secrets │ │ ├── default.nix │ │ ├── secrets.yml │ │ ├── syncthing-cert.pem │ │ └── syncthing-key.pem ├── briah │ ├── backups.nix │ ├── default.nix │ ├── filesystems.nix │ ├── hardware-configuration.nix │ ├── hostapd.nix │ ├── misc │ │ └── service-ports.nix │ ├── postgresql.nix │ ├── programs.nix │ ├── secrets │ │ ├── default.nix │ │ ├── secrets.yml │ │ ├── syncthing-cert.pem │ │ └── syncthing-key.pem │ └── ss14-watchdog.nix ├── erika │ ├── backups.nix │ ├── default.nix │ ├── filesystems.nix │ ├── hardware-configuration.nix │ ├── programs.nix │ └── secrets │ │ ├── default.nix │ │ ├── mura.tar │ │ ├── secrets.yml │ │ ├── syncthing-cert.pem │ │ └── syncthing-key.pem ├── featherine │ ├── backups.nix │ ├── default.nix │ ├── filesystems.nix │ ├── hardware-configuration.nix │ ├── programs.nix │ └── secrets │ │ ├── default.nix │ │ ├── secrets.yml │ │ ├── syncthing-cert.pem │ │ └── syncthing-key.pem ├── neith-deck │ ├── default.nix │ ├── filesystems.nix │ ├── hardware-configuration.nix │ ├── programs.nix │ └── secrets │ │ ├── default.nix │ │ ├── secrets.yml │ │ ├── syncthing-cert.pem │ │ └── syncthing-key.pem └── yetzirah │ ├── default.nix │ ├── filesystem.nix │ ├── hardware-configuration.nix │ ├── kiosk-session.nix │ ├── klipper.cfg │ ├── klipper.nix │ ├── mainsail.nix │ ├── misc │ └── service-ports.nix │ ├── moonraker.nix │ ├── secrets │ ├── default.nix │ └── secrets.yml │ └── 
ustreamer.nix ├── justfile ├── lib ├── default.nix └── mkFlake.nix ├── misc ├── ansible │ ├── apps.nix │ ├── inventory.nix │ └── playbook.nix ├── colmena-tags.nix ├── nix-pub-keys.nix ├── ssh-pub-keys.nix ├── syncthing-device-ids.nix ├── wireguard-addresses.nix └── wireguard-pub-keys.nix ├── mixins ├── binfmt-emulation.nix ├── declarative-flatpak.nix ├── gnupg.nix ├── graphical │ ├── steam.nix │ └── sunshine.nix ├── hardware │ ├── amdcpu.nix │ ├── amdgpu.nix │ ├── azure.nix │ ├── bluetooth.nix │ ├── eaton-ups.nix │ ├── home-dcp-l2530dw.nix │ ├── intelgpu-vaapi.nix │ ├── logitech-driving-wheels.nix │ ├── openrazer.nix │ ├── qmk.nix │ ├── raspberrypi4.nix │ ├── steamdeck-minimal.nix │ ├── steamdeck.nix │ ├── wacom.nix │ ├── webcam.nix │ └── xbox-one-controller.nix ├── home │ └── zsh.nix ├── jovian-decky-loader.nix ├── neith-locale.nix ├── networkd.nix ├── nix-store-serve.nix ├── plymouth.nix ├── podman.nix ├── restic │ └── repository-hokma.nix ├── steamcmd.nix ├── system76-scheduler.nix ├── tdarr-node.nix ├── tor.nix ├── upgrade-diff.nix ├── uwu-style.nix ├── v4l2loopback.nix ├── vera-locale.nix ├── virtualisation.nix ├── wine.nix └── wireguard.nix ├── modules ├── default.nix ├── hardware │ ├── default.nix │ └── steamdeck.nix ├── kernel │ ├── default.nix │ └── memory.nix ├── nginx-robots.nix ├── presets │ ├── default.nix │ └── syncthing.nix ├── profiles │ ├── audio │ │ ├── default.nix │ │ ├── input-normalizer.nix │ │ ├── rnnoise.nix │ │ ├── um2.nix │ │ └── virtual-sink.nix │ ├── catppuccin.nix │ ├── default.nix │ ├── desktop.nix │ ├── development.nix │ ├── gaming │ │ ├── default.nix │ │ ├── emulation.nix │ │ └── virtual-reality.nix │ └── graphics.nix ├── substituter-switcher.nix └── tmpfiles-check.nix ├── nixosMixins.nix ├── nixosModules.nix ├── overlays ├── gradientos.nix ├── gradientpkgs.nix └── kernel-allow-missing.nix ├── pkgs ├── amdgpu-kernel-module.nix ├── beyond-all-reason-launcher.nix ├── fbink.nix ├── fna3d.nix ├── godot-mono.nix ├── jack-matchmaker.nix ├── 
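klipper-kusba-firmware │ └── config ├── klipper-np3pro-firmware │ └── config ├── moonraker-timelapse.nix ├── patches │ └── kanidm │ │ └── 0001-Set-oauth-refresh-token-expiry-to-a-month.patch ├── scripts │ └── force-xwayland.nix ├── starsector-gamescope-wrap.nix └── steam-deck-client.nix └── users ├── common ├── home.nix ├── misc │ └── nixpkgs-config.nix ├── nix-direnv.nix └── nix.nix ├── neith ├── default.nix ├── graphical │ └── default.nix ├── home.nix ├── nushell.nix ├── secrets │ ├── default.nix │ └── secrets.yml └── ssh.nix └── vera ├── default.nix ├── face.png ├── graphical ├── default.nix └── konsole │ ├── catppuccin-mocha.colorscheme │ ├── default.nix │ ├── konsolerc │ ├── vera.colorscheme │ └── vera.profile ├── home.nix ├── nushell.nix ├── programs.nix ├── secrets ├── default.nix └── secrets.yml ├── ssh.nix └── zsh ├── default.nix └── zshrc
/.gitignore:
--------------------------------------------------------------------------------
# Nix build outputs.
result-*
result
/result
# Syncthing bookkeeping directories.
.stfolder
.stversions
--------------------------------------------------------------------------------
/.sops.yaml:
--------------------------------------------------------------------------------
# sops-nix key registry and creation rules.
#
# A secrets file is encrypted to the user keys that may edit it plus the age
# key of every host that must decrypt it at activation time. Rotating a host
# key therefore means `sops updatekeys` on every file whose rule lists it.
#
# NOTE(review): path_regex is an unanchored regular expression, not a glob.
# 'core/secrets/*' means "core/secrets followed by zero or more '/'" and
# matches any path containing that substring. It selects the intended
# directories today because no other path contains them, but a directory such
# as hosts/<name>/core/secrets would also match. '^core/secrets/' is the
# precise form if the sops version in use matches paths relative to this file.
keys:
  - &user_vera age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j
  - &user_neith age10h2dan2d3jgy8tjq4djhu5lg4krx2m735nxcvg2schkpkvht0ynsmpdqne
  - &host_bernkastel age1hl9999dlv29qejtac0sdw7nnm9d06uh4nzmgc029ndg40vllavyq5u0pqu
  - &host_neithdeck age1uj0nmmvdeajg0hqlahe839c5r4n6nz0r6ampcwa46yhetx32kgrqqky22x
  - &host_beatrice age1kvsa0ka66tzx3qdq6cacehyyfg80ecq6jfgqxgf8098mdah4earspnft40
  - &host_erika age1ttl5pp50xffh73y3ekutsret24gd3rn7w2yvvcrhu2ywkz867fes8ea2s7
  - &host_asiyah age1lkh89lus8pzd83m2gkvsmyr9uql6n6c0xgwtq69eh0wxeaynxa3qfyzps4
  - &host_briah age1mlznec0ruk9xgkzygpmetsfvutxk4qml636rqcvzpzudyp4wlcfqzgh2e2
  - &host_featherine age1ejpz2fma32t2ek20t3v2x6cyjrzm50lhd9gwqsqhvhnr9nkc0gpscgndk2
  - &host_yetzirah age1ca2ptgj50tdc9lf20mlsq64efqkczd7zlvt49fdnk0z8u7qy7v8sha9tsy

creation_rules:
  # Shared secrets (core/secrets/secrets.yml) are decryptable by every host:
  # compromise of any single host key exposes all of them.
  - path_regex: 'core/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *user_neith
          - *host_bernkastel
          - *host_neithdeck
          - *host_beatrice
          - *host_erika
          - *host_asiyah
          - *host_briah
          - *host_featherine
          - *host_yetzirah

  - path_regex: 'users/vera/secrets/*'
    key_groups:
      - age:
          - *user_vera

  # NOTE(review): vera's key can also decrypt neith's user secrets and the
  # neith-deck host secrets; confirm that is intended rather than a leftover.
  - path_regex: 'users/neith/secrets/*'
    key_groups:
      - age:
          - *user_neith
          - *user_vera

  # Per-host secrets: the administrator's key plus only that host's key.
  - path_regex: 'hosts/bernkastel/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *host_bernkastel

  - path_regex: 'hosts/beatrice/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *host_beatrice

  - path_regex: 'hosts/erika/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *host_erika

  - path_regex: 'hosts/neith-deck/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *user_neith
          - *host_neithdeck

  - path_regex: 'hosts/asiyah/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *host_asiyah

  - path_regex: 'hosts/yetzirah/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *host_yetzirah

  - path_regex: 'hosts/briah/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *host_briah

  - path_regex: 'hosts/featherine/secrets/*'
    key_groups:
      - age:
          - *user_vera
          - *host_featherine
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 Vera Aguilera Puerto

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/core/ananicy-rules.nix:
--------------------------------------------------------------------------------
# ananicy process classes, keyed by executable name.
[
  # Using cachyos types, see: https://github.com/CachyOS/ananicy-rules/blob/master/00-types.types
  # Deployments (colmena) are background CPU/IO work; media players and
  # transcoders get the video / heavy-CPU classes.
  { name = "colmena"; type = "BG_CPUIO"; }
  { name = "ustreamer"; type = "Player-Video"; }
  { name = "jellyfin"; type = "Player-Video"; }
  { name = "ErsatzTV"; type = "Player-Video"; }
  { name = "ffmpeg"; type = "Heavy_CPU"; }
  { name = "tdarr-ffmpeg"; type = "Heavy_CPU"; }

  # Set VR relevant programs to low-latency
  { name = "wivrn-server"; type = "LowLatency_RT"; }
  { name = "wivrn-dashboard"; type = "LowLatency_RT"; }
  { name = "alvr-dashboard"; type = "LowLatency_RT"; }
  { name = "vrserver"; type = "LowLatency_RT"; }
  { name = "vrstartup"; type = "LowLatency_RT"; }
  { name = "vrmonitor"; type = "LowLatency_RT"; }
  { name = "vrcompositor"; type = "LowLatency_RT"; }
]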
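--------------------------------------------------------------------------------
/core/default.nix:
--------------------------------------------------------------------------------
{ config, lib, self, ... }:
let
  cfg = config.gradient;
in
{
  imports = [
    ./nix.nix
    ./nixos.nix
    ./constants.nix
    ./installer.nix
    ./secrets/default.nix
  ];

  options.gradient.core.enable = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = ''
      Whether to enable the core GradientOS configuration.
    '';
  };

  config = lib.mkIf cfg.core.enable {
    # Record the flake revision the closure was built from; `rev` only exists
    # for a clean working tree, hence the guard.
    system.configurationRevision = lib.mkIf (self ? rev) self.rev;
    # Upgrade source is an unpinned branch reference: whoever can push to that
    # repository can ship a new system closure to any host that has
    # autoUpgrade enabled (that switch is not set in this file).
    system.autoUpgrade.flake = "github:gradientvera/GradientOS";
  };
}
--------------------------------------------------------------------------------
/core/installer.nix:
--------------------------------------------------------------------------------
{ config, lib, ... }:
let
  cfg = config.gradient;
in
{
  options.gradient.installer.addSsh = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = ''
      Whether to enable root SSH access with my personal keys on a fresh install's config.
    '';
  };

  # Lines appended to the configuration.nix that nixos-generate-config writes
  # on a fresh install, so the machine is reachable over SSH before the real
  # configuration is deployed.
  config = lib.mkIf cfg.installer.addSsh {
    system.nixos-generate-config.desktopConfiguration = [
      "services.openssh.enable = true;"
      "services.openssh.openFirewall = true;"
      # The bootstrap config runs before core/openssh.nix is in effect, so the
      # password paths must be closed here as well: otherwise the freshly
      # installed system accepts password logins for every local account
      # (NixOS defaults) until the first deploy.
      "services.openssh.settings.PasswordAuthentication = false;"
      "services.openssh.settings.KbdInteractiveAuthentication = false;"
      "users.users.root.openssh.authorizedKeys.keys = [ \"${cfg.const.ssh.pubKeys.vera}\" ];"
    ];
  };
}
--------------------------------------------------------------------------------
/core/network.nix:
--------------------------------------------------------------------------------
{ lib, ... }:
{
  # NetworkManager owns wireless; the standalone wpa_supplicant service must
  # stay off so the two do not fight over the interface.
  networking.wireless.enable = lib.mkForce false;

  # Enable NetworkManager with dnsmasq as the local resolver.
  networking.networkmanager = {
    enable = lib.mkDefault true;
    dns = "dnsmasq";
  };

  # Resolver policy. `address=/.local/127.0.0.1` answers every *.local name
  # with loopback, which shadows mDNS names on the LAN. Upstream queries go as
  # plain (unencrypted) DNS to Cloudflare and Google; anything on the path can
  # observe or alter them.
  environment.etc."NetworkManager/dnsmasq.d/nameservers.conf".text = ''
    address=/.local/127.0.0.1
    server=1.1.1.1
    server=1.0.0.1
    server=8.8.8.8
    server=8.8.4.4
  '';

  # Ignore loopback/virtual interfaces when waiting for the network.
  systemd.network.wait-online.ignoredInterfaces = [ "lo" "virbr0" ];
}
--------------------------------------------------------------------------------
/core/nix-channels.nix:
--------------------------------------------------------------------------------
{ self, ... }:
with self.inputs;
{
  # Pin channels to flake inputs: the registry entries and NIX_PATH both
  # resolve to the locked inputs, so `<nixpkgs>` and `nixpkgs#...` cannot
  # silently pull an unlocked channel.
  nix.registry = {
    nixpkgs.flake = nixpkgs;
    nixpkgs-stable.flake = nixpkgs-stable;
    nixpkgs-master.flake = nixpkgs-master;
    self.flake = self;
  };

  environment.etc = {
    "nix/inputs/nixpkgs".source = "${nixpkgs}";
    "nix/inputs/nixpkgs-master".source = "${nixpkgs-master}";
    "nix/inputs/nixpkgs-stable".source = "${nixpkgs-stable}";
    "nix/inputs/self".source = "${self}";
  };

  nix.nixPath = [ "/etc/nix/inputs" ];
}
--------------------------------------------------------------------------------
/core/openssh.nix:
--------------------------------------------------------------------------------
{ lib, ... }:
let
  ssh-pub-keys = import ../misc/ssh-pub-keys.nix;
in
{
  programs.mosh.enable = true;

  programs.ssh = {
    startAgent = true;
    # Client-side HostKeyAlgorithms. The previous list named "ssh-rsa", the
    # SHA-1 signature scheme that OpenSSH >= 8.8 disables by default; listing
    # it re-enabled SHA-1 host-key signatures and, because this list replaces
    # the default, dropped the SHA-2 RSA schemes. Every host pinned below uses
    # ed25519, so RSA is only kept (with SHA-2) for third parties.
    hostKeyAlgorithms = [ "ssh-ed25519" "rsa-sha2-512" "rsa-sha2-256" ];

    # Outbound connections by root (e.g. the nix-ssh substituters) identify
    # with the machine's own host key; other users cannot read it and fall
    # through to their ~/.ssh/id_ed25519.
    extraConfig = ''
      Host *
        IdentityFile /etc/ssh/ssh_host_ed25519_key
        IdentityFile ~/.ssh/id_ed25519
    '';
  };

  # Enable the OpenSSH daemon: key-only, root allowed with a key, no X11,
  # no agent forwarding through this host.
  services.openssh = {
    enable = true;
    openFirewall = true;

    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = lib.mkForce "prohibit-password";
      # VERBOSE records the fingerprint of the key used for each login.
      LogLevel = "VERBOSE";
      X11Forwarding = false;
    };

    extraConfig = ''
      AllowTcpForwarding yes
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';

    # Pinned host keys. NOTE(review): the substituter URLs in the host
    # configs use short names (*.gradient, *.lily) that these entries do not
    # cover unless `hostNames` is set; without a pin the nix daemon cannot
    # verify the peer non-interactively.
    knownHosts = {
      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
      "git.lix.systems".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+li7S+VH+O2F8lehYE9oBmx7SLGGLl+UQDaTRA7iMM";
      "ssh.gradient.moe".publicKey = ssh-pub-keys.forgejo;
      "asiyah.gradient.moe".publicKey = ssh-pub-keys.asiyah;
      "briah.gradient.moe".publicKey = ssh-pub-keys.briah;
      "bernkastel.gradient.moe".publicKey = ssh-pub-keys.bernkastel;
      "featherine.gradient.moe".publicKey = ssh-pub-keys.featherine;
      "erika.gradient.moe".publicKey = ssh-pub-keys.erika;
      # Previously pinned to erika's key (copy-paste): either every connection
      # to beatrice failed host verification, or a machine holding erika's
      # host key could pose as beatrice. Follows the per-host pattern of the
      # other entries; `beatrice` must exist in misc/ssh-pub-keys.nix.
      "beatrice.gradient.moe".publicKey = ssh-pub-keys.beatrice;
    };

    # Only an ed25519 host key is generated; no RSA/ECDSA host keys.
    hostKeys = [
      { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
    ];
  };

  users.users.root.openssh.authorizedKeys.keys = [ ssh-pub-keys.vera ];
}
--------------------------------------------------------------------------------
/core/secrets/default.nix:
--------------------------------------------------------------------------------
{ config, lib, self, ...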
}:
let
  cfg = config.gradient;
  # All core secrets live in the shared secrets.yml, which every host can
  # decrypt (see .sops.yaml). sops-nix installs them root-owned and 0400
  # unless the consumer sets an owner/mode.
  coreSecret = _: { sopsFile = ./secrets.yml; };
in
{
  imports = [ self.inputs.sops-nix.nixosModules.sops ];

  options.gradient.core.secrets.enable = lib.mkOption {
    type = lib.types.bool;
    default = cfg.core.enable;
    description = ''
      Whether to enable the core GradientOS secrets.
    '';
  };

  config = lib.mkIf cfg.core.secrets.enable {
    sops.secrets = lib.genAttrs [
      "hokma-password"      # presumably the restic repository password (mixins/restic)
      "hokma-environment"
      "upsmon-password"
    ] coreSecret;
  };
}
--------------------------------------------------------------------------------
/core/workarounds.nix:
--------------------------------------------------------------------------------
# Placeholder for temporary workarounds; currently empty.
{ ... }:
{
}
--------------------------------------------------------------------------------
/default.nix:
--------------------------------------------------------------------------------
# Non-flake entry point (nix-build / nix-shell) through flake-compat. The
# flake-compat tarball is fetched at the revision recorded in flake.lock and
# checked against the lock's narHash, so this bootstrap is pinned as tightly
# as the flake inputs themselves.
let
  lock = builtins.fromJSON (builtins.readFile ./flake.lock);
  flakeCompat = fetchTarball {
    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
    sha256 = lock.nodes.flake-compat.locked.narHash;
  };
in
(import flakeCompat { src = builtins.path { path = ./.; name = "GradientOS"; }; }).defaultNix
--------------------------------------------------------------------------------
/hosts/asiyah/backups.nix:
--------------------------------------------------------------------------------
{ ... }:
{
  # Paths backed up to the "hokma" restic repository (repository and
  # credentials are defined elsewhere).
  services.restic.backups.hokma.paths = [
    "/home/vera"
    "/data/trilium"
    "/data/stardream"
    "/var/lib/mediarr"
    "/data/gradient-data"
  ];
}
--------------------------------------------------------------------------------
/hosts/asiyah/clamav.nix:
--------------------------------------------------------------------------------
{ ... }:
{
  # ClamAV daemon, signature updates (official + fangfrisch) and the
  # scheduled scanner.
  services.clamav = {
    daemon.enable = true;
    updater.enable = true;
    fangfrisch.enable = true;
    scanner.enable = true;
  };
}
--------------------------------------------------------------------------------
/hosts/asiyah/cloudflare.nix:
--------------------------------------------------------------------------------
{ config, ... }:
{
  # Dynamic DNS for three zones through the Cloudflare API. The token is read
  # from the sops-managed file at runtime rather than embedded here.
  # NOTE(review): `verbose` raises ddclient's log level; confirm the journal
  # does not echo the token.
  services.ddclient = {
    enable = true;
    verbose = true;
    protocol = "cloudflare";
    ssl = true;
    username = "token";
    # Public IPv4 is discovered from Cloudflare's trace endpoint over HTTPS.
    usev4 = "webv4, webv4=https://cloudflare.com/cdn-cgi/trace, web-skip='ip='";
    usev6 = "disabled"; # ISP does not support ipv6 :(
    passwordFile = config.sops.secrets.cfdyndns-token.path;
    extraConfig = ''
      zone=gradient.moe
      gradient.moe,
      *.gradient.moe,
      game.gradient.moe,
      vpn.gradient.moe,
      www.gradient.moe,
      ssh.gradient.moe

      zone=zumorica.es
      zumorica.es,
      *.zumorica.es,
      www.zumorica.es

      zone=constellation.moe
      constellation.moe,
      *.constellation.moe,
      calibre.constellation.moe,
      ftp.constellation.moe,
      www.constellation.moe
    '';
  };
}
--------------------------------------------------------------------------------
/hosts/asiyah/default.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ... }:
{
  # Service modules for this host; order is irrelevant to the module system.
  imports = [
    ./backups.nix
    ./clamav.nix
    ./cloudflare.nix
    ./duckdns.nix
    ./esphome/default.nix
    ./fail2ban
    ./filesystem.nix
    ./forgejo.nix
    ./gradient-generator.nix
    ./grafana.nix
    ./hardware-configuration.nix
    ./home-assistant.nix
    ./kanidm.nix
    ./libvirtd/default.nix
    ./media-stack.nix
    ./mqtt.nix
    ./nextcloud.nix
    ./nfs.nix
    ./nginx/default.nix
    ./numad.nix
    ./palworld-server.nix
    ./paperless.nix
    ./postgres.nix
    # ./project-zomboid-server.nix
    ./radio.nix
    ./redbot-stardream.nix
    ./redis.nix
    ./scrutiny.nix
    ./searx.nix
    ./secrets/default.nix
    ./trilium-memory-repository.nix
    ./trmnl.nix
    ./vaultwarden.nix
    ./victoriametrics.nix
    ./zigbee.nix
  ];

  networking.hostId = "b4ed7361";

  gradient = {
    presets.syncthing.enable = true;
    profiles.catppuccin.enable = true;
    profiles.graphics.enable = true;
    kernel.hugepages.enable = true;

    # Binary caches on the other machines, reached as nix-ssh over SSH.
    # NOTE(review): core/openssh.nix pins host keys under the *.gradient.moe
    # names, not these *.gradient / *.lily names; confirm they are pinned
    # somewhere, otherwise the daemon cannot verify the peer.
    substituters = {
      briah = "ssh-ng://nix-ssh@briah.gradient?priority=60";
      bernkastel = "ssh-ng://nix-ssh@bernkastel.gradient?priority=40";
      beatrice = "ssh-ng://nix-ssh@beatrice.gradient?priority=45";
      erika = "ssh-ng://nix-ssh@erika.gradient?priority=50";
      neith-deck = "ssh-ng://nix-ssh@neith-deck.lily?priority=100";
    };
  };

  # Increase max amount of connections
  boot.kernel.sysctl."net.core.somaxconn" = "8192";

  environment.systemPackages = with pkgs; [
    numactl
    numatop
    jdupes
    numad
  ];
}
--------------------------------------------------------------------------------
/hosts/asiyah/duckdns.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ...
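}:
let
  # The sops secret *is* the updater script (presumably because it embeds the
  # DuckDNS token), so it must be installed executable and readable by the
  # duckdns user; that owner/mode is set where the secret is declared.
  script = config.sops.secrets.duckdns.path;
in
{
  systemd.timers.duckdns = {
    description = "Updates dynamic DNS every 10 minutes";
    wantedBy = [ "timers.target" ];
    timerConfig = {
      Unit = "duckdns.service";
      OnCalendar = "*-*-* *:0/10:00";
      Persistent = true;
    };
  };

  systemd.services.duckdns = {
    description = "Updates dynamic DNS.";
    after = [ "network-online.target" ];
    wants = [ "duckdns.timer" "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = script;
      User = config.users.users.duckdns.name;
      Environment = "PATH=${pkgs.curl}/bin/";
      # Minimal sandbox for a unit that runs a token-bearing script and talks
      # to the internet: no privilege escalation via setuid, private /tmp.
      NoNewPrivileges = true;
      PrivateTmp = true;
    };
  };

  users.users.duckdns = {
    description = "User for dynamic DNS renewal.";
    isSystemUser = true;
    group = "duckdns";
  };
  users.groups.duckdns = { };
}
--------------------------------------------------------------------------------
/hosts/asiyah/esphome/bk7231n-ir-blaster.yaml:
--------------------------------------------------------------------------------
# Tuya BK7231N IR blaster flashed with ESPHome.
esphome:
  name: bk7231n-ir-blaster
  friendly_name: BK7231N IR Blaster
  name_add_mac_suffix: false

bk72xx:
  board: generic-bk7231n-qfn32-tuya
  framework:
    version: recommended

# Home Assistant native API. NOTE(review): no `encryption: key:` is set, so
# any client on the LAN can connect to the device API unauthenticated
# (ESPHome warns about this at compile time). Adding a key needs the matching
# entry in the dashboard's secrets.yaml and re-adopting the device in HA.
api:

logger:
  baud_rate: 9600
  level: VERBOSE

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password
  fast_connect: on
  power_save_mode: none
  manual_ip:
    static_ip: 192.168.1.102
    gateway: 192.168.1.1
    subnet: 255.255.255.0
  # Fallback access point when the primary network is unreachable; password
  # protected, so the captive portal is not open to anyone nearby.
  ap:
    ssid: "BK7231N-IR-Blaster"
    password: !secret ap_password

captive_portal:

# OTA updates are password protected.
ota:
  - platform: esphome
    id: ota_esphome
    password: !secret ota_password

remote_transmitter:
  pin: GPIO7
  carrier_duty_percent: 50%
  id: irtx

remote_receiver:
  pin:
    number: GPIO8
    inverted: true
  dump: all
  tolerance: 50%
  id: irrx

uart:
  rx_pin: RX1
  tx_pin: TX1
  baud_rate: 9600

text_sensor:
  - platform: version
    hide_timestamp: true
    name: "ESPHome Version"
  - platform: wifi_info
    ip_address:
      name: "IP Address"
      icon: mdi:wifi
    ssid:
      name: "Connected SSID"
      icon: mdi:wifi-strength-2

sensor:
  - platform: wifi_signal
    name: "WiFi Signal"
    update_interval: 120s
  - platform: uptime
    type: seconds
    name: Uptime Sensor

binary_sensor:
  - platform: status
    name: IR Blaster Status
--------------------------------------------------------------------------------
/hosts/asiyah/esphome/default.nix:
--------------------------------------------------------------------------------
{ config, lib, ... }:
let
  ports = config.gradient.currentHost.ports;
in
{
  services.esphome = {
    enable = true;
    usePing = true;
    # Binds every interface; the firewall rules at the bottom restrict it to
    # the gradientnet interface, and no dashboard credentials are configured
    # in this module, so that rule is the only access control.
    address = "0.0.0.0";
    port = ports.esphome;
  };

  users.users.esphome = {
    isSystemUser = true;
    home = "/var/lib/esphome";
    createHome = true;
    homeMode = "750";
    group = config.users.groups.esphome.name;
  };

  users.groups.esphome = { };

  systemd.services.esphome = {
    serviceConfig = {
      # Needed to fix compilation: run as a static user instead of
      # DynamicUser, keeping the hardening options that still apply.
      DynamicUser = lib.mkForce false;
      User = lib.mkForce config.users.users.esphome.name;
      Group = lib.mkForce config.users.groups.esphome.name;
      PrivateTmp = lib.mkForce true;
      RemoveIPC = lib.mkForce true;
      RestrictSUIDSGID = lib.mkForce true;
    };
  };

  # Copy (tmpfiles type C) each device config from this repository into the
  # dashboard directory. repoPath/doCheck are presumably consumed by the local
  # tmpfiles-check module.
  systemd.tmpfiles.settings."10-esphome" =
    let
      mkDevice = file: {
        argument = toString ./${file};
        repoPath = "/etc/nixos/hosts/asiyah/esphome/${file}";
        doCheck = true;
        user = config.systemd.services.esphome.serviceConfig.User;
        group = config.systemd.services.esphome.serviceConfig.Group;
        # Device YAML is data, not a program: owner rw, group r, nothing for
        # others and no execute bit (was 0755).
        mode = "0640";
      };
      devices = [
        "bk7231n-ir-blaster.yaml"
        "kaysun-ac-living-room.yaml"
        "kaysun-ac-vera-bedroom.yaml"
        "sonoff-rf-bridge-r2.yaml"
        "smart-air-freshener.yaml"
        "espbell-lite.yaml"
      ];
    in
    lib.listToAttrs (map (f: lib.nameValuePair "/var/lib/esphome/${f}" { C = mkDevice f; }) devices);

  # Dashboard reachable from the VPN interface only. UDP on an HTTP dashboard
  # port is likely unnecessary; kept as configured.
  networking.firewall.interfaces.gradientnet.allowedTCPPorts = [ ports.esphome ];
  networking.firewall.interfaces.gradientnet.allowedUDPPorts = [ ports.esphome ];
}
--------------------------------------------------------------------------------
/hosts/asiyah/esphome/espbell-lite.yaml:
--------------------------------------------------------------------------------
substitutions:
  name: ESPBell-LITE

esphome:
  name: espbell-lite
  friendly_name: ESPBell LITE
  name_add_mac_suffix: false
  project:
    name: pricelesstoolkit.espbell-lite
    version: "1.0"

esp8266:
  board: esp12e

# Lets the dashboard re-import the vendor config from GitHub (branch `main`,
# not a pinned commit). The firmware is built from this file, so this only
# matters if "adopt" is used from the dashboard.
dashboard_import:
  package_import_url: github://PricelessToolkit/ESPBell-LITE/Code/ESPHome/espbell-lite.yaml@main
  import_full_config: true

# Enable logging
logger:

# Enable Home Assistant API
# NOTE(review): no `encryption: key:` is configured; the native API accepts
# unauthenticated connections from the LAN.
api:

ota:
  - platform: esphome
    id: ota_esphome
    password: !secret ota_password

wifi:
  fast_connect: on
  networks:
    # Pinned to one access point by BSSID.
    - ssid: !secret wifi_ssid
      password: !secret wifi_password
      bssid: "80:AF:CA:56:F8:96"
  manual_ip:
    static_ip: "192.168.1.107"
    gateway: "192.168.1.1"
    subnet: "255.255.255.0"
  ap:
    ssid: "espbell-lite"
    password: !secret ap_password

captive_portal:

sensor:
  - platform: wifi_signal
    name: "WiFi Signal"
    update_interval: 120s
  - platform: uptime
    type: seconds
    name: Uptime Sensor

binary_sensor:

  - platform: status
    name: ESPBell Lite Controller Status

  # Doorbell Sensor
  - platform: gpio
    pin:
      number: 4
      #inverted: true
    name: "DoorBell"
    icon: "mdi:bell"
    filters:
      delayed_on: 100ms

  - platform: status
    name: "${name} Status"

# switch:

  # Door Lock Opener "Momentary Switch" Keeps SSR ON for 1.5s.
  # - platform: gpio
  #   pin: 5
  #   id: Lock
  #   name: "Lock"
  #   icon: "mdi:lock"
  #   restore_mode: ALWAYS_OFF
  #   on_turn_on:
  #     - delay: 1500ms
  #     - switch.turn_off: Lock

button:
  - platform: restart
    name: ${name} restart
--------------------------------------------------------------------------------
/hosts/asiyah/fail2ban/actions/cloudflare-secure.nix:
--------------------------------------------------------------------------------
{ ... }:
{
  # fail2ban action that blocks the offender at the Cloudflare edge through
  # the zone firewall access-rules API. Unlike the stock cloudflare-token
  # action, the API token is read from a file (<cftokenpath>) at ban time, so
  # it never sits in fail2ban's own configuration. The jail has to supply
  # cftokenpath and cfzone, e.g.
  #   action = cloudflare-secure[cftokenpath=/run/secrets/cf-token,cfzone=example.org]
  #
  # NOTE(review): the fail2ban placeholder tags in this listing had been
  # stripped (rendered as `cat )`, `select(.name=="")`, etc.); they are
  # restored from the [Init] names and fail2ban's standard <ip>/<name> tags
  # and should be checked against the deployed file.
  environment.etc."fail2ban/action.d/cloudflare-secure.conf".text = ''
    [Definition]
    actionstart =
    actionstop =
    actioncheck =
    actionban = TOKEN=$(cat <cftokenpath>)
                ZONEID=$(curl -s <_cf_api_params> \
                      -X GET <_cf_api_url_zones> \
                      | jq -r '.result[] | select(.name=="<cfzone>") | .id')
                curl -s <_cf_api_params> \
                      -X POST "<_cf_api_url>" \
                      --data '{"mode":"<cfmode>","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"<notes>"}'
    actionunban = TOKEN=$(cat <cftokenpath>)
                ZONEID=$(curl -s <_cf_api_params> \
                      -X GET <_cf_api_url_zones> \
                      | jq -r '.result[] | select(.name=="<cfzone>") | .id')
                id=$(curl -s -G -X GET "<_cf_api_url>" \
                      -d "mode=<cfmode>" -d "notes=<notes>" -d "configuration.target=<cftarget>" -d "configuration.value=<ip>" \
                      <_cf_api_params> \
                      | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
                      | tr -d ' "' \
                      | head -n 1)
                if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \
                curl -s -X DELETE "<_cf_api_url>/$id" \
                      <_cf_api_params> \
                      --data '{"cascade": "none"}'

    _cf_api_params = -H "Content-type: application/json" -H "Authorization: Bearer $TOKEN"
    _cf_api_url = https://api.cloudflare.com/client/v4/zones/''${ZONEID}/firewall/access_rules/rules
    _cf_api_url_zones = https://api.cloudflare.com/client/v4/zones

    [Init]
    notes = fail2ban
    cfmode = block
    cftarget = ip
    cftokenpath =
    cfzone =

    [Init?family=inet6]
    cftarget = ip6
  '';
}
--------------------------------------------------------------------------------
/hosts/asiyah/fail2ban/actions/default.nix:
--------------------------------------------------------------------------------
{ ... }:
{
  imports = [
    ./cloudflare-secure.nix
  ];
}
--------------------------------------------------------------------------------
/hosts/asiyah/fail2ban/filters/default.nix:
--------------------------------------------------------------------------------
{ ... }:
{
  imports = [
    ./hass.nix
    ./jellyfin.nix
    ./nginx-noagent.nix
  ];
}
--------------------------------------------------------------------------------
/hosts/asiyah/fail2ban/filters/hass.nix:
--------------------------------------------------------------------------------
{ ... }:
{
  # As per https://www.home-assistant.io/integrations/fail2ban/
  # <HOST> is the mandatory capture for the offending address; without it
  # fail2ban rejects the filter (no host group) and nothing is ever banned.
  environment.etc."fail2ban/filter.d/hass.conf".text = ''
    [INCLUDES]
    before = common.conf

    [Definition]
    failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$

    ignoreregex =

    [Init]
    datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
  '';
}
--------------------------------------------------------------------------------
/hosts/asiyah/fail2ban/filters/jellyfin.nix:
--------------------------------------------------------------------------------
{ ...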
}: 2 | { 3 | 4 | # As per https://jellyfin.org/docs/general/networking/fail2ban/ 5 | environment.etc."fail2ban/filter.d/jellyfin.conf".text = '' 6 | [Definition] 7 | failregex = ^.*Authentication request for .* has been denied \(IP: ""\)\. 8 | ''; 9 | 10 | 11 | } -------------------------------------------------------------------------------- /hosts/asiyah/fail2ban/filters/nginx-noagent.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | 4 | # As per https://notes.abhinavsarkar.net/2022/fail2ban-nginx-cloudflare-nixos 5 | environment.etc."fail2ban/filter.d/nginx-noagent.conf".text = '' 6 | [Definition] 7 | 8 | failregex = ^ -.*"-" "-"$ 9 | 10 | ignoreregex = 11 | ''; 12 | 13 | } -------------------------------------------------------------------------------- /hosts/asiyah/filesystem.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | { 3 | 4 | # Bootloader. 5 | boot.loader.systemd-boot.enable = true; 6 | boot.loader.grub.enable = false; 7 | boot.loader.efi.canTouchEfiVariables = true; 8 | 9 | boot.supportedFilesystems = [ "zfs" ]; 10 | boot.zfs.forceImportRoot = false; 11 | services.zfs = { 12 | trim.enable = true; 13 | autoScrub.enable = true; 14 | }; 15 | 16 | fileSystems."/" = { 17 | device = "/dev/disk/by-partuuid/c9299d68-3b61-43d7-b234-e92ad1c47e78"; 18 | fsType = "ext4"; 19 | mountPoint = "/"; 20 | }; 21 | 22 | fileSystems."/data" = { 23 | device = "data"; 24 | fsType = "zfs"; 25 | options = [ "zfsutil" ]; 26 | }; 27 | 28 | fileSystems."/boot" = { 29 | device = "/dev/disk/by-partuuid/77de2f8b-6eea-49cc-b0d4-d13291232a45"; 30 | fsType = "vfat"; 31 | mountPoint = "/boot"; 32 | }; 33 | 34 | swapDevices = [ 35 | { device = "/dev/disk/by-partuuid/94a96e54-d944-4240-a59b-71c642a9e07e"; priority = 100; } 36 | ]; 37 | 38 | } -------------------------------------------------------------------------------- /hosts/asiyah/gradient-generator.nix: 
-------------------------------------------------------------------------------- 1 | { config, self, ... }: 2 | let 3 | secrets = config.sops.secrets; 4 | in { 5 | 6 | gradient-generator.services.daily-avatar = { 7 | enable = true; 8 | enableDiscordUpload = false; 9 | enableMastodonUpload = false; 10 | enableMastodonBotUpload = false; 11 | #mastodonBotUrl = "https://botsin.space"; # RIP botsin.space :( 12 | user = "vera"; 13 | }; 14 | 15 | environment.systemPackages = [ 16 | self.inputs.gradient-generator.packages.x86_64-linux.default 17 | ]; 18 | 19 | systemd.services."gradient-generator.daily-avatar".serviceConfig.EnvironmentFile = secrets.gradient-generator-environment.path; 20 | 21 | } -------------------------------------------------------------------------------- /hosts/asiyah/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, modulesPath, ... }: 2 | 3 | { 4 | imports = 5 | [ (modulesPath + "/installer/scan/not-detected.nix") 6 | ]; 7 | 8 | # Stable for ZFS 9 | boot.kernelPackages = pkgs.linuxPackages_xanmod; 10 | boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "xhci_hcd" ]; 11 | boot.initrd.kernelModules = [ ]; 12 | boot.kernelModules = [ "kvm-intel" "nfs" "corsair-psu" "iTCO_wdt" "xt_multiport" ]; 13 | boot.extraModulePackages = [ ]; 14 | 15 | boot.kernelParams = [ 16 | "pcie_aspm=off" 17 | "intel_iommu=on" 18 | ]; 19 | 20 | # We've got enough RAM to do this LET'S GOOO 21 | boot.tmp.useTmpfs = true; 22 | boot.tmp.tmpfsSize = "75%"; 23 | 24 | # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 25 | # (the default) this is the recommended approach. When using systemd-networkd it's 26 | # still possible to use this option, but it's recommended to use it in conjunction 27 | # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
28 | networking.useDHCP = lib.mkDefault true; 29 | # networking.interfaces.eno1.useDHCP = lib.mkDefault true; 30 | 31 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 32 | powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; 33 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 34 | } -------------------------------------------------------------------------------- /hosts/asiyah/libvirtd/ange.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | let ports = config.gradient.currentHost.ports; in 3 | { 4 | /* Installs the "ange" libvirt domain definition from the repo and opens its SPICE port on gradientnet only. */ 5 | systemd.tmpfiles.settings."10-libvirtd" = { 6 | 7 | "/var/lib/libvirt/qemu/ange.xml".C = { 8 | argument = "${./ange.xml}"; 9 | repoPath = "/etc/nixos/hosts/asiyah/libvirtd/ange.xml"; 10 | doCheck = true; 11 | group = "libvirtd"; 12 | /* NOTE(review): 0666 makes the domain XML world-writable, so any local account could change the VM's disks, devices or passthrough before libvirtd (which runs as root) loads it. The file is already group libvirtd, so 0660 is enough for the intended editors. */ mode = "0666"; 13 | }; 14 | 15 | }; 16 | 17 | 18 | networking.firewall.interfaces.gradientnet.allowedTCPPorts = [ ports.ange-spice ]; 19 | networking.firewall.interfaces.gradientnet.allowedUDPPorts = [ ports.ange-spice ]; 20 | 21 | } -------------------------------------------------------------------------------- /hosts/asiyah/libvirtd/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | 4 | imports = [ 5 | ./ange.nix 6 | ]; 7 | 8 | virtualisation.libvirtd = { 9 | enable = true; 10 | onBoot = "ignore"; 11 | onShutdown = "suspend"; 12 | qemu = { 13 | package = pkgs.qemu_full; 14 | runAsRoot = true; 15 | ovmf.enable = true; 16 | swtpm.enable = true; 17 | vhostUserPackages = [ 18 | pkgs.virtiofsd 19 | ]; 20 | }; 21 | }; 22 | 23 | boot.kernelModules = [ "qxl" ]; 24 | 25 | } -------------------------------------------------------------------------------- /hosts/asiyah/misc/service-ports.nix: -------------------------------------------------------------------------------- 1 | { 2 | ssh = 22; 3 | 4 | # nginx 5 | nginx = 80; 6 | nginx-ssl = 443; 7 | oauth2-proxy = 4180; 8 | vdo-ninja = 8082; 9 | 10 | # wireguard 11 | gradientnet = 1194; 12 | lilynet = 1195; 13 | 14 | # kanidm 15 | kanidm = 8443; 16 | kanidm-ldap = 3636; 17 | 18 | # mediarr stack 19 | jellyfin-http = 8096; 20 | jellyfin-https = 8920; 21 | jellyfin-service-discovery = 1901; 22 | jellyfin-client-discovery = 7359; 23 | radarr = 7878; 24 | sonarr = 8989; 25 | lidarr = 8686; 26 | readarr = 8787; 27 | prowlarr = 9696; 28 | bazarr = 6767; 29 | jellyseerr = 5055; 30 | unpackerr = 5656; 31 | qbittorrent-webui = 8090; 32 | qbittorrent-peer = 36494; 33 | flaresolverr = 8191; 34 | ersatztv = 8409; 35 | tdarr-webui = 8265; 36 | tdarr-server = 8266; 37 | bitmagnet-webui = 3333; 38 | bitmagnet-peer = 3334; 39 | mikochi = 8091; 40 | cross-seed = 2468; 41 | sabnzbd = 8092; 42 | mediarr-openssh = 2222; 43 | slskd = 5030; 44 | slskd-peer = 26156; 45 | romm = 8095; 46 | neko = 8097; 47 | neko-epr-start = 52000; 48 | neko-epr-end = 52100; 49 | proxy-vpn = 1080; 50 | proxy-vpn-uk = 1081; 51 | calibre-web-automated = 8078; 52 | calibre-downloader = 8077; 53 | 54 | # NFS 55 | nfsd = 2049; 56 | statd = 4000; 57 | lockd = 4001; 58 | mountd = 4002; 59 | 60 | # misc 61 | home-assistant = 8123; 62 | zigbee2mqtt = 8124; 63 | esphome = 6052; 64 | redis-oauth2 = 6380; 65 | redis-forgejo = 6381; 66 | 
postgresql = 5432; 67 | trilium = 8081; 68 | searx = 8089; 69 | mqtt = 1883; 70 | tor = 9050; 71 | pufferpanel = 8098; 72 | pufferpanel-sftp = 5657; 73 | ange-spice = 5900; 74 | syncthing = 8384; 75 | vaultwarden = 8222; 76 | forgejo = 3000; 77 | forgejo-ssh = 222; 78 | trmnl = 2300; 79 | openwebrx = 8073; 80 | 81 | # Paperless-ngx 82 | paperless = 28981; 83 | tika = 9998; 84 | gotenberg = 9997; 85 | 86 | # grafana 87 | grafana = 8083; 88 | prometheus = 8084; 89 | prometheus-node-exporter = 8085; 90 | loki = 8086; 91 | promtail = 8087; 92 | victoriametrics = 8428; 93 | 94 | # scrutiny 95 | scrutiny = 8093; 96 | influxdb = 8094; 97 | 98 | # game servers 99 | palworld = 8211; 100 | project-zomboid = 16261; 101 | project-zomboid-direct = 16262; 102 | project-zomboid-steam-1 = 21971; 103 | project-zomboid-steam-2 = 21972; 104 | } -------------------------------------------------------------------------------- /hosts/asiyah/mqtt.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | /* Mosquitto broker for zigbee2mqtt / Home Assistant traffic on the gradientnet wireguard network. */ 7 | services.mosquitto = { 8 | enable = true; 9 | listeners = [ 10 | # Listener for internal gradientnet purposes only. Do NOT expose. 11 | { 12 | /* NOTE(review): anonymous clients get read/write on every topic, and no listener address is set, so the broker presumably binds all interfaces; only the gradientnet firewall rules below keep the "do NOT expose" intent true. Binding the listener to the gradientnet address would keep that intent even if the firewall rules change. */ acl = [ "pattern readwrite #" ]; 13 | port = ports.mqtt; 14 | omitPasswordAuth = true; 15 | settings.allow_anonymous = true; 16 | } 17 | ]; 18 | }; 19 | 20 | networking.firewall.interfaces.gradientnet.allowedTCPPorts = [ ports.mqtt ]; 21 | networking.firewall.interfaces.gradientnet.allowedUDPPorts = [ ports.mqtt ]; 22 | 23 | } -------------------------------------------------------------------------------- /hosts/asiyah/nextcloud.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | { 3 | 4 | services.nextcloud = { 5 | enable = true; 6 | package = pkgs.nextcloud31; 7 | hostName = "nextcloud.constellation.moe"; 8 | database.createLocally = true; 9 | maxUploadSize = "4G"; 10 | https = true; 11 | 12 | config = { 13 | dbtype = "pgsql"; 14 | adminpassFile = config.sops.secrets.nextcloud-admin-password.path; 15 | }; 16 | 17 | caching.redis = true; 18 | configureRedis = true; 19 | 20 | appstoreEnable = false; 21 | extraAppsEnable = true; 22 | extraApps = { 23 | inherit (config.services.nextcloud.package.packages.apps) 24 | news 25 | contacts 26 | calendar 27 | tasks; 28 | }; 29 | 30 | }; 31 | 32 | } -------------------------------------------------------------------------------- /hosts/asiyah/nfs.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | addresses = config.gradient.const.wireguard.addresses; 5 | in 6 | { 7 | 8 | services.rpcbind.enable = true; 9 | services.nfs.server = { 10 | enable = true; 11 | statdPort = ports.statd; 12 | lockdPort = ports.lockd; 13 | mountdPort = ports.mountd; 14 | createMountPoints = true; 15 | exports = let 16 | mediarrConfig = "${addresses.gradientnet.gradientnet}/24(rw,all_squash,anonuid=${toString config.users.users.mediarr.uid},anongid=${toString config.users.groups.mediarr.gid})"; 17 | in 18 | '' 19 | /export/downloads ${mediarrConfig} 20 | /export/mediarr ${mediarrConfig} 21 | ''; 22 | }; 23 | services.nfs.settings = { 24 | nfsd.udp = false; 25 | nfsd.vers3 = false; 26 | nfsd.vers4 = true; 27 | nfsd."vers4.0" = false; 28 | nfsd."vers4.1" = false; 29 | nfsd."vers4.2" = true; 30 | }; 31 | 32 | fileSystems."/export/downloads" = { 33 | device = "/data/downloads"; 34 | options = [ "bind" ]; 35 | }; 36 | 37 | fileSystems."/export/mediarr" = { 38 | device = "/var/lib/mediarr"; 39 | options = [ "bind" ]; 40 | }; 41 | 42 | networking.firewall.interfaces.gradientnet = { 43 | allowedTCPPorts = [ 44 | 
ports.nfsd 45 | ports.statd 46 | ports.lockd 47 | ports.mountd 48 | ]; 49 | allowedUDPPorts = [ 50 | ports.nfsd 51 | ports.statd 52 | ports.lockd 53 | ports.mountd 54 | ]; 55 | }; 56 | 57 | } -------------------------------------------------------------------------------- /hosts/asiyah/nginx/constellation-moe-oauth2-proxy.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | let 3 | secrets = config.sops.secrets; 4 | ports = config.gradient.currentHost.ports; 5 | in { 6 | 7 | # TODO: Make this a container so we can have multiple instances of oauth2_proxy? 8 | # TODO-Followup: Might actually not be needed with kanidm, just use groups maybe? 9 | 10 | # OAuth2 Learning resources: 11 | # https://auth0.com/intro-to-iam/what-is-oauth-2 12 | # https://kanidm.github.io/kanidm/stable/integrations/oauth2.html 13 | # https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/openid_connect/ 14 | 15 | services.oauth2-proxy = { 16 | enable = true; 17 | httpAddress = "http://127.0.0.1:${toString ports.oauth2-proxy}"; 18 | upstream = [ "http://127.0.0.1:${toString ports.nginx}" ]; 19 | 20 | # -- github config -- 21 | #redirectURL = "https://polycule.constellation.moe/oauth2/callback"; 22 | #provider = "github"; 23 | #github.org = "ConstellationNRV"; 24 | #clientID = "05fb727827ad30eddf0d"; 25 | 26 | # -- kanidm config -- 27 | provider = "oidc"; 28 | clientID = "constellation-oauth2-proxy"; 29 | redirectURL = "https://polycule.constellation.moe/oauth2/callback"; 30 | oidcIssuerUrl = "https://identity.gradient.moe/oauth2/openid/constellation-oauth2-proxy"; 31 | profileURL = "https://identity.gradient.moe/oauth2/openid/constellation-oauth2-proxy/userinfo"; 32 | extraConfig.code-challenge-method = "S256"; 33 | 34 | # Needed for things that use header auth. 
35 | setXauthrequest = true; 36 | 37 | keyFile = secrets.oauth2-proxy-secrets.path; 38 | reverseProxy = true; 39 | cookie.refresh = "14m"; 40 | cookie.expire = "720h0m0s"; 41 | cookie.secure = true; 42 | /* NOTE(review): httpOnly = false lets page scripts read the session cookie, and with cookie.domain = ".constellation.moe" that is every subdomain, so an XSS anywhere under constellation.moe exposes the proxy session. Unless a front-end genuinely needs to read the cookie, set this to true. */ cookie.httpOnly = false; 43 | cookie.domain = ".constellation.moe"; 44 | cookie.name = "__Secure-oauth2_proxy_constellation"; 45 | extraConfig = { 46 | pass-user-headers = "true"; 47 | session-store-type = "redis"; 48 | redis-connection-url = "redis://127.0.0.1:${toString ports.redis-oauth2}/0"; 49 | }; 50 | nginx.domain = "polycule.constellation.moe"; 51 | }; 52 | 53 | services.redis.servers.oauth2 = { 54 | enable = true; 55 | databases = 1; 56 | openFirewall = false; 57 | port = ports.redis-oauth2; 58 | }; 59 | 60 | systemd.services.oauth2-proxy = { 61 | after = [ "redis-oauth2.service" "kanidm.service" ]; 62 | wants = [ "redis-oauth2.service" "kanidm.service" ]; 63 | }; 64 | 65 | /* NOTE(review): httpAddress binds 127.0.0.1, so this firewall entry is not needed for nginx to reach the proxy; it opens the port on every interface and would expose the proxy directly if the bind address ever changes. Consider dropping it. */ networking.firewall.allowedTCPPorts = with ports; [ oauth2-proxy ]; 66 | 67 | } -------------------------------------------------------------------------------- /hosts/asiyah/nginx/constellation-moe.nix: -------------------------------------------------------------------------------- 1 | /* 2 | Public constellation.moe website. 3 | */ 4 | { self, lib, ... 
}: 5 | { 6 | 7 | security.acme.certs."constellation.moe" = { 8 | dnsProvider = "cloudflare"; 9 | extraDomainNames = lib.mkForce [ 10 | "*.constellation.moe" 11 | "*.asiyah.constellation.moe" 12 | ]; 13 | }; 14 | 15 | services.nginx.virtualHosts = { 16 | 17 | "constellation.moe" = { 18 | root = self.inputs.constellation-moe; 19 | enableACME = true; 20 | acmeRoot = null; 21 | forceSSL = true; 22 | serverAliases = [ 23 | "www.constellation.moe" 24 | ]; 25 | }; 26 | 27 | "neith.constellation.moe" = { 28 | useACMEHost = "constellation.moe"; 29 | forceSSL = true; 30 | 31 | locations."/" = { 32 | return = "301 https://constellation.moe$request_uri"; 33 | }; 34 | 35 | locations."/.well-known/discord" = { 36 | return = "200 dh=c6efaef2bdecf33aa37bf661e003f57442183211"; 37 | }; 38 | }; 39 | 40 | "remie.constellation.moe" = { 41 | useACMEHost = "constellation.moe"; 42 | forceSSL = true; 43 | 44 | locations."/" = { 45 | return = "301 https://constellation.moe$request_uri"; 46 | }; 47 | 48 | locations."/.well-known/discord" = { 49 | return = "200 dh=1bcf1ec16a3b9abcf5df802a38bf0de78075303a"; 50 | }; 51 | }; 52 | 53 | "vera.constellation.moe" = { 54 | useACMEHost = "constellation.moe"; 55 | forceSSL = true; 56 | 57 | locations."/" = { 58 | return = "301 https://constellation.moe$request_uri"; 59 | }; 60 | 61 | locations."/.well-known/discord" = { 62 | return = "200 dh=5d358d1a3d245e6375922193e53fdd0ab83b619b"; 63 | }; 64 | }; 65 | 66 | /* Basic-auth protected static site. NOTE(review): the htpasswd file sits inside the served root, so once a client has passed basic auth nginx serves /.htpasswd like any other file and hands out every stored password hash. Keep the file outside /data/adventure, or deny dotfiles in this vhost (e.g. a `location ~ /\.ht { return 404; }`). */ "adventure.constellation.moe" = { 67 | useACMEHost = "constellation.moe"; 68 | forceSSL = true; 69 | root = "/data/adventure"; 70 | extraConfig = '' 71 | auth_basic "Constellation Adventure: Extended Cut"; 72 | auth_basic_user_file /data/adventure/.htpasswd; 73 | ''; 74 | }; 75 | 76 | }; 77 | 78 | } -------------------------------------------------------------------------------- /hosts/asiyah/nginx/crp3092.nix: -------------------------------------------------------------------------------- 1 | /* 2 | I guess I do hosting for other people now? 
3 | */ 4 | { self, ... }: 5 | { 6 | 7 | services.nginx.virtualHosts = { 8 | "crp3092.com" = { 9 | root = self.inputs.crp3092; 10 | enableACME = true; 11 | addSSL = true; 12 | serverAliases = [ 13 | "www.crp3092.com" 14 | ]; 15 | }; 16 | }; 17 | 18 | } -------------------------------------------------------------------------------- /hosts/asiyah/nginx/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, config, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in { 5 | 6 | imports = [ 7 | ./crp3092.nix 8 | ./gradientnet.nix 9 | ./gradient-moe.nix 10 | ./constellation-moe.nix 11 | ./constellation-moe-internal.nix 12 | ./constellation-moe-oauth2-proxy.nix 13 | ]; 14 | 15 | gradient.nginx.enableBlockAIBots = true; 16 | 17 | services.nginx = { 18 | enable = true; 19 | package = pkgs.nginxStable.override { 20 | withSlice = true; 21 | }; 22 | defaultHTTPListenPort = ports.nginx; 23 | defaultSSLListenPort = ports.nginx-ssl; 24 | recommendedGzipSettings = true; 25 | recommendedOptimisation = true; 26 | recommendedProxySettings = true; 27 | recommendedTlsSettings = true; 28 | recommendedZstdSettings = true; 29 | 30 | logError = "/var/log/nginx/error.log"; 31 | 32 | appendHttpConfig = '' 33 | set_real_ip_from 173.245.48.0/20; 34 | set_real_ip_from 103.21.244.0/22; 35 | set_real_ip_from 103.22.200.0/22; 36 | set_real_ip_from 103.31.4.0/22; 37 | set_real_ip_from 141.101.64.0/18; 38 | set_real_ip_from 108.162.192.0/18; 39 | set_real_ip_from 190.93.240.0/20; 40 | set_real_ip_from 188.114.96.0/20; 41 | set_real_ip_from 197.234.240.0/22; 42 | set_real_ip_from 198.41.128.0/17; 43 | set_real_ip_from 162.158.0.0/15; 44 | set_real_ip_from 104.16.0.0/13; 45 | set_real_ip_from 104.24.0.0/14; 46 | set_real_ip_from 172.64.0.0/13; 47 | set_real_ip_from 131.0.72.0/22; 48 | set_real_ip_from 2400:cb00::/32; 49 | set_real_ip_from 2606:4700::/32; 50 | set_real_ip_from 2803:f800::/32; 51 | set_real_ip_from 2405:b500::/32; 
52 | set_real_ip_from 2405:8100::/32; 53 | set_real_ip_from 2a06:98c0::/29; 54 | set_real_ip_from 2c0f:f248::/32; 55 | real_ip_header CF-Connecting-IP; 56 | 57 | map $username $xusername { 58 | ~^(\w+)@identity.gradient.moe $1; 59 | default ""; 60 | } 61 | ''; 62 | }; 63 | 64 | security.acme = { 65 | acceptTerms = true; 66 | defaults = { 67 | email = "gradientvera+acme@outlook.com"; 68 | dnsResolver = "1.1.1.1:53"; 69 | # dnsProvider = "cloudflare"; # Apparently this default doesn't work lmao 70 | credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.acme-cf-token.path; 71 | }; 72 | }; 73 | 74 | networking.firewall.allowedTCPPorts = with ports; [ 75 | nginx nginx-ssl 76 | ]; 77 | 78 | } -------------------------------------------------------------------------------- /hosts/asiyah/numad.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | systemd.services.numad = { 5 | description = "numad - The NUMA daemon that manages application locality."; 6 | wantedBy = [ "multi-user.target" ]; 7 | serviceConfig = { 8 | Type = "forking"; 9 | ExecStart = "${pkgs.numad}/bin/numad -i 15"; 10 | Restart = "on-failure"; 11 | }; 12 | }; 13 | 14 | } -------------------------------------------------------------------------------- /hosts/asiyah/palworld-server.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}: 2 | let 3 | steam-app = "2394010"; 4 | ports = config.gradient.currentHost.ports; 5 | in { 6 | 7 | users.users.palworld = { 8 | isSystemUser = true; 9 | home = "/var/lib/palworld"; 10 | createHome = true; 11 | homeMode = "750"; 12 | group = config.users.groups.palworld.name; 13 | extraGroups = [ config.users.groups.steamcmd.name ]; 14 | }; 15 | 16 | users.groups.palworld = {}; 17 | 18 | systemd.tmpfiles.rules = [ 19 | "d ${config.users.users.palworld.home}/.steam 0755 ${config.users.users.palworld.name} ${config.users.groups.palworld.name} - -" 20 | "L+ ${config.users.users.palworld.home}/.steam/sdk64 - - - - /var/lib/steamcmd/apps/1007/linux64" 21 | ]; 22 | 23 | systemd.services.palworld = { 24 | path = [ pkgs.xdg-user-dirs ]; 25 | 26 | # Manually start the server if needed, to save resources. 27 | wantedBy = [ ]; 28 | 29 | # Install the game before launching. 30 | wants = [ "steamcmd@${steam-app}.service" ]; 31 | after = [ "steamcmd@${steam-app}.service" ]; 32 | 33 | serviceConfig = { 34 | ExecStart = lib.escapeShellArgs [ 35 | "${pkgs.steam-run}/bin/steam-run" 36 | "/var/lib/steamcmd/apps/${steam-app}/PalServer.sh" 37 | "port=${toString ports.palworld}" 38 | "-useperfthreads" 39 | "-NoAsyncLoadingThread" 40 | "-UseMultithreadForDS" 41 | ]; 42 | Nice = "-5"; 43 | PrivateTmp = true; 44 | Restart = "on-failure"; 45 | User = config.users.users.palworld.name; 46 | WorkingDirectory = "~"; 47 | }; 48 | environment = { 49 | SteamAppId = "1623730"; 50 | }; 51 | }; 52 | 53 | networking.firewall.interfaces.lilynet.allowedTCPPorts = with ports; [ 54 | palworld 55 | ]; 56 | 57 | networking.firewall.interfaces.lilynet.allowedUDPPorts = with ports; [ 58 | palworld 59 | ]; 60 | } -------------------------------------------------------------------------------- /hosts/asiyah/paperless.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | /* Paperless-ngx behind nginx, with login delegated to kanidm over OIDC. */ 7 | services.paperless = { 8 | enable = true; 9 | exporter.enable = true; 10 | database.createLocally = true; 11 | 12 | address = "127.0.0.1"; 13 | port = ports.paperless; 14 | 15 | /* NOTE(review): per the NixOS option this presumably makes the consumption directory writable by every local user, so any local account can feed documents into the instance — confirm that is intended. */ consumptionDirIsPublic = true; 16 | 17 | environmentFile = config.sops.secrets.paperless-env.path; 18 | passwordFile = config.sops.secrets.paperless-admin-password.path; 19 | settings = { 20 | PAPERLESS_URL = "https://paperless.gradient.moe"; 21 | 22 | PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; 23 | 24 | PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON ({ 25 | openid_connect = { 26 | OAUTH_PKCE_ENABLED = true; 27 | APPS = [ 28 | { 29 | provider_id = "kanidm"; 30 | name = "Gradient Identity"; 31 | client_id = "paperless"; 32 | settings = { 33 | server_url = "https://identity.gradient.moe/oauth2/openid/paperless/.well-known/openid-configuration"; 34 | oauth_pkce_enabled = true; 35 | }; 36 | } 37 | ]; 38 | }; 39 | }); 40 | 41 | /* NOTE(review): auto-signup with EMAIL_VERIFICATION = "none" and regular login disabled means every identity kanidm lets through the "paperless" OIDC client becomes a local account with no further check; who may use this instance is therefore decided entirely by the kanidm group/scope assigned to that client. */ PAPERLESS_SOCIAL_AUTO_SIGNUP = true; 42 | PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = true; 43 | PAPERLESS_ACCOUNT_ALLOW_SIGNUPS = false; 44 | PAPERLESS_ACCOUNT_EMAIL_VERIFICATION = "none"; 45 | PAPERLESS_DISABLE_REGULAR_LOGIN = true; 46 | PAPERLESS_REDIRECT_LOGIN_TO_SSO = true; 47 | PAPERLESS_ACCOUNT_SESSION_REMEMBER = true; 48 | 49 | PAPERLESS_OCR_LANGUAGE = "spa+eng"; 50 | PAPERLESS_TIKA_ENABLED = "true"; 51 | PAPERLESS_TIKA_ENDPOINT = "http://127.0.0.1:${toString ports.tika}"; 52 | PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://127.0.0.1:${toString ports.gotenberg}"; 53 | 54 | PAPERLESS_TASK_WORKERS = 4; 55 | PAPERLESS_THREADS_PER_WORKER = 4; 56 | 57 | PAPERLESS_ENABLE_NLTK = true; 58 | 59 | /* Trusting X-Forwarded-* headers is only safe because address is 127.0.0.1 and nginx is the sole client; keep these two settings paired. */ PAPERLESS_USE_X_FORWARD_HOST = true; 60 | PAPERLESS_USE_X_FORWARD_PORT = true; 61 | PAPERLESS_PROXY_SSL_HEADER = ''["HTTP_X_FORWARDED_PROTO", "https"]''; 62 | }; 63 | }; 64 | 65 | services.tika = { 66 | enable = true; 67 | port = ports.tika; 68 | enableOcr = true; 69 | }; 70 | 71 | 
services.gotenberg = { 72 | enable = true; 73 | port = ports.gotenberg; 74 | 75 | # libreoffice.autoStart = true; 76 | 77 | # It's just broken-- 78 | # chromium.autoStart = true; 79 | # chromium.disableJavascript = true; 80 | }; 81 | 82 | } -------------------------------------------------------------------------------- /hosts/asiyah/project-zomboid-server.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | let 3 | steam-app = "380870"; 4 | ports = config.gradient.currentHost.ports; 5 | in { 6 | /* Dedicated Project Zomboid server installed via steamcmd and run under its own system user. */ 7 | users.users.project-zomboid = { 8 | isSystemUser = true; 9 | home = "/var/lib/project-zomboid"; 10 | createHome = true; 11 | homeMode = "750"; 12 | group = config.users.groups.project-zomboid.name; 13 | }; 14 | 15 | users.groups.project-zomboid = {}; 16 | 17 | systemd.services.project-zomboid = { 18 | wantedBy = [ "multi-user.target" ]; 19 | 20 | # Install the game before launching. 21 | wants = [ "steamcmd@${steam-app}.service" ]; 22 | after = [ "steamcmd@${steam-app}.service" ]; 23 | 24 | /* NOTE(review): a third-party, internet-facing binary runs here with PrivateTmp as the only sandboxing directive; the usual systemd hardening (ProtectSystem, ProtectHome, NoNewPrivileges, ...) is worth adding since the unit already runs as a dedicated user. */ serviceConfig = { 25 | ExecStart = lib.escapeShellArgs [ 26 | "${pkgs.steam-run}/bin/steam-run" 27 | "/var/lib/steamcmd/apps/${steam-app}/start-server.sh" 28 | "--servername Asiyah" 29 | "--port ${toString ports.project-zomboid}" 30 | "--udpport ${toString ports.project-zomboid-direct}" 31 | "--steamport1 ${toString ports.project-zomboid-steam-1}" 32 | "--steamport2 ${toString ports.project-zomboid-steam-2}" 33 | ]; 34 | Nice = "-5"; 35 | PrivateTmp = true; 36 | Restart = "always"; 37 | User = config.users.users.project-zomboid.name; 38 | WorkingDirectory = "~"; 39 | }; 40 | environment = { 41 | SteamAppId = "108600"; 42 | }; 43 | }; 44 | 45 | /* NOTE(review): unlike palworld-server.nix, which scopes its rules to the lilynet interface, these rules open the game ports on every interface, including whichever faces the internet — confirm this server is meant to be publicly reachable. */ networking.firewall.allowedTCPPorts = with ports; [ 46 | project-zomboid 47 | project-zomboid-direct 48 | project-zomboid-steam-1 49 | project-zomboid-steam-2 50 | ]; 51 | 52 | networking.firewall.allowedUDPPorts = with ports; [ 53 | project-zomboid 54 | 
project-zomboid-direct 55 | project-zomboid-steam-1 56 | project-zomboid-steam-2 57 | ]; 58 | } -------------------------------------------------------------------------------- /hosts/asiyah/radio.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | { 3 | /* OpenWebRX+ (SDR web receiver) as a podman container with the host's RTL-SDR passed through. */ 4 | hardware.rtl-sdr.enable = true; 5 | 6 | virtualisation.oci-containers.containers.openwebrxplus = { 7 | image = "slechev/openwebrxplus-softmbe:latest"; 8 | pull = "newer"; 9 | ports = [ "127.0.0.1:${toString config.gradient.currentHost.ports.openwebrx}:8073" ]; 10 | volumes = [ 11 | "/var/lib/openwebrx:/var/lib/openwebrx" 12 | "/var/lib/openwebrx/etc:/etc/openwebrx" 13 | "/var/lib/openwebrx/plugins:/usr/lib/python3/dist-packages/htdocs/plugins" 14 | ]; 15 | environment = { 16 | TZ = config.time.timeZone; 17 | OPENWEBRX_ADMIN_USER = "admin"; 18 | /* NOTE(review): the admin credential is hard-coded in the repository. The port is bound to loopback, but anything that proxies it (and every local user) can log in with this value, and it is now in git history. Move it to a sops secret and pass it through environmentFiles, as the other services on this host do with config.sops.secrets. */ OPENWEBRX_ADMIN_PASSWORD = "password"; 19 | }; 20 | extraOptions = [ 21 | "--ip" "10.88.0.8" 22 | /* Exposes the whole host USB bus to the container, not only the SDR dongle. */ "--device" "/dev/bus/usb" 23 | ]; 24 | }; 25 | 26 | /*systemd.services.openwebrx.serviceConfig = { 27 | DynamicUser = lib.mkForce false; 28 | User = config.users.users.openwebrx.name; 29 | Group = config.users.users.openwebrx.group; 30 | }; 31 | 32 | users.users.openwebrx = { 33 | isSystemUser = true; 34 | home = "/var/lib/openwebrx"; 35 | createHome = true; 36 | homeMode = "750"; 37 | group = config.users.groups.openwebrx.name; 38 | # Allow access to RTL-SDR 39 | extraGroups = [ config.users.groups.plugdev.name ]; 40 | }; 41 | 42 | users.groups.openwebrx = {};*/ 43 | 44 | } -------------------------------------------------------------------------------- /hosts/asiyah/redbot-stardream.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | { 3 | 4 | virtualisation.oci-containers.containers.stardream = { 5 | image = "ghcr.io/phasecorex/red-discordbot:extra-audio"; 6 | pull = "newer"; 7 | volumes = [ "/data/stardream:/data" ]; 8 | environment = { 9 | TZ = config.time.timeZone; 10 | OWNER = "132502019981180928"; 11 | EXTRA_ARGS = "--dev"; 12 | }; 13 | extraOptions = [ 14 | "--ip" "10.88.0.3" 15 | ]; 16 | }; 17 | 18 | } -------------------------------------------------------------------------------- /hosts/asiyah/redis.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | services.redis = { 5 | package = pkgs.valkey; 6 | vmOverCommit = true; 7 | }; 8 | 9 | } -------------------------------------------------------------------------------- /hosts/asiyah/scrutiny.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | 7 | services.scrutiny = { 8 | enable = true; 9 | influxdb.enable = true; 10 | collector.enable = true; 11 | collector.settings.host.id = config.networking.hostName; 12 | settings.web.listen.port = ports.scrutiny; 13 | settings.web.influxdb.port = ports.influxdb; 14 | }; 15 | 16 | services.influxdb2.settings.http-bind-address = ":${toString ports.influxdb}"; 17 | 18 | networking.firewall.interfaces.gradientnet = with ports; { 19 | allowedTCPPorts = [ 20 | scrutiny 21 | influxdb 22 | ]; 23 | allowedUDPPorts = [ 24 | scrutiny 25 | influxdb 26 | ]; 27 | }; 28 | 29 | } -------------------------------------------------------------------------------- /hosts/asiyah/secrets/syncthing-key.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data:qVHwYNrRxFaRvgrr0ALmo37/iygUd3fEXEAm9tybqwegVk7G7Qp0a4Si1p352NNqypWX9+TtBhcHzGBKB5KPgVtKjPNwmZtzyI7QcsaxfaoLz0s7KltFi4AKzuPEW7+Tv7DGEcii8RHoXXL6idrHLEYy0Xq0oQZTSV6L//QU5IVjeKub2cTOwn0JlD0ROW/xAimvmLf1FTlZ+myRxiI9ARk6GvLMkatpfDzQ57NpaflrUEwu//rRp8Ry7BhFyBMdEK1HS7TSgiwtCW8+4yyqkS18tPtajF5YvWjQlMwaDXj71zCBnypU37Pchv7B7uoE4boUcdhIOZnZnxc4vh8vYe49b80kVG+kT5Rnkc+O7DejuXHQYPvwThZkTtuL6yiI,iv:edNyOIes3YTfVw5eC7oGIXrodyK23/H5nOymM85X9hg=,tag:MK4+Gf9LG9GUBN7p6hdJ3A==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VkdoS3Q1enVPd21vWmFw\nV3AzL3hkQzBTWHJkSlEvMDBjVkhSL3ptbmpzCmFKQ0NJMWdKU2ZSb1VubThvYmk5\nczF2OXk5NlpWbnQzSTRUWC9sOWJIbjAKLS0tIDNpYUJKcDE4eS9TK09uZVczMm1B\nMkczQTdhN0x2M2RFUmhnMHFnYkZuWUEKGCx4xBrJ2zqNVKqUWjw/GAPBIZtWAxyd\n4TO0Lc9OcaEcCxqbzleTCNhLXnuF8fjz11Mas9vWJuM7Llj+xQ0HWg==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1lkh89lus8pzd83m2gkvsmyr9uql6n6c0xgwtq69eh0wxeaynxa3qfyzps4", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dDBSZUVKT1BkcUJzZ0VW\nTDU4M2l5V3lsTWd5WGpNdENnVHJuVjNNTjBNCm1BYVoreUJYOW1TLy9zSXlacmsr\nelhPWDF4ZU9hR0w3WEVBZVpZb1VoaUEKLS0tIGZSb21URHhldHFwZWlaMys2MXRk\ndzVURXZyL0dlSUJyUWI1TE05UHJ2N28KIeK/7LDQPwLs0wgeBn3M264lGDSbBmcF\nd4rYpcZIZ0RnYPNF3R76ZsFtMLszP2HT5BFvQudxetpEzbN2l6uMzA==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2024-10-02T11:33:15Z", 19 | "mac": "ENC[AES256_GCM,data:oChM3pGIJlBUwJXXgJ0MO4RcPnDPAVBYZtm6nQdkcihzvrkYlqC1nOp6QlMFtC5Zh9F8Cz3aTfz0P32qdSUQ2XxTsdJF6W2h913ODoOS/Yp7vLaV1OmE+UACU9c0XihhjvdiwsWIPy5c0qMpudVXQIt43z18Pez+JIlRzW4B1Ho=,iv:fyFpwYdjzdTrDK9E0yn12XQkFhaSBR0zoDJDi4Ouin8=,tag:NmP21JRwzcz9XDZA3DpkGQ==,type:str]", 20 | "pgp": null, 21 | 
"unencrypted_suffix": "_unencrypted", 22 | "version": "3.9.0" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /hosts/asiyah/trilium-memory-repository.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | name = "trilium-memory-repository"; 5 | tag = "0.62.6"; # Corresponds to original image tag. 6 | in { 7 | 8 | virtualisation.oci-containers.containers.memory-repository = { 9 | image = "${name}:${tag}"; 10 | pull = "newer"; 11 | imageFile = with pkgs.dockerTools; 12 | buildImage { 13 | inherit name tag; 14 | config.Cmd = [ "./start-memory-repository.sh" ]; 15 | config.WorkingDir = "/usr/src/app"; 16 | fromImage = pullImage { 17 | imageName = "zadam/trilium"; 18 | imageDigest = "sha256:cfc1e54c0cdc733e904eb2e3e49a248bc4b4c8a4ae393a0155d69acaa88d920f"; 19 | sha256 = "sha256-66tmPanpAZpddnm6tKDyl1dLBVHRU4m+Ghta+/7vNJw="; 20 | }; 21 | runAsRoot = '' 22 | #!${pkgs.runtimeShell} 23 | cd /usr/src/app 24 | cp ${(pkgs.writeScript "start-memory-repository" '' 25 | #!/bin/sh 26 | ./start-docker.sh 27 | '')} ./start-memory-repository.sh 28 | ''; 29 | }; 30 | ports = [ "127.0.0.1:${toString ports.trilium}:8080" ]; 31 | volumes = [ "/data/trilium:/home/node/trilium-data" ]; 32 | environment = { TZ = config.time.timeZone; }; 33 | extraOptions = [ 34 | "--ip" "10.88.0.4" 35 | ]; 36 | }; 37 | 38 | } -------------------------------------------------------------------------------- /hosts/asiyah/trmnl.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | 7 | virtualisation.oci-containers.containers.trmnl = { 8 | image = "ghcr.io/usetrmnl/byos_hanami:latest"; /* Floating tag plus pull = "newer": the image is upgraded on every pull with no digest pin, unlike the digest-pinned base image used for the trilium container. */ 9 | pull = "newer"; 10 | ports = [ "${toString ports.trmnl}:2300" ]; /* NOTE(review): no host address is given, so podman publishes this port on every interface, and allowedTCPPorts below opens it on every interface as well; the trilium container binds 127.0.0.1 and zigbee2mqtt scopes its firewall rule to gradientnet — do the same here unless LAN-wide exposure is intended. */ 11 | environment = { 12 | TZ = config.time.timeZone; 13 | API_URI = "http://192.168.1.48:${toString ports.trmnl}"; 14 | DATABASE_URL = "postgres://trmnl@host.containers.internal/trmnl"; /* Password-less connection to the host's PostgreSQL via the container gateway; presumably authorised by pg_hba rules for the container address (10.88.0.9 below) in postgres.nix — not visible here, confirm. */ 15 | }; 16 | extraOptions = [ 17 | "--ip" "10.88.0.9" 18 | ]; 19 | }; 20 | 21 | systemd.services.podman-trmnl = { 22 | after = [ "postgresql.service" ]; 23 | wants = [ "postgresql.service" ]; 24 | }; 25 | 26 | networking.firewall.allowedTCPPorts = [ 27 | ports.trmnl 28 | ]; 29 | 30 | } -------------------------------------------------------------------------------- /hosts/asiyah/vaultwarden.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | 7 | services.vaultwarden = { 8 | enable = true; 9 | dbBackend = "postgresql"; 10 | environmentFile = config.sops.secrets.vaultwarden-env.path; /* Secret settings belong in this sops-managed file: everything under `config` below is rendered into a world-readable Nix store file. */ 11 | config = { 12 | DOMAIN = "https://bitwarden.asiyah.gradient.moe"; 13 | SIGNUPS_ALLOWED = false; 14 | ROCKET_ADDRESS = "127.0.0.1"; /* Loopback only, so the service is reachable solely through a local reverse proxy. */ 15 | ROCKET_PORT = ports.vaultwarden; 16 | DATABASE_URL = "postgresql://vaultwarden@/vaultwarden"; 17 | }; 18 | }; 19 | 20 | } -------------------------------------------------------------------------------- /hosts/asiyah/victoriametrics.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | 7 | services.victoriametrics = { 8 | enable = true; 9 | listenAddress = ":${toString ports.victoriametrics}"; 10 | }; 11 | 12 | } -------------------------------------------------------------------------------- /hosts/asiyah/zigbee.nix: -------------------------------------------------------------------------------- 1 | { pkgs, config, lib, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | 7 | services.zigbee2mqtt = { 8 | enable = true; 9 | package = pkgs.zigbee2mqtt_2.overrideAttrs (prevAttrs: 10 | let 11 | pname = "zigbee2mqtt"; 12 | version = "693f0d0a35231b529261fe1652bb6e355d5854fe"; 13 | src = pkgs.fetchFromGitHub { 14 | owner = "Koenkk"; 15 | repo = pname; 16 | rev = version; 17 | hash = "sha256-iENB6+NEZDurS6zf/2lnJpPT9AKpXX6qqvewe21OEkU="; 18 | }; 19 | in { 20 | # TODO: Temporary, fixes a bug with my door/window sensors 21 | inherit src version; 22 | pnpmDeps = pkgs.pnpm_9.fetchDeps { 23 | inherit pname version src; 24 | hash = "sha256-SmCcubqmYta3GBF1EaAHQlH/rVLjVqbNDb/FQFMgp0M="; 25 | }; 26 | }); 27 | settings = { 28 | homeassistant = config.services.home-assistant.enable; 29 | mqtt = { 30 | server = "mqtt://127.0.0.1:${toString ports.mqtt}"; 31 | include_device_information = true; 32 | version = 5; 33 | }; 34 | serial = { 35 | port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20231121193348-if00"; 36 | baudrate = 115200; 37 | adapter = "ember"; 38 | }; 39 | availability = true; 40 | frontend = { 41 | port = ports.zigbee2mqtt; 42 | }; 43 | advanced = { 44 | cache_state = true; 45 | last_seen = "ISO_8601"; 46 | elapsed = true; 47 | log_directories_to_keep = 10; 48 | log_level = "info"; 49 | log_namespaced_levels = { "z2m:mqtt" = "warning"; }; 50 | homeassistant_legacy_entity_attributes = false; 51 | homeassistant_legacy_triggers = false; 52 | legacy_api = false; 53 | legacy_availability_payload = false; 54 | }; 55 | device_options 
= { 56 | legacy = false; 57 | }; 58 | }; 59 | }; 60 | 61 | systemd.services.zigbee2mqtt.serviceConfig = { 62 | Restart = lib.mkForce "always"; # Sometimes fails with successful exit code 63 | RestartSec = 10; 64 | }; 65 | 66 | networking.firewall.interfaces.gradientnet.allowedTCPPorts = [ ports.zigbee2mqtt ]; 67 | networking.firewall.interfaces.gradientnet.allowedUDPPorts = [ ports.zigbee2mqtt ]; 68 | 69 | } -------------------------------------------------------------------------------- /hosts/atziluth/inventory-entry.nix: -------------------------------------------------------------------------------- 1 | addr: 2 | { 3 | ansible_host = addr.gradientnet.atziluth; 4 | } -------------------------------------------------------------------------------- /hosts/atziluth/playbook.nix: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | name = "Atziluth play"; 4 | hosts = [ "atziluth" ]; 5 | tasks = [ 6 | 7 | ]; 8 | } 9 | ] -------------------------------------------------------------------------------- /hosts/beatrice/backups.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | 4 | services.restic.backups.hokma = { 5 | paths = [ 6 | "/home/vera" 7 | "/var/lib/moonraker" 8 | ]; 9 | }; 10 | 11 | } -------------------------------------------------------------------------------- /hosts/beatrice/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | 5 | imports = [ 6 | ./backups.nix 7 | ./programs.nix 8 | ./filesystems.nix 9 | ./secrets/default.nix 10 | ./hardware-configuration.nix 11 | ]; 12 | 13 | networking.hostName = "beatrice"; 14 | 15 | gradient.profiles.graphics.enable = true; 16 | gradient.profiles.catppuccin.enable = true; 17 | 18 | gradient.presets.syncthing.enable = true; 19 | 20 | services.handheld-daemon.enable = true; 21 | services.handheld-daemon.user = "vera"; 22 | 23 | gradient.profiles.gaming.enable = true; 24 | gradient.profiles.gaming.emulation.enable = false; 25 | gradient.profiles.gaming.emulation.romPath = "/run/media/deck/mmcblk0p1/roms"; 26 | gradient.profiles.desktop.enable = true; 27 | 28 | # Use Jovian's steam deck UI autostart. 29 | services.displayManager.sddm.enable = lib.mkForce false; 30 | jovian.steam.autoStart = true; 31 | jovian.steam.user = "vera"; 32 | jovian.decky-loader.user = "vera"; 33 | jovian.steam.desktopSession = "plasma"; 34 | 35 | gradient.substituters = { 36 | asiyah = "ssh-ng://nix-ssh@asiyah.gradient?priority=40"; 37 | briah = "ssh-ng://nix-ssh@briah.gradient?priority=60"; 38 | bernkastel = "ssh-ng://nix-ssh@bernkastel.gradient?priority=40"; 39 | erika = "ssh-ng://nix-ssh@erika.gradient?priority=50"; 40 | neith-deck = "ssh-ng://nix-ssh@neith-deck.lily?priority=100"; 41 | }; 42 | 43 | } -------------------------------------------------------------------------------- /hosts/beatrice/filesystems.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | 3 | { 4 | 5 | # Bootloader. 
6 | boot.loader.systemd-boot.enable = true; 7 | boot.loader.grub.enable = false; 8 | boot.loader.efi.canTouchEfiVariables = true; 9 | boot.loader.efi.efiSysMountPoint = "/boot/efi"; 10 | 11 | # Setup keyfile. This embeds /crypto_keyfile.bin in the initrd; with systemd-boot the initrd lives on the vfat ESP mounted at /boot/efi below, so the keyfile is only as confidential as that unencrypted partition and mainly saves a second passphrase prompt rather than adding protection. 12 | boot.initrd.secrets = { 13 | "/crypto_keyfile.bin" = null; 14 | }; 15 | 16 | # Enable swap on luks: both containers are unlocked in the initrd; the second one uses the keyfile above instead of prompting for a second passphrase. 17 | boot.initrd.luks.devices."luks-3053e826-9bee-46c6-b7ca-86d8a34fc307".device = "/dev/disk/by-uuid/3053e826-9bee-46c6-b7ca-86d8a34fc307"; 18 | boot.initrd.luks.devices."luks-3053e826-9bee-46c6-b7ca-86d8a34fc307".bypassWorkqueues = true; 19 | boot.initrd.luks.devices."luks-4ddc036e-9ff2-44a8-ad72-080243230631".device = "/dev/disk/by-uuid/4ddc036e-9ff2-44a8-ad72-080243230631"; 20 | boot.initrd.luks.devices."luks-4ddc036e-9ff2-44a8-ad72-080243230631".bypassWorkqueues = true; 21 | boot.initrd.luks.devices."luks-4ddc036e-9ff2-44a8-ad72-080243230631".keyFile = "/crypto_keyfile.bin"; 22 | 23 | fileSystems."/" = 24 | { device = "/dev/disk/by-uuid/ed52dbed-453d-4eb5-bc09-0cce0113f8a5"; 25 | fsType = "ext4"; 26 | mountPoint = "/"; 27 | }; 28 | 29 | 30 | fileSystems."/boot/efi" = 31 | { device = "/dev/disk/by-uuid/8F40-DE56"; 32 | fsType = "vfat"; 33 | mountPoint = "/boot/efi"; 34 | }; 35 | 36 | swapDevices = 37 | [ { device = "/dev/disk/by-uuid/7e7e4425-bdcf-437c-b7f0-a6849429bb36"; } 38 | ]; 39 | 40 | } -------------------------------------------------------------------------------- /hosts/beatrice/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { modulesPath, pkgs, lib, ... 
}: 2 | 3 | { 4 | 5 | imports = [ 6 | (modulesPath + "/installer/scan/not-detected.nix") 7 | ]; 8 | 9 | boot.kernelPackages = lib.mkForce pkgs.linuxPackages_xanmod_latest; 10 | boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci" "amdgpu" "xhci_hcd" "hid_generic" "atkbd" "hid-multitouch" "evdev" ]; 11 | boot.initrd.kernelModules = [ ]; 12 | boot.kernelModules = [ "kvm-amd" ]; 13 | boot.extraModulePackages = [ ]; 14 | 15 | boot.plymouth.enable = lib.mkForce false; 16 | boot.initrd.unl0kr.enable = true; 17 | hardware.amdgpu.initrd.enable = false; 18 | 19 | nixpkgs.hostPlatform = "x86_64-linux"; 20 | 21 | } -------------------------------------------------------------------------------- /hosts/beatrice/misc/service-ports.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | } -------------------------------------------------------------------------------- /hosts/beatrice/programs.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | environment.systemPackages = with pkgs; [ 5 | unstable.wlr-randr 6 | ]; 7 | 8 | services.flatpak.packages = [ 9 | # "flathub:app/com.moonlight_stream.Moonlight/x86_64/stable" 10 | ]; 11 | 12 | } -------------------------------------------------------------------------------- /hosts/beatrice/secrets/default.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | 3 | { 4 | 5 | sops = { 6 | age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 7 | defaultSopsFile = ./secrets.yml; 8 | 9 | secrets = { 10 | 11 | wireguard-private-key = { restartUnits = [ "wireguard-*" ]; }; 12 | 13 | nix-private-key = { }; 14 | 15 | syncthing-cert = { 16 | format = "binary"; 17 | sopsFile = ./syncthing-cert.pem; 18 | restartUnits = [ "syncthing.service" ]; 19 | }; 20 | 21 | syncthing-key = { 22 | format = "binary"; 23 | sopsFile = ./syncthing-key.pem; 24 | restartUnits = [ "syncthing.service" ]; 25 | }; 26 | 27 | moonraker = { 28 | owner = config.services.moonraker.user; 29 | group = config.services.moonraker.group; 30 | path = "${config.services.moonraker.stateDir}/moonraker.secrets"; 31 | restartUnits = [ "moonraker.service" ]; 32 | }; 33 | 34 | }; 35 | }; 36 | 37 | } -------------------------------------------------------------------------------- /hosts/beatrice/secrets/secrets.yml: -------------------------------------------------------------------------------- 1 | wireguard-private-key: ENC[AES256_GCM,data:wW9BSesYJdQpedlNt5j/R067y2ZTkBEQ9JH+ttTlfotkGMrKqD5WqH7ZErI=,iv:+09tNwTHY4jSoCuTtEunpZM8+/IHbSoBwx/FYqGucNQ=,tag:W7ZqmyC0pGKJ+2g+TXkdyw==,type:str] 2 | nix-private-key: ENC[AES256_GCM,data:noOqmCjSre3ueCDMzQnwP1vWHXXOM45cgK9rtwYvZ8oE4d9/ulb34LK1bhFsXdBo70tJEz1Lep+ixrFJ7tl39OUZevFX2h1gACMHqCruEEiAPj9hSkgydD/RA6hLFR7gXB4=,iv:kNYsAVBqRnYm+kT7R7lClPwn4U1K2A4HzUVfuJ/IPeY=,tag:CP4MDi8cFVWil3cLefNmzg==,type:str] 3 | moonraker: ENC[AES256_GCM,data:qUEl0x6TA+W4mUFPe9JuhBQAsHcitXDT3p/agXBh6BJ/TdsgZtjU6binOglfblipEpYzePM0vjNdDGZI7RaxsWBruybJW9R5dnO0B8kTslc=,iv:hO5k32KNt02FdkW8IbO0tuRSpUvCR/JkrB74qJqy4WA=,tag:woZin/iAcM/eadTIAROSUg==,type:str] 4 | sops: 5 | kms: [] 6 | gcp_kms: [] 7 | azure_kv: [] 8 | hc_vault: [] 9 | age: 10 | - recipient: age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j 11 | enc: | 12 | -----BEGIN AGE ENCRYPTED FILE----- 13 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYa3phQXNVRnFsZ3hrMW1B 14 | 
eTVBWXF4SVFYUEpVTXhsZmxRZ3AyZStqYUdJCmJORWszM2hUUlN1ZGFIRGxzS21L 15 | R2p0UlpaL25OdHlRNnVSZ0RNbjhzSVUKLS0tIDFJdGtWSGEycy9TRXNYL09pSGVr 16 | QTBydndNRGdab2diaXlXWlY4RDhtbEUKS6m4d37kkNMizdY4oPk6b3LRvs5iRhxT 17 | ZlluBael7F3JlLksude3t4ZAnlLmdbWDSyp087012skNcCUkq+JFaQ== 18 | -----END AGE ENCRYPTED FILE----- 19 | - recipient: age1kvsa0ka66tzx3qdq6cacehyyfg80ecq6jfgqxgf8098mdah4earspnft40 20 | enc: | 21 | -----BEGIN AGE ENCRYPTED FILE----- 22 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcVNRb1ZWcUtwNUhkVldp 23 | bSs3RENjS0k0ZXVkb2hzNjVrMDFJWmlNZldrClJFck5pQW5nVVRWZG1GV2xqKzlF 24 | NDNyK3NabFE4bGN3ZXNSblVJNFhGZVEKLS0tIENUSUYxUjZvaExXNzVQVzVxR1E2 25 | YnZlRHY4NUJzWVFySVRMR2wvbnpTZU0KthbSvf9MRYAOChR75dNjLdHUdkVqON5A 26 | ChOtcvlmbOZ/pWSD4i4yU0/XKQXTiwcG8aloRdDNqT9WUM9seH/pvw== 27 | -----END AGE ENCRYPTED FILE----- 28 | lastmodified: "2024-05-17T12:18:26Z" 29 | mac: ENC[AES256_GCM,data:BgvR7oUneEWRbzaQ/cbI9aqFoSjbAq7Utd8dcuA98SvIRumMuYZOZ3QPpmKTuGUaUm2bY4co3hE3R0mRwXMGh3rUZunm05ATTSB1TBBD3QNWjPXapvkfYMB2Ns1KaqBbUXdWk3INQmEOsMLIeRZAAE70baIBM6GwTojpBsUe0vc=,iv:jgcHCEdmYzohKb75d31fHdV1tmkCeuA+3cTqJar7zQU=,tag:dbS6MYqnuJ3DCMwlEOpOdA==,type:str] 30 | pgp: [] 31 | unencrypted_suffix: _unencrypted 32 | version: 3.8.1 33 | -------------------------------------------------------------------------------- /hosts/beatrice/secrets/syncthing-key.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:6uwkeIa0kpFyM8qFUpV3r6vyGh9uYbQC44tBjN5lwGJ/rDZ+XvJVOsHYZJfnpzCJbHvfUoKvTfqaiTkaoGS/HEQZ5t6BzypyxsiUE7iO8LcugKVG6zDA2hVOowyRn6mZoPzRjIikswssQR3FkTVkNZFQgGXKUdJzrMpOhVZ/pcN05G5yaELqpckJ8ZE2uaIX/3/jNBF7cZLAQVjoprdcNmSHXgrPQbZ6MC1TzO7GrSPCgcSxheT3T+Sb2Zj6zp3h4lPU3JEJPdqAVUdeeQvWMCDJaaCCHs7MjJPi+ILQM5gcojcUg/TIjV7NpEIR5oBXcf0FgHXXDeXxI4osQtUhZ+4SZo2oZNdSrW94v97XqYLpcLY6HAVXcdRJ1kbMdcb/,iv:dg8vK6s55vWvl+Vme8hbLHRalO8N7Q2rvKu3p0FZJOQ=,tag:I1iMi7w4/CHJvaxM1XTUNA==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | 
"azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxL3NWLzViVkt0MVU3Smdz\neStOSmtiWlBHSlJ2UHhNRlRaTG5XZnhodndvCjduUkZObU9vS2tOVHlZMFJXN245\nSW9Yb3Z2SWNqWVJvNVVUSjIvQ2lrNXcKLS0tIEE1Wk01dEJnbUQ5ZHNvUG5LQ3Fj\nVmplVUdCbS90Z0NjbVBzWFlCMzRlZzgKe0a7qtR3/8wgNlqz6w4L/+75nXE6k0M5\n3GUjpFl4L83K560JhJUUsUS2+s4vqNk9qLiWS66nrPdeh7riDD83EQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1kvsa0ka66tzx3qdq6cacehyyfg80ecq6jfgqxgf8098mdah4earspnft40", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWm1CZmE1V2hxcjR1K2Vi\nbDlSdEltU1VaOFNHQ3djS2k2R1lEUkFrdFJBCldRK3BESE43aVJOUVBkVjhrVnZH\nTDF6SzZFbnlnWHR5RitUMDFpR2lCTk0KLS0tIGlxSElyNlBtN1NYd1BIQ25xdDhW\nZHp6M2N4ZUE4d1dDY08wdWd6LzZ6M0UKioD/X4enMXUaasvuUWSqp6o7qr94XKQT\n2XyHuP7a551icpthGKG3nUPbe71o0rtDB1mLpr9/sXM7pRQLwoW/Aw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2023-04-22T10:09:20Z", 19 | "mac": "ENC[AES256_GCM,data:yVrYf0jzboUkzN0/IJKyqJCyQU9RYDRbEAO9+OaiKpUHdRCVtb4yJo1KNVWXwmTXd8JGouun7QmbvoDfaRSHu4kIcAVldqYrO0OgybeYmFOVVMJ8HiImpoBtMu7u1VoA+fKEY03vzLVbKswtX0Ay0A4DDsr/AJUFdUf7/J425cA=,iv:04TgYYJwjgColUJHaL2t9DcGW+8eE3YXd5S9JQvIvOg=,tag:p65V4gijoxXGAjO7S2h0CA==,type:str]", 20 | "pgp": null, 21 | "unencrypted_suffix": "_unencrypted", 22 | "version": "3.7.3" 23 | } 24 | } -------------------------------------------------------------------------------- /hosts/bernkastel/backups.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | { 3 | 4 | services.restic.backups.hokma = { 5 | paths = [ 6 | "/home/vera" 7 | ]; 8 | }; 9 | 10 | } -------------------------------------------------------------------------------- /hosts/bernkastel/default.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | in 5 | { 6 | 7 | imports = [ 8 | ./backups.nix 9 | ./programs.nix 10 | ./filesystems.nix 11 | ./secrets/default.nix 12 | # ./libvirtd/default.nix 13 | ./hardware-configuration.nix 14 | ]; 15 | 16 | networking.hostName = "bernkastel"; 17 | 18 | gradient.profiles.gaming.enable = true; 19 | gradient.profiles.gaming.emulation.romPath = "/data/roms"; 20 | gradient.profiles.desktop.enable = true; 21 | gradient.profiles.development.enable = true; 22 | gradient.profiles.catppuccin.enable = true; 23 | 24 | gradient.profiles.gaming.vr = { 25 | enable = true; 26 | patchAmdgpu = true; 27 | wivrn.enable = true; 28 | wivrn.default = true; 29 | monado.enable = true; 30 | monado.default = false; 31 | }; 32 | 33 | gradient.profiles.audio.um2.enable = true; 34 | 35 | gradient.presets.syncthing.enable = true; 36 | 37 | # Enable automatic login for the user. 38 | services.displayManager.autoLogin.enable = true; 39 | services.displayManager.autoLogin.user = "vera"; 40 | services.displayManager.defaultSession = "plasma"; 41 | 42 | services.hardware.openrgb = { 43 | enable = true; 44 | motherboard = "amd"; 45 | package = pkgs.openrgb-with-all-plugins; 46 | server.port = ports.openrgb; 47 | }; 48 | 49 | networking.firewall.interfaces.gradientnet.allowedTCPPorts = [ ports.openrgb ]; 50 | networking.firewall.interfaces.gradientnet.allowedUDPPorts = [ ports.openrgb ]; 51 | 52 | # Overclocking/underclocking AMD GPU support 53 | programs.corectrl = { 54 | enable = true; 55 | gpuOverclock.enable = true; 56 | }; 57 | 58 | # WOL support. 
59 | networking.interfaces.enp16s0.wakeOnLan.enable = true; 60 | 61 | gradient.substituters = { 62 | asiyah = "ssh-ng://nix-ssh@asiyah.gradient?priority=40"; 63 | briah = "ssh-ng://nix-ssh@briah.gradient?priority=60"; 64 | beatrice = "ssh-ng://nix-ssh@beatrice.gradient?priority=45"; 65 | erika = "ssh-ng://nix-ssh@erika.gradient?priority=50"; 66 | neith-deck = "ssh-ng://nix-ssh@neith-deck.lily?priority=100"; 67 | }; 68 | 69 | # Share QL-600 printer! 70 | services.printing = { 71 | openFirewall = false; 72 | defaultShared = true; 73 | browsing = true; 74 | }; 75 | 76 | } 77 | -------------------------------------------------------------------------------- /hosts/bernkastel/filesystems.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | 3 | { 4 | # Bootloader. 5 | boot.loader.systemd-boot.enable = true; 6 | boot.loader.grub.enable = false; 7 | boot.loader.efi.canTouchEfiVariables = true; 8 | boot.loader.efi.efiSysMountPoint = "/boot/efi"; 9 | 10 | # Setup keyfile. NOTE(review): this copies /crypto_keyfile.bin into the initrd on the vfat ESP mounted at /boot/efi below, yet neither LUKS device in this file sets keyFile (both are unlocked by passphrase), so the embedded keyfile looks unused here and could be dropped. 11 | boot.initrd.secrets = { 12 | "/crypto_keyfile.bin" = null; 13 | }; 14 | 15 | # Enable swap on luks 16 | boot.initrd.luks.devices."luks-723a41e3-725d-43ea-98f9-6e3be7908365" = { 17 | device = "/dev/disk/by-uuid/723a41e3-725d-43ea-98f9-6e3be7908365"; 18 | bypassWorkqueues = true; 19 | }; 20 | 21 | boot.initrd.luks.devices."luks-1338fa28-7856-4a33-9e7a-0b0f08d7ee22" = { 22 | device = "/dev/disk/by-uuid/1338fa28-7856-4a33-9e7a-0b0f08d7ee22"; 23 | bypassWorkqueues = true; 24 | }; 25 | 26 | fileSystems = { 27 | "/" = { 28 | device = "/dev/disk/by-uuid/45ba04fd-6c41-4a69-a613-cc4e0f6bf75a"; 29 | fsType = "ext4"; 30 | mountPoint = "/"; 31 | }; 32 | 33 | "/boot/efi" = { 34 | device = "/dev/disk/by-uuid/1073-6EE4"; 35 | fsType = "vfat"; 36 | mountPoint = "/boot/efi"; 37 | }; 38 | 39 | "/data" = { 40 | device = "/dev/disk/by-uuid/4bb789a6-064e-4d7e-80ea-5dd2093a04e2"; 41 | fsType = "ext4"; 42 | options = [ "rw" "noatime" "comment=x-gvfs-show" "nofail" ]; 43 | 
mountPoint = "/data"; 44 | }; 45 | 46 | "/data2" = { 47 | device = "/dev/disk/by-uuid/47e81cce-06cd-46e9-9717-224616fb4147"; 48 | fsType = "ext4"; 49 | options = [ "rw" "noatime" "comment=x-gvfs-show" "nofail" ]; 50 | mountPoint = "/data2"; 51 | }; 52 | 53 | "/home/vera/tmp" = { 54 | device = "tmpfs"; 55 | fsType = "tmpfs"; 56 | options = [ "rw" "nodev" "nosuid" "comment=x-gvfs-show" ]; 57 | mountPoint = "/home/vera/tmp"; 58 | }; 59 | }; 60 | 61 | swapDevices = [ 62 | { device = "/dev/disk/by-uuid/02626a2a-ecb6-455d-a258-e03a1bb896d4"; } 63 | ]; 64 | 65 | } -------------------------------------------------------------------------------- /hosts/bernkastel/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, modulesPath, ... }: 2 | 3 | { 4 | 5 | imports = [ 6 | (modulesPath + "/installer/scan/not-detected.nix") 7 | ]; 8 | 9 | boot.kernelPackages = pkgs.linuxPackages_zen; 10 | boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "amdgpu" "xhci_hcd" ]; 11 | boot.initrd.kernelModules = [ "amdgpu" ]; 12 | boot.kernelModules = [ "amdgpu-i2c" "kvm-amd" "i2c-dev" "i2c-piix4" "it87" ]; 13 | boot.kernelParams = [ 14 | # iommu stuff 15 | "amd_iommu=on" 16 | "iommu=pt" 17 | "iommu=1" 18 | "video=efifb:off" 19 | 20 | # needed for controlling RGB LEDs on RAM sticks 21 | "acpi_enforce_resources=lax" 22 | 23 | # enable amdgpu overclocking, see https://wiki.archlinux.org/title/AMDGPU#Boot_parameter 24 | "amdgpu.ppfeaturemask=0xfff7ffff" 25 | ]; 26 | boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-i2c ]; 27 | boot.extraModprobeConfig = '' 28 | options it87 ignore_resource_conflict=1 force_id=0x8622 29 | ''; 30 | 31 | nixpkgs.hostPlatform = "x86_64-linux"; 32 | 33 | } 34 | 35 | -------------------------------------------------------------------------------- /hosts/bernkastel/libvirtd/default.nix: 
-------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | let 3 | win10-hooks = pkgs.writeShellApplication { 4 | name = "win10-hooks"; 5 | runtimeInputs = with pkgs; [ libvirt kmod gawk lsof ]; 6 | text = builtins.readFile ./win10-hooks.sh; 7 | checkPhase = ""; /* An empty checkPhase skips the shellcheck pass that writeShellApplication runs by default, so the hook script is not linted at build time. */ 8 | }; 9 | in { 10 | 11 | virtualisation.libvirtd = { 12 | enable = true; 13 | onBoot = "ignore"; 14 | onShutdown = "shutdown"; 15 | qemu = { 16 | runAsRoot = true; /* NOTE(review): guest QEMU processes run as root instead of libvirt's unprivileged qemu user, presumably for the GPU passthrough below — confirm it is still required, since it removes the usual privilege separation around the guest. */ 17 | ovmf.enable = true; 18 | }; 19 | hooks.qemu = { /* Installed as libvirt's qemu hook; the script itself acts only for the guest named win10 (see win10-hooks.sh). */ 20 | "win10-hooks.sh" = "${win10-hooks}/bin/win10-hooks"; 21 | }; 22 | }; 23 | 24 | boot.extraModprobeConfig = '' 25 | options vfio-pci ids=1002:73bf,1002:ab28,1002:73a6,1002:73a4 26 | ''; 27 | 28 | systemd.tmpfiles.settings."10-libvirtd" = { 29 | 30 | "/var/lib/libvirt/vbios.rom".C = { 31 | argument = "${./vbios.rom}"; 32 | repoPath = "/etc/nixos/hosts/bernkastel/libvirtd/vbios.rom"; 33 | doCheck = true; 34 | group = "libvirtd"; 35 | mode = "0664"; 36 | }; 37 | 38 | "/var/lib/libvirt/qemu/win10.xml".C = { 39 | argument = "${./win10.xml}"; 40 | repoPath = "/etc/nixos/hosts/bernkastel/libvirtd/win10.xml"; 41 | doCheck = true; 42 | group = "libvirtd"; 43 | mode = "0666"; /* NOTE(review): 0666 makes this domain definition world-writable, so any local account can change the VM's devices and disk paths; 0664 with group libvirtd, as used for vbios.rom above, is the least-privilege choice. */ 44 | }; 45 | 46 | "/var/lib/libvirt/qemu/win10-no-passthrough.xml".C = { 47 | argument = "${./win10-no-passthrough.xml}"; 48 | repoPath = "/etc/nixos/hosts/bernkastel/libvirtd/win10-no-passthrough.xml"; 49 | doCheck = true; 50 | group = "libvirtd"; 51 | mode = "0666"; /* NOTE(review): same as win10.xml above — 0664 is sufficient. */ 52 | }; 53 | 54 | }; 55 | } -------------------------------------------------------------------------------- /hosts/bernkastel/libvirtd/vbios.rom: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradientvera/GradientOS/8b258e08d7cfea1119268ea8240bc4df7b544957/hosts/bernkastel/libvirtd/vbios.rom -------------------------------------------------------------------------------- /hosts/bernkastel/libvirtd/win10-hooks.sh: 
-------------------------------------------------------------------------------- 1 | # Reset flags set by writeShellApplication (errexit, nounset, pipefail); from here on a failing command does not abort the hook, so every step below runs regardless of whether the previous one succeeded. 2 | set +o errexit 3 | set +o nounset 4 | set +o pipefail 5 | 6 | GUEST_NAME="$1" 7 | HOOK_NAME="$2" 8 | STATE_NAME="$3" 9 | 10 | if [ "$GUEST_NAME" != "win10" ]; then 11 | exit 0 12 | fi 13 | 14 | if [ "$HOOK_NAME" == "prepare" ] && [ "$STATE_NAME" == "begin" ]; then 15 | # Unbind VTconsoles 16 | echo 0 > /sys/class/vtconsole/vtcon0/bind 17 | echo 0 > /sys/class/vtconsole/vtcon1/bind 18 | 19 | # Unbind EFI Framebuffer 20 | echo efi-framebuffer.0 > /sys/bus/platform/drivers/efi-framebuffer/unbind 21 | 22 | # Stop plasma wayland 23 | systemctl --user --machine=vera@ stop plasma-\* 24 | systemctl stop display-manager.service 25 | 26 | sleep 5 27 | 28 | # Start default network 29 | virsh net-start default 30 | 31 | # Kill anything still using the GPU. NOTE(review): the command substitution is double-quoted, so when lsof reports more than one PID they reach kill as a single newline-joined argument and nothing is killed (the script carries on because errexit is off); unquote the substitution or loop over the PIDs so each is passed separately. Also note that `grep amdgpu` matches any lsof line containing that text, not only processes holding the GPU device open. 32 | kill -9 "$(lsof | grep amdgpu | awk '$2 != "PID" { print $2 }')" 33 | 34 | # Unload AMDGPU kernel module 35 | modprobe -r -a -f drm_kms_helper amdgpu drm 36 | 37 | # Detach GPU from host 38 | virsh nodedev-detach pci_0000_28_00_0 39 | virsh nodedev-detach pci_0000_28_00_1 40 | virsh nodedev-detach pci_0000_28_00_2 41 | virsh nodedev-detach pci_0000_28_00_3 42 | 43 | sleep 10 44 | 45 | # Load VFIO kernel modules 46 | modprobe -a -f vfio vfio_pci vfio_iommu_type1 47 | exit 0 48 | elif [ "$HOOK_NAME" == "release" ] && [ "$STATE_NAME" == "end" ]; then 49 | # Stop default network 50 | virsh net-destroy default 51 | 52 | # Unload VFIO kernel modules 53 | modprobe -r -a -f vfio vfio_pci vfio_iommu_type1 54 | 55 | # Reattach GPU to host 56 | virsh nodedev-reattach pci_0000_28_00_0 57 | virsh nodedev-reattach pci_0000_28_00_1 58 | virsh nodedev-reattach pci_0000_28_00_2 59 | virsh nodedev-reattach pci_0000_28_00_3 60 | 61 | sleep 5 62 | 63 | # Load AMDGPU kernel module 64 | modprobe -a -f drm amdgpu drm_kms_helper 65 | 66 | sleep 5 67 | 68 | # Bind EFI Framebuffer 69 | echo efi-framebuffer.0 > 
/sys/bus/platform/drivers/efi-framebuffer/bind 70 | 71 | # Bind VTconsoles 72 | echo 1 > /sys/class/vtconsole/vtcon0/bind 73 | echo 1 > /sys/class/vtconsole/vtcon1/bind 74 | 75 | # Start plasma wayland 76 | systemctl --user --machine=vera@ restart plasma-\* 77 | systemctl restart display-manager.service 78 | fi -------------------------------------------------------------------------------- /hosts/bernkastel/misc/service-ports.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | openrgb = 6742; 4 | 5 | } -------------------------------------------------------------------------------- /hosts/bernkastel/programs.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | environment.systemPackages = with pkgs; [ 5 | gradient-generator 6 | losslesscut-bin 7 | prusa-slicer 8 | orca-slicer 9 | openscad 10 | freecad 11 | ]; 12 | 13 | services.flatpak.packages = [ 14 | # "flathub:app/com.moonlight_stream.Moonlight/x86_64/stable" 15 | ]; 16 | 17 | } -------------------------------------------------------------------------------- /hosts/bernkastel/secrets/default.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | 3 | { 4 | 5 | sops = { 6 | age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 7 | defaultSopsFile = ./secrets.yml; 8 | 9 | secrets = { 10 | 11 | wireguard-private-key = { restartUnits = [ "wireguard-*" ]; }; 12 | 13 | nix-private-key = { }; 14 | 15 | syncthing-cert = { 16 | format = "binary"; 17 | sopsFile = ./syncthing-cert.pem; 18 | restartUnits = [ "syncthing.service" ]; 19 | }; 20 | 21 | syncthing-key = { 22 | format = "binary"; 23 | sopsFile = ./syncthing-key.pem; 24 | restartUnits = [ "syncthing.service" ]; 25 | }; 26 | 27 | }; 28 | }; 29 | 30 | } -------------------------------------------------------------------------------- /hosts/bernkastel/secrets/secrets.yml: -------------------------------------------------------------------------------- 1 | wireguard-private-key: ENC[AES256_GCM,data:ycK5ti9b/IpfFqgLSEdZUkw2tY4pdQmukgADllU/ESl3VXmojb9D3wtF2ak=,iv:gHEHbCdkV55R6oxB0TNKbwYf5TapeL/+xtJuhaImqX8=,tag:6RmHULiFdIom7SqoBIyqiw==,type:str] 2 | nix-private-key: ENC[AES256_GCM,data:onchVN4j5A0mzIz6oGMzoYMYiOk86bb9j/pZahhbE3WDcbMumW2W8rF6Dk/+GeeUCoL/aTN6q8tjA6PJOmLyaSVg1z697I2XbkR1tHXyCsI/JiKJHRP1riBmw7PCD2Z7hYKRn3JdLms=,iv:aFRCwXfUVBEpHbsGYDjMcAZOQENv/y7SUj+ErJ2r2XM=,tag:hgPJAodjNKuUYYfJzwnWIA==,type:str] 3 | sops: 4 | kms: [] 5 | gcp_kms: [] 6 | azure_kv: [] 7 | hc_vault: [] 8 | age: 9 | - recipient: age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j 10 | enc: | 11 | -----BEGIN AGE ENCRYPTED FILE----- 12 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQnE1dDV1RVpQdDdkdU5j 13 | SHZkTzh5d0JQN1dDa2dLakxqZnd0M0Q3K1hBCjJ4TGlSalMxeVg5YmxRZExicWJL 14 | Z0h1MmRHcDlvU2cxUWZ2THJlN2FYQnMKLS0tIDVRd3lDdjZUc2lrZlN2bkR5b0xB 15 | cVNpRVhwVnhmWjlVdjQ2N1dqT050YkkK5PtaWKwbD7l/4RvCqijgwDAt2LJVZS++ 16 | oeVG64OZCidd+XDEeixwyshEG2J5TisAPIMHP994UZwTSU3nDGwd+w== 17 | -----END AGE ENCRYPTED FILE----- 18 | - recipient: age1hl9999dlv29qejtac0sdw7nnm9d06uh4nzmgc029ndg40vllavyq5u0pqu 19 | enc: | 20 | -----BEGIN AGE ENCRYPTED FILE----- 21 | 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMGNXNGVkNmcxdGc3MTVx 22 | dWhJdE1tN1FxM1FrdUpsTWJES3QzOWxDS3d3CklnT3h3OXphUlNHSjZQVW82dVR2 23 | U3BYVEhuMjhzRlZ5em5PcjdKY1U3VjAKLS0tIDROMStzeEJDQTJ0R21lZmlOSUcr 24 | YU12TEx3VEFnYnFFSHZVRHNxNGVyYjQKmha9joLJDbycv2kGWRunaWebAmIhcw8j 25 | 1DdFZtq/b48a0G9u7rH7dmm/5UHDzZxxBMuLz2at7t5STUtPqHiTTQ== 26 | -----END AGE ENCRYPTED FILE----- 27 | lastmodified: "2023-08-08T16:36:02Z" 28 | mac: ENC[AES256_GCM,data:uZnapdZM/A2HzCIC0fEbdSt8hyNLc6K5uw2wrIjOww2abJfFj7RjhtueyJ959bAPr0Je0+0yEvNnGTs90Z+Vo2OOOXcEndkEb4ENSNQEhY3T+J9YF4BSPNYZJSd2LGnoDTAjTwZ1MiCFhOAuuViaMtoGwsv1l1Vs5hlR2YfM9Yc=,iv:CDVBMNjhrcu5zRWshJWOHCpy/89cOyltT+82wHDh0DA=,tag:ZJdRMFBAYUBxzjYXy0LKnA==,type:str] 29 | pgp: [] 30 | unencrypted_suffix: _unencrypted 31 | version: 3.7.3 32 | -------------------------------------------------------------------------------- /hosts/bernkastel/secrets/syncthing-cert.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data: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,iv:+23V/8vZNx79WYWnPj91D/nn3byNsYBcT0jBZYv/3PI=,tag:yW5DE8UrKKABJcri7KwHUw==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdmFURFhjOG03S3k5eDZl\nRkhvV2VCK2RMK2JaZlZlV2FkSFNxMVE4bkVzCmVQOEpTalo5d2JWKzFLNkdvZlJw\nVUh4eUZhNzhHTzM3dVNTM1RYMXlHd1EKLS0tIGJ3VkpLZkdHTDZXNW5LWGNjS0pZ\nQjNUYWJqQTltV0RVejFCamZTbzJPWVEK3YTdy/IvUWCbnZW5XO41176dsne8vL3u\nHteLFDyASM62SkfTQiyKxqQ5BLarVTHMS68MgSFktsHxdnJYeQensg==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1hl9999dlv29qejtac0sdw7nnm9d06uh4nzmgc029ndg40vllavyq5u0pqu", 15 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZUVGZnpENkxWY3l2UTJQ\nTkVIdnhzSlZXLzJwcWNWZm0wN25OVlMyR0dRCndZbG1pblU2bjQ1VVdLT1FpbFl5\nKzVlWkREZWhmVGVJL014SEFoT0MwaUUKLS0tIDd2OE42VThBNmZTSHgwcWRMZTNQ\nU2w2WDlrSjdXTzArYVg1THB0T01sU0EKGVMUwT95LfSER40fYXUxDlE7nl/y8YCr\ncvlOHBEkerhz/PREU3hUaYSgbeHN2Dtq44YEQNuVaF0ZNP4OZfc8Mw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2023-04-18T11:36:12Z", 19 | "mac": "ENC[AES256_GCM,data:AOHa3GnjldjeKpt4Ja7nQVsb/5Nln6CYc1bV2R8PXintCVe9SfPcF8+F5fJyMvOtT/prnYUf1g6AhNPFkTL1ZiOk+SVwEld/FVTxG8024/vpvAIE3IISbVL1bku0of4onvAUrO/UR6MQjhBGRlVvqqE5dE7/8Xjl4LmpWUk+tsY=,iv:ZBvgcCATwxDQfyxlhzhQTeGETBpiyQXhCdaAiQAWY88=,tag:BVAb1Ni2z+D2p9Roq3bfjw==,type:str]", 20 | "pgp": null, 21 | "unencrypted_suffix": "_unencrypted", 22 | "version": "3.7.3" 23 | } 24 | } -------------------------------------------------------------------------------- /hosts/bernkastel/secrets/syncthing-key.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:DDGrDtdj+LFoR0AWkVezBGr4nzhktxdseMU9vxpROI8b6Aw/vfBKJD6gDtz9lvNaERwzAq9H0+ixJh4EHmq6nkqSBhpKHNShFBPeodgV5lY1oN/B17j5b4M7aJP3GpRWCb7b++hHj+FYlqANztdaRUImXeS3z2kR6T8j9g95Hg6F6nIAG293rlZlDk3RIBAvlsXZ+Zrt3YOsIM8iRtfUZcVeWUqm0GfjmhCxbtggSeo0Y0vwhtnOZNhRZYxPWPgBFUo3udjP3eAJg6uYUKk0kGZz7815B8O5DeL8ABEHcR/qb2cO5oIwjx8fc7eCtOxdMvdGKCXTGt+w9mHv6388N/nd6Awks0yKwqEDqereql8jQGxJNQkvKuG9I5ezWXKS,iv:4CUpS8uV0tyef0ciYqDrOdVYlfr0SAliIlJdI8DnVeg=,tag:BMcV6t2IGUd3g6tSiq2nYA==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQUp2UW5hOUNPdUlZbGFP\nZ0FvRjJsSVRFdUJjOTUxdVhlUUdaa3dJYTNvCmxCYnh0elhxb0dFU0MzZk9OeDJS\nOXN6NU1VZFlhQ3d6VjBaVlNscU1FT2MKLS0tIGxKVXU0T3g1TlNmYkxpMmNtb05E\nQ2ZGWVJyUGdKc0RYV1A1TGxZdUpGL0kKZijM+igUIEMJnPXRp6oUDDaoyc3GxjlB\nZpKpGaA4+TFNdmvDjA7VCAXcZTL83nBa8s0ldYpnV3tPNmHc02EDTQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1hl9999dlv29qejtac0sdw7nnm9d06uh4nzmgc029ndg40vllavyq5u0pqu", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZMXBLdkhualRYN3JGaDRm\nMTlhUkRvZEZhYVVVZVJXbXJreXc0YWtGOUhRCmdaMi9DaVpEcFBSYXJaQndUWDd4\nWWJIc01XYytybDhwNngxZWo0Y1IzL1UKLS0tIDU1YVllL2U2clJKTlNVUW85eUZL\neUJXUnFTTHJaSnhtSlZldjR3bVJvR0UKjMdj9tZTi9veIPfuLzB7t10vJvhnBJ1v\nYurG9/S+67fPHIpYy8Wrghu08/owKd+FRYIQIKyG3CJjHYaTNkk4/Q==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2023-04-18T11:36:19Z", 19 | "mac": "ENC[AES256_GCM,data:JQoT+WerSD9tjBcGKnZmu9YsEBI6ZsiKDqprOlzlymw3woe58BtbZkksu/2wUKrYW6uK4KT25aGnEUiRcV9LfohQmn6MSkvyWVjXtqblbuu8LIuJgr6gLRUcQrFnoTrPV3MW6zzHsrJ+BAbqJsUWvNk1Ipm2CnEH0y2QQvAG8Xk=,iv:JdtOCqOdoDTnMEibkMDTsj4GhMDnoFrxMBPr5Q3ncis=,tag:/OT4bfrZMh9yXUJyoeHmKg==,type:str]", 20 | "pgp": null, 21 | "unencrypted_suffix": "_unencrypted", 22 | "version": "3.7.3" 23 | } 24 | } -------------------------------------------------------------------------------- /hosts/briah/backups.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | { 3 | 4 | services.restic.backups.hokma = { 5 | paths = [ 6 | "/home/vera" 7 | config.services.home-assistant.configDir 8 | config.services.zigbee2mqtt.dataDir 9 | ]; 10 | }; 11 | 12 | } -------------------------------------------------------------------------------- /hosts/briah/default.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | { 3 | 4 | imports = [ 5 | ./backups.nix 6 | ./hostapd.nix 7 | ./programs.nix 8 | ./postgresql.nix 9 | ./filesystems.nix 10 | # ./ss14-watchdog.nix 11 | # ./esphome/default.nix 12 | ./secrets/default.nix 13 | ./hardware-configuration.nix 14 | ]; 15 | 16 | # Workaround, cross-compiling doesn't work so use the one from nixpkgs for now 17 | nix.package = pkgs.lix; 18 | 19 | gradient.presets.syncthing.enable = true; 20 | gradient.profiles.catppuccin.enable = true; 21 | 22 | gradient.substituters = { 23 | asiyah = "ssh-ng://nix-ssh@asiyah.gradient?priority=40"; 24 | bernkastel = "ssh-ng://nix-ssh@bernkastel.gradient?priority=40"; 25 | beatrice = "ssh-ng://nix-ssh@beatrice.gradient?priority=45"; 26 | erika = "ssh-ng://nix-ssh@erika.gradient?priority=50"; 27 | neith-deck = "ssh-ng://nix-ssh@neith-deck.lily?priority=100"; 28 | }; 29 | 30 | } -------------------------------------------------------------------------------- /hosts/briah/filesystems.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | { 3 | boot.loader.systemd-boot.enable = true; 4 | boot.loader.efi.canTouchEfiVariables = true; 5 | 6 | boot.loader.grub.enable = lib.mkForce false; 7 | boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; 8 | 9 | fileSystems."/" = { 10 | device = "/dev/disk/by-uuid/cfe1a8e0-8741-4baf-91d2-7ce49380512d"; 11 | fsType = "ext4"; 12 | }; 13 | 14 | fileSystems."/boot" = { 15 | device = "/dev/disk/by-uuid/8B8D-12F9"; 16 | fsType = "vfat"; 17 | options = [ "fmask=0022" "dmask=0022" ]; 18 | }; 19 | 20 | swapDevices = [ 21 | { 22 | device = "/swapfile"; 23 | size = 16*1024; 24 | } 25 | ]; 26 | 27 | } -------------------------------------------------------------------------------- /hosts/briah/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, modulesPath, ... 
}:
{

  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  # Raspberry Pi 4 (aarch64). The initrd modules cover USB-attached storage
  # (uas/xhci_pci) plus the Pi 4 PCIe and reset drivers — presumably for booting
  # from USB; confirm against the actual boot medium.
  boot.initrd.availableKernelModules = [
    "uas"
    "xhci_pci"
    "pcie-brcmstb"
    "reset-raspberrypi"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  # Raspberry Pi vendor kernel instead of the mainline one.
  boot.kernelPackages = pkgs.linuxPackages_rpi4;

  # Fake-KMS 3D acceleration (nixos-hardware option); cma is the contiguous
  # memory reservation for the GPU (units as defined by that option, presumably MiB).
  hardware.raspberry-pi."4".fkms-3d = {
    enable = true;
    cma = 256;
  };

  networking.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

}
--------------------------------------------------------------------------------
/hosts/briah/hostapd.nix:
--------------------------------------------------------------------------------
# briah acts as a Wi-Fi access point (SSID "Maya") on wlan0, WPA3-SAE only.
{ config, ... }:
{

  # Needed for hostapd to work: NetworkManager must leave wlan0 alone so it does
  # not reconfigure the interface that hostapd owns.
  networking.networkmanager.unmanaged = [ "wlan0" ];

  services.hostapd = {
    enable = true;
    radios.wlan0 = {
      # 2.4 GHz channel; HT40/HT40- request 40 MHz channel bonding on it.
      channel = 8;
      wifi4.capabilities = [
        "HT40"
        "HT40-"
        "SHORT-GI-20"
        # Not supported: SHORT-GI-40
      ];
      networks.wlan0 = {
        ssid = "Maya";
        # SAE only — no WPA2/PSK transition mode, so pre-WPA3 clients cannot join.
        authentication.mode = "wpa3-sae";
        # The SAE password is the sops secret "hostapd-password"; its file mode is
        # set in secrets/default.nix (0444 there, i.e. world-readable — 0400
        # root-only is enough if the hostapd unit reads the file as root).
        authentication.saePasswordsFile = config.sops.secrets.hostapd-password.path;
        # Raw hostapd.conf keys: 802.11r fast BSS transition (FT) parameters.
        settings = {
          nas_identifier = "briah.gradient";
          mobility_domain = "e621"; # hehe funny — FT mobility domain ID, 4 hex digits
          pmk_r1_push = 1;
        };
      };
    };
  };

}
--------------------------------------------------------------------------------
/hosts/briah/misc/service-ports.nix:
--------------------------------------------------------------------------------
# Per-host port registry, presumably surfaced as config.gradient.currentHost.ports
# (that is how ss14-watchdog.nix reads it).
{

  ssh = 22;

  # ss14 — commented out together with ss14-watchdog.nix, which references both
  # attributes; restore them together or that module fails to evaluate.
  #robust-pong = 1313;
  #ss14-watchdog = 5000;

  # misc
  syncthing = 8384;
  syncthing-transfers = 22000;

}
--------------------------------------------------------------------------------
/hosts/briah/postgresql.nix:
--------------------------------------------------------------------------------
# briah: local PostgreSQL with a database and owning role for Home Assistant.
{ ... }:
{

  services.postgresql = {
    enable = true;
    ensureDatabases = [
      "hass"
    ];
    ensureUsers = [
      {
        name = "hass";
        # Role "hass" owns the database of the same name. No password is set here,
        # so how the role authenticates depends on the host's pg_hba settings,
        # which are not part of this file.
        ensureDBOwnership = true;
      }
    ];
  };

}
--------------------------------------------------------------------------------
/hosts/briah/programs.nix:
--------------------------------------------------------------------------------
{ pkgs, ... }:
{

  environment.systemPackages = with pkgs; [
    v4l-utils # Video4Linux tooling
  ];

}
--------------------------------------------------------------------------------
/hosts/briah/secrets/default.nix:
--------------------------------------------------------------------------------
# sops-nix secrets for briah. Each secret is decrypted at activation with the
# host's age identity, which sops-nix derives from the SSH host key listed in
# age.sshKeyPaths; restartUnits names the units bounced when a secret changes.
{ config, ... }:

{

  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = ./secrets.yml;

    secrets = {

      # "wireguard-*" is a unit glob: every matching interface unit restarts on key change.
      wireguard-private-key = { restartUnits = [ "wireguard-*" ]; };

      # Default permissions (sops-nix: 0400 root:root). Presumably the key behind
      # this host's nix-ssh substituter role — confirm where it is consumed.
      nix-private-key = { };

      # SAE password consumed by services.hostapd (hostapd.nix).
      # NOTE(review): mode 0444 makes the Wi-Fi password readable by every local
      # user and process. The sops-nix default of 0400 root:root is sufficient if
      # the hostapd unit reads the file as root — confirm the unit's user before
      # tightening.
      hostapd-password = {
        mode = "0444";
        restartUnits = [ "hostapd.service" ];
      };

      # Disabled together with ss14-watchdog.nix (not imported in default.nix);
      # the encrypted value is still present in secrets.yml.
      #pong-api-token = {
      #  mode = "0440";
      #  owner = config.users.users.ss14-watchdog.name;
      #  group = config.users.users.ss14-watchdog.group;
      #  restartUnits = [ "space-station-14-watchdog" ];
      #};

      # Syncthing device identity. The .pem files are sops JSON documents wrapping
      # the raw certificate/key, hence format = "binary" and a per-secret sopsFile.
      syncthing-cert = {
        format = "binary";
        sopsFile = ./syncthing-cert.pem;
        restartUnits = [ "syncthing.service" ];
      };

      syncthing-key = {
        format = "binary";
        sopsFile = ./syncthing-key.pem;
        restartUnits = [ "syncthing.service" ];
      };

    };
  };

}
--------------------------------------------------------------------------------
/hosts/briah/secrets/secrets.yml:
--------------------------------------------------------------------------------
wireguard-private-key: 
ENC[AES256_GCM,data:wowzTQEOBM4chO8cnf7168VzfIP2kB46bHZwRwhTTnTjH2UdzNtTdzENH8M=,iv:4oAKJwgmAemTsJRdXgxsbM20xiGBIGlV2y/5Qw24oto=,tag:S1CU2dLgb9xtL3dyBOEp8g==,type:str] 2 | nix-private-key: ENC[AES256_GCM,data:HQglHXdmTspj5OYQNwBbDNHFkYdYZ/aFV+bjAhDmnbob1IYcSCodThYAvrNpDIMJ0ZMNZvYHaVsYF+FCqkaCZZpVVFKrLjKKdaU/tBJuiyumsjf6OO1mcsduDsWmmQ==,iv:2NHBBZyxUpJpfH3iwdQe3laSBCvkNE44omqeSlGWW/8=,tag:2SgExQ+9VQcgatuY/7rNZg==,type:str] 3 | pong-api-token: ENC[AES256_GCM,data:XTnnBPayTtpdwqefyvj0WZ1/TtjGmR16pyveoDZIQI4=,iv:L9gEQpRp+ANH8klmeBJSkaPaBcRsrTdhqd8ZCAwl++M=,tag:US5FYzBbkcNg0RcoIYu6ZA==,type:str] 4 | hostapd-password: ENC[AES256_GCM,data:KcdaZK0XFLf/EHe/iBk=,iv:kc6aOx96vXnRrZR1oEczg0jaQeoo+pUMugFXynoYozU=,tag:p1fq6sH7LXzkfPmUPZ2lkw==,type:str] 5 | sops: 6 | age: 7 | - recipient: age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j 8 | enc: | 9 | -----BEGIN AGE ENCRYPTED FILE----- 10 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvY2NkSTBCTnA5VXNrWDEr 11 | MVVTL0Jjd1Mxa1M1dXpqU1d0TkhHU1QyM0FjCmxtZXhHZHl5UWNWYnJyOW1hRkFH 12 | TTVObm5yb3Y5TThFUGUwLzhSdFlHUTAKLS0tIGVPcG0vbGZHVGRUSTU0Ym1zdjlS 13 | Ty9CSTFWQ1dYUnJ3cWlVMUJSMjBYQ3MKxQd6Nnr/Jm0uErq2qouO8ffjQfi/hixb 14 | PQbji8cO6CSK837GAuT/LOsk2gc3uWrtwIEC3GyMEeCm64j/BC7CLg== 15 | -----END AGE ENCRYPTED FILE----- 16 | - recipient: age1mlznec0ruk9xgkzygpmetsfvutxk4qml636rqcvzpzudyp4wlcfqzgh2e2 17 | enc: | 18 | -----BEGIN AGE ENCRYPTED FILE----- 19 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpR0hQWUdXRXQyZXhDZXdY 20 | by9tOVFycE4vWTliUWxLUWJxMXJITzZVdjFjCmovcGErR2VrNXNsUHNsY1FQVy9o 21 | eldxTWtlNlp4TzB5OFRhclFvRGtBREUKLS0tIFR2b1ZTV003Q3NsVnNPbkdLV05a 22 | QzI5MjlQUkE3Sk9ORkRXbmtEYjVTZGMKURNm0IvTA1Ptm+Nqpo2YPmotMTIacFRW 23 | VC08uQPI+6N2brWZpEFOuctZ0rGcn1XcpgD69WuUrseu4rjVqioesA== 24 | -----END AGE ENCRYPTED FILE----- 25 | lastmodified: "2025-05-17T17:45:23Z" 26 | mac: 
ENC[AES256_GCM,data:4VOVC4kbB/ZLrZIXrHQFnYC7pJSzNmgAV33Kio/RiVVgFA+b7dMmNxd+yN80S/1tDN0iON71t4kyf6AX1J1DkMYLOt3IMr4c3nA68aywglcf5Uo+eYNPzYqJydLSXoIaappBwomlXAj4kOC+9hWljrOErM1eK1x70DUEmUoG9OQ=,iv:TVHQXj52nlMEUEypqX3TekWc7nKLJSgm0BCDFuafxaM=,tag:ms0h9aldITH6V/9HqWZruQ==,type:str] 27 | unencrypted_suffix: _unencrypted 28 | version: 3.10.2 29 | -------------------------------------------------------------------------------- /hosts/briah/secrets/syncthing-cert.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:ObyPK8swx7Ej8O0PMayTvr4albg01q/dxURjPZhMFXK3l3i9/X06e8Y9K3Ozy+n66liOaY3jOWNBPa2OSOp8uPPCGBIyKalugQx5EelZBFnYbSPyEZonwSSQryIUbDqPVsjf5ba0PrvnsIt6H6XKz6wr/KhMYJ3s1c9pAX/rlZxO4UzXsCUAG3Qva403XPES9UppZF7W87PXBEJdw87XJ2xK3/My8FhMryk+ea8asl2eSyK3W8MmaapRM1cgwuaux48JSpRUO6icfyhMIZbFzj7ZrjRupADKfkuDsSG4ecgzfbzt1bi50TeIFBGPLKtRF16QVmDhDUc8LAG//eVdxcNCiYo/pb0BzIVbA3bbNuHQYdFhKZJBhNjB9zhdKc5Awgv+Eo1F6o8dSY0AG7qvt09SJyriCZoRc/ZzIr7wR1++BKtiGdbhM/L8/nkPCwbGrOOMvf3iHS3XmS5ek59BTFmIt2BCkg9Kg9WuY3jY1sVz6V13OnMUHME5x9Gx1qs1+CDFwVGY83rFmOMdUAMs/K9I49ZUBsFYliY+a2Q/wtpqC/FK83TZrTwQro5Y/IOjEYSGT/EBqW0YnedujGTteRhb7+AOnnhIU/CS1E6jmyDlZPmhTvKChA9hpR1FgiNTLEiD6pHEDekrrc1h4ziBPqiBzrdou5hGcV+z6unqaHksVo+2+0uH3Ra49KsNis5Abg3OD6fnBJVZOdiA1CFv8rO26Ua7q9vcv/x+KCqhEibv2dj8rnLCl5Meix+DOgMzdnp/b1OzFiWuqkM0XvEi3ogcXYeRAOWn0LhGXYcgCj2kz/P7MYqE,iv:np8x3bwz3jNm41x/PPXgpy+qiGuoD6faru4kKpx6an8=,tag:CzKvEomJVmwywDEU5UsCMg==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZ0s3RVF2ZWd3RHo3akIv\nbkg0NVBUUHpDM25zL01qc2JBZHhsSGF6emtJCm5LRUFUQlI5M2o5LzcrTnBDZGxv\nWFI5Nk5Ibm1yRXVpaVhINWlDTnlpdDAKLS0tIHRPNVRaOCt2M1dvZlRmMUVHRmlm\ndjhLTWtFcWxpMUFIblRDT3U3OEdwbU0KCA200yF/B/hKJNb4UORx/yKnDp8fCsdl\nJjibYwwsXIwioy3CJE7dTBac9cfWs8bVyuzFmzvv0qceR13FSt6Ibg==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1mlznec0ruk9xgkzygpmetsfvutxk4qml636rqcvzpzudyp4wlcfqzgh2e2", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeGxmMUFzMjBpMFFIR1BP\nTDkyd1JZTDVGSGNQRDhUT3ljdVRJM2VydnpnClBSclVmTFFaSEdvdGJ4aXN6ZWlI\nZmZYNmwwNDdjUEVtWW16dDVLMDUvWDQKLS0tIGdKS0s3OU5xci9ndjRaSWt0RlZP\nWitzZmZ6aFNhN2dubk1WVlBWdit4VWsKSJ9FiefMooOwWM1hlaXzJo6uHDw30QTg\nnA/8FzWu7mxFoCusgMLPtcHKS2hpuZ+I+ZIxRYk997uzg35xl+RRQw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2023-07-19T08:57:50Z", 19 | "mac": "ENC[AES256_GCM,data:1i1LYQwoZWsusLNkOWvGDDSk968UoJIrK+Safpb29QKP3NO7A/v7uUBmd1xEZql5qDRr7Hq4pwH36vxdUjfNrT/DTkucUretBMvaKD/FrpaGpuOiho6QcAmQEXDwY8oPCxUWTQQo+ndagp8A6VtUm8F9ZE9lue+SoqSG/k4jMoI=,iv:ZbUhIKVCwnI1eLKoRDT4M8+PRuBwNVstqKlwOkuQfNE=,tag:iT94x51ccF3yrEA6/qHffA==,type:str]", 20 | "pgp": null, 21 | "unencrypted_suffix": "_unencrypted", 22 | "version": "3.7.3" 23 | } 24 | } -------------------------------------------------------------------------------- /hosts/briah/secrets/syncthing-key.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data:eBitFVKLinzED+kNe+AAVVupBTH8Z0spcj37JiW8HbUsABS+WM4z02MbTXzCzo9KjrQTUMVE4LScST2PtL+/aK6g874ksIbyqGy+K2p0xKRenXXTawGGv6F1JuKrDHclACFlOLuqHD8DC9PTmj9IUZGofHBhFujLwQTYN/0ZoBzdTf4qOMhaXCIi4XHIbJKh5yv4XNcnY8MK9lTs1nC4h2JX86fgUQqmTCVL+WnxnQ/kZgc749A6EBm+IK9hNbymmsLJ6PaoocsgSShyh/+OjGIolCg9li1W7of2awgCR7sIU3uvY2yOZPmDMlkMb3gT7b8n5prYIYlfjNqgDbTerLf8wItpxmIt6WG1ShxCfCBqHdhVihnb2UpvtGi7bLi5,iv:Zg4t9gc12owbl7MMBezvtzHvtGX3sHsUvbjMf9KUSSU=,tag:pXRHe7+/50gQ2BUSgMTUXw==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAva3NTVlYxSzN2TDJMWjZ1\nMHlQWFZTRE40MGxjbk94NXF2VnRvU2JIQ1JFCjZjb1l5Wkt0YTYrTkY2Mk4zMGRF\ncVJ5WmZNQ1VTcy9idDN2MmFGVzh1d2sKLS0tIDZyYXYxQUVoVnErT0lJTDdVYkxr\naGFGVHZDQS9Xb2R3T083ZTdoMHgyMlkKk1owscliza2r8QWojXgzplT/elK7faSE\n5Cv5IHP5ke53ylOgB62gJy7B5Enl91ut8MTxqr7iUST1cHdEpvM6Qw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1mlznec0ruk9xgkzygpmetsfvutxk4qml636rqcvzpzudyp4wlcfqzgh2e2", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSzNzWjhQZlRXUWhLa2lz\nOGk4TGVWYlZxRjhRUWRRUmpMNVZjcnhkUFdVCm00ODBqM013UjNWSVYwU05PdFAr\nbFRNaDJDZ2lYUXI4ck5aOWFkaFV5Y1kKLS0tIExGRVpUcjNBaitCMmR1T0VSUjVH\nVVNZT2IrRlExOUJLeWgvSFZIWmU0TGcK4QDi9K6v+iSsHq96OCOCyvZLwuJ8HbWL\nABdSq83RMNWbSeCtR0iap984/c23Y3N5jks9m66SECMTfv3fScrrWw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2023-07-19T08:57:44Z", 19 | "mac": "ENC[AES256_GCM,data:mTtUHzY7LQHKEnwiPJ0fQb4Ij1VexFA22jh9xH3qqSFEj1l+V4o9qQTHrFUrHMZMO+vfObrq1y5Of9nlBQqSJ4JlRAyJt0X+OjfKaqo5eDv+1LP9iSrQjHMbO32sTqVtCjym4F5/hj1UAXzB6Zc/JxPgCqka1P51VNl5rngaQBo=,iv:djbu5k855Pm4c1KrwZjy7696tdVouNeQz5ksIrzLU0k=,tag:/H0gi8e8JMm1/x1a2lXQIQ==,type:str]", 20 | "pgp": null, 21 | 
"unencrypted_suffix": "_unencrypted", 22 | "version": "3.7.3" 23 | } 24 | } -------------------------------------------------------------------------------- /hosts/briah/ss14-watchdog.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | let 3 | ports = config.gradient.currentHost.ports; 4 | pong-api-token = config.sops.secrets.pong-api-token.path; 5 | in { 6 | 7 | services.space-station-14-watchdog = { 8 | enable = true; 9 | openApiFirewall = true; 10 | settings.Servers.Instances.Pong = { 11 | Name = "Robust Pong"; 12 | ApiPort = ports.robust-pong; 13 | ApiTokenFile = pong-api-token; 14 | TimeoutSeconds = 120; 15 | UpdateType = "Git"; 16 | Updates = { 17 | BaseUrl = "https://github.com/space-wizards/RobustToolbox-Examples-Pong.git"; 18 | Branch = "master"; 19 | }; 20 | }; 21 | instances.Pong.configuration = let 22 | port = toString ports.robust-pong; 23 | in { 24 | net = { 25 | tickrate = 60; 26 | port = ports.robust-pong; 27 | }; 28 | 29 | hub = { 30 | advertise = true; 31 | server_url = "ss14://ss14.gradient.moe:${port}"; 32 | tags = "region:eu_w,rp:none"; 33 | }; 34 | 35 | status = { 36 | enabled = true; 37 | connectaddress = "udp://ss14.gradient.moe:${port}"; 38 | bind = "*:${port}"; 39 | }; 40 | 41 | auth = { 42 | mode = 1; 43 | allowlocal = false; 44 | }; 45 | 46 | game = { 47 | hostname = "[EUW] Robust Pong"; 48 | desc = "It's literally just pong."; 49 | welcomemsg = "Welcome to Robust Pong!"; 50 | }; 51 | }; 52 | }; 53 | 54 | networking.firewall.allowedTCPPorts = with ports; [ ss14-watchdog ]; 55 | 56 | } -------------------------------------------------------------------------------- /hosts/erika/backups.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | { 3 | 4 | services.restic.backups.hokma = { 5 | paths = [ 6 | "/home/vera" 7 | ]; 8 | }; 9 | 10 | } -------------------------------------------------------------------------------- /hosts/erika/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | { 3 | 4 | imports = [ 5 | ./secrets 6 | ./backups.nix 7 | ./programs.nix 8 | ./filesystems.nix 9 | ./hardware-configuration.nix 10 | ]; 11 | 12 | gradient.profiles.gaming.enable = true; 13 | gradient.profiles.gaming.emulation.romPath = "/run/media/deck/mmcblk0p1/roms"; 14 | gradient.profiles.desktop.enable = true; 15 | gradient.profiles.development.enable = true; 16 | gradient.profiles.catppuccin.enable = true; 17 | 18 | gradient.presets.syncthing.enable = true; 19 | 20 | # Android app support with waydroid. 21 | virtualisation.waydroid.enable = true; 22 | 23 | # Use Jovian's steam deck UI autostart. 24 | services.displayManager.sddm.enable = lib.mkForce false; 25 | jovian.steam.autoStart = true; 26 | jovian.steam.user = "vera"; 27 | jovian.decky-loader.user = "vera"; 28 | jovian.steam.desktopSession = "plasma"; 29 | 30 | services.handheld-daemon.enable = true; 31 | services.handheld-daemon.user = "vera"; 32 | 33 | gradient.substituters = { 34 | asiyah = "ssh-ng://nix-ssh@asiyah.gradient?priority=40"; 35 | briah = "ssh-ng://nix-ssh@briah.gradient?priority=60"; 36 | beatrice = "ssh-ng://nix-ssh@beatrice.gradient?priority=45"; 37 | bernkastel = "ssh-ng://nix-ssh@bernkastel.gradient?priority=40"; 38 | neith-deck = "ssh-ng://nix-ssh@neith-deck.lily?priority=100"; 39 | }; 40 | 41 | } -------------------------------------------------------------------------------- /hosts/erika/filesystems.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | 4 | # Bootloader. 
5 | boot.loader.systemd-boot.enable = true; 6 | boot.loader.efi.canTouchEfiVariables = true; 7 | 8 | boot.initrd.luks.devices."luks-c3cd1e3f-45ef-4009-bdf4-73dfab099aaa".device = "/dev/disk/by-uuid/c3cd1e3f-45ef-4009-bdf4-73dfab099aaa"; 9 | boot.initrd.luks.devices."luks-c3cd1e3f-45ef-4009-bdf4-73dfab099aaa".bypassWorkqueues = true; 10 | boot.initrd.luks.devices."luks-93e2669c-48fc-47e6-8a36-ed31eeda94b3".device = "/dev/disk/by-uuid/93e2669c-48fc-47e6-8a36-ed31eeda94b3"; 11 | boot.initrd.luks.devices."luks-93e2669c-48fc-47e6-8a36-ed31eeda94b3".bypassWorkqueues = true; 12 | 13 | fileSystems."/" = 14 | { device = "/dev/disk/by-uuid/8cf3b135-2696-4e08-9b0d-85205cde8321"; 15 | fsType = "ext4"; 16 | }; 17 | 18 | fileSystems."/boot" = 19 | { device = "/dev/disk/by-uuid/C773-7A18"; 20 | fsType = "vfat"; 21 | }; 22 | 23 | swapDevices = 24 | [ { device = "/dev/disk/by-uuid/46e82990-2470-4b76-afbb-99e21b12867e"; } 25 | ]; 26 | 27 | } -------------------------------------------------------------------------------- /hosts/erika/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { config, lib, modulesPath, ... }: 2 | { 3 | 4 | imports = [ 5 | (modulesPath + "/installer/scan/not-detected.nix") 6 | ]; 7 | 8 | boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "sdhci_pci" "hid-generic" "i2c_hid_api" "hid-multitouch" "evdev" ]; 9 | boot.initrd.kernelModules = [ ]; 10 | boot.kernelModules = [ "kvm-amd" ]; 11 | boot.extraModulePackages = [ ]; 12 | 13 | boot.plymouth.enable = lib.mkForce false; 14 | boot.initrd.unl0kr.enable = true; 15 | hardware.amdgpu.initrd.enable = false; 16 | 17 | # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 18 | # (the default) this is the recommended approach. 
When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp4s0f3u1u4.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  # Microcode updates follow the redistributable-firmware toggle (generated default).
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

}
--------------------------------------------------------------------------------
/hosts/erika/programs.nix:
--------------------------------------------------------------------------------
# erika: host-specific packages and Flatpak apps; the desktop/gaming profiles
# themselves are enabled in default.nix.
{ pkgs, ... }:
{

  environment.systemPackages = with pkgs; [
    wl-clipboard
  ];

  services.flatpak.packages = [
    # "flathub:app/com.moonlight_stream.Moonlight/x86_64/stable"
  ];

}
--------------------------------------------------------------------------------
/hosts/erika/secrets/default.nix:
--------------------------------------------------------------------------------
{ ... 
}: 2 | { 3 | 4 | sops = { 5 | age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 6 | defaultSopsFile = ./secrets.yml; 7 | 8 | secrets = { 9 | 10 | wireguard-private-key = { restartUnits = [ "wireguard-*" ]; }; 11 | 12 | nix-private-key = { }; 13 | 14 | mura = { 15 | format = "binary"; 16 | sopsFile = ./mura.tar; 17 | }; 18 | 19 | syncthing-cert = { 20 | format = "binary"; 21 | sopsFile = ./syncthing-cert.pem; 22 | restartUnits = [ "syncthing.service" ]; 23 | }; 24 | 25 | syncthing-key = { 26 | format = "binary"; 27 | sopsFile = ./syncthing-key.pem; 28 | restartUnits = [ "syncthing.service" ]; 29 | }; 30 | 31 | }; 32 | }; 33 | 34 | } -------------------------------------------------------------------------------- /hosts/erika/secrets/secrets.yml: -------------------------------------------------------------------------------- 1 | wireguard-private-key: ENC[AES256_GCM,data:U9MmgyMbQ3NajUAMwvanSW/cgCfFC4H4hjv0/s374xnw1DOSSF0d5XEM6Zg=,iv:gDNzNB7nFl0l6gNkIM4XrrQrzHMcJaNiu6QcVIrsXDA=,tag:st+2ezqyeubaytE//ZJ94Q==,type:str] 2 | nix-private-key: ENC[AES256_GCM,data:BHSWj51UGUSH1boR+lKsgvS97a1xFaI1xVozOzigRVeiSDPgJyuP5tRybWR1OxDLm9TYdroQqq+ezmUp5NZ132hJfX7ZfhP2bngJsm0PBuO/bkfnc6dTl6PoYgHeonM9Rtf8cII6zA==,iv:OAlf2ccs/BzrHaIPATbE7kqcgoqNmQStKMLFDSEvK+E=,tag:ik8U1WcxaTqeAlKIuVkR8A==,type:str] 3 | sops: 4 | kms: [] 5 | gcp_kms: [] 6 | azure_kv: [] 7 | hc_vault: [] 8 | age: 9 | - recipient: age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j 10 | enc: | 11 | -----BEGIN AGE ENCRYPTED FILE----- 12 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZ0NCdzIzaFV0bzdnQk9Y 13 | bzlRWW5HQzkweGVhZ3VQWDRCcGE4OXRpTVNrCmVVa0J3NWdpUlkra0Fkd0hGZlNh 14 | T05IQkc1RXZDdFNhQ2pvcTJBTWZEQ2sKLS0tIFgvNGhLWEcyblZxQURNMTl6R0JT 15 | a3VUazZ6a1dHb291VVp1T1U5Syt4SU0KMHhZzGo77R3TB2/K7BfEl8O0ndQrLdPG 16 | +4ZMemVCKNJTH1d4q+aOvudFIV5QLPI1iWkur+BvgdcP0BHrEXGJWQ== 17 | -----END AGE ENCRYPTED FILE----- 18 | - recipient: age1ttl5pp50xffh73y3ekutsret24gd3rn7w2yvvcrhu2ywkz867fes8ea2s7 19 | enc: | 20 | 
-----BEGIN AGE ENCRYPTED FILE----- 21 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcUc3N2cvSkp1WmU5YVlr 22 | NUUwUmNIU0ltUXVXOEhNQUtrckJGcnM0SWpzCmJTbE9oZ2NLTlp4SEQveERGYVpu 23 | M3hVT2pPU0trUm5PbWZWMEc3NHhOdWcKLS0tIDZmVVVrWVVNVGp5TCtYajRXNWh4 24 | bVFRN2dTaTBSc1d3RVJFVzFhOGZBTkUK2leNhzlPSSWSiudFnTpvyUFY+Bclamdr 25 | V/GG4I0kxV6EP120iEEmJX5iDV7Lpuj227t+d1dLVK+JkLKF3o8FJg== 26 | -----END AGE ENCRYPTED FILE----- 27 | lastmodified: "2024-05-07T14:17:00Z" 28 | mac: ENC[AES256_GCM,data:+IBT7WOsQRdHR1nM1QrSQhmMH1HoUX6685r11WiHfMHg34tYwMVzahrXq2l3MbaP7sWqtB79DmjNGO++eqmmBOj0rO/+GVEEB1cyZecFCCeJ3c/zvdtOxbOJGZU9u26RYg8TCKaCtjn4Dq5r7lVdSpUp+1IlBOZ+LkhbxjkIijU=,iv:8mP9UdYxjRSbCP3WgjNIW5TyxqYKPKjVPFmMad0Jl04=,tag:h+vNWZNAyxM3S13LevZCfg==,type:str] 29 | pgp: [] 30 | unencrypted_suffix: _unencrypted 31 | version: 3.8.1 32 | -------------------------------------------------------------------------------- /hosts/erika/secrets/syncthing-key.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:ge7ScgcW1HtwZx23G48BQQN9+CRc01N5+++C6Heu3KhybF87cIb108vLDeKgvrPMrvrYLJY9sJTlquBYotiP880zgZF1j16MuEwQNTnAxgzERLjan+hz5rTwdeYr0an8raxO5fJmGlO3LmrhQEDjQiFTE/7v6fqMdmu7cv2+Z7XkRydOUhFHzQd6pq9ZooUtYkmgTrRLDFfT2xzmAM7oT9C6+RlRh01gvO9HJaQZwIZODlrjKEP4rVdPv4Rf6e69lfM/MQrb9XIna6i5UT6lc0DN31iL1Zkw+fgeq3BzlMVFJl3xTatmBWub6H+yRxhlZ0awFZw6NbDrZHLIltttx/fr9K3MCzD6VrMxdEZbqbkGw4lat09gcTf5WumkYpI9,iv:DoDi0NEEDqVXN4irXpqsDoG5hWd2WYMu6TGEOETUSXw=,tag:lseo2zRO6bkP+bCXm4yA8w==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUWdtNGJhb2dBOWNHcko1\nOThmUXdpd1Y1bzVFcG9QMEMvTElQZXA2N3dRCnlYdGlkVmtCR1JGamxVQTVFaUZE\nSlhJUklNUEFOalhCYmFWcnlJTldROVkKLS0tIDRDQnRpalVPaGQ4VkpDWGxEeUpT\nNnRmZHp4UFhFTXhka0cvVXNkcmVCUEUK2ywGZNpxFQ6wiQF5b9TwtpOtUVcSG9nt\nDkbnDVPOqBvY9Ps2Hc1RFM2Uht3wSgcpHJCYzM/mYeZFCL3ZEwLTnA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1ttl5pp50xffh73y3ekutsret24gd3rn7w2yvvcrhu2ywkz867fes8ea2s7", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMzk5b1VFWjM5SGpTY1FI\nRmI4Z0hFK25MS0NpamNka1l1N3RiQ2ppK2tjCk91Um1La1k4OUlXZG83MHVXMjdp\nbWU3QnpzajVhcnQ1cVVBVTRMdmJMR3MKLS0tIFNYOEJnRW0yVE9TYXdBUUVST3FM\nYXhEVk1DdXV0TzFnK1pxYVh3L2VFMFUK5DIwIcQiModZQzk5skHG2c2dB4YltQ5g\nhvVu4LU9WS15oCLxcyCwAu7CKICpxjdx2sGhZLHTi71L7qIbIukABA==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2024-02-23T09:55:41Z", 19 | "mac": "ENC[AES256_GCM,data:bm+oFYKHmtm8kXVtlzZhd3fL1QX2Tj6u+eq3VxEumHKLRpsaDdcX9dpZv+B2k7l224Ru99A/KlQellp/3Cw6/wERG6c1h/9GqmdyL9iO4aGEgq2jthLMAVrrjx5yWrIFkk84yWoFX2zKLpMeonWq3Eo6Z5AKnLBhA+/Hl2fe6yM=,iv:WShgJrn6QC9rOzhnLWsYFup9NL7IC0/bgzxamTNMyv4=,tag:JGg0NSbSngdudcl6O5g4Nw==,type:str]", 20 | "pgp": null, 21 | "unencrypted_suffix": "_unencrypted", 22 | "version": "3.8.1" 23 | } 24 | } -------------------------------------------------------------------------------- /hosts/featherine/backups.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | 4 | services.restic.backups.hokma = { 5 | paths = [ 6 | "/home/vera" 7 | ]; 8 | }; 9 | 10 | } -------------------------------------------------------------------------------- /hosts/featherine/filesystems.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | let 3 | auroraUuid = "e98ab311-b656-4421-971c-cbfdd6560829"; 4 | in 5 | { 6 | 7 | # Bootloader. 
8 | boot.loader.systemd-boot.enable = true; 9 | boot.loader.efi.canTouchEfiVariables = true; 10 | 11 | boot.initrd.luks.devices."luks-4b159de8-a815-46ef-94bd-52a9d0e03e3a".device = "/dev/disk/by-uuid/4b159de8-a815-46ef-94bd-52a9d0e03e3a"; 12 | boot.initrd.luks.devices."luks-4b159de8-a815-46ef-94bd-52a9d0e03e3a".bypassWorkqueues = true; 13 | boot.initrd.luks.devices."luks-5300f6ce-cc89-429c-8656-50e5bf71f13d".device = "/dev/disk/by-uuid/5300f6ce-cc89-429c-8656-50e5bf71f13d"; 14 | boot.initrd.luks.devices."luks-5300f6ce-cc89-429c-8656-50e5bf71f13d".bypassWorkqueues = true; 15 | 16 | # SD Card 17 | boot.initrd.luks.devices."luks-${auroraUuid}".device = "/dev/disk/by-uuid/${auroraUuid}"; 18 | boot.initrd.luks.devices."luks-${auroraUuid}".bypassWorkqueues = true; 19 | 20 | boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ]; 21 | boot.initrd.kernelModules = [ ]; 22 | boot.kernelModules = [ "kvm-amd" ]; 23 | boot.extraModulePackages = [ ]; 24 | 25 | fileSystems."/" = { 26 | device = "/dev/disk/by-uuid/5931ef19-0224-4c5d-820b-269facdfa31b"; 27 | fsType = "ext4"; 28 | }; 29 | 30 | fileSystems."/boot" = { 31 | device = "/dev/disk/by-uuid/B871-5205"; 32 | fsType = "vfat"; 33 | }; 34 | 35 | fileSystems."/data" = { 36 | device = "/dev/disk/by-uuid/dc6de339-85ff-477b-b0b3-4324110fec51"; 37 | fsType = "btrfs"; 38 | options = [ "defaults" "rw" "nofail" "x-systemd.automount" "x-systemd.device-timeout=1ms" "comment=x-gvfs-show" ]; 39 | }; 40 | 41 | swapDevices = [ 42 | { device = "/dev/disk/by-uuid/08db435c-35ee-41ab-9373-e69a575e9955"; } 43 | ]; 44 | 45 | environment.systemPackages = [ 46 | (pkgs.writeShellScriptBin "decrypt-aurora" '' 47 | sudo ${pkgs.cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-uuid/${auroraUuid} luks-${auroraUuid} 48 | sudo ${pkgs.util-linux}/bin/mount /data 49 | '') 50 | (pkgs.writeShellScriptBin "encrypt-aurora" '' 51 | sudo ${pkgs.util-linux}/bin/umount /data 52 | sudo ${pkgs.cryptsetup}/bin/cryptsetup 
luksClose luks-${auroraUuid} 53 | '') 54 | ]; 55 | 56 | } -------------------------------------------------------------------------------- /hosts/featherine/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, modulesPath, ... }: 2 | { 3 | 4 | imports = [ 5 | (modulesPath + "/installer/scan/not-detected.nix") 6 | ]; 7 | 8 | boot.kernelPackages = pkgs.linuxPackages_zen; 9 | boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" "amdgpu" "xhci_hcd" ]; 10 | boot.initrd.kernelModules = [ "amdgpu" ]; 11 | boot.kernelModules = [ "kvm-amd" "i2c-dev" ]; 12 | boot.kernelParams = [ 13 | "pci=nommconf" 14 | "rtc_cmos.use_acpi_alarm=1" 15 | ]; 16 | boot.extraModulePackages = with config.boot.kernelPackages; [ ]; 17 | boot.extraModprobeConfig = ""; 18 | 19 | # Breaks suspend due to ppfeaturemask 20 | programs.corectrl = { 21 | enable = lib.mkForce false; 22 | gpuOverclock.enable = lib.mkForce false; 23 | }; 24 | 25 | hardware.sensor.iio.enable = true; 26 | 27 | nixpkgs.hostPlatform = "x86_64-linux"; 28 | 29 | } -------------------------------------------------------------------------------- /hosts/featherine/programs.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | environment.systemPackages = with pkgs; [ 5 | 6 | ]; 7 | 8 | services.flatpak.packages = [ 9 | 10 | ]; 11 | 12 | } -------------------------------------------------------------------------------- /hosts/featherine/secrets/default.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | { 3 | 4 | sops = { 5 | age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 6 | defaultSopsFile = ./secrets.yml; 7 | 8 | secrets = { 9 | 10 | wireguard-private-key = { restartUnits = [ "wireguard-*" ]; }; 11 | 12 | syncthing-cert = { 13 | format = "binary"; 14 | sopsFile = ./syncthing-cert.pem; 15 | restartUnits = [ "syncthing.service" ]; 16 | }; 17 | 18 | syncthing-key = { 19 | format = "binary"; 20 | sopsFile = ./syncthing-key.pem; 21 | restartUnits = [ "syncthing.service" ]; 22 | }; 23 | 24 | }; 25 | }; 26 | 27 | } -------------------------------------------------------------------------------- /hosts/featherine/secrets/secrets.yml: -------------------------------------------------------------------------------- 1 | wireguard-private-key: ENC[AES256_GCM,data:o/90RdPkEmm8xPSjbiWJiv20JL1tVYPgCC1HmPIWZI3rC6y5YD310+FrmTY=,iv:kFb2y8PxAbDUjrv4SIxH3BxDYE3yWWXZFXolbWHcsU0=,tag:rx5sd0Io0RLxT6RMKtl3aw==,type:str] 2 | sops: 3 | kms: [] 4 | gcp_kms: [] 5 | azure_kv: [] 6 | hc_vault: [] 7 | age: 8 | - recipient: age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j 9 | enc: | 10 | -----BEGIN AGE ENCRYPTED FILE----- 11 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNG9WTzc0bWovMVZIVDZk 12 | TEw4L2NUa0FGY0lHWmYzc3BMMVQvdjVXNmd3CitDQ0ZQRUpuenN3eURMM3FXRUVO 13 | d28zdHRRdDVkYVk4YUJKN1RYdTduWVkKLS0tIE9OSUQyU3p2K25Zc0dFMHFrRThF 14 | blMzanNDN2JuSjBlV2ZnTWw3SzAzeTgKkaYn4p3QLi4BFxe/PU17ss0q9WQ52qVm 15 | 7lhQIrNO6ZxDsbtKqrEunuvy8AjGzO8NXxP+QGTkIG4lwQ08ElTcOA== 16 | -----END AGE ENCRYPTED FILE----- 17 | - recipient: age1ejpz2fma32t2ek20t3v2x6cyjrzm50lhd9gwqsqhvhnr9nkc0gpscgndk2 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4aHpGTlZkRkpxVU1qOG5X 21 | MmdObHZFL0FEUHdPSm52Y0thWVRkVE1HV2l3CkU2emhOdThuRTdaM2FmcUVNSVlV 22 | QmlkNkRLTVhkdXlpRUhHY0s2NERsRVUKLS0tIEdDMmpSQmdtMVBWUkpXWVB1NlFk 23 | eTBJSm1MWkNHVXR1eWdGVGZWZVg5NTQKP5OYPR26GMc5+RPeTLe4jYZzRJFGcKGI 24 | 4RijNGCG4stMxCdrK6V5AMMAEzAfqY815tRB4d/fkuFbHJCUOG1WOQ== 25 
| -----END AGE ENCRYPTED FILE----- 26 | lastmodified: "2024-10-02T06:31:17Z" 27 | mac: ENC[AES256_GCM,data:c1HowjEsj+Kgpq797BbHkqdoCgqAGJWS0tT0tdOc5bxicLMyX+15w9pCrkcmdr4qR6j1hFy+Pd6s43x/gBQwT9e/tKGpfyJ39BaaKQ6/eaqmJZyqwJxck2Q5bcEI9MSMXG5fVqKU5i4EL2YCGMNNhvsL+3vtj2lVL2+4RvUc0AU=,iv:rPMVNq2YG0y1sAb9uOo813w1IMk1pFy9pj+uqpNoLU0=,tag:J2s7sO3yRULwdCFVqsW+XA==,type:str] 28 | pgp: [] 29 | unencrypted_suffix: _unencrypted 30 | version: 3.9.0 31 | -------------------------------------------------------------------------------- /hosts/featherine/secrets/syncthing-key.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:2g01RCvptWJuT0x6OsZ/OBv6K6/Kyn0grQPQOspNkjEyjRcbgz8KVbG7gUFZtzXJu0z+wf2BJUzetPU0SeO3BFelQ8hQZF4zOymYmdBWzMeQBHz903yevElJsdG0iZ4waa1jZQgLl4zDBnT48mlXdhjEqxE0fixarIXJ99GdgIYRj69XrWiKSgdb3jlU0wDkewU+z99jrxYxrwmGtsLac3gglDt+b412/WdChxSrzCy2eVa6q8Y7/uIUgN+dcfz95FTvbG5KAxWUdCRDsDXnCtCAuwgz9W3ztfszIoBOa2TeJ7EL18OX9kuwqn38QEBO4G9kyyyb4iDWTmpZLKuS5g4T7wuUtIRGeiWYtL1SHEGsQIEiqO1i/BaI6oiNsFVr,iv:BQeOrhHn/yvvojl5+DStYaAaXf0F5naSgzGihj5HcP4=,tag:tKlkXevFzyZt7Gj5bF2/8g==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBteE5SNVJYTEY0bXVkYWFF\nSUhIUHV4RnBjdE9jS2F3K3JLSkM3Nnhjc0g4CldqcHhRcTdtZFB2emRPMTZNaktT\nUXJWa0g5RU8yNVFnano0azZ1c2JEQmcKLS0tIGZZdnVjUmZINzV3L0UzUE1DcWcr\nTkc5RDNVNXVXNm11ZDRvdUxpL1V4YjQK7qaAultywiNQGCfa7BZsU22LP9Bt4buS\nfoeZIyOQMwTFQZGmbwJT594VgOIvFLjVygyFYfMdLCG36zaPMawBRQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1ejpz2fma32t2ek20t3v2x6cyjrzm50lhd9gwqsqhvhnr9nkc0gpscgndk2", 15 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWnNhdGtaQTFTcFRRT3or\nYTBjV2E3aUpKdlJCVndoSk9RMmQ4Vkk2QXdvCkVrM0ZaNmtydTRkUXpKQUR6UmtV\nUnVjK2JLbVhGQkdXdjVRclByVjJYbFEKLS0tIGtiMzRmdTdNL0RpUC9sNlFCMkcv\nMEN1bFFvRnArY29iUS9FL0lUTHAwbkkKB5OjlrukNOjxIw5M+wHFhqjype5jBv3e\n/rJCwGxofFs88YHvZitu9JYQ8Pt+YsohgClaNw5tOK8tQW+QYGaYpA==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2024-10-02T11:39:04Z", 19 | "mac": "ENC[AES256_GCM,data:Rmi51tSt+7XyPc6PAo1d5deXXhxFx4W+NMdLSmrSnpMMf3Uunvn1lvo7xLk6Ho3ezZEZMSbsHHHUG80TN6tQAtU4VFyCgy+sCOYkBdRuDSwPrctau9MSAacz34ZTT7D5F9HuX+PVIYBXt/tLpdvbGEc0rDlpF40hV+gTacYZS5w=,iv:Ygbx5/plGYwu2R3AIqjfzjHmh7ribmG0GH/qpsOGHzs=,tag:9SLeG2w3/VFRuFP6ruMaNQ==,type:str]", 20 | "pgp": null, 21 | "unencrypted_suffix": "_unencrypted", 22 | "version": "3.9.0" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /hosts/neith-deck/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | { 4 | 5 | imports = [ 6 | ./programs.nix 7 | ./filesystems.nix 8 | ./secrets/default.nix 9 | ./hardware-configuration.nix 10 | ]; 11 | 12 | networking.hostName = "neith-deck"; 13 | 14 | gradient.profiles.gaming.enable = true; 15 | gradient.profiles.gaming.emulation.enable = false; 16 | gradient.profiles.gaming.emulation.user = "neith"; 17 | gradient.profiles.desktop.enable = true; 18 | gradient.profiles.catppuccin.enable = false; 19 | 20 | gradient.presets.syncthing.enable = true; 21 | gradient.presets.syncthing.user = "neith"; 22 | 23 | # Use Jovian's steam deck UI autostart. 
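services.displayManager.sddm.enable = lib.mkForce false;
jovian.steam.autoStart = true;
jovian.steam.user = "neith";
jovian.decky-loader.user = "neith";
jovian.steam.desktopSession = "plasma";

services.handheld-daemon.enable = true;
# NOTE(review): every other per-user setting on this host names "neith";
# confirm that running handheld-daemon as "vera" is intended.
services.handheld-daemon.user = "vera";

# Remote build machines used as binary caches over ssh-ng. `priority` is the
# standard Nix substituter parameter (lower value preferred) — assumes the
# gradient.substituters option passes these URIs through unchanged.
gradient.substituters = {
  asiyah = "ssh-ng://nix-ssh@asiyah.lily?priority=50";
  briah = "ssh-ng://nix-ssh@briah.lily?priority=60";
  bernkastel = "ssh-ng://nix-ssh@bernkastel.lily?priority=50";
  beatrice = "ssh-ng://nix-ssh@beatrice.gradient?priority=45";
  erika = "ssh-ng://nix-ssh@erika.lily?priority=50";
};

}
--------------------------------------------------------------------------------
/hosts/neith-deck/filesystems.nix:
--------------------------------------------------------------------------------
{ ... }:

{

  # Bootloader: systemd-boot, with the ESP mounted at /boot/efi.
  boot.loader.systemd-boot.enable = true;
  boot.loader.grub.enable = false;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/5c03aea7-429f-4d50-80d0-b841db713659";
    fsType = "ext4";
    mountPoint = "/";
  };

  fileSystems."/boot/efi" = {
    device = "/dev/disk/by-uuid/C545-F839";
    fsType = "vfat";
    mountPoint = "/boot/efi";
    # Restrict the ESP to root, as hosts/yetzirah/filesystem.nix already does:
    # vfat has no POSIX permissions, so without these masks everything on it
    # (kernels, initrds, systemd-boot's random seed) is readable by every user.
    options = [ "fmask=0077" "dmask=0077" ];
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/460910b0-38ce-4710-80ec-1ffb7c774c1e"; }
  ];

}
--------------------------------------------------------------------------------
/hosts/neith-deck/hardware-configuration.nix:
--------------------------------------------------------------------------------
{ modulesPath, ...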
}: 2 | 3 | { 4 | 5 | imports = [ 6 | (modulesPath + "/installer/scan/not-detected.nix") 7 | ]; 8 | 9 | boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci" "amdgpu" "xhci_hcd" "hid_generic" "atkbd" "evdev" ]; 10 | boot.initrd.kernelModules = [ ]; 11 | boot.kernelModules = [ "kvm-amd" ]; 12 | boot.extraModulePackages = [ ]; 13 | 14 | nixpkgs.hostPlatform = "x86_64-linux"; 15 | 16 | } -------------------------------------------------------------------------------- /hosts/neith-deck/programs.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | environment.systemPackages = with pkgs; [ 5 | ]; 6 | 7 | services.flatpak.packages = [ 8 | ]; 9 | 10 | } -------------------------------------------------------------------------------- /hosts/neith-deck/secrets/default.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | 3 | { 4 | 5 | sops = { 6 | age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 7 | defaultSopsFile = ./secrets.yml; 8 | 9 | secrets = { 10 | 11 | wireguard-private-key = { restartUnits = [ "wireguard-*" ]; }; 12 | 13 | nix-private-key = { }; 14 | 15 | syncthing-cert = { 16 | format = "binary"; 17 | sopsFile = ./syncthing-cert.pem; 18 | restartUnits = [ "syncthing.service" ]; 19 | }; 20 | 21 | syncthing-key = { 22 | format = "binary"; 23 | sopsFile = ./syncthing-key.pem; 24 | restartUnits = [ "syncthing.service" ]; 25 | }; 26 | 27 | }; 28 | }; 29 | 30 | } -------------------------------------------------------------------------------- /hosts/neith-deck/secrets/syncthing-key.pem: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data:Z0c4UPJBn44nnxiTQQBydvND2dpu7mKrN6XHm0Y/76plziRwdh2IDMoUUWkzuEbvn80NLHTxgdOgY2Q3MdtX/zqvWKWMTihhMX1bYIH56lTOrax+tZm/Em+Fqb/r/qm6pX5x79lAnADG6VTfljeQFMjlrFVGW39EzxEATOX4S7RkoGxBk/3bY36sulJM8qEeLredoFcPhZDq4QW7IkBM+OYeGbK/dNTPUvl8+J3sAxsPVlZIw6W7CV9niDvXNmkuiX9jbayjkzzjoESqKJpLIi2Na48xW32AvtLpNoBlgBT7s2oBt9lZRq2rDGEIWEp2/cPg1lyLVxXKW+/+hhqj95UqGA0Fy2FeAHipsAoI2HE7F6CNKx0AhrSEfwZ//TDw,iv:l7sH3EVfGhJ610WD9i51WTygCordMraLTBl/MDJWdqc=,tag:tQIS0f8YXCYbBNO8Xpw9EA==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TUR0Y2J3WjRsM0FuRmNa\nME5DdVFLWEJJYzdkUm9Ta003ZDNiN3FybG5vCitkMm4wd29oY1B4Vys0NklrZmZs\nV2lBVmJ3Mkt0RTM1YTBrYW5YMVVzbHcKLS0tIG5FNlFGRjVJeFZ5MnlYZjV6VDRp\nM3ZLUlNwU0tTVFNRU0x0aUxoVjZCSmcKp/kkpvv8sOtaWRdrF9avMhKKj+c1swSd\nVNqAICvhkkpVw73Y1auUuyPKBb65RtGYXqwovh0RbdXH/63nuNLxFA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age10h2dan2d3jgy8tjq4djhu5lg4krx2m735nxcvg2schkpkvht0ynsmpdqne", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeVZ6RTYxbzA1NzA1STNr\nSWZxNkc1UWYrUjJqcFQyT2JPMzI4V2J4ZUVnCjF2by93UVdxMSthOXVxaHh1RFRp\nWjJEWlBJYW9kdWhFS0Z2ejdMWGtubjAKLS0tIEdEVDB3d0N2OFhGdkxRYm1PQ1Bv\nV2dtWnkxVEhrSlNhUmFyazM1Uk1SM1EKI98URWMWyQqWqL/CNCTDtssJ4gL9JCmN\n3mcMDkpoi/A5RGdcDDyrnQp3w2udFkD/f1os6Ph/gw97v9i/7SCRCw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | }, 17 | { 18 | "recipient": "age1uj0nmmvdeajg0hqlahe839c5r4n6nz0r6ampcwa46yhetx32kgrqqky22x", 19 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUW5uNlo2ekFCY2diNXQy\ndFdhdGR3TTNUTVBMNzBGZ29zcTlydVJlam1NCnk5WjhUSFdnL3JDT1ltQnVGRzAy\nby95WFcwTUFOVWZOS0gxT1pXcVA2QkUKLS0tIGdhN2FFUVgvdUtDNUR3WUJER1du\nWGVrZks4bEdUdHVlamQ1NUY2cGtGQmsKp0y2jxqB8tskaIfo5kckDKLstAoPQLae\nL+VgC53PppDi5G/A8Kcj1PdgXNAMwFOmAvJxpLn6ETJ03naZilBg8Q==\n-----END AGE ENCRYPTED FILE-----\n" 20 | } 21 | ], 22 | "lastmodified": "2023-05-03T00:27:13Z", 23 | "mac": "ENC[AES256_GCM,data:H1u38FJ0Oeq2qACWMdBpc92QC47Xsm3U7JGs0zNKBViLdPHoHj+D2k2DZe4/cKoiUzpzznYs5ylRT0CQGt2GcI5LdeHNqdvLKdCCKWccnQDNo1Saq/vFpFOVEgZJQDHZ2XCsp3yLxmd6C+A69+jzZxV92N4LSEtsxwU/QJmF6pM=,iv:wv74ZMh5RTJaVe+G8FTSUqC0OMb2UyRDtCmCQH85/ks=,tag:U299FMVLCum141op6KRvOQ==,type:str]", 24 | "pgp": null, 25 | "unencrypted_suffix": "_unencrypted", 26 | "version": "3.7.3" 27 | } 28 | } -------------------------------------------------------------------------------- /hosts/yetzirah/default.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | 4 | imports = [ 5 | ./klipper.nix 6 | ./mainsail.nix 7 | ./moonraker.nix 8 | ./ustreamer.nix 9 | ./filesystem.nix 10 | ./kiosk-session.nix 11 | ./secrets/default.nix 12 | ./hardware-configuration.nix 13 | ]; 14 | 15 | gradient.profiles.catppuccin.enable = true; 16 | gradient.profiles.graphics.enable = true; 17 | gradient.kernel.hugepages.enable = true; 18 | 19 | } -------------------------------------------------------------------------------- /hosts/yetzirah/filesystem.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | 4 | # Bootloader. 
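boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;

fileSystems."/" =
  { device = "/dev/disk/by-uuid/6c541d75-1ed6-4534-97ad-c0d0b341c3f7";
    fsType = "ext4";
  };

# Root-only ESP: vfat carries no POSIX permissions without these masks.
fileSystems."/boot" =
  { device = "/dev/disk/by-uuid/BC07-8C50";
    fsType = "vfat";
    options = [ "fmask=0077" "dmask=0077" ];
  };

swapDevices =
  [ { device = "/dev/disk/by-uuid/8a13ff62-70d6-43eb-92f1-6db30dbc4bdf"; }
  ];

}
--------------------------------------------------------------------------------
/hosts/yetzirah/kiosk-session.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ... }:
let
  ports = config.gradient.currentHost.ports;
in {

  # Wayland kiosk on tty1: set the panel mode, then run Chromium full-screen
  # against the local Mainsail instance (port taken from this host's service-ports).
  services.cage = {
    enable = true;
    user = "vera";
    program = pkgs.writeScript "cage-script" ''
      ${pkgs.unstable.wlr-randr}/bin/wlr-randr --output DP-1 --mode 800x480@68.349998Hz
      ${pkgs.unstable.chromium}/bin/chromium --noerrdialogs --disable-infobars --incognito --kiosk http://127.0.0.1:${toString ports.mainsail}
    '';
    extraArguments = [ "-d" ];
  };

  # Start the kiosk only once the web UI and its API backend are up.
  systemd.services."cage-tty1".after = [ "nginx.service" "moonraker.service" ];

  # No login prompts on the serial lines or on tty1, which cage owns.
  systemd.services."serial-getty@ttyS0".enable = false;
  systemd.services."serial-getty@hvc0".enable = false;
  systemd.services."getty@tty1".enable = false;
  systemd.services."autovt@".enable = false;

}
--------------------------------------------------------------------------------
/hosts/yetzirah/klipper.nix:
--------------------------------------------------------------------------------
{ config, ... }:
let
  # Same path as moonraker.
  baseCfgPath = config.services.moonraker.stateDir;
  cfgPath = "${baseCfgPath}/config";
in
{

  # Klipper runs as moonraker's user/group so both share the same config tree.
  services.klipper = {
    enable = true;
    user = config.services.moonraker.user;
    group = config.services.moonraker.group;
    mutableConfig = true;
    mutableConfigFolder = cfgPath;
    configFile = ./klipper.cfg;
    logFile = "${baseCfgPath}/logs/klipper.log";
  };

  # Do checks on config files, helps remind me to update them on git.
  # repoPath/doCheck are not standard tmpfiles attributes; presumably a
  # project module compares the live file against the repo copy — verify.
  systemd.tmpfiles.settings."10-klipper"."${cfgPath}/printer.cfg".C = {
    argument = toString ./klipper.cfg;
    # NOTE(review): this file belongs to host yetzirah but repoPath names
    # hosts/beatrice/klipper.cfg — confirm the comparison target is the right one.
    repoPath = "/etc/nixos/hosts/beatrice/klipper.cfg";
    doCheck = true;
    user = config.services.moonraker.user;
    group = config.services.moonraker.group;
    # Owner read/write only. The previous 0777 made the printer config
    # world-writable, so any local account could rewrite heater/motion settings.
    # The owner is the moonraker user, which is also what klipper runs as above,
    # so 0644 keeps both the UI editor and klipper working.
    mode = "0644";
  };

}
--------------------------------------------------------------------------------
/hosts/yetzirah/mainsail.nix:
--------------------------------------------------------------------------------
{ config, ...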
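}:
let
  ports = config.gradient.currentHost.ports;
  addresses = config.gradient.const.wireguard.addresses;
  hostName = config.networking.hostName;
in {

  # Plain-HTTP Mainsail bound only to loopback and this host's two WireGuard
  # addresses; nothing here listens on a LAN or public interface.
  services.mainsail = {
    enable = true;
    nginx.listen = [
      {
        addr = "127.0.0.1";
        port = ports.mainsail;
      }
      {
        addr = addresses.gradientnet.${hostName};
        port = ports.mainsail;
      }
      {
        addr = addresses.lilynet.${hostName};
        port = ports.mainsail;
      }
    ];
    nginx.serverAliases = [
      "mainsail.${hostName}.constellation.moe"
      "mainsail.${hostName}.gradient.moe"
      "${hostName}.gradient"
      "${hostName}.lily"
    ];
  };

  # Increase max upload size for uploading gcode files from PrusaSlicer.
  # This is the host-wide nginx setting, so it applies to every vhost on this box.
  services.nginx.clientMaxBodySize = "4G";

  # Open the port only on the WireGuard interfaces, and TCP only: the listen
  # blocks above are plain HTTP, so the former UDP rules exposed an unused port.
  networking.firewall.interfaces.gradientnet.allowedTCPPorts = [ ports.mainsail ];
  networking.firewall.interfaces.lilynet.allowedTCPPorts = [ ports.mainsail ];

}
--------------------------------------------------------------------------------
/hosts/yetzirah/misc/service-ports.nix:
--------------------------------------------------------------------------------
{

  mainsail = 80;
  ustreamer = 5050;
  ustreamer-endoscope = 5051;
  moonraker = 7125;

}
--------------------------------------------------------------------------------
/hosts/yetzirah/secrets/default.nix:
--------------------------------------------------------------------------------
{ config, ...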
}: 2 | { 3 | 4 | sops = { 5 | age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 6 | defaultSopsFile = ./secrets.yml; 7 | 8 | secrets = { 9 | 10 | wireguard-private-key = { restartUnits = [ "wireguard-*" ]; }; 11 | 12 | /*moonraker = { 13 | owner = config.services.moonraker.user; 14 | group = config.services.moonraker.group; 15 | path = "${config.services.moonraker.stateDir}/moonraker.secrets"; 16 | restartUnits = [ "moonraker.service" ]; 17 | };*/ 18 | 19 | network-manager-env = { 20 | restartUnits = [ "NetworkManager.service" ]; 21 | }; 22 | 23 | }; 24 | }; 25 | 26 | 27 | } -------------------------------------------------------------------------------- /hosts/yetzirah/secrets/secrets.yml: -------------------------------------------------------------------------------- 1 | wireguard-private-key: ENC[AES256_GCM,data:P/qlHA36KDUOpThny+XLH8AFQkhRU6/CtIt9W+PEgshSTZ8C1AV/ieqYnIY=,iv:EDFxEkHNHDK+fSJMijSM/V9ZnoL7W2NJsoMcfopBND8=,tag:nBk27956yMoXtTopYB2q0w==,type:str] 2 | moonraker: ENC[AES256_GCM,data:jAInVfC3MHLtBhy94vIu+G0HvieiNvI9X1rH6WlC67AyH99eNi49DqpBDUaRU80rmqV+aP+AVnr5t52kdZxj4mGkTJAmW0zIkEOlx3DUF6o=,iv:ulyM4ZH86yuR3vGhwiMXjW0DNtL6t24QYi3bIhYjLnA=,tag:5E4XHOT/5NGA9tWmxUK9sg==,type:str] 3 | network-manager-env: ENC[AES256_GCM,data:FO55k93Eovy/MzKL87dlml03hPPPFgBPyLRZE9sr6znR,iv:Z+hPxVtqB4h6QW6o1Hzvd2DJoWfIyc7mxvcp7mB2U6Y=,tag:+0W+MQ42oxvCIiVOBiveaA==,type:str] 4 | sops: 5 | kms: [] 6 | gcp_kms: [] 7 | azure_kv: [] 8 | hc_vault: [] 9 | age: 10 | - recipient: age1w7xthmy2u80yp9jx98dnmcek0xcdcfmjx5at823m3536rkp5q3xqkqfw2j 11 | enc: | 12 | -----BEGIN AGE ENCRYPTED FILE----- 13 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU2l6R0VkVXBGSkI4dnla 14 | N2hVWnNMbTV4WGgrbGtBd00xQlhHMFRxZWpvCkZLVUNabG1oL1BBbENqbHN3d0xW 15 | cWVjTDdldHl0dm5aZGg1V2JsS0xVclkKLS0tIFBlelhFcThoU3R6WE9GNWVybWJn 16 | UXIzMEdrMGRJbW42Ynp3aUM2ZFpydEUKCt7jbPP3eWb3tXA2p26iVb3PVGwwcf0t 17 | fnHPwMfy1oS9dfaaTxLk315GqXmFkCgvkU/g4RAGrNOgkk723C77HA== 18 | -----END AGE ENCRYPTED FILE----- 19 | - 
recipient: age1ca2ptgj50tdc9lf20mlsq64efqkczd7zlvt49fdnk0z8u7qy7v8sha9tsy 20 | enc: | 21 | -----BEGIN AGE ENCRYPTED FILE----- 22 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjNlJOeXF4NGVHRFlhMzN5 23 | bld1Njh6bm1MNkVDRUhJOFpreDc0RTQ1MDBRCnhCQnFkcmFJNFNJUElVMEFXNVNT 24 | SmtubXJiSFNBK0hCREs0cktJdkJGR3cKLS0tIDVONWdLbU9OcXpxZ2RJSmhYL2NV 25 | NnYwb1RORVFJM244Y29MYXkyaXdqblUKli/+qT7rEh/Uq1XvlEG1ABy5SCtMc3nQ 26 | oUz9u5lVfLpmsrDVeUs6dSm1RumCn7UhJu1qHHE4WXmCuiXNuASdJg== 27 | -----END AGE ENCRYPTED FILE----- 28 | lastmodified: "2025-04-01T08:54:26Z" 29 | mac: ENC[AES256_GCM,data:uweY8WktVuPABBLwA+3es0hU4lDwXwMEEd9qBJRXCV2wAlaSUsCtZR1GM6R+7f/JYesQs9tl/2V+djtefKobWhTdg2UxqMqPw/E0braVt9r7stL17AXwKHmRwPG+uNQNjuAjieoMZISld7jZgmJBg3/FYmwVv0jRqmQo3lXxugw=,iv:m8KMczClsQGUEcjhpMHpqghzyD4znu+pg9075gSO4Rw=,tag:ejWdCPobtmhYlXnM4+yJgA==,type:str] 30 | pgp: [] 31 | unencrypted_suffix: _unencrypted 32 | version: 3.9.4 33 | -------------------------------------------------------------------------------- /justfile: -------------------------------------------------------------------------------- 1 | @default $JUST_CHOOSER="nix run nixpkgs#fzf": 2 | just --choose 3 | 4 | run HOST *COMMAND: 5 | #! 
/usr/bin/env bash 6 | IP=$(nix eval --quiet --raw .#nixosConfigurations.{{HOST}}.config.deployment.targetHost) 7 | ssh -t $IP "{{COMMAND}}" 8 | 9 | logs HOST UNIT: (run HOST "sudo journalctl -xefu" UNIT) 10 | 11 | [group('deployment')] 12 | switch HOST: 13 | @just apply switch {{HOST}} 14 | 15 | [group('deployment')] 16 | apply OPERATION HOST: 17 | @if [ "{{HOST}}" = "local" ]; then \ 18 | just apply-local {{OPERATION}}; \ 19 | else \ 20 | colmena apply {{OPERATION}} --on={{HOST}} --evaluator=streaming --build-on-target; \ 21 | fi; 22 | 23 | [group('deployment')] 24 | apply-local OPERATION: 25 | @sudo colmena apply-local {{OPERATION}} --sudo --show-trace 26 | 27 | [group('secrets')] 28 | edit-secret HOST $EDITOR="code --wait": 29 | sops ./hosts/{{HOST}}/secrets/secrets.yml 30 | 31 | [group('secrets')] 32 | edit-secret-kanidm $EDITOR="code --wait": 33 | sops --input-type=binary ./hosts/asiyah/secrets/kanidm-provisioning.encjson 34 | 35 | [group('secrets')] 36 | edit-secret-core $EDITOR="code --wait": 37 | sops ./core/secrets/secrets.yml 38 | 39 | [group('secrets')] 40 | edit-secret-asiyah: 41 | just edit-secret asiyah 42 | 43 | [group('secrets')] 44 | edit-secret-briah: 45 | just edit-secret briah 46 | 47 | [group('secrets')] 48 | edit-secret-atziluth: 49 | just edit-secret atziluth 50 | 51 | [group('secrets')] 52 | edit-secret-beatrice: 53 | just edit-secret beatrice 54 | 55 | [group('secrets')] 56 | edit-secret-bernkastel: 57 | just edit-secret bernkastel 58 | 59 | [group('secrets')] 60 | edit-secret-erika: 61 | just edit-secret erika 62 | 63 | [group('secrets')] 64 | edit-secret-featherine: 65 | just edit-secret featherine 66 | 67 | [group('secrets')] 68 | edit-secret-neith-deck: 69 | just edit-secret neith-deck 70 | 71 | [group("editing")] 72 | edit-remote HOST PATH: 73 | code sftp://root@{{HOST}}{{PATH}} -------------------------------------------------------------------------------- /lib/mkFlake.nix: 
-------------------------------------------------------------------------------- 1 | /* 2 | gradientosConfigurations = [ 3 | { 4 | name = "example-machine"; 5 | modules = [ 6 | ./example-module.nix 7 | ]; 8 | users.example.modules = [ 9 | ./example-home-manager-module.nix 10 | ]; 11 | generators = []; 12 | deployment = {}; 13 | } 14 | ] 15 | */ 16 | self: { gradientosConfigurations ? [], ... }@args: 17 | let 18 | lib = import ./default.nix self; 19 | nixpkgsLib = self.inputs.nixpkgs.lib; 20 | in { 21 | inherit lib; 22 | 23 | nixosConfigurations = 24 | let 25 | configurations = builtins.filter (x: (x.makeSystem or true)) gradientosConfigurations; 26 | in builtins.listToAttrs 27 | (map (x: { name = x.name; value = lib.gradientosSystem x; }) configurations); 28 | 29 | colmena = nixpkgsLib.lists.foldr (a: b: (nixpkgsLib.attrsets.recursiveUpdate a b)) 30 | { 31 | meta = { 32 | description = "GradientOS machines"; 33 | nixpkgs = import self.inputs.nixpkgs { system = "x86_64-linux"; }; 34 | }; 35 | } 36 | (map (x: lib.gradientosSystemColmena x) (builtins.filter (x: x.makeSystem or true) gradientosConfigurations)); 37 | 38 | packages = 39 | let 40 | configurations = builtins.filter (x: (builtins.length x.generators or []) != 0) gradientosConfigurations; 41 | x86_64-linux-configurations = builtins.filter (x: x.system or "x86_64-linux" == "x86_64-linux") configurations; 42 | aarch64-linux-configurations = builtins.filter (x: x.system or "x86_64-linux" == "aarch64-linux") configurations; 43 | generate = config: (map (x: { name = config.name+"-"+x; value = lib.gradientosSystemGenerator (config // { format = x; }); }) 44 | (nixpkgsLib.lists.unique config.generators or [])); 45 | generateMany = configs: builtins.listToAttrs (nixpkgsLib.lists.flatten (map (x: generate x) configs)); 46 | in (nixpkgsLib.attrsets.recursiveUpdate ({ 47 | "x86_64-linux" = generateMany x86_64-linux-configurations; 48 | "aarch64-linux" = generateMany aarch64-linux-configurations; 49 | }) (args.packages 
or {})); 50 | 51 | } // removeAttrs args [ "gradientosConfigurations" "packages" ] -------------------------------------------------------------------------------- /misc/ansible/apps.nix: -------------------------------------------------------------------------------- 1 | pkgs: 2 | { 3 | ansible-playbook = { 4 | type = "app"; 5 | program = builtins.toString (pkgs.writeShellScript "gradient-ansible-playbook.sh" 6 | "${pkgs.ansible}/bin/ansible-playbook -i \"${pkgs.gradient-ansible-inventory}\" \"${pkgs.gradient-ansible-playbook}\""); 7 | }; 8 | } -------------------------------------------------------------------------------- /misc/ansible/inventory.nix: -------------------------------------------------------------------------------- 1 | let 2 | addr = import ../wireguard-addresses.nix; 3 | atziluth = import ../../hosts/atziluth/inventory-entry.nix addr; 4 | in 5 | { 6 | ungrouped = { 7 | hosts = { 8 | inherit atziluth; 9 | }; 10 | }; 11 | printers = { 12 | hosts = { 13 | inherit atziluth; 14 | }; 15 | }; 16 | } -------------------------------------------------------------------------------- /misc/ansible/playbook.nix: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | name = "Common GradientOS play"; 4 | hosts = "all"; 5 | tasks = [ 6 | 7 | ]; 8 | } 9 | ] ++ (import ../../hosts/atziluth/playbook.nix) -------------------------------------------------------------------------------- /misc/colmena-tags.nix: -------------------------------------------------------------------------------- 1 | { 2 | desktop = "desktop"; 3 | server = "server"; 4 | 5 | steam-deck = "steam-deck"; 6 | raspberry-pi = "raspberry-pi"; 7 | 8 | x86_64 = "x86_64"; 9 | aarch64 = "aarch64"; 10 | 11 | vera = "vera"; 12 | neith = "neith"; 13 | } -------------------------------------------------------------------------------- /misc/nix-pub-keys.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | asiyah = 
"asiyah:9YPCED8A1kqUZP+PHABoV1gTNhTNVrWMlyobS7GAroI="; 4 | briah = "briah:Y8aQ6cqf1BeSs2U4pPIOKzCNuyvqsWG53vkbfDxnns4="; 5 | bernkastel = "bernkastel:mGIiVrWzbBO8t7hYexRXGltpwOKqU0zDKU8HfmX0p1I="; 6 | beatrice = "beatrice:KG7C6YBmQh2RzxyH0Khu4mdT0Lia70H6Tiwo4JBDAv0="; 7 | erika = "erika:CmqRdnqjEGm/MWrqT9HkFGyC3JGXwrjll2YK9dVLeH0="; 8 | neith-deck = "neith-deck:IMdc2vNBne8FnGz4xjnSUcMeUptfz5SIWr52Qn4ewng="; 9 | 10 | } -------------------------------------------------------------------------------- /misc/ssh-pub-keys.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | vera = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOH4ZOMQX/C9x2s4D7mvP7ip1ll+Nhar+tCJiTpy1DuY vera"; 4 | neith = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvWBwM05NhjDy+TaXqwEXJws4wt3jmuoVWkdsmCSf75 neith"; 5 | remie = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkirGoSbSLBc3BCxhe4XuDfoHNrvQgoWijuQ6Uo4xeUFbJJG2BngzZit8POiJ+7mBKf2nkkCZb+2oCaGQX6QBMFQhEEI31IZotQYG+3NxGu8aLDyN2SJf6iPy+Ijju5dyeLcZOtkxU5zex72+IiDvLA9pZt0ZotFxOFha6OejHQKbJPe+bx+PkJyGnvp+6+VN1gIqqK5JR4oS4so0vWY9Ah/tIRDpJGNNgZDNAg+F2IL8D7mLqFt+dyW6rbZlpsIH2RMAn3KXGNMBFMlV55gezopahuphcAH7DjsTEPrxtNWOdAljyM3msIcl1vn6QfdWPly6SKJtYWK0T46aOnICZw=="; 6 | 7 | bernkastel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASW3e0XJ7D5Dc1C5MZXzohXdwYxJVGrnoBFJO25/eT"; 8 | neith-deck = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXQfijMhj17THId0OrI5/i+LHCK2FfGHRjyNgc8PRpZ"; 9 | beatrice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJxI6cJR0NmKFJxeE8YRQZpsewfVlzhVFgl7YEM8fw3"; 10 | erika = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZlsIdiy3tH4wPa29/TSxNAsxo8N6M3Im/GS7nwLTxm"; 11 | asiyah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBNAZrSsE32qK7TaAYaQs/XBsGOWN59Qz/lzYi6+zHzi"; 12 | briah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZY+PxoNSdjmjcpLPlNzUjL8M4YvX6AG/0Rf0yXr2kI"; 13 | featherine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8H187QhA3tbMFUf8Ht4BDJDbNvTB0+/0BtVK2cgCIl"; 14 | 15 | forgejo = "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIDUcf1iQMcd4DQHdA8Y0EsG5Ci4ZAqKoR7Fhcx5uheL4 git-gradient-moe"; 16 | 17 | } -------------------------------------------------------------------------------- /misc/syncthing-device-ids.nix: -------------------------------------------------------------------------------- 1 | { 2 | bernkastel = "SXWKC5N-MKDTRAN-ZBA4SJQ-EACWWAJ-W75C5AE-EQ354MY-CNJRQMQ-OZ67TQY"; 3 | beatrice = "P455HV3-LLB6SKD-GABF3NX-A7Y3WCJ-NCUJ4LA-UAOHCVS-C6O3PXF-TKZXKAK"; 4 | erika = "DNHNL3K-UJEVV66-5KLBCPW-VQPDSJC-RER2AQP-LHYBJS6-R6MOJIP-XZYTXQX"; 5 | neith-deck = "SYZPJXZ-DXZGXDN-5HVLTP4-7MH45FI-YJSUP2A-ACLXJ24-MPGCSZT-IFFDRQ7"; 6 | asiyah = "XMGIYWF-IUTHHLG-6ME6UQW-2X3NCHD-H7A56LQ-F7EEZZ2-SYCQ2HN-2FPT3QT"; 7 | briah = "YGAS3YA-IXVU3R5-KQR6A2Z-Z5GQCSX-XXLRS4D-4WPJQHA-CKODYMV-KZSYUQO"; 8 | featherine = "KN7V4VD-HZUC4GX-4T2243K-KLF5XJT-ZIKKK72-4TKXW3X-MG6IR5Q-X32IVQ4"; 9 | vera-phone = "RQ67OI4-SPEED6T-SPS2ZEB-NRZHJJH-555V55A-OJTZO7I-CP4NTAD-USFV5A7"; 10 | work-laptop = "ZAWI35R-BHTHAVO-TPB4F6E-R65K2RD-5GN7RGC-ZRCDNUT-7LYPFE2-HUYRSAF"; 11 | hadal-rainbow = "Y7YKTCS-Z2ZNASV-3OMJXNS-SX4CQII-EBUQELI-UMDBXJP-YO4OP7Q-UELCPQD"; 12 | ange = "WSVTU6V-SIF5OU7-LKPIG34-NBJCI4O-UZWUPMY-UG7NMM4-2K2IVLN-5IV7MQ3"; 13 | } -------------------------------------------------------------------------------- /misc/wireguard-addresses.nix: -------------------------------------------------------------------------------- 1 | { 2 | gradientnet = { 3 | gradientnet = "192.168.24.0"; 4 | asiyah = "192.168.24.1"; 5 | yetzirah = "192.168.24.8"; 6 | briah = "192.168.24.24"; 7 | atziluth = "192.168.24.48"; 8 | bernkastel = "192.168.24.2"; 9 | beatrice = "192.168.24.3"; 10 | vera-phone = "192.168.24.4"; 11 | vera-laptop = "192.168.24.5"; 12 | erika = "192.168.24.6"; 13 | featherine = "192.168.24.7"; 14 | }; 15 | 16 | lilynet = { 17 | lilynet = "192.168.109.0"; 18 | asiyah = "192.168.109.1"; 19 | yetzirah = "192.168.109.10"; 20 | briah = "192.168.109.24"; 21 | bernkastel = "192.168.109.2"; 22 | neith-deck = 
"192.168.109.3"; 23 | beatrice = "192.168.109.5"; 24 | erika = "192.168.109.6"; 25 | neith = "192.168.109.7"; 26 | featherine = "192.168.109.8"; 27 | remie = "192.168.109.9"; 28 | }; 29 | } -------------------------------------------------------------------------------- /misc/wireguard-pub-keys.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | bernkastel = "pgPX/8I6p/6z19w4mP38VVNK9RQDXHI3rUdy9Zzv0gg="; 4 | beatrice = "3iA3etOZC+5J3zKjcFvQVw5bhiKKC0XGUQap43yMB1o="; 5 | erika = "okNBZAPQiNALnW0Z6AXz+pXv1CJfo+YfCTtnx07fLEo="; 6 | neith-deck = "p4dmhuDzBmzHvudnT2nnSTrGQY047ubuCEjEk2U2zFw="; 7 | asiyah = "sZ7toLMyaiDj/r2Lz9n7UNMs1tXeQn+qAP1hHclKiQs="; 8 | yetzirah = "5FPEWtc1C2nU3VpmLC7E6nHPrI0Z0+pZlvkjOHFVQFQ="; 9 | briah = "oIa6pYWG0rIZ0lYiLlOCiR74FSoXkQOfLHssz3iB/Rc="; 10 | atziluth = "TODO"; 11 | vera-phone = "yySbF5AY5dmoTp5v/e6wwhl9VZqTvhXufGAnUqbfZkg="; 12 | vera-laptop = "Ml8DDdUjufdmEc0//PATnJq007Sc6gfoiG2gIHD1mAw="; 13 | featherine = "ck7DAR0e7vBgAQ9atvzjHlXtBnuRqWPoPhmamw8ip0c="; 14 | 15 | neith = "VK93plqvZl1SOkgSjIuTCZBxj3TKw5it/NCZUTv8Ank="; 16 | remie = "5H/fvb3jGGoUBwp0c+OAUbsj0ujuIf+FBOwFxCNkPgc="; 17 | 18 | } -------------------------------------------------------------------------------- /mixins/binfmt-emulation.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | { 3 | boot.binfmt.emulatedSystems = [ 4 | "aarch64-linux" 5 | "armv7l-linux" 6 | ]; 7 | 8 | boot.binfmt.preferStaticEmulators = true; 9 | } -------------------------------------------------------------------------------- /mixins/declarative-flatpak.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | { 3 | 4 | services.flatpak.remotes = { 5 | flathub = "https://dl.flathub.org/repo/flathub.flatpakrepo"; 6 | flathub-beta = "https://dl.flathub.org/beta-repo/flathub-beta.flatpakrepo"; 7 | }; 8 | 9 | } -------------------------------------------------------------------------------- /mixins/gnupg.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... }: 2 | 3 | { 4 | 5 | services.pcscd.enable = true; 6 | 7 | programs.gnupg.agent = { 8 | enable = true; 9 | }; 10 | 11 | environment.systemPackages = with pkgs; [ 12 | gnupg 13 | pinentry 14 | pinentry-curses 15 | ]; 16 | } -------------------------------------------------------------------------------- /mixins/graphical/steam.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | 3 | { 4 | 5 | hardware.steam-hardware.enable = true; 6 | 7 | programs.steam = { 8 | enable = true; 9 | remotePlay.openFirewall = true; 10 | dedicatedServer.openFirewall = true; 11 | extest.enable = true; 12 | protontricks.enable = true; 13 | extraCompatPackages = with pkgs; [ 14 | steam-play-none 15 | proton-ge-bin 16 | ]; 17 | }; 18 | 19 | # Workaround https://github.com/NixOS/nixpkgs/issues/45492 20 | systemd.extraConfig = "DefaultLimitNOFILE=1048576"; 21 | security.pam.loginLimits = [{ 22 | domain = "*"; 23 | type = "hard"; 24 | item = "nofile"; 25 | value = "1048576"; 26 | }]; 27 | 28 | # Helps some windows games running under Proton. 29 | boot.kernel.sysctl = { 30 | "vm.max_map_count" = 2147483642; 31 | }; 32 | 33 | environment.sessionVariables = { WINEDEBUG = "-all"; }; 34 | 35 | # See https://github.com/NixOS/nixpkgs/issues/230575 36 | # Breaks some other things... 
37 | #environment.etc = { 38 | # "ssl/certs/f387163d.0".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/Starfield_Class_2_CA:0.crt"; 39 | # "ssl/certs/f081611a.0".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/Go_Daddy_Class_2_CA:0.crt"; 40 | #}; 41 | 42 | environment.systemPackages = with pkgs; [ 43 | steam-rom-manager 44 | steamtinkerlaunch 45 | proton-caller 46 | protontricks 47 | protonup-qt 48 | steam-run 49 | lutris 50 | ]; 51 | 52 | } -------------------------------------------------------------------------------- /mixins/graphical/sunshine.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | environment.systemPackages = with pkgs; [ 5 | sunshine 6 | ]; 7 | 8 | # Sunshine ports 9 | networking.firewall.allowedTCPPorts = [ 47989 ]; 10 | networking.firewall.allowedUDPPorts = [ 47989 ]; 11 | 12 | } -------------------------------------------------------------------------------- /mixins/hardware/amdcpu.nix: -------------------------------------------------------------------------------- 1 | { self, config, lib, pkgs, ... }: 2 | 3 | { 4 | 5 | imports = [ 6 | self.inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate 7 | ]; 8 | 9 | hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 10 | 11 | # System Management Unit 12 | hardware.cpu.amd.ryzen-smu.enable = true; 13 | 14 | environment.systemPackages = with pkgs; [ 15 | ryzenadj 16 | zenstates 17 | ]; 18 | 19 | } -------------------------------------------------------------------------------- /mixins/hardware/amdgpu.nix: -------------------------------------------------------------------------------- 1 | { self, pkgs, ... 
}:

{

  imports = [
    self.inputs.nixos-hardware.nixosModules.common-gpu-amd
  ];

  # Prefer the Mesa RADV Vulkan driver over AMDVLK.
  environment.variables.AMD_VULKAN_ICD = "RADV";

  # LACT ships a systemd unit (its daemon); the package is also added to the
  # graphics stack below.
  systemd.packages = with pkgs; [
    lact
  ];

  hardware.graphics.extraPackages = with pkgs; [
    lact
    vaapiVdpau
    libvdpau-va-gl
    rocmPackages.clr
    rocmPackages.rocm-runtime
    rocmPackages.rocm-device-libs
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/azure.nix:
--------------------------------------------------------------------------------
# Azure VM base: the upstream azure-common module plus systemd-networkd.
{ modulesPath, lib, ... }:
{

  imports = [
    "${modulesPath}/virtualisation/azure-common.nix"
    # NOTE(review): this file lives in mixins/hardware/, so the path below
    # resolves to mixins/mixins/networkd.nix; the networkd mixin listed in
    # nixosMixins.nix is at mixins/networkd.nix. Confirm this should be
    # `../networkd.nix`.
    ../mixins/networkd.nix
  ];

  # Forcibly disable NetworkManager.
  networking.networkmanager.enable = lib.mkForce false;

}
--------------------------------------------------------------------------------
/mixins/hardware/bluetooth.nix:
--------------------------------------------------------------------------------
# Bluetooth with the experimental BlueZ build and tuned pairing/LE settings.
{ pkgs, ... }:

{

  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
    package = pkgs.bluez-experimental;
    settings = {
      General = {
        Class = "0x000100";
        ControllerMode = "dual";
        FastConnectable = true;
        # "always" lets a device that was paired with Just Works re-pair without
        # any user confirmation. That removes the one prompt that would expose a
        # peer impersonating a previously paired device; "confirm" keeps the
        # prompt if that trade-off is not wanted.
        JustWorksRepairing = "always";
        # Per-device privacy: the controller uses a resolvable private address
        # so it is harder to track passively.
        Privacy = "device";
      };
      Policy = {
        ReconnectIntervals = "1,1,2,3,5,8,13,21,34,55";
        AutoEnable = true;
      };
      LE = {
        MinConnectionInterval = "7";
        MaxConnectionInterval = "9";
        ConnectionLatency = "0";
      };
    };
  };

}
--------------------------------------------------------------------------------
/mixins/hardware/eaton-ups.nix:
--------------------------------------------------------------------------------
# NUT (Network UPS Tools) for an Eaton USB UPS.
{ config, pkgs, ...
}:
{
  power.ups = {
    enable = true;

    ups."Eaton" = {
      driver = "usbhid-ups";
      port = "auto";
      summary = ''
        vendorid = 0463
      '';
    };

    users.upsmon = {
      # The upsmon password is read from a sops-managed file at runtime; the
      # secret itself is declared elsewhere, not in this file.
      passwordFile = config.sops.secrets.upsmon-password.path;
      upsmon = "primary";
    };

    upsmon.monitor."Eaton".user = "upsmon";
  };

  environment.systemPackages = [
    pkgs.nut
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/home-dcp-l2530dw.nix:
--------------------------------------------------------------------------------
# Brother DCP-L2530DW printer/scanner on the home network.
{ pkgs, ... }:

{

  services.printing = {
    enable = true;
    drivers = [ pkgs.brlaser pkgs.ptouch-driver ];
  };

  hardware.sane = {
    enable = true;
    # Opens the saned port(s) on the host firewall so the scanner can call back;
    # only needed on networks where the scanner is reachable anyway.
    openFirewall = true;
    extraBackends = [ pkgs.sane-airscan ];
    # Scanner address on the home LAN.
    netConf = ''
      192.168.1.12
    '';
    brscan5 = {
      # enable = true; # TODO: Broken
      netDevices.brother = {
        model = "DCP-L2530DW";
        nodename = "BRW4CD5776D8616";
      };
    };
  };

  environment.systemPackages = with pkgs; [
    xsane
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/intelgpu-vaapi.nix:
--------------------------------------------------------------------------------
{ pkgs, ...
}:
{

  # Enable low-power encoding
  # (GuC submission on the i915 driver; this loads Intel-signed GuC firmware.)
  boot.extraModprobeConfig = ''
    options i915 enable_guc=2
  '';

  environment.systemPackages = with pkgs; [
    vdpauinfo
    libva-utils
    intel-gpu-tools
  ];

  hardware.intelgpu.enableHybridCodec = true;

  hardware.graphics = {
    enable = true;
    enable32Bit = true;
    extraPackages = with pkgs; [
      (intel-vaapi-driver.override { enableHybridCodec = true; })
      intel-compute-runtime
      intel-media-driver
      libva-vdpau-driver
      intel-media-sdk
      libvdpau-va-gl
      vpl-gpu-rt
    ];
    # 32-bit counterparts for the same VA-API/VDPAU stack.
    extraPackages32 = with pkgs.driversi686Linux; [
      (intel-vaapi-driver.override { enableHybridCodec = true; })
      intel-media-driver
      libvdpau-va-gl
      libva-vdpau-driver
    ];
  };

}
--------------------------------------------------------------------------------
/mixins/hardware/logitech-driving-wheels.nix:
--------------------------------------------------------------------------------
# Logitech force-feedback wheels: out-of-tree driver plus a manager UI.
{ pkgs, ... }:
{

  # Better support
  hardware.new-lg4ff.enable = true;

  # Steering wheel manager
  environment.systemPackages = [
    pkgs.oversteer
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/openrazer.nix:
--------------------------------------------------------------------------------
# Razer peripheral support; the user list grants daemon access.
{ ... }:
{

  hardware.openrazer = {
    enable = true;
    keyStatistics = true;
    # Only this user is added to the openrazer group.
    users = [ "vera" ];
  };

}
--------------------------------------------------------------------------------
/mixins/hardware/qmk.nix:
--------------------------------------------------------------------------------
{ pkgs, ...
}:
{

  # Installs the udev rules needed to flash QMK keyboards as a normal user.
  hardware.keyboard.qmk.enable = true;

  environment.systemPackages = [
    pkgs.qmk_hid
    pkgs.vial
    pkgs.qmk
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/raspberrypi4.nix:
--------------------------------------------------------------------------------
{ self, ... }:

{

  imports = [
    self.inputs.nixos-hardware.nixosModules.raspberry-pi-4
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/steamdeck-minimal.nix:
--------------------------------------------------------------------------------
# Steam Deck hardware support via Jovian-NixOS, without the Steam UI session.
{ pkgs, ... }:
{

  # Enable hardware and Steam support.
  jovian.devices.steamdeck.enable = true;
  # NOTE(review): presumably this auto-updates Deck firmware from Jovian's
  # packages on activation; confirm that is wanted on every host using this file.
  jovian.devices.steamdeck.autoUpdate = true;
  jovian.devices.steamdeck.enableXorgRotation = false;

  environment.systemPackages = with pkgs; [
    galileo-mura
    steamdeck-firmware
    jupiter-dock-updater-bin
  ];

  # Automount SD card.
  # nofail + the very short device timeout keep boot from stalling when no card
  # is inserted; the mount is created on first access (x-systemd.automount).
  fileSystems."/run/media/deck/mmcblk0p1" = {
    device = "/dev/mmcblk0p1";
    options = [ "defaults" "rw" "nofail" "x-systemd.automount" "x-systemd.device-timeout=1ms" "comment=x-gvfs-show" ];
  };

  # Symlink old Steam Deck SD card path to new one.
  systemd.tmpfiles.rules = [ "L+ /run/media/mmcblk0p1 - - - - /run/media/deck/mmcblk0p1" ];

}
--------------------------------------------------------------------------------
/mixins/hardware/steamdeck.nix:
--------------------------------------------------------------------------------
{ pkgs, ... }:

{

  imports = [
    ./steamdeck-minimal.nix
    ../jovian-decky-loader.nix
  ];

  jovian.steam.enable = true;

  # Add some useful packages.
environment.systemPackages = with pkgs; [
    mangohud
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/wacom.nix:
--------------------------------------------------------------------------------
{ pkgs, ... }:

{

  services.xserver.wacom.enable = true;

  environment.systemPackages = with pkgs; [
    wacomtablet
    libwacom
  ];

}
--------------------------------------------------------------------------------
/mixins/hardware/webcam.nix:
--------------------------------------------------------------------------------
{ pkgs, ... }:

{

  services.uvcvideo.dynctrl = {
    enable = true;
    # Pulled from the pinned "stable" package set rather than unstable.
    packages = [ pkgs.stable.tiscamera ]; # Workaround until nixpkgs unstable fixes tiscamera
  };

}
--------------------------------------------------------------------------------
/mixins/hardware/xbox-one-controller.nix:
--------------------------------------------------------------------------------
{ ... }:

{

  # Xbox one controller bluetooth workaround
  # disable_ertm applies to the whole bluetooth module, not only the controller.
  hardware.xpadneo.enable = true;
  boot.extraModprobeConfig = '' options bluetooth disable_ertm=1 '';

}
--------------------------------------------------------------------------------
/mixins/home/zsh.nix:
--------------------------------------------------------------------------------
# Home-manager zsh setup with oh-my-zsh and the usual interactive plugins.
{ ... }:
{
  programs.zsh = {
    enable = true;
    enableCompletion = true;
    # NOTE(review): newer home-manager releases renamed this to
    # `autosuggestions.enable`; confirm the pinned version still accepts it.
    enableAutosuggestions = true;
    enableVteIntegration = true;
    syntaxHighlighting.enable = true;
    historySubstringSearch.enable = true;
    oh-my-zsh = {
      enable = true;
      plugins = [ "git" "python" "man" ];
    };
  };
}
--------------------------------------------------------------------------------
/mixins/jovian-decky-loader.nix:
--------------------------------------------------------------------------------
# Decky Loader (Steam Deck plugin loader) with the runtime tools its plugins call.
{ config, pkgs, lib, ...
}:
{

  # Requires enabling CEF remote debugging on the Developer menu settings to work.
  # That setting exposes a Chromium DevTools endpoint on the Steam client, which
  # anything running as the local user can drive. Keep it localhost-only and
  # treat local accounts on the device as trusted when this is enabled.
  jovian.decky-loader.enable = true;
  jovian.decky-loader.extraPackages = with pkgs; [
    power-profiles-daemon
    inotify-tools
    libpulseaudio
    coreutils
    gamescope
    gamemode
    mangohud
    pciutils
    systemd
    gnugrep
    python3
    gnused
    procps
    steam
    gawk
    file
  ];
  jovian.decky-loader.extraPythonPackages = pythonPkgs: with pythonPkgs; [
    click
  ];

  # Make every extraPackage's lib/ visible to the loader process (and thus to
  # the plugins it spawns).
  systemd.services.decky-loader.environment.LD_LIBRARY_PATH = lib.makeLibraryPath config.jovian.decky-loader.extraPackages;

}
--------------------------------------------------------------------------------
/mixins/neith-locale.nix:
--------------------------------------------------------------------------------
# Locale, timezone and keymap for the "neith" hosts (US English, Los Angeles).
{ ... }:
{

  # Set your time zone.
  time.timeZone = "America/Los_Angeles";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_US.UTF-8";
    LC_IDENTIFICATION = "en_US.UTF-8";
    LC_MEASUREMENT = "en_US.UTF-8";
    LC_MONETARY = "en_US.UTF-8";
    LC_NAME = "en_US.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "en_US.UTF-8";
    LC_TELEPHONE = "en_US.UTF-8";
    LC_TIME = "en_US.UTF-8";
  };

  # Configure console keymap
  console.keyMap = "us";

  # Configure keymap in X11
  services.xserver.xkb = {
    layout = "us";
    variant = "";
  };
}
--------------------------------------------------------------------------------
/mixins/networkd.nix:
--------------------------------------------------------------------------------
{ lib, ...
}:
{

  systemd.network.enable = true;

  # Local caching resolver. NOTE(review): `lib` is bound but unused here.
  services.dnsmasq = {
    enable = true;
    resolveLocalQueries = true;
    settings = {
      # Upstreams are queried over plain DNS (no DoT/DoH), so queries leave the
      # host unencrypted; acceptable on a trusted uplink, worth noting elsewhere.
      server = [
        "1.1.1.1"
        "1.0.0.1"
        "8.8.8.8"
        "8.8.4.4"
      ];
    };
  };

}
--------------------------------------------------------------------------------
/mixins/nix-store-serve.nix:
--------------------------------------------------------------------------------
# Serve this host's Nix store over ssh-ng to the listed keys.
{ config, ... }:
{

  nix.sshServe = {
    enable = true;
    # write = true plus the trusted-users entry below means every key in this
    # list can add store paths to this machine, not only fetch them. The key
    # list is therefore a trust boundary; keep it to hosts/users that could
    # already push builds here.
    write = true;
    protocol = "ssh-ng";
    keys = with config.gradient.const.ssh.pubKeys; [
      vera
      neith
      bernkastel
      beatrice
      erika
      neith-deck
      asiyah
      briah
    ];
  };

  nix.settings.trusted-users = [ "nix-ssh" ];
  # Signing key for paths served from here; the file is sops-managed and
  # declared outside this mixin.
  nix.extraOptions = ''
    secret-key-files = ${config.sops.secrets.nix-private-key.path}
  '';

}
--------------------------------------------------------------------------------
/mixins/plymouth.nix:
--------------------------------------------------------------------------------
{ ... }:

{

  boot.plymouth.enable = true;

}
--------------------------------------------------------------------------------
/mixins/podman.nix:
--------------------------------------------------------------------------------
# Podman as the container runtime (with a docker CLI shim) for oci-containers.
{ ... }:
{

  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
    autoPrune.enable = true;
    defaultNetwork.settings.dns_enabled = true;
  };

  virtualisation.oci-containers.backend = "podman";

}
--------------------------------------------------------------------------------
/mixins/restic/repository-hokma.nix:
--------------------------------------------------------------------------------
/*
  Don't forget to add folders to back-up on your host-specific config after importing this!
*/
{ config, ...
}:
let
  secrets = config.sops.secrets;
in
{

  services.restic.backups.hokma = {
    initialize = true;
    # Repository password and Azure credentials come from sops-managed files
    # (declared at the bottom of this file).
    passwordFile = secrets.hokma-password.path;
    environmentFile = secrets.hokma-environment.path;
    repository = "azure:backup:/";

    timerConfig = {
      OnCalendar = "Mon *-*-* 10:00:00";
      # Prevent concurrent backups, as it can lead to duplicate files
      # (the random delay staggers start times across hosts sharing this
      # repository; it does not lock the repository itself.)
      RandomizedDelaySec = "12h";
    };

    # Set these on your host!
    paths = [];

    # Sane defaults, but feel free to override
    exclude = [
      ".git"

      # tmpfs, no point in backing up
      "/home/*/tmp"

      # Too heavy and unimportant to back up
      "/home/*/Games"
      "/home/*/Downloads"
      "/home/*/.xlcore/ffxiv/game"
      "/home/*/Documents/Unity"

      # No point in backing these up
      "/home/*/.cache"
      "/home/*/.local/share/Trash"
      "/home/*/.local/share/containers"

      # Steam games
      "/home/*/.steam/"
      "/home/*/.local/share/Steam/steamapps/temp"
      "/home/*/.local/share/Steam/steamapps/*.acf"
      "/home/*/.local/share/Steam/steamapps/common"
      "/home/*/.local/share/Steam/steamapps/workshop"
      "/home/*/.local/share/Steam/steamapps/sourcemods"
      "/home/*/.local/share/Steam/steamapps/downloading"
      "/home/*/.local/share/Steam/steamapps/shadercache"
    ];
  };

  # Both secrets restart the backup unit when they change.
  sops.secrets =
    let
      secretCfg = { restartUnits = [ "restic-backups-hokma.service" ]; };
    in {
      hokma-password = secretCfg;
      hokma-environment = secretCfg;
    };

}
--------------------------------------------------------------------------------
/mixins/system76-scheduler.nix:
--------------------------------------------------------------------------------
{ ...
}:
{

  services.system76-scheduler = {
    enable = true;
    useStockConfig = true;
  };

}
--------------------------------------------------------------------------------
/mixins/tdarr-node.nix:
--------------------------------------------------------------------------------
# Tdarr worker node as a podman container, with its state and media on NFS
# exports from the asiyah host (reached over the wireguard address).
{ config, ... }:
let
  asiyahPorts = config.gradient.hosts.asiyah.ports;
  addresses = config.gradient.const.wireguard.addresses;
  # Fixed ids so files on the NFS exports keep consistent ownership.
  userUid = 976;
  groupGid = 972;
in
{

  imports = [
    ./podman.nix
  ];

  users.users.tdarr = {
    isSystemUser = true;
    linger = true;
    home = "/var/lib/tdarr";
    createHome = true;
    uid = userUid;
    homeMode = "775";
    group = "tdarr";
    # "render" grants access to the /dev/dri nodes passed into the container.
    extraGroups = [ "render" ];
  };

  users.groups.tdarr = {
    gid = groupGid;
  };

  boot.kernelModules = [ "nfs" ];

  fileSystems =
    let
      # Lazy automounts: mounted on first access, detached after a minute idle,
      # and never block boot (nofail). NOTE(review): no `sec=` option is given,
      # so these rely on the default AUTH_SYS mapping — confirm the export side
      # restricts clients accordingly.
      nfsOptions = [
        "nfsvers=4.2"
        "_netdev"
        "noauto"
        "x-systemd.automount"
        "x-systemd.mount-timeout=10"
        "x-systemd.idle-timeout=1min"
        "timeo=14"
        "nofail"
        "noatime"
      ];
    in
    {
      "/var/lib/tdarr" = {
        device = "${addresses.gradientnet.asiyah}:/export/mediarr/tdarr/";
        fsType = "nfs";
        options = nfsOptions;
      };

      "/asiyahMedia" = {
        device = "${addresses.gradientnet.asiyah}:/export/downloads/";
        fsType = "nfs";
        options = nfsOptions;
      };
    };

  virtualisation.oci-containers.containers.tdarrNode = {
    # NOTE(review): a floating ":latest" tag combined with pull = "newer" means
    # each restart may run a different, unreviewed image. Pinning to a digest
    # (image@sha256:<digest>) makes the node reproducible and auditable.
    image = "ghcr.io/haveagitgat/tdarr_node:latest";
    pull = "newer";
    volumes = [
      "/var/lib/tdarr/server:/app/server"
      "/var/lib/tdarr/config:/app/configs"
      "/var/lib/tdarr/logs:/app/logs"
      "/var/lib/tdarr/temp:/temp"
      "/asiyahMedia/tv:/media/tv"
      "/asiyahMedia/movies:/media/movies"
      "/asiyahMedia/adverts:/media/adverts"
    ];
    environment = {
      TZ = config.time.timeZone;
      PUID = toString userUid;
      PGID = toString groupGid;
      serverIP = addresses.gradientnet.asiyah;
      serverPort = toString asiyahPorts.tdarr-server;
      ffmpegVersion = "6";
      nodeName = config.networking.hostName;
    };
    # Host networking removes the container's network isolation entirely;
    # the GPU device nodes are passed through for hardware transcoding.
    extraOptions = [
      "--network=host"
      "--device=/dev/dri/:/dev/dri/"
    ];
  };

  # Tie the container's lifetime to both NFS mounts.
  systemd.services.podman-tdarrNode = {
    after = [ "var-lib-tdarr.mount" "asiyahMedia.mount" ];
    bindsTo = [ "var-lib-tdarr.mount" "asiyahMedia.mount" ];
  };

}
--------------------------------------------------------------------------------
/mixins/tor.nix:
--------------------------------------------------------------------------------
# Tor client (SOCKS, DNS port and torsocks) plus Tor Browser.
{ pkgs, ... }:
{

  services.tor = {
    enable = true;
    client.enable = true;
    client.dns.enable = true;
    torsocks.enable = true;
  };

  # Don't start the daemon until the network is actually up.
  systemd.services.tor.after = [ "network-online.target" ];
  systemd.services.tor.wants = [ "network-online.target" ];

  environment.systemPackages = with pkgs; [
    tor-browser
  ];

}
--------------------------------------------------------------------------------
/mixins/uwu-style.nix:
--------------------------------------------------------------------------------
# Copyright (C) 2015 davidak

# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:

# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

{ pkgs, ... }:

# UwU Style for NixOS

let
  # Pinned to a commit and a content hash, so the fetched source cannot change
  # underneath the build.
  nixowo = pkgs.fetchFromGitHub {
    owner = "TilCreator";
    repo = "NixOwO";
    rev = "d2bc0591d78f95d1659da9d9f5e2f07615075fd7";
    sha256 = "sha256-5H9PRSY77oMABvgNDZ/wBayEBXJTzE9sGeAjkFAqYIQ=";
  };

  # Overrides the hicolor nix-snowflake icon with the OwO variant.
  nixowo-icons = pkgs.runCommandLocal "nixowo-icons" { }
    ''
      install -m644 ${nixowo}/NixOwO_plain.svg -D $out/share/icons/hicolor/scalable/apps/nix-snowflake.svg
    '';

  # NOTE(review): this binding is not referenced anywhere in this file.
  meta.priority = 10;

  nixowo-icon = pkgs.runCommandLocal "nixowo-icon"
    { nativeBuildInputs = [ pkgs.imagemagick ]; }
    ''
      mkdir $out
      # convert logo to png
      convert -background none ${nixowo}/NixOwO_plain.svg logo.png
      # resize logo
      convert logo.png -resize 256x256 $out/logo.png
    '';
in
{
  boot.plymouth.logo = "${nixowo-icon}/logo.png";

  environment.systemPackages = [
    nixowo-icons
  ];
}
--------------------------------------------------------------------------------
/mixins/v4l2loopback.nix:
--------------------------------------------------------------------------------
# Virtual webcam device via the v4l2loopback out-of-tree module.
{ config, pkgs, ... }:
{

  boot.extraModulePackages = with config.boot.kernelPackages; [
    v4l2loopback
  ];

  environment.systemPackages = [
    pkgs.v4l-utils
  ];

  boot.kernelModules = [ "v4l2loopback" ];

  # Allow using the virtual camera device with the browser. Also gives it a pretty name!
  # One device, fixed at /dev/video21.
  boot.extraModprobeConfig = ''
    options v4l2loopback devices=1 video_nr=21 exclusive_caps=1 card_label="Virtual Webcam"
  '';

}
--------------------------------------------------------------------------------
/mixins/vera-locale.nix:
--------------------------------------------------------------------------------
# Locale, timezone and keymap for the "vera" hosts (Spanish keymap, Madrid time).
{ ... }:

{

  # Set your time zone.
  time.timeZone = "Europe/Madrid";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" "es_ES.UTF-8/UTF-8" "en_DK.UTF-8/UTF-8" ];

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "es_ES.UTF-8";
    LC_IDENTIFICATION = "es_ES.UTF-8";
    LC_MEASUREMENT = "es_ES.UTF-8";
    LC_MONETARY = "es_ES.UTF-8";
    LC_NAME = "es_ES.UTF-8";
    LC_NUMERIC = "es_ES.UTF-8";
    LC_PAPER = "es_ES.UTF-8";
    LC_TELEPHONE = "es_ES.UTF-8";
    # en_DK gives ISO 8601 dates while keeping English.
    LC_TIME = "en_DK.UTF-8";
  };

  # Configure console keymap
  console.keyMap = "es";

  # Configure keymap in X11
  services.xserver.xkb = {
    layout = "es";
    variant = "";
  };
}
--------------------------------------------------------------------------------
/mixins/virtualisation.nix:
--------------------------------------------------------------------------------
# libvirt/KVM with virt-manager and SPICE USB redirection.
# NOTE(review): `pkgs` is bound but unused in this file.
{ pkgs, ... }:

{

  virtualisation.spiceUSBRedirection.enable = true;
  virtualisation.libvirtd.enable = true;
  programs.virt-manager.enable = true;

}
--------------------------------------------------------------------------------
/mixins/wine.nix:
--------------------------------------------------------------------------------
{ pkgs, ...
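}:

{

  environment.systemPackages = with pkgs; [
    wineWowPackages.stagingFull
    winetricks
    cabextract
  ];

}
--------------------------------------------------------------------------------
/modules/default.nix:
--------------------------------------------------------------------------------
# Dummy module that imports every other module here.
# Some of these require the "core" module.
{ ... }:
{

  imports = [
    ./kernel/default.nix
    ./presets/default.nix
    ./hardware/default.nix
    ./profiles/default.nix

    ./nginx-robots.nix
    ./tmpfiles-check.nix
    ./substituter-switcher.nix
  ];

}
--------------------------------------------------------------------------------
/modules/hardware/default.nix:
--------------------------------------------------------------------------------
{ ... }:
{
  imports = [
    ./steamdeck.nix
  ];
}
--------------------------------------------------------------------------------
/modules/hardware/steamdeck.nix:
--------------------------------------------------------------------------------
# Option stub for Steam Deck support.
# NOTE(review): `config`, `pkgs` and `self` are bound but unused here.
{ config, lib, pkgs, self, ... }:
let
  cfg = config.gradient;
in
{

  options = {
    gradient.hardware.steamdeck.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable Steam Deck support, using Jovian-NixOS.
      '';
    };
  };

  config = lib.mkMerge [
    # The enable branch is currently empty, so turning this option on has no
    # effect yet; the Jovian wiring lives in the mixins for now.
    (lib.mkIf cfg.hardware.steamdeck.enable {

    })
  ];

}
--------------------------------------------------------------------------------
/modules/kernel/default.nix:
--------------------------------------------------------------------------------
{ ...
}:
{

  imports = [
    ./memory.nix
  ];

}
--------------------------------------------------------------------------------
/modules/nginx-robots.nix:
--------------------------------------------------------------------------------
# Injects the ai-robots-txt block list into every nginx virtual host and,
# when enabled, serves its robots.txt.
{ self, config, lib, ... }:
let
  cfg = config.gradient.nginx;
  robotsTxt = "${self.inputs.ai-robots-txt}/robots.txt";
  nginxBlockAIBots = builtins.readFile "${self.inputs.ai-robots-txt}/nginx-block-ai-bots.conf";
in
{

  # mkEnableOption prefixes its argument with "Whether to enable ", so the
  # description is phrased as a noun.
  options.gradient.nginx.enableBlockAIBots = lib.mkEnableOption "blocking of AI scraper bots in nginx virtual hosts";

  # Re-declares the virtualHosts option with an extra submodule so the defaults
  # below are merged into every host's definition.
  options.services.nginx.virtualHosts = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule {
      config = {
        # NOTE(review): the block-list config is applied to every virtual host
        # unconditionally; only the robots.txt location below honours
        # enableBlockAIBots. Confirm that asymmetry is intended.
        extraConfig = nginxBlockAIBots;
        # mkDefault so a host can still serve its own robots.txt.
        locations."= /robots.txt" = lib.mkIf cfg.enableBlockAIBots (lib.mkDefault {
          alias = robotsTxt;
        });
      };
    });
  };

}
--------------------------------------------------------------------------------
/modules/presets/default.nix:
--------------------------------------------------------------------------------
{ ... }:
{

  imports = [
    ./syncthing.nix
  ];

}
--------------------------------------------------------------------------------
/modules/profiles/audio/default.nix:
--------------------------------------------------------------------------------
# GradientOS audio profile: Pipewire with ALSA/JACK/PulseAudio compatibility.
{ config, lib, pkgs, ... }:
let
  cfg = config.gradient;
in
{
  imports = [
    ./um2.nix
    ./rnnoise.nix
    ./virtual-sink.nix
    ./input-normalizer.nix
  ];

  options = {
    gradient.profiles.audio.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable the GradientOS audio profile.
        Enables Pipewire, and adds ALSA, JACK and PulseAudio support for it.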
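'';
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.profiles.audio.enable {
      # PulseAudio proper must be off; pipewire-pulse takes its place below.
      services.pulseaudio.enable = lib.mkForce false;

      services.pipewire = {
        enable = true;
        alsa.enable = true;
        audio.enable = true;
        alsa.support32Bit = true;
        pulse.enable = true;
        jack.enable = true;
        wireplumber.enable = true;
      };

      # Real-time limits for members of the pipewire group only (not "*").
      security.pam.loginLimits =
        let
          mkLimit = item: value: {
            inherit item value;
            domain = "@pipewire";
            type = "-";
          };
        in
        [
          # As per https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Performance-tuning#rlimits
          (mkLimit "rtprio" "95")
          (mkLimit "nice" "-19")
          (mkLimit "memlock" "4194304")
        ];

      environment.systemPackages = with pkgs; [
        jack-matchmaker
        qpwgraph
      ];

      # Very permissive limits... But it fixes a race condition!
      systemd.services.wireplumber = {
        startLimitBurst = 100;
        startLimitIntervalSec = 60;
      };
      systemd.user.services.wireplumber = {
        startLimitBurst = 100;
        startLimitIntervalSec = 60;
      };
    })

    # Fixed: the scheduler lives under services.* (see the settings path below
    # and mixins/system76-scheduler.nix); the previous `config.system76-scheduler`
    # path is not an option and would fail evaluation.
    (lib.mkIf config.services.system76-scheduler.enable {
      services.system76-scheduler.settings.processScheduler.pipewireBoost.profile = {
        nice = -19;
        ioClass = "realtime";
      };
    })
  ];

}
--------------------------------------------------------------------------------
/modules/profiles/audio/rnnoise.nix:
--------------------------------------------------------------------------------
# Optional RNNoise noise-cancelling capture source on top of the audio profile.
{ config, lib, pkgs, ... }:
let
  cfg = config.gradient;
in
{
  options = {
    gradient.profiles.audio.rnnoise.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable a Noise Cancelling Source.
        Requires the audio profile to be enabled.
      '';
    };
  };

  config = lib.mkMerge [
    # Gated on the parent profile too, so enabling this alone does nothing.
    (lib.mkIf (cfg.profiles.audio.enable && cfg.profiles.audio.rnnoise.enable) {
      services.pipewire.extraConfig.pipewire."00-rnnoise.conf" = {
        "context.modules" = [
          { "name" = "libpipewire-module-filter-chain";
            "args" = {
              "node.description" = "Noise Canceling source";
              "media.name" = "Noise Canceling source";
              "filter.graph" = {
                "nodes" = [
                  {
                    "type" = "ladspa";
                    "name" = "rnnoise";
                    # LADSPA plugin path comes straight from the nix store.
                    "plugin" = "${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so";
                    "label" = "noise_suppressor_stereo";
                    "control" = {
                      "VAD Threshold (%)" = 50.0;
                      "VAD Grace Period (ms)" = 1000;
                      "Retroactive VAD Grace (ms)" = 100;
                    };
                  }
                ];
              };
              "audio.position" = [ "FL" "FR" ];
              "capture.props" = {
                "node.name" = "capture.rnnoise_source";
                "node.passive" = true;
                "audio.rate" = 48000;
              };
              "playback.props" = {
                "node.name" = "rnnoise_source";
                "media.class" = "Audio/Source";
                "media.role" = "Communication";
                "audio.rate" = 48000;
              };
            };
          }
        ];
      };
    })
  ];

}
--------------------------------------------------------------------------------
/modules/profiles/audio/virtual-sink.nix:
--------------------------------------------------------------------------------
# Loopback "Virtual Sink" that re-exposes its output as a source.
{ config, lib, pkgs, ... }:
let
  cfg = config.gradient;
in
{
  options = {
    gradient.profiles.audio.virtual-sink.enable = lib.mkOption {
      type = lib.types.bool;
      # On by default whenever the audio profile itself is on.
      default = cfg.profiles.audio.enable;
      description = ''
        Whether to enable a Virtual Sink. Enabled by default when the audio profile is enabled.
        Requires the audio profile to be enabled.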
'';
    };
  };

  config = lib.mkMerge [
    # Requires the parent audio profile as well as this option.
    (lib.mkIf (cfg.profiles.audio.enable && cfg.profiles.audio.virtual-sink.enable) {
      services.pipewire.extraConfig.pipewire."99-virtual-sink.conf" = {
        "context.modules" = [
          { "name" = "libpipewire-module-loopback";
            "args" = {
              "node.description" = "Virtual Sink";
              "media.name" = "Virtual Sink";
              "capture.props" = {
                "node.name" = "capture.virtual_sink";
                "audio.position" = [ "FL" "FR" ];
                "media.class" = "Audio/Sink";
              };
              "playback.props" = {
                "node.name" = "output.virtual_sink";
                "audio.position" = [ "FL" "FR" ];
                "stream.dont-remix" = true;
                "node.passive" = true;
                "media.class" = "Audio/Source";
                "media.role" = "Communication";
              };
            };
          }
        ];
      };
    })
  ];

}
--------------------------------------------------------------------------------
/modules/profiles/catppuccin.nix:
--------------------------------------------------------------------------------
# System-wide Catppuccin theming (plymouth, grub, sddm, KDE and GTK themes).
{ self, config, pkgs, lib, ...
}:
let
  cfg = config.gradient.profiles.catppuccin;
in
{

  imports = [
    self.inputs.catppuccin.nixosModules.catppuccin
  ];

  options = {
    gradient.profiles.catppuccin.enable = lib.mkEnableOption "catppuccin theming across the system";
  };

  config = lib.mkMerge [
    (lib.mkIf (cfg.enable) {
      catppuccin.enable = true;
      # Hosts may override the flavor; the package overrides below are fixed
      # to mocha/mauve regardless.
      catppuccin.flavor = lib.mkDefault "mocha";

      catppuccin.plymouth.enable = true;
      catppuccin.grub.enable = true;

      catppuccin.sddm.enable = true;

      environment.systemPackages = with pkgs; [
        (catppuccin-kde.override {
          flavour = [ "mocha" ];
          accents = [ "mauve" ];
        })
        (catppuccin-gtk.override {
          variant = "mocha";
          accents = [ "mauve" ];
        })
      ];
    })
  ];

}
--------------------------------------------------------------------------------
/modules/profiles/default.nix:
--------------------------------------------------------------------------------
# Default GradientOS profile: git, device udev rules and a baseline toolset.
{ config, lib, pkgs, ... }:
let
  cfg = config.gradient;
in
{

  imports = [
    ./audio/default.nix
    ./gaming/default.nix

    ./desktop.nix
    ./graphics.nix
    ./catppuccin.nix
    ./development.nix
  ];

  options = {
    gradient.profiles.default.enable = lib.mkOption {
      type = lib.types.bool;
      # Follows the core module's enable switch.
      default = cfg.core.enable;
      description = ''
        Whether to enable the default GradientOS profile.
        Includes some pre-installed utilities and programs.
'';
    };
  };

  config = lib.mkIf cfg.profiles.default.enable {
    programs.git.enable = true;
    programs.git.lfs.enable = true;

    # udev rules that grant non-root access to controllers, phones and keyboards.
    services.udev.packages = with pkgs; [
      steam-devices-udev-rules
      game-devices-udev-rules
      android-udev-rules
      qmk-udev-rules
    ];

    environment.systemPackages = with pkgs; [
      (with dotnetCorePackages; combinePackages [
        dotnet_8.sdk
        dotnet_8.aspnetcore
        dotnet_9.sdk
        dotnet_9.aspnetcore
      ])
      smartmontools
      appimage-run
      imagemagick
      ffmpeg-full
      nix-weather
      lm_sensors
      ssh-to-age
      distrobox
      nfs-utils
      powertop
      usbutils
      pciutils
      nettools
      pmutils
      colmena
      tcpdump
      sysstat
      python3
      screen
      yt-dlp
      p7zip
      just
      sops
      gmic
      lsof
      htop
      btop
      file
      cloc
      nil
      age
      dig
      eza
    # rar/unrar are only packaged for x86_64; the aarch64 branch is
    # intentionally empty. NOTE(review): `pkgs.system` is deprecated in recent
    # nixpkgs in favour of `pkgs.stdenv.hostPlatform.system`; confirm for the
    # pinned revision.
    ] ++ (if pkgs.system == "x86_64-linux" then [
      unrar
      rar
    ] else if pkgs.system == "aarch64-linux" then [

    ] else []);
  };

}
--------------------------------------------------------------------------------
/modules/profiles/graphics.nix:
--------------------------------------------------------------------------------
# GradientOS graphics profile: GPU stack, touchpad support and a GPU-reset hook.
{ config, lib, pkgs, ... }:
let
  cfg = config.gradient;
in
{

  options = {
    gradient.profiles.graphics.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable the GradientOS graphics profile.
      '';
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.profiles.graphics.enable {
      hardware.graphics.enable = true;
      hardware.graphics.enable32Bit = true;

      # Enable touchpad support
      services.libinput.enable = true;

      # Taken from Bazzite at https://github.com/ublue-os/bazzite/blob/17c869dc70eede3f7066a8ad9ed07f46798fa9b3/system_files/deck/shared/usr/lib/udev/rules.d/80-gpu-reset.rules
      # On a GPU-reset uevent for card0 this SIGKILLs the process named in the
      # event's PID variable. The rule only matches events carrying RESET=1,
      # i.e. ones the kernel driver emits, and runs as root like any udev RUN.
      services.udev.extraRules = ''
        ACTION=="change", ENV{DEVNAME}=="/dev/dri/card0", ENV{RESET}=="1", ENV{PID}!="0", RUN+="${pkgs.coreutils}/bin/kill -9 %E{PID}"
      '';

      environment.systemPackages = [
        pkgs.force-xwayland
      ];
    })
  ];

}
--------------------------------------------------------------------------------
/nixosMixins.nix:
--------------------------------------------------------------------------------
{
  core = ./core/default.nix;

  binfmt-emulation = ./mixins/binfmt-emulation.nix;
  declarative-flatpak = ./mixins/declarative-flatpak.nix;
  gnupg = ./mixins/gnupg.nix;
  jovian-decky-loader = ./mixins/jovian-decky-loader.nix;
  neith-locale = ./mixins/neith-locale.nix;
  networkd = ./mixins/networkd.nix;
  nix-store-serve = ./mixins/nix-store-serve.nix;
  plymouth = ./mixins/plymouth.nix;
  podman = ./mixins/podman.nix;
  steamcmd = ./mixins/steamcmd.nix;
  system76-scheduler = ./mixins/system76-scheduler.nix;
  tdarr-node = ./mixins/tdarr-node.nix;
  tor = ./mixins/tor.nix;
  upgrade-diff = ./mixins/upgrade-diff.nix;
  uwu-style = ./mixins/uwu-style.nix;
  v4l2loopback = ./mixins/v4l2loopback.nix;
  vera-locale = ./mixins/vera-locale.nix;
  virtualisation = ./mixins/virtualisation.nix;
  wine = ./mixins/wine.nix;
  wireguard = ./mixins/wireguard.nix;

  graphical-steam = ./mixins/graphical/steam.nix;
  graphical-sunshine = ./mixins/graphical/sunshine.nix;

  home-zsh = ./mixins/home/zsh.nix;

restic-repository-hokma = ./mixins/restic/repository-hokma.nix; 31 | 32 | hardware-amdcpu = ./mixins/hardware/amdcpu.nix; 33 | hardware-amdgpu = ./mixins/hardware/amdgpu.nix; 34 | hardware-azure = ./mixins/hardware/azure.nix; 35 | hardware-bluetooth = ./mixins/hardware/bluetooth.nix; 36 | hardware-eaton-ups = ./mixins/hardware/eaton-ups.nix; 37 | hardware-home-dcp-l2530dw = ./mixins/hardware/home-dcp-l2530dw.nix; 38 | hardware-intelgpu-vaapi = ./mixins/hardware/intelgpu-vaapi.nix; 39 | hardware-logitech-driving-wheels = ./mixins/hardware/logitech-driving-wheels.nix; 40 | hardware-openrazer = ./mixins/hardware/openrazer.nix; 41 | hardware-qmk = ./mixins/hardware/qmk.nix; 42 | hardware-raspberrypi4 = ./mixins/hardware/raspberrypi4.nix; 43 | hardware-steamdeck = ./mixins/hardware/steamdeck.nix; 44 | hardware-steamdeck-minimal = ./mixins/hardware/steamdeck-minimal.nix; 45 | hardware-wacom = ./mixins/hardware/wacom.nix; 46 | hardware-webcam = ./mixins/hardware/webcam.nix; 47 | hardware-xbox-one-controller = ./mixins/hardware/xbox-one-controller.nix; 48 | } -------------------------------------------------------------------------------- /nixosModules.nix: -------------------------------------------------------------------------------- 1 | { 2 | default = ./modules/default.nix; 3 | nginx-robots = ./modules/nginx-robots.nix; 4 | tmpfiles-check = ./modules/tmpfiles-check.nix; 5 | substituter-switcher = ./modules/substituter-switcher.nix; 6 | } -------------------------------------------------------------------------------- /overlays/kernel-allow-missing.nix: -------------------------------------------------------------------------------- 1 | /* 2 | * Overlay which overrides makeModulesClosure to allow building the kernel with missing modules. 
3 | */ 4 | final: prev: 5 | { 6 | makeModulesClosure = x: prev.makeModulesClosure (x // { allowMissing = true; }); 7 | } -------------------------------------------------------------------------------- /pkgs/amdgpu-kernel-module.nix: -------------------------------------------------------------------------------- 1 | { pkgs 2 | , lib 3 | , patches ? [] 4 | , kernel ? pkgs.linuxPackages_latest.kernel }: 5 | 6 | # As per https://wiki.nixos.org/wiki/Linux_kernel#Patching_a_single_In-tree_kernel_module 7 | pkgs.stdenv.mkDerivation { 8 | pname = "amdgpu-kernel-module"; 9 | inherit (kernel) src version postPatch nativeBuildInputs; 10 | inherit patches; 11 | 12 | kernel_dev = kernel.dev; 13 | kernelVersion = kernel.modDirVersion; 14 | 15 | modulePath = "drivers/gpu/drm/amd/amdgpu"; 16 | 17 | buildPhase = '' 18 | BUILT_KERNEL=$kernel_dev/lib/modules/$kernelVersion/build 19 | 20 | cp $BUILT_KERNEL/Module.symvers . 21 | cp $BUILT_KERNEL/.config . 22 | cp $kernel_dev/vmlinux . 23 | 24 | make "-j$NIX_BUILD_CORES" modules_prepare 25 | make "-j$NIX_BUILD_CORES" M=$modulePath modules 26 | ''; 27 | 28 | installPhase = '' 29 | make \ 30 | INSTALL_MOD_PATH="$out" \ 31 | XZ="xz -T$NIX_BUILD_CORES" \ 32 | M="$modulePath" \ 33 | modules_install 34 | ''; 35 | 36 | meta = { 37 | description = "AMD GPU kernel module"; 38 | license = lib.licenses.gpl3; 39 | }; 40 | } -------------------------------------------------------------------------------- /pkgs/beyond-all-reason-launcher.nix: -------------------------------------------------------------------------------- 1 | { fetchurl 2 | , appimageTools 3 | }: 4 | let 5 | pname = "byar"; 6 | version = "1.2988.0"; 7 | in 8 | appimageTools.wrapType2 { 9 | inherit pname version; 10 | name = "${pname}-${version}"; 11 | 12 | src = fetchurl { 13 | url = "https://github.com/beyond-all-reason/BYAR-Chobby/releases/download/v${version}/Beyond-All-Reason-${version}.AppImage"; 14 | hash = "sha256-ZJW5BdxxqyrM2TJTO0SBp4BXt3ILyi77EZx73X8hqJE="; 15 | }; 16 | 
17 | extraPkgs = pkgs: [ pkgs.openal ]; 18 | 19 | meta = { 20 | mainProgram = "${pname}-${version}"; 21 | description = "Beyond All Reason"; 22 | homepage = "https://www.beyondallreason.info"; 23 | platforms = [ "x86_64-linux" ]; 24 | downloadPage = "https://www.beyondallreason.info/download"; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /pkgs/fbink.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , stdenv 3 | , fetchFromGitHub 4 | 5 | # One of "KOBO", "LINUX", "KINDLE", 6 | # "KINDLE_LEGACY", "CERVANTES", "REMARKABLE", 7 | # or "POCKETBOOK" 8 | , device ? "KOBO" 9 | 10 | , MINIMAL ? false 11 | 12 | # The below options are only useful when MINIMAL = true 13 | , DRAW ? !MINIMAL 14 | , BITMAP ? !MINIMAL 15 | , FONTS ? !MINIMAL 16 | , IMAGE ? !MINIMAL 17 | , OPENTYPE ? !MINIMAL 18 | , INPUT ? !MINIMAL 19 | , BUTTON_SCAN ? !MINIMAL 20 | , UNIFONT ? !MINIMAL 21 | }: 22 | let 23 | repo = "FBInk"; 24 | rev = "94df13530be8bee12fa5af210ddfe0cf1223cdb3"; 25 | date = "2025-04-07"; 26 | in 27 | stdenv.mkDerivation { 28 | 29 | makeFlags = [ 30 | # Device support 31 | "${device}=1" 32 | ] ++ (if device == "kindle_legacy" then [ "LEGACY=1" ] else []) 33 | ++ (if MINIMAL then [ "MINIMAL=1" ] else []) 34 | ++ (if DRAW then [ "DRAW=1" ] else []) 35 | ++ (if BITMAP then [ "BITMAP=1" ] else []) 36 | ++ (if FONTS then [ "FONTS=1" ] else []) 37 | ++ (if IMAGE then [ "IMAGE=1" ] else []) 38 | ++ (if OPENTYPE then [ "OPENTYPE=1" ] else []) 39 | ++ (if INPUT then [ "INPUT=1" ] else []) 40 | ++ (if BUTTON_SCAN then [ "BUTTON_SCAN=1" ] else []) 41 | ++ (if UNIFONT then [ "UNIFONT=1" ] else []); 42 | 43 | name = "${repo}-git-unstable-${date}"; 44 | 45 | enableParallelBuilding = true; 46 | 47 | src = fetchFromGitHub { 48 | inherit repo rev; 49 | owner = "NiLuJe"; 50 | hash = "sha256-Z53Rqukyn1HTygGPU/YtNT6m1opG7wpc/tSFaBQwBh0="; 51 | fetchSubmodules = true; 52 | }; 53 | 54 | buildPhase = 
'' 55 | make static 56 | ''; 57 | 58 | installPhase = '' 59 | mkdir -p $out/bin 60 | cp ./Release/fbink $out/bin/ 61 | ''; 62 | 63 | # This is not meant to be ran on NixOS, thus... 64 | dontFixup = true; 65 | dontDisableStatic = true; 66 | 67 | meta = { 68 | mainProgram = "fbink"; 69 | description = "FrameBuffer eInker, a small tool & library to print text & images to an eInk Linux framebuffer"; 70 | homepage = "https://github.com/NiLuJe/FBInk"; 71 | downloadPage = "https://github.com/NiLuJe/FBInk/releases"; 72 | license = lib.licenses.gpl3; 73 | }; 74 | 75 | } -------------------------------------------------------------------------------- /pkgs/fna3d.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , SDL2 3 | , cmake 4 | , stdenv 5 | , fetchFromGitHub 6 | }: 7 | let 8 | repo = "FNA3D"; 9 | rev = "24.05"; 10 | in 11 | stdenv.mkDerivation { 12 | name = "${repo}-${rev}"; 13 | nativeBuildInputs = [ cmake ]; 14 | buildInputs = [ SDL2 ]; 15 | src = fetchFromGitHub { 16 | inherit repo rev; 17 | owner = "FNA-XNA"; 18 | hash = "sha256-elDnNYrAIfz0HDFGK5ruLhRN3FboaBSOAnNXOdX3F7E="; 19 | fetchSubmodules = true; 20 | }; 21 | installPhase = '' 22 | mkdir -p $out/lib 23 | cp libFNA3D.so $out/lib/libFNA3D.so.0 24 | ''; 25 | } -------------------------------------------------------------------------------- /pkgs/godot-mono.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , stdenv 3 | , fetchzip 4 | , makeWrapper 5 | , makeDesktopItem 6 | , steam-run 7 | }: 8 | let 9 | version = "4.3"; 10 | in 11 | stdenv.mkDerivation { 12 | inherit version; 13 | name = "godot-mono"; 14 | 15 | src = fetchzip { 16 | url = "https://github.com/godotengine/godot/releases/download/${version}-stable/Godot_v${version}-stable_mono_linux_x86_64.zip"; 17 | sha256 = "sha256-L32cwE/E1aEAz6t3SlO0k/QQuKRt/8lJntfdCYVdGCE="; 18 | }; 19 | 20 | nativeBuildInputs = [ makeWrapper ]; 21 | 22 | desktopItem = 
makeDesktopItem { 23 | name = "Godot Engine (Mono)"; 24 | desktopName = "Godot Engine (Mono)"; 25 | exec = "godot-mono"; 26 | icon = "godot"; 27 | terminal = false; 28 | prefersNonDefaultGPU = true; 29 | type = "Application"; 30 | mimeTypes = [ "application/x-godot-project" ]; 31 | comment = "Multi-platform 2D and 3D game engine with a feature-rich editor"; 32 | genericName = "Libre game engine"; 33 | categories = [ "Development" "IDE" ]; 34 | extraConfig.StartupWMClass = "Godot"; 35 | }; 36 | 37 | installPhase = '' 38 | mkdir -p $out/bin 39 | cp -r ./* $out/bin 40 | makeWrapper ${steam-run}/bin/steam-run $out/bin/godot-mono \ 41 | --add-flags $out/bin/Godot_v${version}-stable_mono_linux.x86_64 42 | 43 | # Desktop item 44 | mkdir -p $out/share/applications 45 | cp $desktopItem/share/applications/* $out/share/applications/ 46 | 47 | ''; 48 | 49 | } -------------------------------------------------------------------------------- /pkgs/jack-matchmaker.nix: -------------------------------------------------------------------------------- 1 | { lib, python3, pipewire }: 2 | 3 | python3.pkgs.buildPythonApplication rec { 4 | pname = "jack-matchmaker"; 5 | version = "0.10.0"; 6 | src = python3.pkgs.fetchPypi { 7 | inherit pname version; 8 | sha256 = "70b8f53b0c75e8351ccdad4bf37bee8b544643604e0db1938ed749a4c0fa6ba6"; 9 | }; 10 | makeWrapperArgs = ["--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ pipewire.jack ]}"]; 11 | doCheck = false; 12 | } -------------------------------------------------------------------------------- /pkgs/klipper-kusba-firmware/config: -------------------------------------------------------------------------------- 1 | # CONFIG_LOW_LEVEL_OPTIONS is not set 2 | # CONFIG_MACH_AVR is not set 3 | # CONFIG_MACH_ATSAM is not set 4 | # CONFIG_MACH_ATSAMD is not set 5 | # CONFIG_MACH_LPC176X is not set 6 | # CONFIG_MACH_STM32 is not set 7 | # CONFIG_MACH_HC32F460 is not set 8 | CONFIG_MACH_RP2040=y 9 | # CONFIG_MACH_PRU is not set 10 | # CONFIG_MACH_AR100 
is not set 11 | # CONFIG_MACH_LINUX is not set 12 | # CONFIG_MACH_SIMU is not set 13 | CONFIG_BOARD_DIRECTORY="rp2040" 14 | CONFIG_MCU="rp2040" 15 | CONFIG_CLOCK_FREQ=12000000 16 | CONFIG_USBSERIAL=y 17 | CONFIG_FLASH_SIZE=0x200000 18 | CONFIG_FLASH_BOOT_ADDRESS=0x10000100 19 | CONFIG_RAM_START=0x20000000 20 | CONFIG_RAM_SIZE=0x42000 21 | CONFIG_STACK_SIZE=512 22 | CONFIG_FLASH_APPLICATION_ADDRESS=0x10000100 23 | CONFIG_RP2040_SELECT=y 24 | CONFIG_RP2040_HAVE_STAGE2=y 25 | CONFIG_RP2040_FLASH_START_0100=y 26 | # CONFIG_RP2040_FLASH_START_4000 is not set 27 | CONFIG_RP2040_STAGE2_FILE="boot2_w25q080.S" 28 | CONFIG_RP2040_STAGE2_CLKDIV=2 29 | CONFIG_RP2040_USB=y 30 | # CONFIG_RP2040_SERIAL_UART0 is not set 31 | # CONFIG_RP2040_CANBUS is not set 32 | # CONFIG_RP2040_USBCANBUS is not set 33 | CONFIG_RP2040_CANBUS_GPIO_RX=4 34 | CONFIG_RP2040_CANBUS_GPIO_TX=5 35 | CONFIG_USB=y 36 | CONFIG_USB_VENDOR_ID=0x1d50 37 | CONFIG_USB_DEVICE_ID=0x614e 38 | CONFIG_USB_SERIAL_NUMBER_CHIPID=y 39 | CONFIG_USB_SERIAL_NUMBER="12345" 40 | CONFIG_WANT_GPIO_BITBANGING=y 41 | CONFIG_WANT_DISPLAYS=y 42 | CONFIG_WANT_SENSORS=y 43 | CONFIG_WANT_LIS2DW=y 44 | CONFIG_WANT_LDC1612=y 45 | CONFIG_WANT_SOFTWARE_I2C=y 46 | CONFIG_WANT_SOFTWARE_SPI=y 47 | CONFIG_NEED_SENSOR_BULK=y 48 | CONFIG_CANBUS_FREQUENCY=1000000 49 | CONFIG_HAVE_GPIO=y 50 | CONFIG_HAVE_GPIO_ADC=y 51 | CONFIG_HAVE_GPIO_SPI=y 52 | CONFIG_HAVE_GPIO_I2C=y 53 | CONFIG_HAVE_GPIO_HARD_PWM=y 54 | CONFIG_HAVE_STRICT_TIMING=y 55 | CONFIG_HAVE_CHIPID=y 56 | CONFIG_HAVE_STEPPER_BOTH_EDGE=y 57 | CONFIG_HAVE_BOOTLOADER_REQUEST=y 58 | CONFIG_INLINE_STEPPER_HACK=y 59 | -------------------------------------------------------------------------------- /pkgs/moonraker-timelapse.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , wget 3 | , stdenvNoCC 4 | , fetchFromGitHub 5 | }: 6 | let 7 | name = "moonraker-timelapse"; 8 | revision = "c7fff11e542b95e0e15b8bb1443cea8159ac0274"; 9 | in 10 | 
stdenvNoCC.mkDerivation (finalAttrs: { 11 | pname = name; 12 | version = revision; 13 | 14 | dontBuild = true; 15 | installPhase = '' 16 | mkdir -p $out/lib/${name} 17 | cp -r ./* $out/lib/${name}/ 18 | ''; 19 | 20 | src = fetchFromGitHub { 21 | owner = "mainsail-crew"; 22 | repo = name; 23 | rev = revision; 24 | sha256 = "sha256-ZYSeSn3OTManyTbNOnCfhormjFMgomNk3VXOVqBr9zg="; 25 | }; 26 | 27 | passthru.moonrakerOverrideAttrs = let 28 | pkg = finalAttrs.finalPackage; 29 | in 30 | (prevAttrs: { 31 | installPhase = (prevAttrs.installPhase or "") + '' 32 | cp ${pkg}/lib/${name}/component/timelapse.py $out/lib/moonraker/components/timelapse.py 33 | substituteInPlace $out/lib/moonraker/components/timelapse.py \ 34 | --replace-fail '"wget "' '"${wget}/bin/wget "' 35 | ''; 36 | }); 37 | 38 | passthru.macroFile = "${finalAttrs.finalPackage}/lib/${name}/klipper_macro/timelapse.cfg"; 39 | }) -------------------------------------------------------------------------------- /pkgs/patches/kanidm/0001-Set-oauth-refresh-token-expiry-to-a-month.patch: -------------------------------------------------------------------------------- 1 | From cacc7a148fe6c5296ff16b7cfc72dc85989e204d Mon Sep 17 00:00:00 2001 2 | From: Vera Aguilera Puerto 3 | Date: Sun, 18 May 2025 13:04:20 +0200 4 | Subject: [PATCH] Set oauth refresh token expiry to a month. 5 | 6 | --- 7 | server/lib/src/constants/mod.rs | 4 ++-- 8 | 1 file changed, 2 insertions(+), 2 deletions(-) 9 | 10 | diff --git a/server/lib/src/constants/mod.rs b/server/lib/src/constants/mod.rs 11 | index 1e1fec51..0cabb493 100644 12 | --- a/server/lib/src/constants/mod.rs 13 | +++ b/server/lib/src/constants/mod.rs 14 | 
@@ -135,8 +135,8 @@ pub const MAXIMUM_AUTH_PRIVILEGE_EXPIRY: u32 = 3600; 15 | pub const DEFAULT_AUTH_PRIVILEGE_EXPIRY: u32 = 600; 16 | // Default - directly privileged sessions only last 1 hour. 17 | pub const DEFAULT_AUTH_SESSION_LIMITED_EXPIRY: u32 = 3600; 18 | -// Default - oauth refresh tokens last for 16 hours. 19 | -pub const OAUTH_REFRESH_TOKEN_EXPIRY: u64 = 3600 * 16; 20 | +// Default - oauth refresh tokens last for a month. 21 | +pub const OAUTH_REFRESH_TOKEN_EXPIRY: u64 = 3600 * 24 * 30; 22 | 23 | /// How long access tokens should last. This is NOT the length 24 | /// of the refresh token, which is bound to the issuing session. 25 | -- 26 | 2.49.0 27 | 28 | -------------------------------------------------------------------------------- /pkgs/scripts/force-xwayland.nix: -------------------------------------------------------------------------------- 1 | { writeShellApplication, coreutils, ... }: 2 | 3 | writeShellApplication { 4 | name = "force-xwayland"; 5 | 6 | runtimeInputs = [ coreutils ]; 7 | 8 | text = '' 9 | env -a NIXOS_OZONE_WL=0 -a XDG_SESSION_TYPE=x11 -u WAYLAND_DISPLAY -u GDK_BACKEND -u QT_QPA_PLATFORM "$@" 10 | ''; 11 | } -------------------------------------------------------------------------------- /pkgs/starsector-gamescope-wrap.nix: -------------------------------------------------------------------------------- 1 | { starsector 2 | , makeDesktopItem 3 | , gamescope 4 | , ... 
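Review bot: Raising `OAUTH_REFRESH_TOKEN_EXPIRY` from 16 hours to 30 days widens the window in which a leaked or exfiltrated refresh token remains usable roughly 45-fold, and because this is a crate-level constant the change applies to every OAuth2 client this kanidm instance serves, not only whichever client motivated it. The comment immediately below the hunk says the refresh token "is bound to the issuing session", so the effective lifetime may still be capped by session expiry rather than by this constant — that interaction is worth confirming against the kanidm version the patch targets and stating in the patch description, which currently carries no rationale at all. I would also have the replaced comment carry the reason and the accepted trade-off rather than just restating the number, e.g. `// Patched (GradientOS): 30 days so long-lived clients need not re-authenticate daily; a stolen refresh token stays valid until the issuing session is revoked.`. If the target version exposes a per-client refresh lifetime, a per-client setting would be preferable to patching the global default.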
5 | }: 6 | starsector.overrideAttrs (final: prev: { 7 | desktopItems = [ 8 | (makeDesktopItem { 9 | name = "starsector"; 10 | exec = "sh -c \"${gamescope}/bin/gamescope -W 1920 -H 1080 -- starsector\""; 11 | icon = "starsector"; 12 | comment = final.meta.description; 13 | genericName = "starsector"; 14 | desktopName = "Starsector"; 15 | categories = [ "Game" ]; 16 | }) 17 | ]; 18 | }) -------------------------------------------------------------------------------- /pkgs/steam-deck-client.nix: -------------------------------------------------------------------------------- 1 | { runCommand, steam }: 2 | 3 | runCommand "steam-deck-client" { } '' 4 | mkdir -p $out/share/applications 5 | cp ${steam}/share/applications/steam.desktop $out/share/applications/steam-deck-client.desktop 6 | substituteInPlace $out/share/applications/steam-deck-client.desktop \ 7 | --replace "Name=Steam" "Name=Steam (Deck Client)" \ 8 | --replace "Exec=steam" "Exec=steam -steamdeck" 9 | '' -------------------------------------------------------------------------------- /users/common/home.nix: -------------------------------------------------------------------------------- 1 | { self, ... }: 2 | 3 | { 4 | 5 | imports = [ 6 | self.inputs.catppuccin.homeModules.catppuccin 7 | 8 | ./nix.nix 9 | ./nix-direnv.nix 10 | ]; 11 | 12 | systemd.user.startServices = true; 13 | 14 | xdg.configFile."nixpkgs/config.nix".source = ./misc/nixpkgs-config.nix; 15 | 16 | } -------------------------------------------------------------------------------- /users/common/misc/nixpkgs-config.nix: -------------------------------------------------------------------------------- 1 | { 2 | allowUnfree = true; 3 | allowBroken = true; 4 | } -------------------------------------------------------------------------------- /users/common/nix-direnv.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | 3 | { 4 | 5 | programs.direnv.enable = true; 6 | programs.direnv.nix-direnv.enable = true; 7 | 8 | } -------------------------------------------------------------------------------- /users/common/nix.nix: -------------------------------------------------------------------------------- 1 | { osConfig, ... }: 2 | { 3 | 4 | nix.registry = osConfig.nix.registry; 5 | 6 | home.sessionVariables.NIX_PATH = (builtins.concatStringsSep ":" osConfig.nix.nixPath); 7 | 8 | nix.gc = { 9 | automatic = true; 10 | persistent = true; 11 | frequency = "daily"; 12 | options = "--delete-older-than 7d"; 13 | }; 14 | 15 | } -------------------------------------------------------------------------------- /users/neith/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | 3 | { 4 | 5 | users.users.neith = { 6 | isNormalUser = true; 7 | linger = true; 8 | description = "Neith"; 9 | shell = pkgs.nushell; 10 | extraGroups = [ "networkmanager" "wheel" "audio" "video" "pipewire" "scanner" "lp" ]; 11 | hashedPassword = "$6$7mwTIbQIbSE9s6h5$J1Z5xG3V5kY65pgSQKulKg5UpVUnKuHnZoXmZ98IMCRNXhLHWgEAbizz8g4d1IJvDMp/pLBl4EKK.0fzcyb6N0"; 12 | }; 13 | 14 | nix.settings.trusted-users = [ "neith" ]; 15 | } -------------------------------------------------------------------------------- /users/neith/graphical/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | 3 | { 4 | 5 | home.packages = with pkgs; [ 6 | kdePackages.kolourpaint 7 | lxqt.pavucontrol-qt 8 | kdePackages.okular 9 | gimp-with-plugins 10 | kdePackages.kate 11 | discord-canary 12 | google-chrome 13 | moonlight-qt 14 | qbittorrent 15 | chromium 16 | tdesktop 17 | qpwgraph 18 | firefox 19 | discord 20 | spotify 21 | carla 22 | vlc 23 | mpv 24 | ]; 25 | 26 | } -------------------------------------------------------------------------------- /users/neith/home.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ./ssh.nix 6 | ./nushell.nix 7 | ./secrets/default.nix 8 | #../../mixins/home/zsh.nix 9 | ]; 10 | 11 | home.username = "neith"; 12 | home.homeDirectory = "/home/neith"; 13 | 14 | home.sessionPath = [ 15 | "$HOME/bin" 16 | ]; 17 | 18 | home.sessionVariables = { 19 | EDITOR = "nano"; 20 | VISUAL = "nano"; 21 | }; 22 | 23 | xdg.userDirs = { 24 | enable = true; 25 | createDirectories = true; 26 | }; 27 | 28 | # home.file.".face".source = ./face.png; 29 | 30 | # This value determines the Home Manager release that your 31 | # configuration is compatible with. This helps avoid breakage 32 | # when a new Home Manager release introduces backwards 33 | # incompatible changes. 34 | # 35 | # You can update Home Manager without changing this value. See 36 | # the Home Manager release notes for a list of state version 37 | # changes in each release. 38 | home.stateVersion = "22.11"; 39 | 40 | # Let Home Manager install and manage itself. 41 | programs.home-manager.enable = true; 42 | } -------------------------------------------------------------------------------- /users/neith/nushell.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | 4 | programs.nushell = { 5 | enable = true; 6 | package = pkgs.nushell; 7 | extraConfig = '' 8 | $env.config = { 9 | show_banner: false 10 | } 11 | ''; 12 | }; 13 | 14 | programs.carapace.enableNushellIntegration = true; 15 | programs.direnv.enableNushellIntegration = true; 16 | 17 | } -------------------------------------------------------------------------------- /users/neith/secrets/default.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | 3 | { 4 | 5 | sops = { 6 | age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; 7 | defaultSopsFile = ./secrets.yml; 8 | 9 | secrets = { 10 | "ssh-neith/private-key" = { path = "${config.home.homeDirectory}/.ssh/id_ed25519"; }; 11 | "ssh-neith/authorized-keys" = { path = "${config.home.homeDirectory}/.ssh/authorized_keys"; }; 12 | }; 13 | 14 | }; 15 | 16 | } -------------------------------------------------------------------------------- /users/neith/ssh.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | let 3 | ssh-pub-keys = import ../../misc/ssh-pub-keys.nix; 4 | in { 5 | 6 | programs.ssh.enable = true; 7 | 8 | home.file.".ssh/id_ed25519.pub".text = ssh-pub-keys.neith; 9 | 10 | } -------------------------------------------------------------------------------- /users/vera/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | 3 | { 4 | 5 | users.users.vera = { 6 | isNormalUser = true; 7 | linger = true; 8 | description = "Vera"; 9 | shell = pkgs.nushell; 10 | extraGroups = [ "networkmanager" "wheel" "audio" "video" "pipewire" "scanner" "lp" "libvirtd" "openrazer" "corectrl" "podman" "mediarr" "plugdev" ]; 11 | hashedPassword = "$6$mTrvQELm1M1xnRO3$C8.NuZcgEKqW.QHFjABHk4Wkufa4FT0VpAzzgbuF1nwpx719/91uOpnq5JgY1C9LOi55d49VSp7H.KJ/iy74r."; 12 | }; 13 | 14 | nix.settings.trusted-users = [ "vera" ]; 15 | } -------------------------------------------------------------------------------- /users/vera/face.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradientvera/GradientOS/8b258e08d7cfea1119268ea8240bc4df7b544957/users/vera/face.png -------------------------------------------------------------------------------- /users/vera/graphical/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | 3 | { 4 | 5 | imports = [ 6 | ./konsole/default.nix 7 | ]; 8 | 9 | home.packages = with pkgs; [ 10 | jellyfin-media-player 11 | lxqt.pavucontrol-qt 12 | whatsapp-for-linux 13 | kdePackages.okular 14 | libreoffice-fresh 15 | gimp-with-plugins 16 | element-desktop 17 | master.discord-canary 18 | kdePackages.kate 19 | google-chrome 20 | qbittorrent 21 | glabels-qt 22 | bitwarden 23 | tdesktop 24 | tenacity 25 | chromium 26 | inkscape 27 | firefox 28 | discord 29 | vesktop 30 | krita 31 | carla 32 | vmpk 33 | peek 34 | vlc 35 | mpv 36 | ]; 37 | 38 | programs.obs-studio = { 39 | enable = true; 40 | plugins = with pkgs.obs-studio-plugins; [ 41 | obs-vkcapture 42 | obs-vaapi 43 | ]; 44 | }; 45 | 46 | } -------------------------------------------------------------------------------- /users/vera/graphical/konsole/default.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | 3 | { 4 | 5 | home.file = { 6 | ".local/share/konsole/vera.colorscheme".source = ./vera.colorscheme; 7 | 8 | # Taken from https://raw.githubusercontent.com/catppuccin/konsole/3b64040e3f4ae5afb2347e7be8a38bc3cd8c73a8/themes/catppuccin-mocha.colorscheme 9 | # Modified to my liking! 10 | ".local/share/konsole/catppuccin-mocha.colorscheme".source = ./catppuccin-mocha.colorscheme; 11 | 12 | 13 | ".local/share/konsole/vera.profile".source = ./vera.profile; 14 | ".config/konsolerc".source = ./konsolerc; 15 | }; 16 | 17 | } -------------------------------------------------------------------------------- /users/vera/graphical/konsole/konsolerc: -------------------------------------------------------------------------------- 1 | [Desktop Entry] 2 | DefaultProfile=vera.profile 3 | 4 | [General] 5 | ConfigVersion=1 6 | 7 | [KonsoleWindow] 8 | ShowMenuBarByDefault=false 9 | RememberWindowSize=false 10 | 11 | [MainWindow] 12 | RestorePositionForNextInstance=false 13 | State=AAAA/wAAAAD9AAAAAQAAAAAAAAAAAAAAAPwCAAAAAvsAAAAcAFMAUwBIAE0AYQBuAGEAZwBlAHIARABvAGMAawAAAAAA/////wAAARUBAAAD+wAAACIAUQB1AGkAYwBrAEMAbwBtAG0AYQBuAGQAcwBEAG8AYwBrAAAAAAD/////AAABfAEAAAMAAAMKAAABsgAAAAQAAAAEAAAACAAAAAj8AAAAAgAAAAIAAAABAAAAFgBtAGEAaQBuAFQAbwBvAGwAQgBhAHIAAAAAAP////8AAAAAAAAAAAAAAAMAAAABAAAAHABzAGUAcwBzAGkAbwBuAFQAbwBvAGwAYgBhAHIAAAAAAP////8ALRTLABaCTw== 14 | StatusBar=Disabled 15 | ToolBarsMovable=Disabled 16 | 17 | [Notification Messages] 18 | CloseAllTabs=true 19 | 20 | [UiSettings] 21 | ColorScheme= 22 | -------------------------------------------------------------------------------- /users/vera/graphical/konsole/vera.colorscheme: -------------------------------------------------------------------------------- 1 | [Background] 2 | Color=49,54,59 3 | 4 | [BackgroundFaint] 5 | Color=49,54,59 6 | 7 | [BackgroundIntense] 8 | Color=42,46,50 9 | 10 | [Color0] 11 | Color=35,38,39 12 | 13 | [Color0Faint] 14 | Color=49,54,59 15 | 16 | [Color0Intense] 17 | Color=127,140,141 18 | 19 | [Color1] 20 
| Color=237,21,21 21 | 22 | [Color1Faint] 23 | Color=120,50,40 24 | 25 | [Color1Intense] 26 | Color=192,57,43 27 | 28 | [Color2] 29 | Color=17,209,22 30 | 31 | [Color2Faint] 32 | Color=23,162,98 33 | 34 | [Color2Intense] 35 | Color=28,220,154 36 | 37 | [Color3] 38 | Color=246,116,0 39 | 40 | [Color3Faint] 41 | Color=182,86,25 42 | 43 | [Color3Intense] 44 | Color=253,188,75 45 | 46 | [Color4] 47 | Color=29,153,243 48 | 49 | [Color4Faint] 50 | Color=27,102,143 51 | 52 | [Color4Intense] 53 | Color=61,174,233 54 | 55 | [Color5] 56 | Color=155,89,182 57 | 58 | [Color5Faint] 59 | Color=97,74,115 60 | 61 | [Color5Intense] 62 | Color=142,68,173 63 | 64 | [Color6] 65 | Color=26,188,156 66 | 67 | [Color6Faint] 68 | Color=24,108,96 69 | 70 | [Color6Intense] 71 | Color=22,160,133 72 | 73 | [Color7] 74 | Color=252,252,252 75 | 76 | [Color7Faint] 77 | Color=99,104,109 78 | 79 | [Color7Intense] 80 | Color=255,255,255 81 | 82 | [Foreground] 83 | Color=252,252,252 84 | 85 | [ForegroundFaint] 86 | Color=239,240,241 87 | 88 | [ForegroundIntense] 89 | Color=255,255,255 90 | 91 | [General] 92 | Blur=false 93 | ColorRandomization=false 94 | Description=vera 95 | Opacity=1 96 | Wallpaper= 97 | -------------------------------------------------------------------------------- /users/vera/graphical/konsole/vera.profile: -------------------------------------------------------------------------------- 1 | [Appearance] 2 | ColorScheme=catppuccin-mocha 3 | DimmValue=0 4 | Font=Roboto Mono Medium [GOOG],10,-1,5,57,0,0,0,0,0,Regular 5 | 6 | [General] 7 | DimWhenInactive=false 8 | Name=Vera Profile 9 | Parent=FALLBACK/ 10 | TerminalColumns=96 11 | TerminalRows=24 12 | 13 | [Scrolling] 14 | HistoryMode=2 15 | ScrollBarPosition=2 16 | -------------------------------------------------------------------------------- /users/vera/home.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | 3 | { 4 | imports = [ 5 | ./ssh.nix 6 | ./nushell.nix 7 | ./programs.nix 8 | #./zsh/default.nix 9 | ./secrets/default.nix 10 | ]; 11 | 12 | home.username = "vera"; 13 | home.homeDirectory = "/home/vera"; 14 | 15 | catppuccin.enable = true; 16 | catppuccin.flavor = "mocha"; 17 | catppuccin.gtk.enable = true; 18 | catppuccin.kvantum.enable = true; 19 | catppuccin.kvantum.apply = true; 20 | 21 | home.sessionPath = [ 22 | "$HOME/bin" 23 | ]; 24 | 25 | home.sessionVariables = { 26 | EDITOR = "nano"; 27 | VISUAL = "nano"; 28 | }; 29 | 30 | xdg.userDirs = { 31 | enable = true; 32 | createDirectories = true; 33 | }; 34 | 35 | programs.carapace.enable = true; 36 | 37 | home.file.".face".source = ./face.png; 38 | 39 | # This value determines the Home Manager release that your 40 | # configuration is compatible with. This helps avoid breakage 41 | # when a new Home Manager release introduces backwards 42 | # incompatible changes. 43 | # 44 | # You can update Home Manager without changing this value. See 45 | # the Home Manager release notes for a list of state version 46 | # changes in each release. 47 | home.stateVersion = "22.11"; 48 | 49 | # Let Home Manager install and manage itself. 50 | programs.home-manager.enable = true; 51 | } -------------------------------------------------------------------------------- /users/vera/nushell.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | 4 | programs.nushell = { 5 | enable = true; 6 | package = pkgs.nushell; 7 | extraConfig = '' 8 | $env.config = { 9 | show_banner: false 10 | } 11 | $env.PATH = ( 12 | $env.PATH 13 | | split row (char esep) 14 | | append ($env.HOME | path join bin) 15 | | append ($env.HOME | path join .cargo bin) 16 | | uniq # filter so the paths are unique 17 | ) 18 | ''; 19 | }; 20 | 21 | programs.carapace.enableNushellIntegration = true; 22 | programs.direnv.enableNushellIntegration = true; 23 | 24 | } -------------------------------------------------------------------------------- /users/vera/programs.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | 3 | { 4 | 5 | programs.git = { 6 | enable = true; 7 | userName = "Vera Aguilera Puerto"; 8 | userEmail = "gradientvera@outlook.com"; 9 | extraConfig = { 10 | init = { 11 | defaultBranch = "main"; 12 | }; 13 | }; 14 | }; 15 | 16 | home.packages = with pkgs; [ 17 | 18 | ]; 19 | 20 | } -------------------------------------------------------------------------------- /users/vera/secrets/default.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | 3 | { 4 | 5 | sops = { 6 | age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; 7 | defaultSopsFile = ./secrets.yml; 8 | 9 | secrets = { 10 | "ssh-vera/private-key" = { path = "${config.home.homeDirectory}/.ssh/id_ed25519"; }; 11 | "ssh-vera/authorized-keys" = { path = "${config.home.homeDirectory}/.ssh/authorized_keys"; }; 12 | }; 13 | 14 | }; 15 | 16 | } -------------------------------------------------------------------------------- /users/vera/ssh.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | let 3 | ssh-pub-keys = import ../../misc/ssh-pub-keys.nix; 4 | in { 5 | 6 | programs.ssh.enable = true; 7 | 8 | home.file.".ssh/id_ed25519.pub".text = ssh-pub-keys.vera; 9 | 10 | } -------------------------------------------------------------------------------- /users/vera/zsh/default.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | 3 | { 4 | 5 | imports = [ 6 | ../../../mixins/home/zsh.nix 7 | ]; 8 | 9 | programs.zsh.initExtra = builtins.readFile ./zshrc; 10 | 11 | } --------------------------------------------------------------------------------