├── .drone.jsonnet ├── .envrc ├── .github ├── FUNDING.yml └── workflows │ └── manual.yml ├── .gitignore ├── .pre-commit-config.yaml ├── .woodpecker.yaml ├── LICENSE ├── README.md ├── clan-service-modules └── wireguard.nix ├── flake.lock ├── flake.nix ├── home-manager ├── colorscheme.nix ├── modules │ ├── audio-recording │ │ └── default.nix │ ├── chromium │ │ └── default.nix │ ├── credentials │ │ └── default.nix │ ├── easyeffects │ │ └── default.nix │ ├── firefox │ │ ├── default.nix │ │ └── userchrome.css.mustache │ ├── fonts │ │ └── default.nix │ ├── foot │ │ └── default.nix │ ├── games │ │ └── default.nix │ ├── git │ │ └── default.nix │ ├── go │ │ └── default.nix │ ├── grobi │ │ └── default.nix │ ├── gtk │ │ ├── banana.nix │ │ └── default.nix │ ├── helix │ │ └── default.nix │ ├── k9s │ │ └── default.nix │ ├── kanshi │ │ └── default.nix │ ├── mako │ │ └── default.nix │ ├── neomutt │ │ └── default.nix │ ├── newsboat │ │ └── default.nix │ ├── obs-studio │ │ └── default.nix │ ├── pandoc │ │ └── default.nix │ ├── river │ │ ├── default.nix │ │ ├── json.lua │ │ ├── layout.lua │ │ └── river-config │ ├── shell │ │ ├── default.nix │ │ ├── fish.nix │ │ ├── prompt.sh │ │ ├── starship.nix │ │ ├── zellij-chooser │ │ ├── zsh.nix │ │ ├── zshrc │ │ └── zshrc-extra │ ├── ssh │ │ └── default.nix │ ├── sway │ │ ├── default.nix │ │ ├── nixos-wallpaper.png │ │ └── swaync │ │ │ ├── config.json │ │ │ ├── default.nix │ │ │ └── style.css │ ├── swaylock │ │ ├── default.nix │ │ └── style.css │ ├── taskwarrior │ │ └── default.nix │ ├── tmux │ │ ├── default.nix │ │ └── tmux.conf │ ├── waybar │ │ ├── default.nix │ │ └── style.css │ ├── xdg │ │ └── default.nix │ ├── zed │ │ └── default.nix │ ├── zellij │ │ └── default.nix │ └── zk │ │ ├── config.toml │ │ ├── default.md │ │ ├── default.nix │ │ └── journal.md └── profiles │ ├── common.nix │ ├── desktop │ └── default.nix │ └── server │ └── default.nix ├── images ├── configuration.nix └── raspi.nix ├── inventory.json ├── machines ├── birne │ ├── 
README.md │ ├── configuration.nix │ └── hardware-configuration.nix ├── kartoffel │ ├── configuration.nix │ ├── hardware-configuration.nix │ └── retiolum.nix ├── kfbox │ ├── README.md │ ├── configuration.nix │ ├── hardware-configuration.nix │ └── retiolum.nix ├── kiwi │ ├── configuration.nix │ ├── disko-config-btrfs.nix │ └── framework.nix ├── limette │ ├── configuration.nix │ ├── disko-config-btrfs.nix │ └── disko-config-zfs.nix └── porree │ ├── README.md │ ├── blog.nix │ ├── caddy.nix │ ├── configuration.nix │ ├── hardware-configuration.nix │ └── retiolum.nix ├── modules ├── activation-secrets │ └── default.nix ├── bluetooth │ └── default.nix ├── caddy-security │ └── default.nix ├── ci │ └── default.nix ├── clan-common │ └── default.nix ├── default-desktop │ ├── default.nix │ ├── nextcloud-desktop.nix │ └── scanners.nix ├── default-server │ └── default.nix ├── dex │ └── default.nix ├── ente │ └── default.nix ├── environment │ └── default.nix ├── fonts │ └── default.nix ├── gitea │ └── default.nix ├── hedgedoc │ └── default.nix ├── hello │ ├── default.nix │ └── test.nix ├── home-assistant │ └── default.nix ├── http2irc │ └── default.nix ├── jitsi-matrix-presence │ └── default.nix ├── kf-homepage │ ├── default.nix │ └── page │ │ ├── dance.gif │ │ └── index.html ├── locale │ └── default.nix ├── lvm-grub │ └── default.nix ├── miniflux │ └── default.nix ├── minio │ ├── default.nix │ └── policies │ │ ├── nextcloud-external.json │ │ └── restic.json ├── monitoring │ ├── alert-rules.nix │ ├── alertmanager-irc-relay.nix │ ├── default.nix │ ├── grafana.nix │ ├── loki.nix │ ├── metrics.nix │ └── prometheus.nix ├── networking │ └── default.nix ├── nextcloud │ └── default.nix ├── nix-common │ └── default.nix ├── ntfy-sh │ └── default.nix ├── openssh │ ├── ca.pub │ └── default.nix ├── owncast │ └── default.nix ├── radio │ └── default.nix ├── restic │ └── default.nix ├── screego │ └── default.nix ├── sound │ └── default.nix ├── thelounge │ └── default.nix ├── unbound-desktop │ 
└── default.nix ├── vaultwarden │ └── default.nix ├── vikunja │ └── default.nix ├── virtualisation │ └── default.nix ├── wastebin │ └── default.nix ├── wayland │ └── default.nix ├── yubikey │ └── default.nix └── zsh │ └── default.nix ├── overlays ├── default.nix └── nextcloud.patch ├── packages ├── ente │ └── web.nix ├── forgit │ └── default.nix ├── fritzbox_exporter │ └── default.nix ├── hello-custom │ └── default.nix ├── manual │ ├── default.nix │ └── template.html ├── mqtt2prometheus │ └── default.nix ├── raspi-image ├── river-luatile │ └── default.nix ├── smartmon-script │ ├── default.nix │ └── smartmon.py ├── woodpecker-pipeline │ └── default.nix ├── zsh-abbrev-alias │ └── default.nix └── zsh-colored-man-pages │ └── default.nix ├── users ├── pinpox.nix └── root.nix ├── utils └── default.nix └── vars ├── per-machine ├── birne │ ├── minio │ │ └── .validation-hash │ ├── restic-server │ │ └── .validation-hash │ ├── state-version │ │ └── version │ │ │ └── value │ ├── wireguard-wg-clan │ │ └── publickey │ │ │ └── value │ └── wireguard │ │ └── publickey │ │ └── value ├── kartoffel │ ├── state-version │ │ └── version │ │ │ └── value │ ├── wireguard-wg-clan │ │ └── publickey │ │ │ └── value │ └── wireguard │ │ └── publickey │ │ └── value ├── kfbox │ ├── caddy │ │ └── .validation-hash │ ├── dex │ │ └── .validation-hash │ ├── go-karma-bot │ │ └── .validation-hash │ ├── hedgedoc │ │ └── .validation-hash │ ├── jitsi-presence │ │ └── .validation-hash │ ├── restic-exporter │ │ └── .validation-hash │ ├── state-version │ │ └── version │ │ │ └── value │ ├── vikunja │ │ └── .validation-hash │ ├── wireguard-wg-clan │ │ └── publickey │ │ │ └── value │ └── wireguard │ │ └── publickey │ │ └── value ├── kiwi │ └── state-version │ │ └── version │ │ └── value ├── limette │ ├── state-version │ │ └── version │ │ │ └── value │ ├── wireguard-wg-clan │ │ └── publickey │ │ │ └── value │ └── wireguard │ │ └── publickey │ │ └── value └── porree │ ├── alertmanager-ntfy │ └── .validation-hash │ 
├── caddy-basicauth │ └── .validation-hash │ ├── caddy │ └── .validation-hash │ ├── matrix-hook │ └── .validation-hash │ ├── prometheus │ └── .validation-hash │ ├── restic-exporter │ └── .validation-hash │ ├── state-version │ └── version │ │ └── value │ ├── vaultwarden │ └── .validation-hash │ ├── wireguard-wg-clan │ └── publickey │ │ └── value │ └── wireguard │ └── publickey │ └── value └── shared ├── restic-cert ├── .validation-hash └── restic-cert │ └── value ├── restic-credentials-backblaze └── .validation-hash ├── restic-credentials └── .validation-hash └── restic-kfbox └── .validation-hash /.drone.jsonnet: -------------------------------------------------------------------------------- 1 | // Create/Update flake info file with: 2 | // nix flake show --json > info.json 3 | // The pipeline below is generated from that file: one build step and one upload step per host and per package. 4 | local info = import 'info.json'; 5 | 6 | // Test configuration with: 7 | // nix-shell -p jsonnet --run 'jsonnet .drone.jsonnet' 8 | 9 | local hosts = std.objectFields(info.nixosConfigurations); 10 | local packages = std.objectFields(info.packages['x86_64-linux']); 11 | 12 | // To override the lists use: 13 | // local hosts = ['birne', 'bob', 'kartoffel', 'kfbox', 'porree']; 14 | // local packages = [ 'filebrowser', 'fritzbox_exporter', 'hello-custom', ]; 15 | // steps_hosts(): for every host name, a step that builds its system toplevel and a step that uploads the `result` link. 16 | local steps_hosts() = std.flatMap(function(host) [ 17 | { 18 | name: 'Build host: %s' % host, 19 | commands: [ 20 | "nix build '.#nixosConfigurations.%s.config.system.build.toplevel'" % host, 21 | ], 22 | }, 23 | { 24 | name: 'Upload host: %s' % host, 25 | commands: [ 26 | "nix run 'github:lounge-rocks/the-lounge#s3uploader' result" 27 | ], 28 | // NOTE(review): the flake ref above names no revision, so the uploader is resolved when the step runs and executes with the S3 keys set below; pin it (github:lounge-rocks/the-lounge/<rev>#s3uploader) or take it from a locked flake input. 29 | // depends_on: [ 'Build host: %s' % host ], 30 | 31 | environment: { 32 | AWS_ACCESS_KEY_ID: { from_secret: 's3_access_key' }, 33 | AWS_SECRET_ACCESS_KEY: { from_secret: 's3_secret_key' }, 34 | }, 35 | } 36 | ], hosts); 37 | // steps_packages(): the same build/upload pair for every package listed under x86_64-linux. 38 | local steps_packages() = std.flatMap(function(package) [ 39 | { 40 | name: 'Build package: %s' % package, 41 | commands: [ 42 | "nix build '.#%s'" % 
package, 43 | ], 44 | }, 45 | { 46 | name: 'Upload package: %s' % package, 47 | commands: [ 48 | "nix run 'github:lounge-rocks/the-lounge#s3uploader' result" 49 | ], 50 | // NOTE(review): unpinned flake ref run with the S3 keys below; pin a revision or use a locked input. The commented-out depends_on names this step itself; presumably 'Build package: %s' was meant. 51 | // depends_on: [ 'Upload package: %s' % package ], 52 | 53 | environment: { 54 | AWS_ACCESS_KEY_ID: { from_secret: 's3_access_key' }, 55 | AWS_SECRET_ACCESS_KEY: { from_secret: 's3_secret_key' }, 56 | }, 57 | } 58 | ], packages); 59 | 60 | { 61 | // Pipeline object: flake info and flake checks first, then the generated host and package steps. type 'exec' runs the commands directly on the runner host rather than in a container. 62 | kind: 'pipeline', 63 | type: 'exec', 64 | name: 'Build all hosts', 65 | 66 | platform: { 67 | os: 'linux', 68 | arch: 'amd64', 69 | }, 70 | 71 | clone: { depth: 1 }, 72 | 73 | steps: [ 74 | // { 75 | // name: 'Notify Test', 76 | // commands: [ 77 | // "nix run nixpkgs#curl -- -u $ntfy-user:$ntfy-pass -H 'Title: $DRONE_REPO build: $DRONE_BUILD_STATUS' -H 'Priority: low' -H 'Tags: drone,build,nixos' -d '[$DRONE_REPO] $DRONE_COMMIT '$DRONE_COMMIT_MESSAGE': $DRONE_BUILD_STATUS' https://push.pablo.tools/drone_build ", 78 | // ], 79 | // } 80 | { 81 | name: 'Show flake info', 82 | commands: [ 83 | "nix --experimental-features 'nix-command flakes' flake show", 84 | "nix --experimental-features 'nix-command flakes' flake metadata", 85 | ], 86 | }, 87 | { 88 | name: 'Run flake checks', 89 | commands: [ 90 | "nix --experimental-features 'nix-command flakes' flake check --show-trace", 91 | ], 92 | }, 93 | ] + steps_hosts() + steps_packages() + [ 94 | ], 95 | // NOTE(review): declared at pipeline level, so NOTIFY_TOKEN is presumably exported to every step, yet no active step here reads it; confirm it is still needed, or scope it to the step that sends the notification. 96 | environment: { 97 | LOGNAME: 'drone', 98 | NOTIFY_TOKEN: { from_secret: 'notify_token' }, 99 | }, 100 | 101 | trigger: { 102 | branch: ['main', 'go-task'], 103 | event: ['push'], 104 | }, 105 | } 106 | -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | use flake 2 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: [pinpox] 2 | 
buy_me_a_coffee: pinpox 3 | -------------------------------------------------------------------------------- /.github/workflows/manual.yml: -------------------------------------------------------------------------------- 1 | name: Build and Deploy Manual 2 | on: 3 | push: 4 | branches: 5 | - main 6 | jobs: 7 | tests: # NOTE(review): no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope; the deploy step only needs to push to gh-pages (contents: write). 8 | runs-on: ubuntu-latest 9 | steps: 10 | - name: Checkout 11 | uses: actions/checkout@v3 # NOTE(review): version tags can be moved; pin actions to a full commit SHA. 12 | - name: Install Nix 13 | uses: cachix/install-nix-action@v20 # NOTE(review): same as above, tag rather than commit SHA. 14 | - name: Build manual # NOTE(review): the curl below has no --fail, so an HTTP error body would be saved and published as favicon.ico. 15 | run: | 16 | nix build '.#manual' --show-trace -vv -L 17 | mkdir docs 18 | curl https://nixos.org/favicon.ico -o docs/favicon.ico 19 | cp result/index.html docs/index.html 20 | - name: Deploy 🚀 21 | uses: JamesIves/github-pages-deploy-action@4.1.0 # NOTE(review): this step pushes to gh-pages, so it runs with a write-capable token; pin it to a commit SHA rather than the 4.1.0 tag. 22 | with: 23 | branch: gh-pages # The branch the action should deploy to. 24 | folder: docs # The folder the action should deploy. 25 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | result 2 | ### Vim 3 | # Swap 4 | [._]*.s[a-v][a-z] 5 | !*.svg # comment out if you don't need vector files 6 | [._]*.sw[a-p] 7 | [._]s[a-rt-v][a-z] 8 | [._]ss[a-gi-z] 9 | [._]sw[a-p] 10 | 11 | # Session 12 | Session.vim 13 | Sessionx.vim 14 | 15 | # Temporary 16 | .netrwhist 17 | *~ 18 | # Auto-generated tag files 19 | tags 20 | # Persistent undo 21 | [._]*.un~ 22 | 23 | tags.lock 24 | tags.temp 25 | .direnv 26 | .env 27 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: local 3 | hooks: 4 | - id: nix fmt 5 | name: Nix fmt 6 | entry: nix fmt 7 | files: \.nix$ 8 | language: system 9 | # - id: nix lint 10 | # name: Nix lint 11 | # entry: nix run 'nixpkgs#nix-linter' 12 | # files: \.nix$ 13 | # language: system 14 | 
-------------------------------------------------------------------------------- /.woodpecker.yaml: -------------------------------------------------------------------------------- 1 | { 2 | "labels": { 3 | "backend": "local", 4 | "platform": "linux/amd64" 5 | }, 6 | 7 | "steps": [ 8 | { 9 | "commands": [ 10 | "attic login lounge-rocks https://cache.lounge.rocks $ATTIC_KEY --set-default" 11 | ], 12 | "image": "bash", 13 | "name": "Setup Attic", 14 | "secrets": [ "attic_key" ] 15 | }, 16 | { 17 | "commands": [ 18 | "nix build '.#nixosConfigurations.ahorn.config.system.build.toplevel' -o 'result-ahorn'" 19 | ], 20 | "image": "bash", 21 | "name": "Build configuration for ahorn" 22 | }, 23 | { 24 | "commands": [ 25 | "attic push lounge-rocks:nix-cache 'result-ahorn'" 26 | ], 27 | "image": "bash", 28 | "name": "Push result-ahorn to Attic", 29 | "secrets": [ "attic_key" ] 30 | }, 31 | { 32 | "commands": [ 33 | "nix build '.#nixosConfigurations.birne.config.system.build.toplevel' -o 'result-birne'" 34 | ], 35 | "image": "bash", 36 | "name": "Build configuration for birne" 37 | }, 38 | { 39 | "commands": [ 40 | "attic push lounge-rocks:nix-cache 'result-birne'" 41 | ], 42 | "image": "bash", 43 | "name": "Push result-birne to Attic", 44 | "secrets": [ "attic_key" ] 45 | }, 46 | { 47 | "commands": [ 48 | "nix build '.#nixosConfigurations.kfbox.config.system.build.toplevel' -o 'result-kfbox'" 49 | ], 50 | "image": "bash", 51 | "name": "Build configuration for kfbox" 52 | }, 53 | { 54 | "commands": [ 55 | "attic push lounge-rocks:nix-cache 'result-kfbox'" 56 | ], 57 | "image": "bash", 58 | "name": "Push result-kfbox to Attic", 59 | "secrets": [ "attic_key" ] 60 | }, 61 | { 62 | "commands": [ 63 | "nix build '.#nixosConfigurations.porree.config.system.build.toplevel' -o 'result-porree'" 64 | ], 65 | "image": "bash", 66 | "name": "Build configuration for porree" 67 | }, 68 | { 69 | "commands": [ 70 | "attic push lounge-rocks:nix-cache 'result-porree'" 71 | ], 72 | "image": 
"bash", 73 | "name": "Push result-porree to Attic", 74 | "secrets": [ "attic_key" ] 75 | }, 76 | { 77 | "commands": [ 78 | "nix build '.#nixosConfigurations.limette.config.system.build.toplevel' -o 'result-limette'" 79 | ], 80 | "image": "bash", 81 | "name": "Build configuration for limette" 82 | }, 83 | { 84 | "commands": [ 85 | "attic push lounge-rocks:nix-cache 'result-limette'" 86 | ], 87 | "image": "bash", 88 | "name": "Push result-limette to Attic", 89 | "secrets": [ "attic_key" ] 90 | } 91 | ] 92 | } 93 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![nixos](https://socialify.git.ci/pinpox/nixos/image?description=1&font=Source%20Code%20Pro&forks=1&issues=1&logo=https%3A%2F%2Fpablo.tools%2Fnixoscolorful.svg&owner=1&pattern=Circuit%20Board&pulls=1&stargazers=1&theme=Light) 2 | 3 | **Configuration checks:** [![Build Status](https://build.lounge.rocks/api/badges/9/status.svg)](https://build.lounge.rocks/repos/9) 4 | 5 | All Module options are documented at: https://pinpox.github.io/nixos/ 6 | 7 | This repository includes all configurations for my NixOS machines. Feel free to 8 | use parts of it as you please, but keep it mind it is intended mostly for 9 | personal use. I've written posts about certain aspects of this setup on my 10 | [personal blog](https://pablo.tools/posts). 11 | 12 | # Initial Setup 13 | 14 | The structure of this repository is meant to allow easy manual deployment while being 15 | [clan](https://clan.lol) compatible. 16 | Individual hosts are defined in `/machines/` and will import re-usable 17 | parts of the configuration as needed. 18 | 19 | Deployment and management is done with [clan](https://clan.lol). 20 | Secrets are stored in [passage](https://github.com/FiloSottile/passage), 21 | a modern fork of [pass](https://www.passwordstore.org/) that uses age for encryption. 
22 | 23 | # Current Hosts 24 | 25 | | Configuration | Type | Location | VPN IP | Description | 26 | | ----------------------------------- | --------- | ----------- | -------------- | ---------------------------- | 27 | | [kartoffel](./machines/kartoffel) | Desktop | local | `192.168.8.3` | Desktop | 28 | | [limette](./machines/limette) | Desktop | local | `192.168.8.8` | Notebook | 29 | | [kiwi](./machines/kiwi) | Desktop | local | - | Framework Laptop | 30 | | [birne](./machines/birne) | Server | local | `192.168.8.4` | Local NAS | 31 | | [porree](./machines/porree) | Server | netcup.de | `192.168.8.1` | Server for pablo.tools | 32 | | [kfbox](./machines/kfbox) | Server | netcup.de | `192.168.8.5` | Server for 0cx.de | 33 | 34 | # Deployment 35 | 36 | Deployment is done via the [clan CLI](https://clan.lol), which is provided by the flake's 37 | default nix shell. I use [direnv](https://direnv.net/) to automatically start it 38 | when entering the repository's directory. Run `direnv allow` the first time; 39 | after that, deployment can be done via: 40 | 41 | ```sh 42 | clan machines update 43 | ``` 44 | 45 | ## Repository Organization 46 | 47 | The configuration is organized as follows: 48 | 49 | - `/machines/`: Host-specific configurations 50 | - `/modules`: System-level NixOS modules 51 | - `/home-manager/modules`: User-level home-manager modules for specific applications 52 | - `/home-manager/profiles`: Profiles that combine multiple home-manager modules 53 | - `/home-manager/packages`: Custom packages for applications not present in nixpkgs 54 | 55 | # Contributing? 56 | 57 | While contributions don't make much sense for a personal configuration repository, 58 | I'm always happy to get hints, tips and constructive criticism. If you find something 59 | that could be done in a better way, please let me know! 
60 | 61 | 62 | -------------------------------------------------------------------------------- /home-manager/colorscheme.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | with lib; 3 | let 4 | colornames = [ 5 | "Black" 6 | "BrightBlack" 7 | "White" 8 | "BrightWhite" 9 | "Yellow" 10 | "BrightYellow" 11 | "Green" 12 | "BrightGreen" 13 | "Cyan" 14 | "BrightCyan" 15 | "Blue" 16 | "BrightBlue" 17 | "Magenta" 18 | "BrightMagenta" 19 | "Red" 20 | "BrightRed" 21 | ]; 22 | in 23 | { 24 | 25 | options.pinpox.colors = builtins.listToAttrs ( 26 | map (c: { 27 | name = c; 28 | value = mkOption { type = types.str; }; 29 | }) colornames 30 | ); 31 | 32 | config.pinpox.colors = { 33 | 34 | # Default neovim colorschmeme 35 | # Dark: 36 | # blue = "#005078" 37 | # cyan = "#007676" 38 | # green = "#015825" 39 | # grey1 = "#0a0b10" 40 | # grey2 = "#1c1d23" 41 | # grey3 = "#2c2e33" 42 | # grey4 = "#4f5258" 43 | # magenta = "#4c0049" 44 | # red = "#5e0009" 45 | # yellow = "#6e5600" 46 | # 47 | # Light: 48 | # blue = "#9fd8ff" 49 | # cyan = "#83efef" 50 | # green = "#aaedb7" 51 | # grey1 = "#ebeef5" 52 | # grey2 = "#d7dae1" 53 | # grey3 = "#c4c6cd" 54 | # grey4 = "#9b9ea4" 55 | # magenta = "#ffc3fa" 56 | # red = "#ffbcb5" 57 | # yellow = "#f4d88c" 58 | # 59 | 60 | Black = "24273a"; # 24273a 61 | BrightBlack = "5b6078"; # 5b6078 62 | White = "cad3f5"; # cad3f5 63 | BrightWhite = "747c9e"; # 747c9e 64 | Red = "ed8796"; # ed8796 65 | BrightRed = "ff5370"; # FF5370 66 | Green = "a6da95"; # a6da95 67 | BrightGreen = "68f288"; # 68f288 68 | Yellow = "eed49f"; # eed49f 69 | BrightYellow = "fab387"; # fab387 70 | Blue = "8aadf4"; # 8aadf4 71 | BrightBlue = "74c7ec"; # 74c7ec 72 | Magenta = "cba6f7"; # cba6f7 73 | BrightMagenta = "f5bde6"; # f5bde6 74 | Cyan = "8bd5ca"; # 8bd5ca 75 | BrightCyan = "aee2da"; # aee2da 76 | }; 77 | } 78 | -------------------------------------------------------------------------------- 
/home-manager/modules/audio-recording/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.defaults.audio-recording; 10 | plugins = with pkgs; [ 11 | # Instruments 12 | x42-avldrums 13 | zynaddsubfx 14 | 15 | # Effects 16 | calf 17 | lsp-plugins 18 | zam-plugins 19 | talentedhack 20 | gxplugins-lv2 21 | 22 | # TODO https://github.com/NixOS/nixpkgs/issues/348871 23 | # distrho 24 | ]; 25 | in 26 | { 27 | 28 | # These settings yield 10ms@1024 spls latency in reaper for me: 29 | # pw-metadata -n settings 0 clock.force-quantum 1024 30 | # pw-metadata -n settings 0 clock.force-rate 96000 31 | 32 | options.pinpox.defaults.audio-recording.enable = 33 | mkEnableOption "audio production setup (DAW and plugins)"; 34 | 35 | config = mkIf cfg.enable { 36 | 37 | home.packages = 38 | with pkgs; 39 | [ 40 | reaper 41 | alsa-scarlett-gui 42 | ] 43 | 44 | # Some plugins also have a binary, so we also add them to PATH 45 | ++ plugins; 46 | 47 | # Place vst, vst3, clap, lv2 and ladspa plugins in the according 48 | # directories where reaper will look for them 49 | home.file = 50 | let 51 | all-audio-plugins = pkgs.symlinkJoin { 52 | name = "all-audio-plugins"; 53 | paths = plugins; 54 | }; 55 | in 56 | { 57 | all-lv2 = { 58 | recursive = true; 59 | source = "${all-audio-plugins}/lib/lv2"; 60 | target = ".lv2"; 61 | }; 62 | all-clap = { 63 | recursive = true; 64 | source = "${all-audio-plugins}/lib/clap"; 65 | target = ".clap"; 66 | }; 67 | all-vst = { 68 | recursive = true; 69 | source = "${all-audio-plugins}/lib/vst"; 70 | target = ".vst"; 71 | }; 72 | all-vst3 = { 73 | recursive = true; 74 | source = "${all-audio-plugins}/lib/vst3"; 75 | target = ".vst3"; 76 | }; 77 | all-ladspa = { 78 | recursive = true; 79 | source = "${all-audio-plugins}/lib/ladspa"; 80 | target = ".ladspa"; 81 | }; 82 | }; 83 | }; 84 | } 85 | 
-------------------------------------------------------------------------------- /home-manager/modules/chromium/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | let 4 | cfg = config.pinpox.programs.chromium; 5 | in 6 | { 7 | options.pinpox.programs.chromium.enable = mkEnableOption "chromium browser"; 8 | # When enabled: turn on Chromium and list the extensions to install, each given by its extension ID. 9 | config = mkIf cfg.enable { 10 | programs.chromium = { 11 | enable = true; 12 | extensions = [ # NOTE(review): entries carry only an id and no version, so presumably whatever version the update server offers gets installed; the trailing names are the only link between an ID and what it is, so re-check each ID against the extension's listing when editing this list. 13 | { id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden 14 | { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # Ublock Origin 15 | { id = "gcbommkclmclpchllfjekcdonpmejbdp"; } # HTTPS everywhere. NOTE(review): retired by its maintainer (EFF); the browser's built-in HTTPS-only setting covers this, consider dropping the entry 16 | { id = "mmpokgfcmbkfdeibafoafkiijdbfblfg"; } # Merge windows 17 | { id = "agldajbhchobfgjcmmigehfdcjbmipne"; } # Blank Dark New Tab 18 | ]; 19 | }; 20 | }; 21 | } 22 | -------------------------------------------------------------------------------- /home-manager/modules/credentials/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.defaults.credentials; 10 | in 11 | { 12 | options.pinpox.defaults.credentials.enable = mkEnableOption "credentials defaults"; 13 | # When enabled: one e-mail account, the pass password store, and TPM tooling. 14 | config = mkIf cfg.enable { 15 | # Email 16 | 17 | accounts.email.maildirBasePath = "Mail"; 18 | 19 | accounts.email.accounts = { 20 | pablo_tools = { 21 | address = "mail@pablo.tools"; 22 | realName = "Pablo Ovelleiro Corral"; 23 | primary = true; 24 | # gpg = { 25 | # key = "D03B218CAE771F77D7F920D9823A6154426408D3"; 26 | # signByDefault = true; 27 | # }; 28 | mbsync.enable = false; 29 | msmtp.enable = false; 30 | # notmuch.enable = false; 31 | neomutt = { 32 | enable = true; 33 | mailboxName = "pablo_tools"; 34 | }; 35 | 36 | maildir = { 37 | path = "pablo_tools"; 38 | }; 39 | # himalaya.enable = true; 40 | 41 | # folders = { 42 | # # TODO 43 | # drafts = ""; 44 | # }; 45 | 46 | signature = { 47 | text = '' 48 | Pablo Ovelleiro Corral 49 | 50 | Web: https://pablo.tools 51 | XMPP: pablo1@mailbox.org 52 | GPG-Key: https://pablo.tools/gpg-key 53 | ''; 54 | showSignature = "append"; 55 | }; 56 | # The account password is not written here: passwordCommand is a command line that asks `pass` for the entry, so only the command string ends up in the generated configuration. 57 | userName = "pablo1@mailbox.org"; 58 | passwordCommand = "pass mailbox.org/pablo1@mailbox.org"; 59 | imap = { 60 | host = "imap.mailbox.org"; 61 | tls.enable = true; 62 | }; 63 | smtp = { # NOTE(review): unlike imap above, no tls setting is given here; confirm the module's default gives TLS on port 465. 64 | host = "smtp.mailbox.org"; 65 | port = 465; 66 | }; 67 | }; 68 | }; 69 | # pass, built with the pass-otp extension, as the password store. 70 | programs.password-store = { 71 | enable = true; 72 | package = pkgs.pass.withExtensions (exts: [ exts.pass-otp ]); 73 | }; 74 | 75 | # The ssh-agent service is left off here; the author prefers the agent from the NixOS configuration 76 | services.ssh-agent.enable = false; 77 | 78 | home.packages = with pkgs; [ 79 | tpm2-tools # To work with the TPM 80 | ]; 81 | 82 | # services.gpg-agent.pinentryPackage = pkgs.pinentry-qt; 83 | # programs.gpg.enable = true; 84 | # 85 | # services.gpg-agent = { 86 | # enable = true; 87 | # enableSshSupport = true; 88 | # }; 89 | }; 90 | } 91 | -------------------------------------------------------------------------------- 
/home-manager/modules/easyeffects/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | with lib; 4 | 5 | let cfg = config.pinpox.programs.easyeffects; 6 | 7 | in { 8 | options.pinpox.programs.easyeffects = { 9 | enable = mkEnableOption "EasyEffects audio effects"; 10 | }; 11 | 12 | config = mkIf cfg.enable { 13 | services.easyeffects = { 14 | enable = true; 15 | # preset = "my-preset"; 16 | # extraPresets = { 17 | # my-preset = { 18 | # input = { 19 | # blocklist = [ 20 | # 21 | # ]; 22 | # "plugins_order" = [ 23 | # "rnnoise#0" 24 | # ]; 25 | # "rnnoise#0" = { 26 | # bypass = false; 27 | # "enable-vad" = false; 28 | # "input-gain" = 0.0; 29 | # "model-path" = ""; 30 | # "output-gain" = 0.0; 31 | # release = 20.0; 32 | # "vad-thres" = 50.0; 33 | # wet = 0.0; 34 | # }; 35 | # }; 36 | # }; 37 | # }; 38 | }; 39 | 40 | # Add easyeffects to home packages 41 | home.packages = with pkgs; [ 42 | easyeffects 43 | ]; 44 | }; 45 | } 46 | -------------------------------------------------------------------------------- /home-manager/modules/fonts/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.defaults.fonts; 5 | in 6 | { 7 | 8 | options.pinpox = { 9 | 10 | defaults.fonts.enable = mkEnableOption "font defaults"; 11 | 12 | font = { 13 | normal = { 14 | family = mkOption { 15 | type = types.str; 16 | default = "Berkeley Mono"; 17 | }; 18 | style = mkOption { 19 | type = types.str; 20 | default = "Regular"; 21 | }; 22 | }; 23 | bold = { 24 | family = mkOption { 25 | type = types.str; 26 | default = "Berkeley Mono"; 27 | }; 28 | style = mkOption { 29 | type = types.str; 30 | default = "Bold"; 31 | }; 32 | }; 33 | italic = { 34 | family = mkOption { 35 | type = types.str; 36 | default = "Berkeley Mono"; 37 | }; 38 | style = mkOption { 39 | type = types.str; 40 | default = "Regular Italic"; 41 | }; 42 | }; 43 | size = 10; 44 | }; 45 | }; 46 | 47 | config = mkIf cfg.enable { 48 | 49 | fonts.fontconfig.enable = true; 50 | # home.packages = 51 | # [ flake-inputs.nix-apple-fonts.packages."x86_64-linux".sf-mono ]; 52 | }; 53 | } 54 | -------------------------------------------------------------------------------- /home-manager/modules/foot/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | config, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.programs.foot; 10 | in 11 | { 12 | options.pinpox.programs.foot.enable = mkEnableOption "foot terminal emulator"; 13 | 14 | config = mkIf cfg.enable { 15 | 16 | home.packages = with pkgs; [ 17 | nerd-fonts.inconsolata 18 | foot 19 | ]; 20 | 21 | programs.foot = { 22 | enable = true; 23 | server.enable = true; 24 | settings = { 25 | 26 | main = { 27 | term = "xterm-256color"; 28 | 29 | font = "Berkeley Mono:size=13"; 30 | # dpi-aware = "yes"; # Defaults to auto 31 | }; 32 | 33 | scrollback.lines = 10000; 34 | 35 | cursor = { 36 | style = "beam"; 37 | blink = "yes"; 38 | # beam-thickness = 39 | }; 40 | 41 | colors = { 42 | 43 | alpha = "0.9"; 44 | # background = "${config.pinpox.colors.White}"; 45 | # foreground = "${config.pinpox.colors.Black}"; 46 | background = "${config.pinpox.colors.Black}"; 47 | foreground = "${config.pinpox.colors.White}"; 48 | 49 | ## Normal/regular colors (color palette 0-7) 50 | regular0 = "${config.pinpox.colors.Black}"; # black 51 | regular1 = "${config.pinpox.colors.Red}"; # red 52 | regular2 = "${config.pinpox.colors.Green}"; # green 53 | regular3 = "${config.pinpox.colors.Yellow}"; # yellow 54 | regular4 = "${config.pinpox.colors.Blue}"; # blue 55 | regular5 = "${config.pinpox.colors.Magenta}"; # magenta 56 | regular6 = "${config.pinpox.colors.Cyan}"; # cyan 57 | regular7 = "${config.pinpox.colors.White}"; # white 58 | 59 | ## Bright colors (color palette 8-15) 60 | bright0 = "${config.pinpox.colors.BrightBlack}"; # black 61 | bright1 = "${config.pinpox.colors.BrightRed}"; # red 62 | bright2 = "${config.pinpox.colors.BrightGreen}"; # green 63 | bright3 = "${config.pinpox.colors.BrightYellow}"; # yellow 64 | bright4 = "${config.pinpox.colors.BrightBlue}"; # blue 65 | bright5 = "${config.pinpox.colors.BrightMagenta}"; # magenta 66 | bright6 = "${config.pinpox.colors.BrightCyan}"; # cyan 67 | bright7 = "${config.pinpox.colors.BrightWhite}"; # white 68 | }; 69 | 70 | # mouse = { 71 | # 
hide-when-typing = "yes"; 72 | # }; 73 | }; 74 | }; 75 | }; 76 | } 77 | -------------------------------------------------------------------------------- /home-manager/modules/games/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | let 4 | cfg = config.pinpox.programs.games; 5 | in 6 | { 7 | options.pinpox.programs.games.enable = mkEnableOption "games"; 8 | 9 | config = mkIf cfg.enable { 10 | nixpkgs.config.retroarch = { 11 | # All available cores can be found here: 12 | # https://github.com/NixOS/nixpkgs/pull/82633/files#diff-036410e9211b4336186fc613f7200b12 13 | enableBeetleLynx = true; 14 | enableBeetlePCEFast = true; 15 | enableBeetlePCFX = true; 16 | enableBeetlePSX = true; 17 | enableBeetlePSXHW = true; 18 | enableBeetleSNES = true; 19 | # enableBeetleSaturn = true; 20 | # enableBeetleSaturnHW = true; 21 | # enableBeetleSuperGrafx = true; 22 | # enableDolphin = true; 23 | enableGenesisPlusGX = true; 24 | # enableMAME = true; 25 | enableMBGA = true; 26 | enableMGBA = true; 27 | enableMupen64Plus = true; 28 | enablePCSXRearmed = true; 29 | enableParallelN64 = true; 30 | enableQuickNES = true; 31 | enableSnes9x = true; 32 | enableVbaM = true; 33 | }; 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /home-manager/modules/git/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.defaults.git; 5 | in 6 | { 7 | options.pinpox.defaults.git.enable = mkEnableOption "git defaults"; 8 | 9 | config = mkIf cfg.enable { 10 | 11 | programs = { 12 | 13 | lazygit = { 14 | enable = true; 15 | 16 | # https://github.com/jesseduffield/lazygit/blob/master/docs/Config.md 17 | settings = { 18 | 19 | # reporting = "off"; 20 | # update.method = "never"; 21 | 22 | shortTimeFormat = "15h:30:13"; 23 | gui.showFileTree = true; 24 | os = { 25 | edit = "nvim {{filename}}"; 26 | editAtLine = "nvim +{{line}} {{filename}}"; 27 | editAtLineAndWait = "nvim --remote-wait +{{line}} {{filename}}"; 28 | editInTerminal = true; 29 | }; 30 | }; 31 | }; 32 | 33 | git = { 34 | enable = true; 35 | lfs.enable = true; 36 | 37 | ignores = [ 38 | "tags" 39 | "*.swp" 40 | "result" 41 | ]; 42 | 43 | extraConfig = { 44 | init.defaultBranch = "main"; 45 | 46 | gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers"; 47 | pull = { 48 | rebase = true; 49 | autostash = true; 50 | twohead = "ort"; 51 | }; 52 | 53 | push = { 54 | default = "simple"; 55 | autoSetupRemote = true; 56 | }; 57 | 58 | # rerere = { 59 | # autoUpdate = true 60 | # enabled = true 61 | # }; 62 | 63 | branch = { 64 | autoSetupRebase = "always"; 65 | autoSetupMerge = "always"; 66 | }; 67 | 68 | rebase = { 69 | stat = true; 70 | autoStash = true; 71 | autoSquash = true; 72 | updateRefs = true; 73 | }; 74 | 75 | help.autocorrect = 10; 76 | }; 77 | 78 | signing = { 79 | format = "ssh"; 80 | key = "~/.ssh/key.pub"; 81 | signByDefault = true; 82 | }; 83 | 84 | aliases = { 85 | s = "status"; 86 | d = "diff"; 87 | a = "add"; 88 | c = "commit"; 89 | p = "push"; 90 | o = "checkout"; 91 | co = "checkout"; 92 | uncommit = "reset --soft HEAD^"; 93 | comma = "commit --amend"; 94 | reset-pr = "reset --hard FETCH_HEAD"; 95 | force-push = "push --force-with-lease"; 96 | }; 97 | 98 | userEmail = "git@pablo.tools"; 99 | userName = "pinpox"; 100 | }; 101 | }; 102 | 103 | programs.jujutsu = { 104 
| enable = true; 105 | settings = { 106 | user = { 107 | email = "git@pablo.tools"; 108 | name = "pinpox"; 109 | }; 110 | }; 111 | }; 112 | }; 113 | } 114 | -------------------------------------------------------------------------------- /home-manager/modules/go/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | let 4 | cfg = config.pinpox.programs.go; 5 | in 6 | { 7 | options.pinpox.programs.go.enable = mkEnableOption "go compiler"; 8 | 9 | config = mkIf cfg.enable { 10 | 11 | programs = { 12 | go = { 13 | enable = true; 14 | goPath = ".go"; 15 | # packages = { 16 | # "golang.org/x/text" = 17 | # builtins.fetchGit "https://go.googlesource.com/text"; 18 | # "golang.org/x/time" = 19 | # builtins.fetchGit "https://go.googlesource.com/time"; 20 | # }; 21 | }; 22 | }; 23 | }; 24 | } 25 | -------------------------------------------------------------------------------- /home-manager/modules/grobi/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.defaults.grobi; 10 | in 11 | { 12 | options.pinpox.defaults.grobi.enable = mkEnableOption "grobi defaults"; 13 | 14 | config = mkIf cfg.enable { 15 | services = { 16 | 17 | grobi = { 18 | # enable = true; 19 | enable = false; 20 | # executeAfter = [ " " ]; 21 | rules = [ 22 | { 23 | name = "kartoffel"; 24 | outputs_connected = [ 25 | "DVI-D-0" 26 | "DP-0" 27 | "DVI-D-1" 28 | ]; 29 | configure_row = [ 30 | "DVI-D-0" 31 | "DP-0" 32 | "DVI-D-1" 33 | ]; 34 | atomic = true; 35 | execute_after = [ 36 | '' 37 | ${pkgs.xorg.xrandr}/bin/xrandr \ 38 | --output DVI-D-0 --mode 1920x1200 --pos 3460x0 --rotate normal \ 39 | --output DP-0 --primary --mode 2560x1440 --pos 900x0 --rotate normal \ 40 | --output DVI-D-1 --mode 1440x900 --pos 0x0 --rotate right \ 41 | --output DP-1 --off \ 42 | --output HDMI-0 --off 43 | '' 44 | ]; 45 | } 46 | ]; 47 | }; 48 | }; 49 | }; 50 | } 51 | -------------------------------------------------------------------------------- /home-manager/modules/gtk/banana.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | ... 5 | }: 6 | { 7 | config = { 8 | home.pointerCursor = { 9 | name = "Banana"; 10 | size = 32; 11 | package = pkgs.banana-cursor; 12 | x11.enable = true; 13 | gtk.enable = true; 14 | }; 15 | 16 | wayland.windowManager.sway.config.seat."*".xcursor_theme = 17 | "${config.gtk.cursorTheme.name} ${toString config.gtk.cursorTheme.size}"; 18 | 19 | gtk.cursorTheme = { 20 | name = "Banana"; 21 | size = 32; 22 | package = pkgs.banana-cursor; 23 | }; 24 | }; 25 | } 26 | -------------------------------------------------------------------------------- /home-manager/modules/helix/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | with lib; 4 | 5 | let cfg = config.pinpox.programs.helix; 6 | 7 | in { 8 | options.pinpox.programs.helix = { 9 | enable = mkEnableOption "Helix editor configuration"; 10 | }; 11 | 12 | config = mkIf cfg.enable { 13 | programs.helix = { 14 | enable = true; 15 | 16 | # https://docs.helix-editor.com/languages.html 17 | languages = { 18 | language = [ 19 | { 20 | name = "nix"; 21 | auto-format = false; 22 | formatter.command = "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt"; 23 | } 24 | ]; 25 | }; 26 | 27 | settings = { 28 | editor = { 29 | indent-guides.render = true; 30 | bufferline = "multiple"; 31 | cursorline = true; 32 | cursor-shape = { 33 | insert = "bar"; 34 | normal = "block"; 35 | select = "underline"; 36 | }; 37 | 38 | lsp.display-messages = true; 39 | }; 40 | 41 | theme = "catppuccin_mocha"; 42 | 43 | keys = { 44 | normal = { 45 | ";" = "command_mode"; 46 | "C-g" = [ 47 | ":new" 48 | ":insert-output ${pkgs.lazygit}/bin/lazygit" 49 | ":buffer-close!" 50 | ":redraw" 51 | ]; 52 | }; 53 | select = { 54 | ";" = "command_mode"; 55 | }; 56 | }; 57 | }; 58 | }; 59 | 60 | # Add helix to home packages 61 | home.packages = with pkgs; [ 62 | helix 63 | ]; 64 | }; 65 | } -------------------------------------------------------------------------------- /home-manager/modules/k9s/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.programs.k9s; 10 | in 11 | { 12 | 13 | options.pinpox.programs.k9s.enable = mkEnableOption "k9s kubernetes CLI"; 14 | 15 | config = mkIf cfg.enable { 16 | 17 | home.packages = [ pkgs.k9s ]; 18 | 19 | xdg = { 20 | enable = true; 21 | configFile.k9s_theme = { 22 | target = "k9s/skin.yml"; 23 | text = builtins.toJSON { 24 | k9s = { 25 | body = { 26 | fgColor = "#cad3f5"; 27 | bgColor = "#24273a"; 28 | logoColor = "#cba6f7"; 29 | }; 30 | info = { 31 | fgColor = "#74c7ec"; 32 | sectionColor = "#8aadf4"; 33 | }; 34 | frame = { 35 | border = { 36 | fgColor = "#cba6f7"; 37 | focusColor = "#f5bde6"; 38 | }; 39 | menu = { 40 | fgColor = "#eed49f"; 41 | keyColor = "#8aadf4"; 42 | numKeyColor = "#f5bde6"; 43 | }; 44 | crumbs = { 45 | fgColor = "#cad3f5"; 46 | bgColor = "#8aadf4"; 47 | activeColor = "#74c7ec"; 48 | }; 49 | status = { 50 | newColor = "#a6da95"; 51 | modifyColor = "#68f288"; 52 | addColor = "#74c7ec"; 53 | errorColor = "#ed8796"; 54 | highlightcolor = "#8aadf4"; 55 | killColor = "#747c9e"; 56 | completedColor = "#5b6078"; 57 | }; 58 | title = { 59 | fgColor = "#8bd5ca"; 60 | bgColor = "#5b6078"; 61 | highlightColor = "#74c7ec"; 62 | counterColor = "#cba6f7"; 63 | filterColor = "#5b6078"; 64 | }; 65 | }; 66 | views = { 67 | table = { 68 | fgColor = "#cad3f5"; 69 | bgColor = "#24273a"; 70 | cursorColor = "#8bd5ca"; 71 | header = { 72 | fgColor = "#24273a"; 73 | bgColor = "#8aadf4"; 74 | }; 75 | }; 76 | yaml = { 77 | keyColor = "#8bd5ca"; 78 | colonColor = "#aee2da"; 79 | valueColor = "#a6da95"; 80 | }; 81 | logs = { 82 | fgColor = "#cad3f5"; 83 | bgColor = "#24273a"; 84 | }; 85 | }; 86 | }; 87 | }; 88 | }; 89 | }; 90 | }; 91 | } 92 | -------------------------------------------------------------------------------- /home-manager/modules/kanshi/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.programs.kanshi; 10 | in 11 | { 12 | options.pinpox.programs.kanshi.enable = mkEnableOption "kanshi screen setup"; 13 | 14 | config = mkIf cfg.enable { 15 | 16 | home.packages = with pkgs; [ kanshi ]; 17 | 18 | # output eDP-1 mode 1920x1080 position 0,0 19 | # output DP-1 mode 2560x1440 position 1080,0 20 | # output DP-2 mode 2560x1440 position 3640,0 21 | 22 | services.kanshi = { 23 | enable = true; 24 | settings = [ 25 | { 26 | profile.name = "laptop-only"; 27 | profile.outputs = [ 28 | { 29 | criteria = "eDP-1"; 30 | mode = "1920x1080@60Hz"; 31 | } 32 | ]; 33 | } 34 | { 35 | profile.name = "triple-home"; 36 | profile.outputs = [ 37 | # generate with wlay 38 | { 39 | criteria = "eDP-1"; 40 | mode = "1920x1080@60Hz"; 41 | position = "0,0"; 42 | status = "enable"; 43 | } 44 | { 45 | criteria = "DP-1"; 46 | mode = "2560x1440@60Hz"; 47 | position = "4480,0"; 48 | status = "enable"; 49 | } 50 | { 51 | criteria = "DP-2"; 52 | mode = "2560x1440@60Hz"; 53 | position = "1920,0"; 54 | status = "enable"; 55 | } 56 | ]; 57 | } 58 | ]; 59 | }; 60 | }; 61 | } 62 | -------------------------------------------------------------------------------- /home-manager/modules/mako/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | config, 4 | lib, 5 | ... 
}:
let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.pinpox.programs.mako;
in
{
  options.pinpox.programs.mako.enable = mkEnableOption "mako notifications";

  config = mkIf cfg.enable {

    # Needed for firefox and thunderbird
    home.packages = [ pkgs.libnotify ];

    services.mako = {
      enable = true;

      settings = {
        # Placement and geometry
        anchor = "top-right";
        width = "300";
        height = "200";
        margin = "10";
        padding = "5";

        # Colours
        backgroundColor = "#285577FF";
        borderColor = "#4C7899FF";
        textColor = "#FFFFFFFF";
        # progressColor = "over #5588AAFF";

        # Border
        borderRadius = "5";
        borderSize = "5";

        # Text and icons
        font = "Berkeley Mono 12";
        icons = "true";
        # iconPath = "";

        # Format specifiers:
        # %a Application name
        # %s Notification summary
        # %b Notification body
        # %g Number of notifications in the current group
        # %i Notification id
        # format = "%s\\n%b";
        # groupBy = "";

        defaultTimeout = "10000"; # In milliseconds
        # extraConfig = '''';
      };
    };
  };
}
--------------------------------------------------------------------------------
/home-manager/modules/neomutt/default.nix:
--------------------------------------------------------------------------------
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.pinpox.programs.neomutt;
in
{
  options.pinpox.programs.neomutt.enable = mkEnableOption "neomutt mail client";

  config = mkIf cfg.enable {
    programs.neomutt = {
      enable = true;
      sidebar.enable = true;

      # The IMAP password is not part of this file, so it never ends up in the
      # world-readable Nix store. The backticks are muttrc command
      # substitution: neomutt runs `pass` when it reads the config and uses the
      # output as the password.
      # NOTE(review): `pass` is looked up through PATH here rather than through
      # a pinned store path; confirm the password-store package is installed
      # for this user, otherwise the password is set to an empty string.
      extraConfig = ''
        set imap_user = "pablo1@mailbox.org"
        set imap_pass = "`pass mailbox.org/pablo1@mailbox.org`"
      '';
    };
  };
}
-------------------------------------------------------------------------------- /home-manager/modules/newsboat/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.programs.newsboat; 5 | splitString = str: builtins.filter builtins.isString (builtins.split "\n" str); 6 | in 7 | { 8 | options.pinpox.programs.newsboat.enable = mkEnableOption "newsboat RSS reader"; 9 | 10 | config = mkIf cfg.enable { 11 | 12 | programs.newsboat = { 13 | enable = true; 14 | autoReload = true; 15 | urls = 16 | [ 17 | # https://hackaday.com/blog/feed/ 18 | { 19 | title = "nixOS mobile"; 20 | tags = [ 21 | "nixos" 22 | "nix" 23 | ]; 24 | url = "https://mobile.nixos.org/index.xml"; 25 | } 26 | { 27 | title = "r/NixOS"; 28 | tags = [ 29 | "nixos" 30 | "nix" 31 | "reddit" 32 | ]; 33 | url = "https://www.reddit.com/r/NixOS.rss"; 34 | } 35 | { 36 | title = "NixOS weekly"; 37 | tags = [ 38 | "nixos" 39 | "nix" 40 | ]; 41 | url = "https://weekly.nixos.org/feeds/all.rss.xml"; 42 | } 43 | ] 44 | ++ (map (x: { 45 | url = x; 46 | tags = [ "rss" ]; 47 | }) (splitString (builtins.readFile ./newsboat/rss.txt))) 48 | 49 | ++ (map (x: { 50 | url = x; 51 | tags = [ "podcast" ]; 52 | }) (splitString (builtins.readFile ./newsboat/podcast.txt))) 53 | 54 | ++ (map (x: { 55 | url = x; 56 | tags = [ "youtube" ]; 57 | }) (splitString (builtins.readFile ./newsboat/youtube.txt))); 58 | }; 59 | }; 60 | } 61 | -------------------------------------------------------------------------------- /home-manager/modules/obs-studio/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | config, 5 | system-config, 6 | ... 
}:
let
  inherit (lib) elem mkEnableOption mkIf;

  cfg = config.pinpox.programs.obs-studio;

  # TCP port that the assertion below expects to be open for droidcam
  droidcamPort = 5201;
in
{
  options.pinpox.programs.obs-studio.enable = mkEnableOption "obs-studio";

  config = mkIf cfg.enable {

    # Fail evaluation when the host firewall (read from the NixOS configuration
    # passed in as `system-config`) does not list the droidcam port.
    # NOTE(review): droidcam-obs is commented out in the plugin list below, yet
    # this assertion still requires the port to be open. Consider tying the
    # assertion to the plugin so the firewall does not keep a port open that
    # nothing in this module uses.
    assertions = [
      {
        assertion = elem droidcamPort system-config.networking.firewall.allowedTCPPorts;
        message = "Port ${toString droidcamPort}/tcp is not open in the firewall, but required by droidcam";
      }
    ];

    home.packages = with pkgs; [
      uxplay # AirPlay Unix mirroring server

      slurp
      xdg-desktop-portal
      xdg-desktop-portal-gtk
    ];

    programs.obs-studio = {
      enable = true;
      plugins = with pkgs.obs-studio-plugins; [
        obs-pipewire-audio-capture

        # TODO add droidcam-obs again when https://github.com/NixOS/nixpkgs/pull/382559 is merged
        # droidcam-obs

        wlrobs
        # obs-vintage-filter
        # obs-teleport
        obs-backgroundremoval
        input-overlay
      ];
    };
  };
}
-------------------------------------------------------------------------------- /home-manager/modules/pandoc/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | with lib; 3 | let 4 | 5 | cfg = config.pinpox.programs.pandoc; 6 | in 7 | { 8 | options.pinpox.programs.pandoc.enable = mkEnableOption "pandoc config"; 9 | 10 | config = mkIf cfg.enable { 11 | 12 | programs.pandoc = { 13 | enable = true; 14 | citationStyles = [ ]; 15 | 16 | # templates = { 17 | # "default.latex" = path/to/your/template; 18 | # }; 19 | 20 | defaults = { 21 | metadata = { 22 | author = "Pablo Ovelleiro Corral"; 23 | }; 24 | # pdf-engine = "xelatex"; 25 | # citeproc = true; 26 | }; 27 | }; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /home-manager/modules/river/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.programs.river; 10 | start-river = 11 | pkgs.writeShellScriptBin "start-river" # sh 12 | '' 13 | export WLR_DRM_NO_MODIFIERS=1 14 | dbus-launch --sh-syntax --exit-with-session ${pkgs.river}/bin/river 15 | ''; 16 | 17 | screenshot-region = 18 | pkgs.writeShellScriptBin "screenshot-region" # sh 19 | '' 20 | ${pkgs.slurp}/bin/slurp | ${pkgs.grim}/bin/grim -g - - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png 21 | ''; 22 | 23 | screenshot-region-satty = 24 | pkgs.writeShellScriptBin "screenshot-region-satty" # sh 25 | '' 26 | ${pkgs.slurp}/bin/slurp | ${pkgs.grim}/bin/grim -g - - | ${pkgs.satty}/bin/satty --filename - --early-exit --initial-tool brush --font-family ${config.pinpox.font.normal.family} 27 | ''; 28 | 29 | screenshot-region-file = 30 | pkgs.writeShellScriptBin "screenshot-region-file" # sh 31 | '' 32 | ${pkgs.grim}/bin/grim -g "$(${pkgs.slurp}/bin/slurp)" $(date +'%s_grim.png') 33 | ''; 34 | in 35 | { 36 | options.pinpox.programs.river.enable = mkEnableOption "river window manager"; 37 | 38 | config = mkIf cfg.enable { 39 | 40 | # Sets --indicator for network-manager-applet, which makes it work in river 41 | 
xsession.preferStatusNotifierItems = true; 42 | 43 | # Install these packages for my user 44 | home.packages = with pkgs; [ 45 | river 46 | river-luatile 47 | # way-displays 48 | (waybar.override { wireplumberSupport = false; }) 49 | wl-clipboard 50 | wlr-randr 51 | start-river 52 | screenshot-region 53 | screenshot-region-satty 54 | screenshot-region-file 55 | ]; 56 | 57 | xdg = { 58 | enable = true; 59 | configFile = { 60 | 61 | # River configuration files 62 | river-config = { 63 | target = "river/init"; 64 | source = ./river-config; 65 | executable = true; 66 | }; 67 | 68 | river-config-extra = { 69 | target = "river/init_exta"; 70 | text = # sh 71 | '' 72 | riverctl map-switch normal lid close spawn ${pkgs.swaylock}/bin/swaylock 73 | # riverctl map normal Super F12 spawn '${pkgs.slurp}/bin/slurp | ${pkgs.grim}/bin/grim -g - - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png' 74 | # riverctl map normal Super F12 spawn ${screenshot-region} 75 | riverctl map normal Super p spawn "${pkgs.tofi}/bin/tofi-run" 76 | 77 | ${pkgs.mako}/bin/mako & 78 | waybar 79 | # ${pkgs.wlr-randr}/bin/wlr-randr --output eDP-1 --mode 1920x1080 --pos 0,0 \ 80 | # --output DP-1 --mode 2560x1440 --pos 4480,0 \ 81 | # --output DP-2 --mode 2560x1440@164.54 --pos 1920,0 82 | 83 | # wlr-randr --output eDP-1 --on --mode 1920x1080 --pos 0,0 --output DP-1 --on --mode 2560x1440 --pos 4480,0 --output DP-2 --on --mode 2560x1440 --pos 1920,0 84 | 85 | ''; 86 | executable = true; 87 | }; 88 | 89 | # river-luatile layouts 90 | luatile-layout = { 91 | target = "river-luatile/layout.lua"; 92 | source = ./layout.lua; 93 | }; 94 | 95 | luatile-json = { 96 | target = "river-luatile/json.lua"; 97 | source = ./json.lua; 98 | }; 99 | }; 100 | }; 101 | }; 102 | } 103 | -------------------------------------------------------------------------------- /home-manager/modules/shell/fish.nix: -------------------------------------------------------------------------------- 1 | { pkgs, promterm, ... 
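}:
{

  # Fish hooks for tools that are configured in other modules
  programs = {
    fzf.enableFishIntegration = true;
    dircolors.enableFishIntegration = true;
    pazi.enableFishIntegration = true;
  };

  programs.fish = {
    enable = true;

    # Function bodies are fish code. Fish passes arguments in the $argv list;
    # the POSIX positionals $1/$2 are not set inside a fish function.
    functions = {
      # Prints whatever the remote service returns for the given template names
      gitignore = "curl -sL https://www.gitignore.io/api/$argv";
      fish_command_not_found = "echo Did not find command $argv[1]";

      # Create and change to a directory
      take = ''mkdir -p -- "$argv[1]" && cd -- "$argv[1]"'';

      # Create and change to a new temporary directory
      ttake = "cd $(mktemp -d)";

      # Use `line 10 /etc/hosts` to get 10th line of file.
      # The line number is handed to awk as a variable, so the argument is
      # compared as data and never parsed as awk program text.
      line = ''awk -v n="$argv[1]" 'NR == n' "$argv[2]"'';
    };

    plugins = [
      {
        # https://github.com/gazorby/fifc
        # Pinned to a commit and a content hash, so the fetched source cannot
        # change without this file changing too.
        name = "fifc";
        src = pkgs.fetchFromGitHub {
          owner = "gazorby";
          repo = "fifc";
          rev = "a01650cd432becdc6e36feeff5e8d657bd7ee84a";
          sha256 = "sha256-Ynb0Yd5EMoz7tXwqF8NNKqCGbzTZn/CwLsZRQXIAVp4=";
        };
      }
    ];

    shellAbbrs = {
      o = "xdg-open";
      q = "exit";
      # NOTE(review): `sudo -E` keeps the caller's environment, so the editor
      # runs as root with the user's HOME, config and plugins. `sudoedit` edits
      # a copy as the unprivileged user and is the lower-privilege option.
      snvim = "sudo -E nvim";
      v = "nvim";

      # Global aliases, get expanded everywhere
      # abbrev-alias -g G = "| rg -i"
      # abbrev-alias - g P="| tb"
      #TODO
    };

    # `rec` lets later aliases reuse earlier ones (ls -> l -> ll, tb -> tbc)
    shellAliases = rec {

      # Eza ls replacement
      ls = "${pkgs.eza}/bin/eza --group-directories-first";
      l = "${ls} -lbF --git --icons";
      ll = "${l} -G";
      la = "${ls} -lbhHigmuSa@ --time-style=long-iso --git --color-scale --icons";
      lt = "${ls} --tree --level=2 --icons";

      # Git
      gs = "${pkgs.git}/bin/git status";

      # Pastebin (termbin.com)
      # Sends stdin to a public service over a plain TCP connection; nothing
      # piped into it should be secret.
      tb = "${pkgs.netcat-gnu}/bin/nc termbin.com 9999";
      tbc = "${tb} | ${pkgs.xclip}/bin/xclip -selection c";

      # Frequently used folders
      cdn = "cd ~/code/github.com/pinpox/nixos";
      cdnh = "cd ~/code/github.com/pinpox/nixos-home";

      # Other
      pt = "${promterm.defaultPackage.x86_64-linux}/bin/promterm 'https://vpn.prometheus.pablo.tools/api/v1/alerts'";
      lsblk = "lsblk -o name,mountpoint,label,size,type,uuid";
      c = "${pkgs.bat}/bin/bat -n --decorations never";
      cc = "${pkgs.clang}/bin/clang -Wall -Wextra -pedantic -std=c99 -Wshadow -Weverything";
      qr = "${pkgs.qrencode}/bin/qrencode -t utf8 -o-";
      top = "${pkgs.htop}/bin/htop";
      # Fetched over TLS: the response is printed straight to the terminal
      weather = "${pkgs.curl}/bin/curl -4 https://wttr.in/Koeln";
      # NOTE(review): plain-HTTP stream; switch to https if the server offers it
      radio = "${pkgs.mpv}/bin/mpv http://lassul.us:8000/radio.ogg";

      zzz = "systemctl suspend";

      # NOTE(review): serves files over HTTP; check the bind address and the
      # authentication flags before using it on a network you do not control.
      serve = "${pkgs.miniserve}/bin/miniserve";

      za = "${./zellij-chooser}";

      # Shares a terminal session through the upterm server named here.
      # Joining clients get the forced command (attach to the
      # "pair-programming" zellij session) instead of a shell of their own;
      # anyone admitted can still type into that session.
      upterm = "${pkgs.upterm}/bin/upterm host --server ssh://upterm.thalheim.io:2323 --force-command 'zellij attach pair-programming' -- zellij attach --create pair-programming";
    };
  };
}
-------------------------------------------------------------------------------- /home-manager/modules/shell/starship.nix: -------------------------------------------------------------------------------- 1 | { ... 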
}: 2 | { 3 | programs.starship = { 4 | enable = false; 5 | enableBashIntegration = true; 6 | enableZshIntegration = true; 7 | settings = { 8 | 9 | character = { 10 | success_symbol = "[»](bold green)"; 11 | error_symbol = "[×](bold red) "; 12 | }; 13 | 14 | aws = { 15 | disabled = true; 16 | }; 17 | 18 | python = { 19 | disabled = true; 20 | }; 21 | 22 | nix_shell = { 23 | symbol = "❄ "; 24 | }; 25 | 26 | git_status = { 27 | 28 | ahead = "↑"; 29 | behind = "↓"; 30 | diverged = "↕"; 31 | modified = "!"; 32 | staged = "±"; 33 | renamed = "→"; 34 | }; 35 | 36 | directory = { 37 | truncate_to_repo = false; 38 | fish_style_pwd_dir_length = 2; 39 | 40 | substitutions = { 41 | "~/code/github.com/pinpox/nixos" = ""; 42 | }; 43 | }; 44 | }; 45 | }; 46 | } 47 | -------------------------------------------------------------------------------- /home-manager/modules/shell/zellij-chooser: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ZJ_SESSIONS=$(zellij list-sessions -n) 4 | NO_SESSIONS=$(echo "${ZJ_SESSIONS}" | wc -l) 5 | 6 | if [ "${NO_SESSIONS}" -ge 2 ]; then 7 | zellij attach "$(echo "${ZJ_SESSIONS}" | fzf | cut -d' ' -f1)" 8 | else 9 | zellij attach -c 10 | fi 11 | -------------------------------------------------------------------------------- /home-manager/modules/shell/zshrc: -------------------------------------------------------------------------------- 1 | # Initialize prompt 2 | # 3 | # Show nix-shell in right prompt 4 | local snowflake='❄' 5 | [[ ! 
-z "$IN_NIX_SHELL" ]] && RPROMPT="%F{blue}$IN_NIX_SHELL $snowflake $NIX_SHELL_PACKAGES" 6 | 7 | # Don't do shit with the # in flake commmands 8 | unsetopt nomatch 9 | -------------------------------------------------------------------------------- /home-manager/modules/shell/zshrc-extra: -------------------------------------------------------------------------------- 1 | # Create and change to a directory 2 | take () { mkdir -p -- "$1" && cd -- "$1"; } 3 | 4 | # Create and change to a new temporary directory 5 | ttake () { cd $(mktemp -d) } 6 | 7 | # Use `line 10 /etc/hosts` to get 10th line of file 8 | line () { awk "NR == $1" "$2" } 9 | 10 | 11 | # Bind up and down keys to history matching partial input 12 | bindkey "$terminfo[kcuu1]" history-search-backward 13 | bindkey "$terminfo[kcud1]" history-search-forward 14 | 15 | # Init h (https://github.com/zimbatm/h) 16 | eval "$(h --setup ~/code)" 17 | 18 | # fzf-compete files with ctrl+t 19 | bindkey -s "^T" 'pazi_cd --pipe="fzf"^M' 20 | 21 | # Make tab-completion case-insensitive 22 | zstyle ':completion:*' matcher-list 'm:{a-z}={A-Za-z}' 23 | 24 | # fzf-tab: https://github.com/Aloxaf/fzf-tab?tab=readme-ov-file#configure 25 | 26 | # set list-colors to enable filename colorizing 27 | zstyle ':completion:*' list-colors ${(s.:.)LS_COLORS} 28 | # preview directory's content with eza when completing cd 29 | zstyle ':fzf-tab:complete:cd:*' fzf-preview 'eza -1 --color=always $realpath' 30 | 31 | # Wastebin 32 | # command | paste 33 | function paste() { 34 | jq -Rns '{text: inputs}' | curl -s -H 'Content-Type: application/json' \ 35 | --data-binary @- https://paste.0cx.de | jq -r '. | "https://paste.0cx.de\(.path)"' 36 | } 37 | 38 | # Self-hosted transfer.sh sharing. 
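# Expects ~/.netrc with credentials in this format:
# machine transfer.0cx.de login my-super-user password super-secret-password
# transfer file.txt
#
# ~/.netrc holds the password in plain text: keep it readable by the owner
# only (chmod 600). The file name is placed into the upload URL as-is.
transfer () {
  local file file_name
  local endpoint="https://transfer.0cx.de"

  if [ $# -eq 0 ]; then
    echo "No arguments specified.\nUsage:\n transfer \n ... | transfer " >&2
    return 1
  fi

  if tty -s; then
    # stdin is a terminal: upload the path given as first argument
    file="$1"
    file_name=$(basename -- "$file")
    if [ ! -e "$file" ]; then
      echo "$file: No such file or directory" >&2
      return 1
    fi
    if [ -d "$file" ]; then
      # Directories are zipped on the fly. The assignment has to stand alone:
      # with a trailing word it would only apply to that word run as a command
      # and the ".zip" suffix would be lost.
      file_name="$file_name.zip"
      ( cd -- "$file" && zip -r -q - . ) \
        | curl -n --progress-bar --upload-file "-" "$endpoint/$file_name" | tee /dev/null
    else
      cat -- "$file" \
        | curl -n --progress-bar --upload-file "-" "$endpoint/$file_name" | tee /dev/null
    fi
  else
    # stdin is a pipe: the first argument is only the remote file name
    file_name=$1
    curl -n --progress-bar --upload-file "-" "$endpoint/$file_name" | tee /dev/null
  fi
}

# Switch delta to side-by-side output when the terminal is wide enough;
# re-evaluated on every window resize through the WINCH trap.
function delta_sidebyside {
  if [[ COLUMNS -ge 140 ]]; then
    export DELTA_FEATURES='side-by-side'
  else
    export DELTA_FEATURES=''
  fi
}
trap delta_sidebyside WINCH

# Run ranger and change into the directory it was left in.
# ranger writes that directory to a mktemp file, which is removed afterwards.
function ranger-cd {
  local tempfile
  tempfile=$(mktemp)
  \ranger --choosedir="$tempfile" "${@:-$(pwd)}" < "$TTY"
  test -f "$tempfile" &&
    if [ "$(cat -- "$tempfile")" != "$(echo -n `pwd`)" ]; then
      cd -- "$(cat -- "$tempfile")"
    fi
  rm -f -- "$tempfile"
}

# zle widget: run ranger-cd, then pass through edit-command-line with
# VISUAL=true so no editor is opened.
function carry-ranger-cd {
  ranger-cd
  VISUAL=true zle edit-command-line
}

autoload -z edit-command-line
zle -N edit-command-line

zle -N carry-ranger-cd

bindkey '^L' carry-ranger-cd
-------------------------------------------------------------------------------- /home-manager/modules/ssh/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 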
}:

let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.pinpox.programs.ssh;
in
{
  options.pinpox.programs.ssh.enable = mkEnableOption "SSH configuration";

  config = mkIf cfg.enable {
    programs.ssh = {
      enable = true;

      # PKCS11Provider makes the ssh client load the named shared library to
      # reach keys held by a PKCS#11 token (here the TPM2 module), so the
      # private key does not have to exist as a file in ~/.ssh.
      # The path points into the NixOS system profile and only resolves when
      # the system configuration installs that library there.
      # CertificateFile names the certificate presented together with the key.
      # NOTE(review): neither line is wrapped in a Host/Match block in this
      # module, so they presumably apply to every host the client connects to;
      # confirm where home-manager places extraConfig and scope them if the
      # token key should only be offered to selected hosts.
      extraConfig = ''
        PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so
        CertificateFile ~/.ssh/cert.pub
      '';
    };
  };
}
-------------------------------------------------------------------------------- /home-manager/modules/sway/nixos-wallpaper.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pinpox/nixos/6ca6002a6360567f0233d2b6c81bac93dce7f143/home-manager/modules/sway/nixos-wallpaper.png -------------------------------------------------------------------------------- /home-manager/modules/sway/swaync/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "/home/pinpox/.config/swaync/configSchema.json", 3 | "positionX": "right", 4 | "positionY": "top", 5 | "layer": "overlay", 6 | "control-center-layer": "top", 7 | "layer-shell": true, 8 | "cssPriority": "user", 9 | "control-center-margin-top": 0, 10 | "control-center-margin-bottom": 0, 11 | "control-center-margin-right": 0, 12 | "control-center-margin-left": 0, 13 | "notification-2fa-action": true, 14 | "notification-inline-replies": false, 15 | "notification-icon-size": 64, 16 | "notification-body-image-height": 100, 17 | "notification-body-image-width": 200, 18 | "timeout": 10, 19 | "timeout-low": 5, 20 | "timeout-critical": 0, 21 | "fit-to-screen": true, 22 | "control-center-width": 500, 23 | "control-center-height": 600, 24 | "notification-window-width": 500, 25 | "keyboard-shortcuts": true, 26 | "image-visibility": "when-available", 27 | "transition-time": 200, 28 | "hide-on-clear": false, 29 | "hide-on-action": true, 30 | "script-fail-notify": true, 31 | "scripts": { 32 | "example-script": { 33 | 
"exec": "echo 'Do something...'", 34 | "urgency": "Normal" 35 | }, 36 | "example-action-script": { 37 | "exec": "echo 'Do something actionable!'", 38 | "urgency": "Normal", 39 | "run-on": "action" 40 | } 41 | }, 42 | "notification-visibility": { 43 | "example-name": { 44 | "state": "muted", 45 | "app-name": "Spotify" 46 | } 47 | }, 48 | "widgets": [ 49 | "menubar#label", 50 | "mpris", 51 | "backlight", 52 | "volume", 53 | "inhibitors", 54 | "label", 55 | "menubar", 56 | "title", 57 | "dnd", 58 | "notifications" 59 | ], 60 | "widget-config": { 61 | "menubar#label": { 62 | "menu#power-buttons": { 63 | "label": "", 64 | "position": "right", 65 | "actions": [ 66 | { 67 | "label": " Reboot", 68 | "command": "systemctl reboot" 69 | }, 70 | { 71 | "label": " Lock", 72 | "command": "swaylock -f" 73 | }, 74 | { 75 | "label": " Logout", 76 | "command": "swaymsg exit" 77 | }, 78 | { 79 | "label": " Shut down", 80 | "command": "systemctl poweroff" 81 | } 82 | ] 83 | }, 84 | "menu#powermode-buttons": { 85 | "label": "", 86 | "position": "left", 87 | "actions": [ 88 | { 89 | "label": "Performance", 90 | "command": "powerprofilesctl set performance" 91 | }, 92 | { 93 | "label": "Balanced", 94 | "command": "powerprofilesctl set balanced" 95 | }, 96 | { 97 | "label": "Power-saver", 98 | "command": "powerprofilesctl set power-saver" 99 | } 100 | ] 101 | }, 102 | "buttons#topbar-buttons": { 103 | "position": "left", 104 | "actions": [ 105 | { 106 | "label": "", 107 | "command": "screenshot-region-satty" 108 | } 109 | ] 110 | } 111 | }, 112 | "backlight": { 113 | "label": "", 114 | "device": "intel_backlight", 115 | "min": 10 116 | }, 117 | "volume": { 118 | "label": "", 119 | "show-per-app": true 120 | }, 121 | "inhibitors": { 122 | "text": "Inhibitors", 123 | "button-text": "Clear All", 124 | "clear-all-button": true 125 | }, 126 | "title": { 127 | "text": "Notifications", 128 | "clear-all-button": true, 129 | "button-text": "Clear All" 130 | }, 131 | "dnd": { 132 | "text": 
"Do Not Disturb" 133 | }, 134 | "label": { 135 | "max-lines": 5, 136 | "text": "Label Text" 137 | }, 138 | "mpris": { 139 | "image-size": 96, 140 | "image-radius": 12 141 | } 142 | } 143 | } 144 | -------------------------------------------------------------------------------- /home-manager/modules/swaylock/style.css: -------------------------------------------------------------------------------- 1 | 2 | * { 3 | border: none; 4 | border-radius: 0; 5 | min-height: 0; 6 | font-family: "Berkeley Mono"; 7 | font-size: 15px; 8 | } 9 | 10 | window#waybar { 11 | /* background-color: rgba(43, 48, 59, 0.65); */ 12 | background-color: transparent; 13 | color: white; 14 | } 15 | 16 | /* window#waybar.hidden { */ 17 | /* opacity: 0.2; */ 18 | /* } */ 19 | 20 | #tags button { 21 | padding: 0px 5px; 22 | margin: 3px 3px; 23 | /* background-color: #161320; */ 24 | background-color: rgba(0, 0, 0, 0.2); 25 | color: #D9E0EE; 26 | /* Use box-shadow instead of border so the text isn't offset */ 27 | box-shadow: inset 0 -3px transparent; 28 | /* Avoid rounded borders under each workspace name */ 29 | border: none; 30 | border-radius: 3; 31 | } 32 | 33 | /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */ 34 | #tags button:hover { 35 | /* background: rgba(0, 0, 0, 0.2); */ 36 | box-shadow: inset 0 -3px #D9E0EE; 37 | } 38 | 39 | #tags button.occupied { 40 | box-shadow: inset 0 -3px white; 41 | } 42 | 43 | #tags button.focused { 44 | background-color: black; 45 | box-shadow: inset 0 -3px green; 46 | } 47 | 48 | #tags button.urgent { 49 | background-color: #F28FAD; 50 | } 51 | 52 | #mode { 53 | background-color: #64727D; 54 | border-bottom: 3px solid #D9E0EE; 55 | } 56 | 57 | #clock, 58 | #battery, 59 | #cpu, 60 | #memory, 61 | #disk, 62 | #temperature, 63 | #backlight, 64 | #network, 65 | #pulseaudio, 66 | #custom-media, 67 | #tray, 68 | #mode, 69 | #idle_inhibitor, 70 | #mpd, 71 | #language, 72 | #idle_inhibitor { 73 | padding: 5px 10px; 74 
| margin: 3px 3px; 75 | color: #D9E0EE; 76 | border-radius: 3; 77 | /* background-color: #161320; */ 78 | background-color: black; 79 | } 80 | 81 | #window, 82 | #tags { 83 | margin: 0 4px; 84 | } 85 | 86 | /* If workspaces is the leftmost module, omit left margin */ 87 | .modules-left > widget:first-child > #tags { 88 | margin-left: 9px; 89 | } 90 | 91 | /* If workspaces is the rightmost module, omit right margin */ 92 | .modules-right > widget:last-child > #tags { 93 | margin-right: 0; 94 | } 95 | 96 | #clock { 97 | min-width: 45px; 98 | margin-right: 11px; 99 | } 100 | 101 | #battery { 102 | min-width: 55px; 103 | } 104 | 105 | @keyframes blink { 106 | to { 107 | background-color: #ffffff; 108 | color: #000000; 109 | } 110 | } 111 | 112 | #battery.critical:not(.charging) { 113 | background-color: #f53c3c; 114 | color: #D9E0EE; 115 | animation-name: blink; 116 | animation-duration: 0.5s; 117 | animation-timing-function: linear; 118 | animation-iteration-count: infinite; 119 | animation-direction: alternate; 120 | } 121 | 122 | label:focus { 123 | background-color: #D9E0EE; 124 | } 125 | 126 | #backlight { 127 | min-width: 55px; 128 | } 129 | 130 | #network { 131 | min-width: 150px; 132 | } 133 | 134 | #tray { 135 | /* background-color: #161320; */ 136 | background-color: black; 137 | } 138 | 139 | #tray > .passive { 140 | -gtk-icon-effect: dim; 141 | } 142 | 143 | #tray > .needs-attention { 144 | -gtk-icon-effect: highlight; 145 | background-color: #F28FAD; 146 | } 147 | 148 | 149 | -------------------------------------------------------------------------------- /home-manager/modules/taskwarrior/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | config, 4 | ... 
5 | }: 6 | with lib; 7 | let 8 | cfg = config.pinpox.programs.taskwarrior; 9 | in 10 | { 11 | options.pinpox.programs.taskwarrior.enable = mkEnableOption "takswarrior configuration"; 12 | 13 | config = mkIf cfg.enable { 14 | 15 | programs.taskwarrior = { 16 | 17 | # colorTheme Either one of the default provided theme as string, or a path to a theme configuration file. null or string or path 18 | # config Key-value configuration written to {file}`$XDG_CONFIG_HOME/task/taskrc`. attribute set of anything 19 | enable = true; 20 | # extraConfig Additional content written at the end of {file}`$XDG_CONFIG_HOME/task/taskrc`. strings concatenated with "\n" 21 | }; 22 | }; 23 | } 24 | -------------------------------------------------------------------------------- /home-manager/modules/tmux/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | config, 4 | pkgs, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.programs.tmux; 10 | in 11 | { 12 | options.pinpox.programs.tmux.enable = mkEnableOption "tmux terminal mutliplexer"; 13 | 14 | config = mkIf cfg.enable { 15 | programs.tmux = { 16 | enable = true; 17 | 18 | # Set the prefix key. Overrules the "shortcut" option when set. 19 | prefix = "C-a"; 20 | 21 | # Automatically spawn a session if trying to attach and none are running. 22 | newSession = true; 23 | 24 | # Base index for windows and panes. 25 | baseIndex = 1; 26 | 27 | # Use 24 hour clock. 28 | clock24 = true; 29 | 30 | # Maximum number of lines held in window history. 31 | historyLimit = 8000; 32 | 33 | # Less command delay 34 | escapeTime = 20; 35 | 36 | # Set the $TERM variable. 
37 | terminal = "screen-256color"; 38 | 39 | plugins = with pkgs.tmuxPlugins; [ tmux-fzf ]; 40 | 41 | extraConfig = builtins.readFile ./tmux.conf; 42 | }; 43 | }; 44 | } 45 | -------------------------------------------------------------------------------- /home-manager/modules/waybar/style.css: -------------------------------------------------------------------------------- 1 | 2 | /*************** 3 | * GENERAL * 4 | ***************/ 5 | 6 | * { 7 | border: none; 8 | border-radius: 0; 9 | min-height: 0; 10 | font-family: "Berkeley Mono", "Font Awesome 6 Free"; 11 | font-size: 12px; 12 | } 13 | 14 | window#waybar { 15 | background-color: transparent; 16 | color: @White; 17 | } 18 | 19 | #mode { 20 | border-bottom: 3px solid @White; 21 | } 22 | 23 | #clock, 24 | #battery, 25 | #cpu, 26 | #memory, 27 | #disk, 28 | #temperature, 29 | #backlight, 30 | #network, 31 | #pulseaudio, 32 | #custom-media, 33 | #tray, 34 | #mode, 35 | #idle_inhibitor, 36 | #custom-notification, 37 | #custom-mic, 38 | #workspaces button, 39 | #mpd, 40 | #language, 41 | #idle_inhibitor { 42 | padding: 3px 7px; 43 | margin: 3px 3px; 44 | color: @White; 45 | border-radius: 3px; 46 | background-color: @Black; 47 | } 48 | 49 | #custom-mic, #mpris { 50 | padding: 3px 7px; 51 | margin: 3px 3px; 52 | color: @White; 53 | background-color: transparent; 54 | } 55 | 56 | #pulseaudio.source-muted, #custom-mic { color: @Red; } 57 | 58 | #window { 59 | background-color: @Black; 60 | color: @White; 61 | } 62 | 63 | /********************* 64 | * WORKSPACES/TAGS * 65 | *********************/ 66 | 67 | #workspaces button, 68 | #tags button { 69 | background: @Black; 70 | color: @White; 71 | padding: 0px 0px; 72 | } 73 | 74 | #workspaces button.focused, 75 | #tags button.focused { 76 | background: @Blue; 77 | color: @Black; 78 | } 79 | 80 | #workspaces button.urgent, 81 | #tags button.urgent { 82 | background-color: @Red; 83 | color: @Black; 84 | } 85 | 86 | #workspaces button:hover , 87 | #tags button:hover { 88 
| background: rgba(0, 0, 0, 0.2); 89 | box-shadow: inherit; 90 | text-shadow: inherit; 91 | } 92 | 93 | /* /1* If workspaces is the leftmost module, omit left margin *1/ */ 94 | /* .modules-left > widget:first-child > #tags { */ 95 | /* margin-left: 9px; */ 96 | /* } */ 97 | 98 | /* .modules-right > widget:last-child > #tags { */ 99 | /* margin-right: 0; */ 100 | /* } */ 101 | 102 | /********************* 103 | * CLOCK * 104 | *********************/ 105 | 106 | #clock { 107 | min-width: 45px; 108 | margin-right: 11px; 109 | } 110 | 111 | /********************* 112 | * BATTERY * 113 | *********************/ 114 | 115 | #battery { 116 | min-width: 55px; 117 | } 118 | 119 | @keyframes blink { 120 | to { 121 | background-color: @White; 122 | color: @Black; 123 | } 124 | } 125 | 126 | #battery.critical:not(.charging) { 127 | background-color: @Red; 128 | color: @White; 129 | animation-name: blink; 130 | animation-duration: 0.5s; 131 | animation-timing-function: linear; 132 | animation-iteration-count: infinite; 133 | animation-direction: alternate; 134 | } 135 | 136 | /* label:focus { */ 137 | /* background-color: @White; */ 138 | /* } */ 139 | 140 | 141 | /********************* 142 | * BACKLIGHT * 143 | *********************/ 144 | 145 | #backlight { 146 | min-width: 55px; 147 | } 148 | 149 | /* #network { */ 150 | /* min-width: 150px; */ 151 | /* } */ 152 | 153 | /********************* 154 | * TRAY * 155 | *********************/ 156 | 157 | #tray { 158 | background-color: @Black; 159 | } 160 | 161 | #tray > .passive { 162 | -gtk-icon-effect: dim; 163 | } 164 | 165 | #tray > .needs-attention { 166 | -gtk-icon-effect: highlight; 167 | background-color: @Red; 168 | } 169 | 170 | 171 | -------------------------------------------------------------------------------- /home-manager/modules/xdg/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.defaults.xdg; 5 | in 6 | { 7 | 8 | options.pinpox.defaults.xdg = { 9 | enable = mkEnableOption "xdg defaults"; 10 | }; 11 | 12 | config = mkIf cfg.enable { 13 | xdg = { 14 | enable = true; 15 | configFile = { }; 16 | }; 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /home-manager/modules/zed/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | with lib; 4 | 5 | let cfg = config.pinpox.programs.zed; 6 | 7 | in { 8 | options.pinpox.programs.zed = { 9 | enable = mkEnableOption "Zed editor configuration"; 10 | }; 11 | 12 | config = mkIf cfg.enable { 13 | services.gnome-keyring.enable = true; 14 | 15 | # Add nixd (Nix language server) for better Nix support 16 | home.packages = with pkgs; [ 17 | nixd 18 | ]; 19 | 20 | programs.zed-editor = { 21 | enable = true; 22 | extensions = ["nix"]; 23 | userSettings = { 24 | telemetry = { 25 | metrics = false; 26 | diagnostics = false; 27 | }; 28 | vim_mode = true; 29 | ui_font_size = 15; 30 | buffer_font_size = 15; 31 | buffer_font_family = "Berkeley Mono"; 32 | ui_font_family = "Berkeley Mono"; 33 | theme = { 34 | mode = "dark"; 35 | light = "Ayu Light"; 36 | dark = "One Dark"; 37 | }; 38 | language_overrides = { 39 | nix = { 40 | language_server_id = "nixd"; 41 | }; 42 | }; 43 | }; 44 | }; 45 | }; 46 | } -------------------------------------------------------------------------------- /home-manager/modules/zellij/default.nix: -------------------------------------------------------------------------------- 1 | { lib, config, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.programs.zellij; 5 | in 6 | { 7 | options.pinpox.programs.zellij.enable = mkEnableOption "zellij terminal mutliplexer"; 8 | 9 | config = mkIf cfg.enable { 10 | programs.zellij = { 11 | 12 | enable = true; 13 | 14 | # Don't auto-start zellij on new shells 15 | enableZshIntegration = false; 16 | 17 | settings = { 18 | 19 | keybinds.unbind = "Ctrl q"; 20 | 21 | session_serialization = false; 22 | 23 | theme = "custom"; 24 | themes.custom = { 25 | fg = "#${config.pinpox.colors.White}"; 26 | bg = "#${config.pinpox.colors.BrightBlack}"; 27 | black = "#${config.pinpox.colors.Black}"; 28 | red = "#${config.pinpox.colors.Red}"; 29 | green = "#${config.pinpox.colors.Green}"; 30 | yellow = "#${config.pinpox.colors.BrightYellow}"; 31 | blue = "#${config.pinpox.colors.Blue}"; 32 | magenta = "#${config.pinpox.colors.Magenta}"; 33 | cyan = "#${config.pinpox.colors.Cyan}"; 34 | white = "#${config.pinpox.colors.White}"; 35 | orange = "#${config.pinpox.colors.Yellow}"; 36 | }; 37 | }; 38 | }; 39 | }; 40 | } 41 | -------------------------------------------------------------------------------- /home-manager/modules/zk/default.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: {{title}} 3 | created: {{format-date now}} 4 | visibility: private 5 | language: en 6 | tags: 7 | - {{slug title}} 8 | --- 9 | 10 | {{content}} 11 | 12 | # References 13 | -------------------------------------------------------------------------------- /home-manager/modules/zk/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | config, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.programs.zk; 10 | in 11 | { 12 | options.pinpox.programs.zk.enable = mkEnableOption "zk zettelkasten client"; 13 | 14 | config = mkIf cfg.enable { 15 | home.packages = with pkgs; [ zk ]; 16 | 17 | programs.zsh = { 18 | 19 | sessionVariables.ZK_NOTEBOOK_DIR = "/home/pinpox/Notes"; 20 | 21 | shellAliases = { 22 | # Edit notes 23 | zke = "${pkgs.zk}/bin/zk edit --interactive -x journal"; 24 | zkn = "${pkgs.zk}/bin/zk new inbox"; 25 | }; 26 | }; 27 | 28 | xdg = { 29 | enable = true; 30 | configFile = { 31 | 32 | # zk configuration file 33 | zk_config = { 34 | target = "zk/config.toml"; 35 | source = ./config.toml; 36 | }; 37 | 38 | # Template for default notes 39 | zk_template_default = { 40 | target = "zk/templates/default.md"; 41 | source = ./default.md; 42 | }; 43 | 44 | # Template for juornal/dairy notes 45 | zk_template_journal = { 46 | target = "zk/templates/journal.md"; 47 | source = ./journal.md; 48 | }; 49 | }; 50 | }; 51 | }; 52 | } 53 | -------------------------------------------------------------------------------- /home-manager/modules/zk/journal.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: {{title}} 3 | created: {{format-date now}} 4 | visibility: private 5 | language: de 6 | tags: 7 | - {{slug title}} 8 | - journal 9 | --- 10 | 11 | # {{format-date now "long"}} - {{title}} 12 | 13 | What did I do today? 14 | {{content}} 15 | -------------------------------------------------------------------------------- /home-manager/profiles/common.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | nur, 5 | flake-self, 6 | ... 
7 | }: 8 | with lib; 9 | { 10 | imports = [ ../colorscheme.nix ]; 11 | 12 | config = { 13 | 14 | 15 | # Home-manager nixpkgs config 16 | nixpkgs = { 17 | 18 | # Allow "unfree" licenced packages 19 | config = { 20 | allowUnfree = true; 21 | }; 22 | 23 | overlays = [ 24 | flake-self.overlays.default 25 | nur.overlays.default 26 | ]; 27 | }; 28 | 29 | # Extra arguments to pass to modules 30 | _module.args = { 31 | pinpox-utils = import ../../utils { inherit pkgs; }; 32 | }; 33 | 34 | # Include man-pages 35 | manual.manpages.enable = true; 36 | 37 | # Environment variables 38 | systemd.user.sessionVariables = { 39 | ZDOTDIR = "/home/pinpox/.config/zsh"; 40 | }; 41 | 42 | home = { 43 | # Install these packages for my user 44 | packages = with pkgs; [ 45 | eza 46 | htop 47 | pkg-config 48 | tealdeer 49 | unzip 50 | delta 51 | ]; 52 | 53 | sessionVariables = { 54 | ZDOTDIR = "/home/pinpox/.config/zsh"; 55 | }; 56 | 57 | # This value determines the Home Manager release that your 58 | # configuration is compatible with. This helps avoid breakage 59 | # when a new Home Manager release introduces backwards 60 | # incompatible changes. 61 | # 62 | # You can update Home Manager without changing this value. See 63 | # the Home Manager release notes for a list of state version 64 | # changes in each release. 65 | stateVersion = "25.05"; 66 | }; 67 | 68 | # Let Home Manager install and manage itself. 69 | programs.home-manager.enable = true; 70 | }; 71 | } 72 | -------------------------------------------------------------------------------- /home-manager/profiles/server/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | ... 
4 | }: 5 | { 6 | imports = [ ../common.nix ]; 7 | 8 | config = { 9 | 10 | # Install these packages for my user 11 | home.packages = with pkgs; [ 12 | exa 13 | htop 14 | httpie 15 | pkg-config 16 | tealdeer 17 | unzip 18 | ]; 19 | 20 | pinpox = { 21 | defaults = { 22 | credentials.enable = true; 23 | git.enable = true; 24 | shell.enable = true; 25 | xdg.enable = true; 26 | }; 27 | 28 | programs = { 29 | tmux.enable = true; 30 | }; 31 | }; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /images/configuration.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | modulesPath, 6 | ... 7 | }: 8 | with lib; 9 | { 10 | 11 | imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; 12 | 13 | config = { 14 | 15 | # Filesystems 16 | fileSystems."/" = { 17 | device = "/dev/disk/by-label/nixos"; 18 | fsType = "ext4"; 19 | autoResize = true; 20 | }; 21 | 22 | # Bootloader 23 | boot.growPartition = true; 24 | boot.kernelParams = [ "console=ttyS0" ]; 25 | boot.loader.grub.device = "/dev/vda"; 26 | boot.loader.timeout = 0; 27 | 28 | # Locale settings 29 | i18n.defaultLocale = "en_US.UTF-8"; 30 | console = { 31 | font = "Lat2-Terminus16"; 32 | keyMap = "colemak"; 33 | }; 34 | 35 | # TODO set hostname 36 | networking.hostName = "my-nixos-host"; 37 | 38 | # OpenSSH: password and keyboard-interactive authentication are disabled below, so root can only log in with a key. NOTE(review): permitRootLogin = "yes" relies on those two settings staying false; "prohibit-password" would keep root key-only on its own. 39 | programs.ssh.startAgent = false; 40 | services.openssh = { 41 | enable = true; 42 | passwordAuthentication = false; 43 | startWhenNeeded = true; 44 | kbdInteractiveAuthentication = false; 45 | permitRootLogin = "yes"; 46 | }; 47 | 48 | users = { # root's authorized_keys is the file fetched below; the sha256 pins its content, so a different key list served at that URL is rejected by the hash check instead of being trusted. NOTE(review): images/raspi.nix pins a different hash for the same URL, so presumably one of the two is stale - confirm 49 | users.root = { 50 | openssh.authorizedKeys.keyFiles = [ 51 | (pkgs.fetchurl { 52 | url = "https://github.com/pinpox.keys"; 53 | sha256 = "sha256-Cf/PSZemROU/Y0EEnr6A+FXE0M3+Kso5VqJgomGST/U="; 54 | }) 55 | ]; 56 | }; 57 | }; 58 | 59 | # Enable flakes (NOTE(review): the line below only selects the Nix package; no experimental-features setting is visible in this file) 60 | nix.package = pkgs.nixVersions.stable; 61 | 62 | # Install some basic utilities 63 |
environment.systemPackages = [ 64 | pkgs.git 65 | pkgs.ag 66 | pkgs.htop 67 | ]; 68 | 69 | # Let 'nixos-version --json' know about the Git revision 70 | # of this flake. 71 | # system.configurationRevision = pkgs.lib.mkIf (self ? rev) self.rev; 72 | }; 73 | } 74 | -------------------------------------------------------------------------------- /images/raspi.nix: -------------------------------------------------------------------------------- 1 | # # nix build '.#base-image' 2 | # raspi-image = 3 | # let 4 | # system = "aarch64-linux"; 5 | # in 6 | # import "${nixpkgs}/nixos/lib/make-disk-image.nix" { 7 | # pkgs = nixpkgs.legacyPackages."${system}"; 8 | # lib = nixpkgs.lib; 9 | # config = 10 | # (nixpkgs.lib.nixosSystem { 11 | # inherit system; 12 | # modules = [ ./images/raspi.nix ]; 13 | # }).config; 14 | # format = "qcow2"; 15 | # diskSize = 4096; 16 | # name = "raspi-image"; 17 | # }; 18 | # 19 | # base-image = 20 | # let 21 | # system = "x86_64-linux"; 22 | # in 23 | # import "${nixpkgs}/nixos/lib/make-disk-image.nix" { 24 | # pkgs = nixpkgs.legacyPackages."${system}"; 25 | # lib = nixpkgs.lib; 26 | # config = 27 | # (nixpkgs.lib.nixosSystem { 28 | # inherit system; 29 | # modules = [ ./images/configuration.nix ]; 30 | # }).config; 31 | # format = "qcow2"; 32 | # diskSize = 2048; 33 | # name = "base-image"; 34 | # }; 35 | # 36 | 37 | { 38 | config, 39 | pkgs, 40 | lib, 41 | ... 
42 | }: 43 | 44 | { 45 | 46 | # Filesystems 47 | fileSystems."/" = { 48 | device = "/dev/disk/by-label/nixos"; 49 | fsType = "ext4"; 50 | autoResize = true; 51 | }; 52 | # This configuration worked on 09-03-2021 nixos-unstable @ commit 102eb68ceec 53 | # The image used https://hydra.nixos.org/build/134720986 54 | 55 | boot = { 56 | kernelPackages = pkgs.linuxPackages_rpi4; 57 | tmpOnTmpfs = true; 58 | initrd.availableKernelModules = [ 59 | "usbhid" 60 | "usb_storage" 61 | ]; 62 | # ttyAMA0 is the serial console broken out to the GPIO 63 | kernelParams = [ 64 | "8250.nr_uarts=1" 65 | "console=ttyAMA0,115200" 66 | "console=tty1" 67 | # A lot of GUI programs need this, nearly all Wayland applications 68 | "cma=128M" 69 | ]; 70 | }; 71 | 72 | # OpenSSH: password and keyboard-interactive authentication are disabled below, so root can only log in with a key. NOTE(review): permitRootLogin = "yes" relies on those two settings staying false; "prohibit-password" would keep root key-only on its own. 73 | programs.ssh.startAgent = false; 74 | services.openssh = { 75 | enable = true; 76 | passwordAuthentication = false; 77 | startWhenNeeded = true; 78 | kbdInteractiveAuthentication = false; 79 | permitRootLogin = "yes"; 80 | }; 81 | 82 | boot.growPartition = true; 83 | 84 | boot.loader.raspberryPi = { 85 | enable = true; 86 | version = 4; 87 | }; 88 | boot.loader.grub.enable = false; 89 | 90 | # Required for the Wireless firmware 91 | hardware.enableRedistributableFirmware = true; 92 | 93 | networking = { 94 | hostName = "nixos-raspi-4"; # Define your hostname.
95 | networkmanager = { 96 | enable = true; 97 | }; 98 | }; 99 | 100 | # Locale settings 101 | i18n.defaultLocale = "en_US.UTF-8"; 102 | console = { 103 | font = "Lat2-Terminus16"; 104 | keyMap = "colemak"; 105 | }; 106 | 107 | users = { 108 | users.root = { 109 | openssh.authorizedKeys.keyFiles = [ 110 | (pkgs.fetchurl { 111 | url = "https://github.com/pinpox.keys"; 112 | sha256 = "sha256-V0ek+L0axLt8v1sdyPXHfZgkbOxqwE3Zw8vOT2aNDcE="; 113 | }) 114 | ]; 115 | }; 116 | }; 117 | 118 | nix = { 119 | autoOptimiseStore = true; 120 | gc = { 121 | automatic = true; 122 | dates = "weekly"; 123 | options = "--delete-older-than 30d"; 124 | }; 125 | # Free up to 1GiB whenever there is less than 100MiB left. 126 | extraOptions = '' 127 | min-free = ${toString (100 * 1024 * 1024)} 128 | max-free = ${toString (1024 * 1024 * 1024)} 129 | ''; 130 | }; 131 | system.stateVersion = "20.09"; 132 | } 133 | -------------------------------------------------------------------------------- /machines/birne/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pinpox/nixos/6ca6002a6360567f0233d2b6c81bac93dce7f143/machines/birne/README.md -------------------------------------------------------------------------------- /machines/birne/configuration.nix: -------------------------------------------------------------------------------- 1 | # Configuration for birne 2 | { 3 | pkgs, 4 | ... 5 | }: 6 | { 7 | imports = [ ./hardware-configuration.nix ]; 8 | 9 | clan.core.networking.targetHost = "192.168.101.221"; 10 | 11 | # The global useDHCP flag is deprecated, therefore explicitly set to false here. 12 | # Per-interface useDHCP will be mandatory in the future, so this generated config 13 | # replicates the default behaviour. 14 | networking.useDHCP = false; 15 | networking.interfaces.eno1.useDHCP = true; 16 | 17 | # Host forwards incoming wg connections to the local network so we can reach LAN devices via wireguard. E.g. 
for retrieving stats directly from smart-home devices 18 | boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # NOTE(review): this turns on IPv4 forwarding for the whole host, not only for the wireguard interface; which traffic is actually forwarded depends on firewall forward rules that are not visible in this file - confirm they limit it to wg -> LAN 19 | 20 | boot.supportedFilesystems = { 21 | btrfs = true; 22 | zfs = true; 23 | }; 24 | 25 | networking.hostName = "birne"; 26 | 27 | pinpox = { 28 | 29 | server.enable = true; 30 | 31 | services = { 32 | minio.enable = true; 33 | home-assistant.enable = true; 34 | }; 35 | 36 | defaults = { 37 | lvm-grub.enable = true; 38 | environment.enable = true; 39 | locale.enable = true; 40 | nix.enable = true; 41 | }; 42 | 43 | metrics.node.enable = true; 44 | }; 45 | 46 | security.acme.acceptTerms = true; 47 | security.acme.defaults.email = "letsencrypt@pablo.tools"; 48 | 49 | # Access locally via: 50 | # https://birne:8443/manage/ 51 | services.unifi = { 52 | enable = false; 53 | 54 | # 6 is latest supported for my access points. Beware that this will build 55 | # an older version of mongodb (from source), which may cause slow rebuilds 56 | # if it's not cached. 57 | unifiPackage = pkgs.unifi6; 58 | 59 | # Open required ports (only relevant once enable above is set to true; the ports are listed below) 60 | openFirewall = true; 61 | # tcp/8080 # Port for UAP to inform controller. 62 | # tcp/8880 # Port for HTTP portal redirect, if guest portal is enabled. 63 | # tcp/8843 # Port for HTTPS portal redirect, ditto. 64 | # tcp/6789 # Port for UniFi mobile speed test. 65 | # udp/3478 # UDP port used for STUN. 66 | # udp/10001 # UDP port used for device discovery.
67 | }; 68 | 69 | # Waiting until seafile/seahub is fixed 70 | # services.seafile = { 71 | # enable = true; 72 | # 73 | # adminEmail = "seafile@pablo.tools"; 74 | # 75 | # # ccnetSettings 76 | # # https://manual.seafile.com/config/ccnet-conf/ 77 | # ccnetSettings.General.SERVICE_URL = "https://cloud.pablo.tools"; 78 | # 79 | # # dataDir = "/var/lib/seafile/data"; 80 | # 81 | # # gc.dates 82 | # # gc.enable 83 | # # gc.persistent 84 | # # gc.randomizedDelaySec 85 | # 86 | # initialAdminPassword = "changeme"; # NOTE(review): placeholder value; if this block is re-enabled, replace it and keep the real password out of the repository 87 | # 88 | # seafileSettings = { 89 | # # fileserver.port = 8082; 90 | # # fileserver.host = "ipv4:127.0.0.1"; 91 | # }; 92 | # 93 | # # seahubAddress = "unix:/run/seahub/gunicorn.sock"; 94 | # 95 | # # https://manual.seafile.com/config/seahub_settings_py/ 96 | # # seahubExtraConf = 97 | # # '' 98 | # # CSRF_TRUSTED_ORIGINS = ["https://example.com"] 99 | # # '' 100 | # 101 | # # seahubPackage 102 | # # workers 103 | # }; 104 | 105 | # Open ports in the firewall. NOTE(review): 3478/udp is the port the services.unifi comments list for STUN, and services.unifi.enable is false - presumably it can be closed; 4533/tcp is the navidrome port set below. 106 | networking.firewall = { 107 | 108 | allowedUDPPorts = [ 3478 ]; 109 | allowedTCPPorts = [ 110 | 80 111 | 443 112 | # 8443 113 | 4533 114 | ]; 115 | }; 116 | 117 | services.navidrome = { 118 | 119 | enable = true; 120 | 121 | settings.Port = 4533; 122 | settings.Address = "192.168.8.4"; 123 | settings.MusicFolder = "/mnt/data/admin/ARCHIVE/Musik/Alphabetisch"; 124 | 125 | # openFirewall 126 | # environmentFile 127 | }; 128 | 129 | } 130 | -------------------------------------------------------------------------------- /machines/birne/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | pkgs, 8 | modulesPath, 9 | ...
10 | }: 11 | 12 | { 13 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 14 | 15 | boot.initrd.availableKernelModules = [ 16 | "ahci" 17 | "xhci_pci" 18 | "usb_storage" 19 | "usbhid" 20 | "sd_mod" 21 | ]; 22 | boot.initrd.kernelModules = [ "dm-snapshot" ]; 23 | boot.kernelModules = [ "kvm-intel" ]; 24 | boot.extraModulePackages = [ ]; 25 | 26 | # ZFS support 27 | boot.supportedFilesystems = [ "zfs" ]; 28 | 29 | # Needed for ZFS 30 | # head -c4 /dev/urandom | od -A none -t x4 31 | networking.hostId = "887bde8c"; 32 | 33 | # Efi partition (SSD) 34 | fileSystems."/boot" = { 35 | device = "/dev/disk/by-uuid/E45C-8185"; 36 | fsType = "vfat"; 37 | }; 38 | 39 | # Root drive (SSD) 40 | fileSystems."/" = { 41 | device = "/dev/disk/by-uuid/74866c52-5077-44aa-afb2-88ce9e72ab47"; 42 | fsType = "ext4"; 43 | }; 44 | 45 | # Swap partition 46 | swapDevices = [ { device = "/dev/disk/by-uuid/8551b399-6866-40e0-b8f5-266b5475ffa9"; } ]; 47 | 48 | # Data drive for seafile 49 | fileSystems."/mnt/data" = { 50 | device = "/dev/disk/by-uuid/426645bc-dbf6-4c4d-b389-16bbb55d7a14"; 51 | fsType = "ext4"; 52 | }; 53 | 54 | # Backup drive for restic 55 | fileSystems."/mnt/backup" = { 56 | device = "/dev/disk/by-uuid/9961fd1b-3162-474d-9e2e-7cb7d269cd0e"; 57 | fsType = "ext4"; 58 | }; 59 | 60 | fileSystems."/mnt/backup-old" = { 61 | device = "/dev/disk/by-uuid/a6a101de-0238-4b87-ada2-76653ce51cfc"; 62 | fsType = "ext4"; 63 | }; 64 | 65 | powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; 66 | } 67 | -------------------------------------------------------------------------------- /machines/kartoffel/configuration.nix: -------------------------------------------------------------------------------- 1 | # Configuration for kartoffel 2 | { pkgs, lib, ... 
}: 3 | { 4 | 5 | imports = [ 6 | ./hardware-configuration.nix 7 | ./retiolum.nix 8 | ]; 9 | 10 | networking.hostName = "kartoffel"; 11 | 12 | pinpox.desktop.enable = true; 13 | 14 | # Encrypted (LUKS) drive opened in the initrd. Path of the device will 15 | # have to be changed for each install. 16 | boot.initrd.luks.devices = { 17 | root = { 18 | # Get UUID from blkid /dev/sda2 19 | device = "/dev/disk/by-uuid/608e0e77-eea4-4dc4-b88d-76cc63e4488b"; 20 | preLVM = true; 21 | allowDiscards = true; # TRIM/discard requests pass through the encryption layer: better SSD behaviour, but the raw device then shows which regions are unused - a trade-off to accept knowingly 22 | }; 23 | }; 24 | 25 | # Video driver for nvidia graphics card 26 | hardware.nvidia.open = false; 27 | boot.blacklistedKernelModules = [ "nouveau" ]; 28 | services.greetd.settings.default_session.command = 29 | lib.mkForce "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd 'sway --unsupported-gpu'"; 30 | 31 | boot.supportedFilesystems = { 32 | btrfs = true; 33 | zfs = true; 34 | }; 35 | 36 | } 37 | -------------------------------------------------------------------------------- /machines/kartoffel/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { 5 | config, 6 | lib, 7 | pkgs, 8 | modulesPath, 9 | ...
10 | }: 11 | 12 | { 13 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 14 | 15 | boot.initrd.availableKernelModules = [ 16 | "xhci_pci" 17 | "ahci" 18 | "usbhid" 19 | "sd_mod" 20 | ]; 21 | boot.initrd.kernelModules = [ "dm-snapshot" ]; 22 | boot.kernelModules = [ "kvm-amd" ]; 23 | boot.extraModulePackages = [ ]; 24 | 25 | fileSystems."/" = { 26 | device = "/dev/disk/by-uuid/8dcfb3f0-4dba-4c32-af96-84024706ff76"; 27 | fsType = "ext4"; 28 | }; 29 | 30 | fileSystems."/boot" = { 31 | device = "/dev/disk/by-uuid/5D7C-69F9"; 32 | fsType = "vfat"; 33 | }; 34 | 35 | swapDevices = [ { device = "/dev/disk/by-uuid/0f369649-cdbc-4a34-82dc-9f442c445c53"; } ]; 36 | 37 | powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; 38 | } 39 | -------------------------------------------------------------------------------- /machines/kartoffel/retiolum.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | retiolum, 4 | ... 5 | }: 6 | { 7 | 8 | imports = [ retiolum.nixosModules.retiolum ]; 9 | 10 | networking.retiolum = { 11 | ipv4 = "10.243.100.100"; 12 | ipv6 = "42:0:3c46:519d:1696:f464:9756:8727"; 13 | }; 14 | 15 | networking.retiolum.nodename = "ahorn"; 16 | 17 | clan.core.vars.generators."retiolum" = { 18 | prompts.rsa_priv.persist = true; 19 | prompts.ed25519_priv.persist = true; 20 | }; 21 | 22 | services.tinc.networks.retiolum = { 23 | rsaPrivateKeyFile = config.clan.core.vars.generators."retiolum".files."rsa_priv".path; 24 | ed25519PrivateKeyFile = config.clan.core.vars.generators."retiolum".files."ed25519_priv".path; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /machines/kfbox/README.md: -------------------------------------------------------------------------------- 1 | # Krosse-Flagge Server 2 | 3 | 4 | ## The Lounge user setup 5 | 6 | The `kfbox` server hosts an instance of [The Lounge](https://thelounge.chat/), a 7 | IRC bouncer and 
client. 8 | 9 | ### New User Setup 10 | 11 | 1. Ask [pinpox](https://pablo.tools) for an account with the desired nickname. 12 | A user with the needed permissions will create the user for you using this 13 | command and give you an initial password for your user. 14 | 15 | ```bash 16 | docker exec --user node -it thelounge thelounge add awesome-new-nickname 17 | ``` 18 | 2. With the nickname and initial password, log in at [The Lounge](https://irc.0cx.de). 19 | 3. You will be presented with a wizard to add IRC servers. The default is 20 | `freenode`. 21 | 4. Add your existing freenode account credentials to The Lounge. If you don't 22 | have a user on the `freenode` IRC server, you should now register one. 23 | The registration process is documented 24 | [here](https://freenode.net/kb/answer/registration#registering). To use [The 25 | Lounge 26 | 27 | 3. Change your password to whatever you want, make it a good one. 28 | 29 | 30 | 31 | 32 | 33 | 34 | 4. Account auf [freenode registrieren] 35 | ``` 36 | /nick mein-freenode-nick 37 | /msg NickServ REGISTER mein-frenode-passwort youremail@example.com 38 | ``` 39 | 5. Freenode Account auf [The Lounge](https://irc.0cx.de) speichern (Freenode 40 | sollte im Wizard der Default sein, Freenode Nick und Passwort einfach 41 | eintragen) 42 | 43 | 6. Den Channel `#krosse-flagge` joinen (`/join #krosse-flagge`) 44 | -------------------------------------------------------------------------------- /machines/kfbox/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { modulesPath, ... }: 2 | { 3 | imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; 4 | } 5 | -------------------------------------------------------------------------------- /machines/kfbox/retiolum.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | retiolum, 4 | ...
5 | }: 6 | { 7 | 8 | imports = [ retiolum.nixosModules.retiolum ]; 9 | 10 | networking.retiolum = { 11 | ipv4 = "10.243.100.102"; 12 | ipv6 = "42:0:3c46:3ae6:90a8:b220:e772:8a5c"; 13 | }; 14 | 15 | clan.core.vars.generators."retiolum" = { 16 | prompts.rsa_priv.persist = true; 17 | prompts.ed25519_priv.persist = true; 18 | }; 19 | 20 | services.tinc.networks.retiolum = { 21 | rsaPrivateKeyFile = config.clan.core.vars.generators."retiolum".files."rsa_priv".path; 22 | ed25519PrivateKeyFile = config.clan.core.vars.generators."retiolum".files."ed25519_priv".path; 23 | }; 24 | } 25 | -------------------------------------------------------------------------------- /machines/kiwi/configuration.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | { 3 | imports = [ 4 | ./disko-config-btrfs.nix 5 | ./framework.nix 6 | ]; 7 | 8 | networking.hostName = "kiwi"; 9 | pinpox.desktop.enable = true; 10 | 11 | # Games 12 | programs.steam.enable = true; 13 | hardware.xone.enable = true; 14 | 15 | # For dual-boot 16 | boot.loader.efi.canTouchEfiVariables = true; 17 | boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; 18 | } 19 | -------------------------------------------------------------------------------- /machines/kiwi/disko-config-btrfs.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | boot.growPartition = true; 4 | boot.supportedFilesystems.btrfs = true; 5 | 6 | services.btrfs.autoScrub = { 7 | enable = true; 8 | interval = "weekly"; 9 | # Defaults to all 10 | # fileSystems = [ "/" ]; 11 | }; 12 | 13 | disko.devices = { 14 | disk = { 15 | main = { 16 | type = "disk"; 17 | device = "/dev/nvme0n1"; 18 | content = { 19 | type = "gpt"; 20 | partitions = { 21 | 22 | ESP = { 23 | size = "512M"; 24 | type = "EF00"; 25 | content = { 26 | type = "filesystem"; 27 | format = "vfat"; 28 | mountpoint = "/boot"; 29 | mountOptions = [ "umask=0077" ]; 30 | }; 31 | }; 32 | windows = { 
33 | size = "512G"; 34 | type = "EF00"; # NOTE(review): EF00 is the EFI System Partition type code, the same as the ESP partition above; presumably this is only a placeholder for the Windows install - confirm the intended type 35 | content = { 36 | type = "filesystem"; 37 | format = "vfat"; 38 | }; 39 | }; 40 | luks = { 41 | size = "100%"; 42 | content = { 43 | type = "luks"; 44 | name = "crypted"; 45 | # disable settings.keyFile if you want to use interactive password entry 46 | #passwordFile = "/tmp/secret.key"; # Interactive 47 | settings = { 48 | allowDiscards = true; # TRIM/discard requests pass through the encryption layer: better SSD behaviour, but the raw device then shows which regions are unused - a trade-off to accept knowingly 49 | # keyFile = "/tmp/secret.key"; 50 | }; 51 | # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; 52 | content = { 53 | type = "btrfs"; 54 | extraArgs = [ "-f" ]; 55 | subvolumes = { 56 | "/root" = { 57 | mountpoint = "/"; 58 | mountOptions = [ 59 | "compress=zstd" 60 | "noatime" 61 | ]; 62 | }; 63 | "/home" = { 64 | mountpoint = "/home"; 65 | mountOptions = [ 66 | "compress=zstd" 67 | "noatime" 68 | ]; 69 | }; 70 | "/nix" = { 71 | mountpoint = "/nix"; 72 | mountOptions = [ 73 | "compress=zstd" 74 | "noatime" 75 | ]; 76 | }; 77 | "/swap" = { 78 | mountpoint = "/.swapvol"; 79 | swap.swapfile.size = "20M"; 80 | }; 81 | }; 82 | }; 83 | }; 84 | }; 85 | }; 86 | }; 87 | }; 88 | }; 89 | }; 90 | } 91 | -------------------------------------------------------------------------------- /machines/kiwi/framework.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | ... 5 | }: 6 | { 7 | # For fingerprint support 8 | # To enroll prints: `sudo fprintd-enroll ` 9 | services.fprintd.enable = true; 10 | 11 | boot.extraModulePackages = with config.boot.kernelPackages; [ framework-laptop-kmod ]; 12 | 13 | # Module is not used for Framework EC but causes boot time error log.
14 | # boot.blacklistedKernelModules = [ "cros-usbpd-charger" ]; 15 | 16 | # https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage 17 | # boot.kernelModules = [ 18 | # "cros_ec" 19 | # "cros_ec_lpcs" 20 | # ]; 21 | 22 | # boot.kernelParams = [ 23 | # For Power consumption 24 | # https://community.frame.work/t/linux-battery-life-tuning/6665/156 25 | # "nvme.noacpi=1" 26 | # ]; 27 | 28 | # Custom udev rules 29 | # services.udev.extraRules = '' 30 | # # Fix headphone noise when on powersave 31 | # # https://community.frame.work/t/headphone-jack-intermittent-noise/5246/55 32 | # SUBSYSTEM=="pci", ATTR{vendor}=="0x8086", ATTR{device}=="0xa0e0", ATTR{power/control}="on" 33 | # ''; 34 | 35 | # Ethernet expansion card support 36 | services.udev.extraRules = '' 37 | ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20" 38 | ''; 39 | 40 | environment.systemPackages = [ 41 | # This adds a patched ectool, to interact with the Embedded Controller 42 | # Can be used to interact with leds from userspace, etc. 43 | # Not part of a nixos release yet, so package only gets added if it exists. 44 | pkgs.fw-ectool 45 | pkgs.framework-tool 46 | ]; 47 | 48 | # AMD has better battery life with PPD over TLP: 49 | # https://community.frame.work/t/responded-amd-7040-sleep-states/38101/13 50 | services.power-profiles-daemon.enable = true; 51 | services.tlp.enable = false; 52 | 53 | # Needed for desktop environments to detect/manage display brightness 54 | hardware.sensor.iio.enable = true; 55 | 56 | # TODO not sure if needed 57 | # Deactivates light sensor? 
58 | # https://github.com/NixOS/nixpkgs/issues/171093 59 | # https://wiki.archlinux.org/title/Framework_Laptop#Changing_the_brightness_of_the_monitor_does_not_work 60 | hardware.acpilight.enable = true; 61 | } 62 | -------------------------------------------------------------------------------- /machines/limette/configuration.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | nixos-hardware, 4 | ... 5 | }: 6 | { 7 | 8 | networking.hostName = "limette"; 9 | 10 | boot.growPartition = true; 11 | 12 | hardware.enableRedistributableFirmware = true; 13 | imports = [ 14 | nixos-hardware.nixosModules.lenovo-thinkpad-x230 15 | ./disko-config-zfs.nix 16 | ]; 17 | 18 | disko.imageBuilder.extraDependencies = [ pkgs.kmod ]; 19 | 20 | 21 | hardware.graphics.extraPackages = [ 22 | pkgs.intel-media-driver # LIBVA_DRIVER_NAME=iHD 23 | ]; 24 | 25 | pinpox.desktop.enable = true; 26 | boot.loader.efi.canTouchEfiVariables = false; 27 | } 28 | -------------------------------------------------------------------------------- /machines/limette/disko-config-btrfs.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | boot.growPartition = true; 4 | boot.supportedFilesystems.btrfs = true; 5 | 6 | disko.devices = { 7 | disk = { 8 | main = { 9 | type = "disk"; 10 | device = "/dev/sda"; 11 | content = { 12 | type = "gpt"; 13 | partitions = { 14 | ESP = { 15 | size = "512M"; 16 | type = "EF00"; 17 | content = { 18 | type = "filesystem"; 19 | format = "vfat"; 20 | mountpoint = "/boot"; 21 | mountOptions = [ "umask=0077" ]; 22 | }; 23 | }; 24 | luks = { 25 | size = "100%"; 26 | content = { 27 | type = "luks"; 28 | name = "crypted"; 29 | # disable settings.keyFile if you want to use interactive password entry 30 | #passwordFile = "/tmp/secret.key"; # Interactive 31 | settings = { 32 | allowDiscards = true; 33 | # keyFile = "/tmp/secret.key"; 34 | }; 35 | # additionalKeyFiles = [ 
"/tmp/additionalSecret.key" ]; 36 | content = { 37 | type = "btrfs"; 38 | extraArgs = [ "-f" ]; 39 | subvolumes = { 40 | "/root" = { 41 | mountpoint = "/"; 42 | mountOptions = [ 43 | "compress=zstd" 44 | "noatime" 45 | ]; 46 | }; 47 | "/home" = { 48 | mountpoint = "/home"; 49 | mountOptions = [ 50 | "compress=zstd" 51 | "noatime" 52 | ]; 53 | }; 54 | "/nix" = { 55 | mountpoint = "/nix"; 56 | mountOptions = [ 57 | "compress=zstd" 58 | "noatime" 59 | ]; 60 | }; 61 | "/swap" = { 62 | mountpoint = "/.swapvol"; 63 | swap.swapfile.size = "20M"; 64 | }; 65 | }; 66 | }; 67 | }; 68 | }; 69 | }; 70 | }; 71 | }; 72 | }; 73 | }; 74 | } 75 | -------------------------------------------------------------------------------- /machines/limette/disko-config-zfs.nix: -------------------------------------------------------------------------------- 1 | { lib, config, ... }: 2 | { 3 | 4 | # You may also find this setting useful to automatically set the latest compatible kernel: 5 | boot.kernelPackages = lib.mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages; 6 | boot.supportedFilesystems.zfs = true; 7 | 8 | services.zfs.autoSnapshot = { 9 | enable = true; 10 | frequent = 4; # 15 min 11 | hourly = 24; 12 | daily = 7; 13 | weekly = 4; 14 | monthly = 0; 15 | }; 16 | 17 | disko.devices = { 18 | disk = { 19 | root = { 20 | type = "disk"; 21 | device = "/dev/sda"; 22 | content = { 23 | type = "gpt"; 24 | partitions = { 25 | ESP = { 26 | size = "1G"; 27 | type = "EF00"; 28 | content = { 29 | type = "filesystem"; 30 | format = "vfat"; 31 | mountpoint = "/boot"; 32 | mountOptions = [ "nofail" ]; 33 | }; 34 | }; 35 | zfs = { 36 | size = "100%"; 37 | content = { 38 | type = "zfs"; 39 | pool = "zroot"; 40 | }; 41 | }; 42 | }; 43 | }; 44 | }; 45 | }; 46 | zpool = { 47 | zroot = { 48 | type = "zpool"; 49 | rootFsOptions = { 50 | mountpoint = "none"; 51 | compression = "zstd"; 52 | acltype = "posixacl"; 53 | xattr = "sa"; 54 | "com.sun:auto-snapshot" = "true"; 55 | }; 56 | options.ashift = 
"12"; 57 | datasets = { 58 | "root" = { 59 | type = "zfs_fs"; 60 | options = { 61 | encryption = "aes-256-gcm"; 62 | keyformat = "passphrase"; 63 | #keylocation = "file:///tmp/secret.key"; 64 | keylocation = "prompt"; 65 | }; 66 | mountpoint = "/"; 67 | }; 68 | 69 | "root/nix" = { 70 | type = "zfs_fs"; 71 | options.mountpoint = "/nix"; 72 | mountpoint = "/nix"; 73 | }; 74 | 75 | "root/home" = { 76 | type = "zfs_fs"; 77 | options.mountpoint = "/home"; 78 | mountpoint = "/home"; 79 | }; 80 | 81 | "root/var/lib" = { 82 | type = "zfs_fs"; 83 | options.mountpoint = "/var/lib"; 84 | mountpoint = "/var/lib"; 85 | }; 86 | 87 | # "root/tmp" = { 88 | # type = "zfs_fs"; 89 | # mountpoint = "/tmp"; 90 | # options = { 91 | # mountpoint = "/tmp"; 92 | # sync = "disabled"; 93 | # }; 94 | # }; 95 | 96 | # README MORE: https://wiki.archlinux.org/title/ZFS#Swap_volume 97 | # "root/swap" = { 98 | # type = "zfs_volume"; 99 | # size = "10M"; 100 | # content = { 101 | # type = "swap"; 102 | # }; 103 | # options = { 104 | # volblocksize = "4096"; 105 | # compression = "zle"; 106 | # logbias = "throughput"; 107 | # sync = "always"; 108 | # primarycache = "metadata"; 109 | # secondarycache = "none"; 110 | # "com.sun:auto-snapshot" = "false"; 111 | # }; 112 | # }; 113 | }; 114 | }; 115 | }; 116 | }; 117 | } 118 | -------------------------------------------------------------------------------- /machines/porree/README.md: -------------------------------------------------------------------------------- 1 | # Porree 2 | 3 | Personal server for [pablo.tools](pablo.tools) hosted on 4 | [netcup](https://netcup.de) 5 | 6 | ## Sysetem Information 7 | 8 | ``` 9 | root@porree> nix-shell -p pkgs.inxi -p pkgs.lm_sensors --command "inxi -Fx" 10 | System: Host: porree Kernel: 5.4.78 x86_64 bits: 64 compiler: gcc v: 9.3.0 Console: tty 0 11 | Distro: NixOS 21.03pre253635.2247d824fe0 (Okapi) 12 | Machine: Type: Kvm System: netcup product: KVM Server v: VPS 200 G8 serial: N/A 13 | Mobo: N/A model: N/A serial: 
N/A BIOS: netcup v: VPS 200 G8 date: 10/16/2020 14 | CPU: Info: Single Core model: QEMU Virtual version 2.5+ bits: 64 type: MCP arch: P6 II Mendocino 15 | rev: 3 L2 cache: 16.0 MiB 16 | flags: lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 bogomips: 4589 17 | Speed: 2295 MHz min/max: N/A Core speed (MHz): 1: 2295 18 | Graphics: Message: No Device data found. 19 | Display: server: No display server data found. Headless machine? tty: 108x79 20 | Message: Unable to show advanced data. Required tool glxinfo missing. 21 | Audio: Message: No Device data found. 22 | Network: Message: No Device data found. 23 | IF-ID-1: ens3 state: up speed: -1 duplex: unknown mac: 86:36:85:0f:f6:fe 24 | Drives: Local Storage: total: 20.00 GiB used: 11.88 GiB (59.4%) 25 | ID-1: /dev/sda vendor: QEMU model: HARDDISK size: 20.00 GiB 26 | Partition: ID-1: / size: 19.62 GiB used: 11.88 GiB (60.5%) fs: ext4 dev: /dev/sda1 27 | Swap: Alert: No Swap data was found. 28 | Sensors: Message: No sensors data was found. Is sensors configured? 29 | Info: Processes: 71 Uptime: 4h 34m Memory: 1.95 GiB used: 332.4 MiB (16.7%) Init: systemd 30 | Compilers: gcc: 9.3.0 Packages: N/A Shell: Bash v: 4.4.23 inxi: 3.1.09 31 | ``` 32 | 33 | ``` 34 | root@porree> lsblk -f /etc/nixos/machines/porree 35 | NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT 36 | sda 37 | └─sda1 ext4 1.0 nixos e5913895-7f56-44ce-8975-f3da7eaac2f8 6.7G 61% / 38 | sr0 39 | ``` 40 | 41 | ## Services 42 | 43 | The following services are provided by this server. Nginx is used as 44 | reverse-proxy to manage TLS using Let's Encrypt (acme). 45 | 46 | ### Personal Homepage (pablo.tools) 47 | 48 | Static files hosted in `/var/www/pablo-tools`. Updates are deployed from another 49 | machine with this command: 50 | 51 | ```bash 52 | rsync -avz --delete public/ pinpox@nix.own:/var/www/pablo-tools/ 53 | ``` 54 | 55 | ### Bitwarden_rs (pass.pablo.tools) 56 | 57 | Bitwarden server written in Rust. 
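Data and environment file is hosted in 58 | `/var/lib/bitwarden_rs/` 59 | 60 | The envfile `/var/lib/bitwarden_rs/envfile` provides secrets not included in the 61 | public system configuration. 62 | 63 | ``` 64 | YUBICO_CLIENT_ID=XXX 65 | YUBICO_SECRET_KEY=XXX 66 | ADMIN_TOKEN=XXX 67 | ``` 68 | 69 | Database files and keys are saved in `/var/lib/bitwarden_rs` aswell and owned by 70 | `bitwarden_rs:bitwarden_rs`. 71 | -------------------------------------------------------------------------------- /machines/porree/blog.nix: -------------------------------------------------------------------------------- 1 | with import <nixpkgs> { }; 2 | # stdenv and hugo below are taken from the imported package set. 3 | stdenv.mkDerivation rec { 4 | name = "blog"; 5 | # NOTE(review): src follows the moving main branch and no sha256 is given, so the input is unpinned and the build is not reproducible; pin a commit archive together with its hash. 6 | # src = ./git-repos/hugo-website; 7 | src = builtins.fetchurl { url = "https://github.com/pinpox/hugo-website/archive/main.tar.gz"; }; 8 | 9 | buildInputs = [ hugo ]; 10 | buildPhase = "hugo"; 11 | installPhase = "cp -R public/ $out"; 12 | } 13 | -------------------------------------------------------------------------------- /machines/porree/configuration.nix: -------------------------------------------------------------------------------- 1 | { 2 | matrix-hook, 3 | config, 4 | alertmanager-ntfy, 5 | pinpox-utils, 6 | pkgs, 7 | ... 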
8 | }: 9 | { 10 | 11 | imports = [ 12 | ./hardware-configuration.nix 13 | matrix-hook.nixosModule 14 | alertmanager-ntfy.nixosModules.default 15 | ./caddy.nix 16 | ./retiolum.nix 17 | ]; 18 | 19 | clan.core.networking.targetHost = "94.16.108.229"; 20 | networking.hostName = "porree"; 21 | 22 | networking.interfaces.ens3 = { 23 | ipv6.addresses = [ 24 | { 25 | address = "2a03:4000:51:aa3::1"; 26 | prefixLength = 64; 27 | } 28 | ]; 29 | }; 30 | 31 | # Env-file generators for the MX_TOKEN and NTFY_USER/NTFY_PASS credentials; the resulting files are passed to the services as envFile. 32 | clan.core.vars.generators."matrix-hook" = pinpox-utils.mkEnvGenerator [ "MX_TOKEN" ]; 33 | clan.core.vars.generators."alertmanager-ntfy" = pinpox-utils.mkEnvGenerator [ 34 | "NTFY_USER" 35 | "NTFY_PASS" 36 | ]; 37 | 38 | services.qemuGuest.enable = true; 39 | 40 | fileSystems."/" = { 41 | device = "/dev/disk/by-label/nixos"; 42 | fsType = "ext4"; 43 | autoResize = true; 44 | }; 45 | 46 | # Inbound TCP is limited to HTTP(S) and SSH; UDP 51820 is also open (presumably WireGuard for wg-clan). 47 | networking.firewall = { 48 | enable = true; 49 | allowPing = true; 50 | allowedTCPPorts = [ 51 | 80 52 | 443 53 | 22 54 | ]; 55 | allowedUDPPorts = [ 51820 ]; 56 | # These two ports are opened on the wg-clan interface only. 57 | interfaces.wg-clan.allowedTCPPorts = [ 58 | 2812 59 | 8086 # InfluxDB 60 | ]; 61 | }; 62 | 63 | boot.growPartition = true; 64 | boot.kernelParams = [ "console=ttyS0" ]; 65 | boot.loader.grub.device = "/dev/sda"; 66 | boot.loader.timeout = 0; 67 | 68 | programs.ssh.startAgent = false; 69 | security.acme.acceptTerms = true; 70 | security.acme.defaults.email = "letsencrypt@pablo.tools"; 71 | 72 | services.alertmanager-ntfy = { 73 | enable = true; 74 | httpAddress = "localhost"; 75 | httpPort = "9099"; 76 | ntfyTopic = "https://push.pablo.tools/pinpox_alertmanager"; 77 | ntfyPriority = "default"; 78 | envFile = "${config.clan.core.vars.generators."alertmanager-ntfy".files."envfile".path}"; 79 | }; 80 | 81 | pinpox = { 82 | server.enable = true; 83 | 84 | services = { 85 | vaultwarden.enable = true; 86 | ntfy-sh.enable = true; 87 | 88 | matrix-hook = { 89 | enable = true; 90 | httpAddress = "localhost"; 91 | 
matrixHomeserver = "https://matrix.org"; 92 | matrixUser = "@alertus-maximus:matrix.org"; 93 | matrixRoom = "!ilXTQgAfoBlNBuDmsz:matrix.org"; 94 | envFile = "${config.clan.core.vars.generators."matrix-hook".files."envfile".path}"; 95 | msgTemplatePath = "${matrix-hook.packages."x86_64-linux".matrix-hook}/bin/message.html.tmpl"; 96 | }; 97 | 98 | # Enable nextcloud configuration 99 | nextcloud.enable = true; 100 | 101 | monitoring-server = { 102 | 103 | enable = true; 104 | dashboard.enable = true; 105 | loki.enable = false; 106 | alertmanager-irc-relay.enable = true; 107 | 108 | blackboxTargets = [ 109 | "https://pablo.tools" 110 | "https://megaclan3000.de" 111 | "https://build.lounge.rocks" 112 | # "https://lounge.rocks" 113 | # "https://vpn.pablo.tools" 114 | "https://${config.pinpox.services.vaultwarden.host}" # Vaultwarden 115 | "https://pinpox.github.io/nixos/" 116 | "https://cache.lounge.rocks/nix-cache/nix-cache-info" 117 | "https://pads.0cx.de" 118 | "https://news.0cx.de" 119 | # Gitea (on kfbox with host set to default vaulue) 120 | "https://${config.pinpox.services.gitea.host}" 121 | "https://irc.0cx.de" 122 | ]; 123 | }; 124 | }; 125 | 126 | metrics = { 127 | node.enable = true; 128 | blackbox.enable = true; 129 | json.enable = true; 130 | }; 131 | }; 132 | } 133 | -------------------------------------------------------------------------------- /machines/porree/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { modulesPath, ... }: 2 | { 3 | imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; 4 | } 5 | -------------------------------------------------------------------------------- /machines/porree/retiolum.nix: -------------------------------------------------------------------------------- 1 | 2 | { 3 | config, 4 | retiolum, 5 | ... 
6 | }: 7 | { 8 | 9 | imports = [ retiolum.nixosModules.retiolum ]; 10 | 11 | networking.retiolum.ipv4 = "10.243.100.101"; 12 | networking.retiolum.ipv6 = "42:0:3c46:b51c:b34d:b7e1:3b02:8d24"; 13 | 14 | clan.core.vars.generators."retiolum" = { 15 | prompts.rsa_priv.persist = true; 16 | prompts.ed25519_priv.persist = true; 17 | }; 18 | 19 | services.tinc.networks.retiolum = { 20 | rsaPrivateKeyFile = config.clan.core.vars.generators."retiolum".files."rsa_priv".path; 21 | ed25519PrivateKeyFile = config.clan.core.vars.generators."retiolum".files."ed25519_priv".path; 22 | }; 23 | } 24 | -------------------------------------------------------------------------------- /modules/activation-secrets/default.nix: -------------------------------------------------------------------------------- 1 | # Taken from https://raw.githubusercontent.com/Mic92/dotfiles/23f163cae52545d44a7e379dc204010b013d679a/nixos/vms/modules/secrets.nix 2 | 3 | { 4 | config, 5 | lib, 6 | pkgs, 7 | ... 8 | }: 9 | 10 | with lib; 11 | 12 | let 13 | cfg = config.krops.secrets; 14 | secret-file = types.submodule ( 15 | { config, ... 
}: 16 | { 17 | options = { 18 | name = mkOption { 19 | type = types.str; 20 | default = config._module.args.name; 21 | description = "Name of the secret"; 22 | }; 23 | path = mkOption { 24 | type = types.str; 25 | default = "/run/keys/${config.name}"; 26 | description = "Path to place the secret file"; 27 | }; 28 | mode = mkOption { 29 | type = types.str; 30 | default = "0400"; 31 | description = "Unix permission"; 32 | }; 33 | owner = mkOption { 34 | type = types.str; 35 | default = "root"; 36 | description = "Owner of the file"; 37 | }; 38 | group-name = mkOption { 39 | type = types.str; 40 | default = "root"; 41 | description = "Group of the file"; 42 | }; 43 | source-path = mkOption { 44 | type = types.str; 45 | default = "/var/src/secrets/${config.name}"; 46 | description = "Source to copy from"; 47 | }; 48 | }; 49 | } 50 | ); 51 | in 52 | { 53 | options.krops.secrets = { 54 | files = mkOption { 55 | type = with types; attrsOf secret-file; 56 | default = { }; 57 | description = "Attribute set specifying secrets to be deployed"; 58 | }; 59 | }; 60 | config = lib.mkIf (cfg.files != { }) { 61 | system.activationScripts.setup-secrets = 62 | let 63 | files = unique (map (flip removeAttrs [ "_module" ]) (attrValues cfg.files)); 64 | script = '' 65 | echo setting up secrets... 
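66 | mkdir -p /run/keys -m 0750 67 | chown root:keys /run/keys 68 | ${concatMapStringsSep "\n" (file: '' 69 | ${pkgs.coreutils}/bin/install \ 70 | -D \ 71 | --compare \ 72 | --verbose \ 73 | --mode=${lib.escapeShellArg file.mode} \ 74 | --owner=${lib.escapeShellArg file.owner} \ 75 | --group=${lib.escapeShellArg file.group-name} \ 76 | ${lib.escapeShellArg file.source-path} \ 77 | ${lib.escapeShellArg file.path} \ 78 | || echo "failed to copy" ${lib.escapeShellArg file.source-path} "to" ${lib.escapeShellArg file.path} 79 | '') files} 80 | ''; # The echo fallback shell-escapes both paths like the install arguments do; a failed copy is only logged and activation continues. 81 | in 82 | stringAfter [ 83 | "users" 84 | "groups" 85 | ] "source ${pkgs.writeText "setup-secrets.sh" script}"; 86 | }; 87 | } 88 | -------------------------------------------------------------------------------- /modules/bluetooth/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | config, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.defaults.bluetooth; 10 | in 11 | { 12 | 13 | options.pinpox.defaults.bluetooth = { 14 | enable = mkEnableOption "default bluetooth configuration"; 15 | }; 16 | 17 | config = mkIf cfg.enable { 18 | 19 | hardware.bluetooth = { 20 | enable = true; 21 | # config = " 22 | # [General] 23 | # Enable=Source,Sink,Media,Socket 24 | # "; 25 | }; 26 | 27 | # Workaround until this hits unstable: 28 | # TODO https://github.com/NixOS/nixpkgs/issues/113628 29 | systemd.services.bluetooth.serviceConfig.ExecStart = [ 30 | "" 31 | "${pkgs.bluez}/libexec/bluetooth/bluetoothd -f /etc/bluetooth/main.conf" 32 | ]; 33 | 34 | services.blueman.enable = true; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /modules/ci/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | flake-self, 6 | nixpkgs, 7 | ... 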
8 | }: 9 | with lib; 10 | { 11 | options.pinpox.defaults = { 12 | CISkip = mkOption { 13 | type = types.bool; 14 | default = false; 15 | example = true; 16 | description = "Wheter this host should be skipped by the CI pipeline"; 17 | }; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /modules/clan-common/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 6 | }: 7 | { 8 | 9 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 10 | 11 | # Default to deploying to the hostname 12 | clan.core.networking.targetHost = lib.mkDefault config.networking.hostName; 13 | # Generated vars are kept in a password-store that uses passage as its backend. 14 | clan.core.vars.settings.secretStore = "password-store"; 15 | clan.core.vars.settings.passBackend = "passage"; 16 | 17 | environment.systemPackages = [ pkgs.passage ]; 18 | # Generator that writes an xkcdpass passphrase to the file "test-password". 19 | clan.core.vars.generators."mkpasswd-generator" = { 20 | files.test-password = { }; 21 | runtimeInputs = with pkgs; [ 22 | coreutils 23 | xkcdpass 24 | ]; 25 | script = '' 26 | mkdir -p $out 27 | xkcdpass > $out/test-password 28 | ''; 29 | }; 30 | # NOTE(review): exposes the generated passphrase as /etc/test-password; looks like a test fixture — confirm the file's permissions and that it is never reused as a real credential. 31 | environment.etc."test-password".source = 32 | config.clan.core.vars.generators."mkpasswd-generator".files."test-password".path; 33 | # Additional binary caches that may be used as substituters, and the public keys trusted to sign their store paths. 34 | nix.settings.trusted-substituters = [ 35 | "https://cache.clan.lol" 36 | "https://nix-community.cachix.org" 37 | ]; 38 | nix.settings.trusted-public-keys = [ 39 | "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" 40 | "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" 41 | ]; 42 | 43 | } 44 | -------------------------------------------------------------------------------- /modules/default-desktop/nextcloud-desktop.nix: -------------------------------------------------------------------------------- 1 | { 2 | # Nextcloud on the desktop 3 | services.davfs2 = { 4 | enable = true; 5 | # settings.globalSection.use_locks = false; 6 | # TODO: Note: Ordinary users can mount a davfs2 
file system if they are a 7 | # member of the group dav_group as defined in the system wide 8 | # configuration. Make sure the option 'dav_group' is enabled in the system 9 | # wide configuration file. 10 | }; 11 | # fileSystems."/home/pinpox/Nextcloud" = { 12 | # device = "https://files.pablo.tools/remote.php/dav/files/pinpox"; 13 | # fsType = "davfs"; 14 | # options = [ 15 | # "user" 16 | # "rw" 17 | # "noauto" # I'll mount it manually 18 | # ]; 19 | # }; 20 | } 21 | -------------------------------------------------------------------------------- /modules/default-desktop/scanners.nix: -------------------------------------------------------------------------------- 1 | { 2 | hardware.sane.enable = true; 3 | users.users.pinpox.extraGroups = [ 4 | "scanner" 5 | "lp" 6 | ]; 7 | } 8 | -------------------------------------------------------------------------------- /modules/default-server/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | restic-exporter, 4 | lib, 5 | pkgs, 6 | config, 7 | ... 
8 | }: 9 | with lib; 10 | let 11 | cfg = config.pinpox.server; 12 | in 13 | { 14 | 15 | imports = [ 16 | ../../users/pinpox.nix 17 | restic-exporter.nixosModules.default 18 | ]; 19 | 20 | options.pinpox.server = { 21 | enable = mkEnableOption "the default server configuration"; 22 | 23 | stateVersion = mkOption { 24 | type = types.str; 25 | default = "20.03"; 26 | example = "21.09"; 27 | description = "NixOS state-Version"; 28 | }; 29 | }; 30 | 31 | config = mkIf cfg.enable { 32 | 33 | hardware.enableRedistributableFirmware = true; 34 | 35 | # Limit log size for journal 36 | services.journald.extraConfig = "SystemMaxUse=1G"; 37 | 38 | environment.systemPackages = with pkgs; [ 39 | universal-ctags 40 | git 41 | gnumake 42 | go 43 | htop 44 | neovim 45 | nix-index 46 | nixfmt-rfc-style 47 | ripgrep 48 | wget 49 | ncdu 50 | duf 51 | tmux 52 | ]; 53 | 54 | pinpox.defaults = { 55 | environment.enable = true; 56 | locale.enable = true; 57 | nix.enable = true; 58 | zsh.enable = true; 59 | networking.enable = true; 60 | }; 61 | pinpox.services = { 62 | openssh.enable = true; 63 | }; 64 | 65 | # Backups 66 | pinpox.services = { 67 | restic-client = { 68 | enable = true; 69 | backup-paths-exclude = [ 70 | "*.pyc" 71 | "*/.cache" 72 | "*/.cargo" 73 | "*/.container-diff" 74 | "*/.go/pkg" 75 | "*/.gvfs/" 76 | "*/.local/share/Steam" 77 | "*/.local/share/Trash" 78 | "*/.local/share/virtualenv" 79 | "*/.mozilla/firefox" 80 | "*/.rustup" 81 | "*/.vim" 82 | "*/.vimtemp" 83 | ]; 84 | backup-paths-onsite = [ 85 | config.services.postgresqlBackup.location 86 | "/home" 87 | "/root" 88 | ]; 89 | }; 90 | }; 91 | 92 | # Backup Postgres, if it is running 93 | services.postgresqlBackup = { 94 | enable = config.services.postgresql.enable; 95 | startAt = "*-*-* 01:15:00"; 96 | location = "/var/backup/postgresql"; 97 | backupAll = true; 98 | }; 99 | 100 | # This value determines the NixOS release from which the default 101 | # settings for stateful data, like file locations and database 
versions 102 | # on your system were taken. It‘s perfectly fine and recommended to leave 103 | # this value at the release version of the first install of this system. 104 | # Before changing this value read the documentation for this option 105 | # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 106 | system.stateVersion = cfg.stateVersion; # Did you read the comment? 107 | }; 108 | } 109 | -------------------------------------------------------------------------------- /modules/environment/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.defaults.environment; 10 | in 11 | { 12 | 13 | options.pinpox.defaults.environment = { 14 | enable = mkEnableOption "Environment defaults"; 15 | }; 16 | 17 | config = mkIf cfg.enable { 18 | 19 | # System-wide environment variables to be set 20 | environment = { 21 | variables = { 22 | EDITOR = "nvim"; 23 | GOPATH = "~/.go"; 24 | VISUAL = "nvim"; 25 | # Use librsvg's gdk-pixbuf loader cache file as it enables gdk-pixbuf to load 26 | # SVG files (important for icons) 27 | # GDK_PIXBUF_MODULE_FILE = 28 | # "$(echo ${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/*/loaders.cache)"; 29 | }; 30 | }; 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- /modules/fonts/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.defaults.fonts; 10 | in 11 | { 12 | 13 | options.pinpox.defaults.fonts = { 14 | enable = mkEnableOption "Fonts defaults"; 15 | }; 16 | 17 | config = mkIf cfg.enable { 18 | 19 | fonts = { 20 | fontDir.enable = true; 21 | packages = with pkgs; [ 22 | 23 | stix-two 24 | league-of-moveable-type 25 | inter 26 | source-sans-pro 27 | source-serif-pro 28 | noto-fonts-emoji 29 | # corefonts 30 | recursive 31 | iosevka-bin 32 | font-awesome 33 | line-awesome 34 | ]; 35 | 36 | fontconfig = { 37 | defaultFonts = { 38 | serif = [ 39 | "Berkeley Mono" 40 | "Inconsolata Nerd Font Mono" 41 | ]; 42 | sansSerif = [ 43 | "Berkeley Mono" 44 | "Inconsolata Nerd Font Mono" 45 | ]; 46 | monospace = [ 47 | "Berkeley Mono" 48 | "Inconsolata Nerd Font Mono" 49 | ]; 50 | emoji = [ "Noto Color Emoji" ]; 51 | }; 52 | }; 53 | }; 54 | }; 55 | } 56 | -------------------------------------------------------------------------------- /modules/gitea/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.services.gitea; 5 | in 6 | { 7 | 8 | options.pinpox.services.gitea = { 9 | enable = mkEnableOption "gitea config"; 10 | host = mkOption { 11 | type = types.str; 12 | default = "git.0cx.de"; 13 | description = "Host serving gitea"; 14 | example = "git.0cx.de"; 15 | }; 16 | }; 17 | 18 | config = mkIf cfg.enable { 19 | 20 | # Reverse proxy 21 | services.caddy.virtualHosts."${cfg.host}".extraConfig = 22 | with config.services.gitea.settings.server; 23 | "reverse_proxy ${HTTP_ADDR}:${builtins.toString HTTP_PORT}"; 24 | 25 | # Backups 26 | pinpox.services.restic-client.backup-paths-offsite = [ "/var/lib/gitea" ]; 27 | # The mailer password is prompted for through clan vars; the resulting file is owned by the gitea user. 28 | clan.core.vars.generators."gitea" = { 29 | files.mailer-pw.owner = "gitea"; 30 | prompts.mailer-pw.persist = true; 31 | }; 32 | 33 | services.gitea = { 34 | 35 | enable = true; 36 | mailerPasswordFile = "${config.clan.core.vars.generators."gitea".files."mailer-pw".path}"; 37 | # Gitea listens on loopback only and is reached through the Caddy virtual host above; registration is closed and viewing requires sign-in. 38 | settings = { 39 | server = { 40 | ROOT_URL = "https://${cfg.host}"; 41 | HTTP_PORT = 3333; 42 | HTTP_ADDR = "127.0.0.1"; 43 | }; 44 | service = { 45 | DISABLE_REGISTRATION = true; 46 | REQUIRE_SIGNIN_VIEW = true; 47 | DOMAIN = cfg.host; 48 | }; 49 | # NOTE(review): implicit TLS is disabled while the mailer authenticates against port 587; presumably STARTTLS is negotiated — verify the session is encrypted before credentials are sent (Gitea also accepts PROTOCOL = "smtp+starttls"). 50 | mailer = { 51 | ENABLED = true; 52 | FROM = "git@0cx.de"; 53 | PROTOCOL = "smtp"; 54 | IS_TLS_ENABLED = false; 55 | USER = "mail@0cx.de"; 56 | SMTP_ADDR = "r19.hallo.cloud:587"; 57 | }; 58 | markdown.ENABLE_MATH = true; 59 | }; 60 | }; 61 | }; 62 | } 63 | -------------------------------------------------------------------------------- /modules/hedgedoc/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pinpox-utils, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.services.hedgedoc; 10 | in 11 | # pinpox-utils = import ../../utils { inherit pkgs; }; 12 | { 13 | 14 | options.pinpox.services.hedgedoc = { 15 | enable = mkEnableOption "Hedgedoc server"; 16 | }; 17 | 18 | config = mkIf cfg.enable { 19 | # The session secret and the OAuth2 client credentials are supplied through a generated env file, not through the Environment list below. 20 | clan.core.vars.generators."hedgedoc" = pinpox-utils.mkEnvGenerator [ 21 | "CMD_SESSION_SECRET" 22 | "CMD_OAUTH2_CLIENT_ID" 23 | "CMD_OAUTH2_CLIENT_SECRET" 24 | ]; 25 | 26 | systemd.services.hedgedoc.serviceConfig.Environment = [ 27 | # Allow creating on-the-fly by url 28 | "CMD_ALLOW_FREEURL=true" 29 | 30 | # Default permission of notes 31 | "CMD_DEFAULT_PERMISSION=limited" 32 | 33 | # Forbid anonymous usage 34 | "CMD_ALLOW_ANONYMOUS=false" 35 | 36 | # oauth2 with dex 37 | "CMD_OAUTH2_BASEURL=https://${config.pinpox.services.dex.host}" 38 | "CMD_OAUTH2_AUTHORIZATION_URL=https://${config.pinpox.services.dex.host}/auth" 39 | "CMD_OAUTH2_TOKEN_URL=https://${config.pinpox.services.dex.host}/token" 40 | "CMD_OAUTH2_USER_PROFILE_URL='https://${config.pinpox.services.dex.host}/userinfo'" 41 | "CMD_OAUTH2_PROVIDERNAME=dex" 42 | "CMD_OAUTH2_SCOPE='openid email profile'" 43 | "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR='preferred_username'" 44 | "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR='name'" 45 | "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR='email'" 46 | ]; 47 | 48 | # Create system user and group 49 | services.hedgedoc = { 50 | enable = true; 51 | 52 | environmentFile = "${config.clan.core.vars.generators."hedgedoc".files."envfile".path}"; 53 | 54 | settings = { 55 | 56 | protocolUseSSL = true; # Use https when loading assets 57 | allowEmailRegister = false; # Disable email registration 58 | email = false; # Disable email login 59 | 60 | domain = "pads.0cx.de"; 61 | host = "127.0.0.1"; 62 | # port = 3000; # Default 63 | debug = true; # NOTE(review): debug mode is on for the instance served as pads.0cx.de and may log more than intended; presumably left over from setup — confirm and turn off 64 | 65 | db = { 66 | dialect = "sqlite"; 67 | storage = "/var/lib/hedgedoc/db.sqlite"; 68 | }; 69 | # NOTE(review): with useCDN, browsers fetch assets from third-party CDNs — confirm this is wanted. 70 | useCDN = true; 71 | }; 72 | }; 73 | 74 | # Backup 
SQLite database 75 | pinpox.services.restic-client.backup-paths-offsite = [ 76 | config.services.hedgedoc.settings.db.storage 77 | ]; 78 | 79 | # systemd.services.hedgedoc-git-sync = { 80 | # serviceConfig = { 81 | # Type = "oneshot"; 82 | # Environment = [ 83 | # "GIT_SSH_COMMAND='ssh -i private_key_file'" 84 | # ]; 85 | # }; 86 | # path = with pkgs; [ bash ]; 87 | # script = '' 88 | # echo "RUNNING IN " 89 | # pwd 90 | # ''; 91 | # }; 92 | 93 | # systemd.timers.hedgedoc-git-sync = { 94 | # wantedBy = [ "timers.target" ]; 95 | # partOf = [ "hedgedoc-git-sync.service" ]; 96 | # timerConfig = { 97 | # OnCalendar = "*:0/1"; 98 | # Unit = "hedgedoc-git-sync.service"; 99 | # }; 100 | # }; 101 | }; 102 | } 103 | -------------------------------------------------------------------------------- /modules/hello/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | config, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.services.hello; 10 | in 11 | { 12 | options.pinpox.services.hello = { 13 | enable = mkEnableOption "hello service"; 14 | greeter = mkOption { 15 | type = types.str; 16 | default = "world"; 17 | example = "universe"; 18 | description = "A very friendly service that greets you"; 19 | }; 20 | }; 21 | 22 | config = mkIf cfg.enable { 23 | # Installs hello and defines a unit, wanted by multi-user.target, that runs it with the configured greeting. 24 | environment.systemPackages = [ pkgs.hello ]; 25 | # NOTE(review): the escapeShellArg output is spliced inside an argument that is already single-quoted, so a greeter containing quotes may not reach hello as intended — confirm how systemd parses this ExecStart. 26 | systemd.services.hello = { 27 | wantedBy = [ "multi-user.target" ]; 28 | serviceConfig.ExecStart = "${pkgs.hello}/bin/hello -g'Hello, ${escapeShellArg cfg.greeter}!'"; 29 | }; 30 | }; 31 | } 32 | -------------------------------------------------------------------------------- /modules/hello/test.nix: -------------------------------------------------------------------------------- 1 | { 2 | pkgs, 3 | system, 4 | self, 5 | ... 6 | }: 7 | 8 | with import (pkgs + "/nixos/lib/testing-python.nix") { inherit system; }; 9 | 10 | (makeTest { 11 | nodes = { 12 | client = 13 | { ... 
}: 14 | { 15 | imports = [ self.nixosModules.hello ]; 16 | pinpox.services.hello.enable = true; 17 | }; 18 | }; 19 | 20 | testScript = '' 21 | start_all() 22 | client.wait_for_unit("multi-user.target") 23 | print(client.succeed("uname")) 24 | print(client.succeed("hello")) 25 | ''; 26 | }).test 27 | -------------------------------------------------------------------------------- /modules/http2irc/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | config, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.services.monitoring-server.http-irc; 10 | 11 | http2irc = pkgs.buildGoModule rec { 12 | 13 | pname = "http2irc"; 14 | version = "1.0"; 15 | 16 | # TODO use flake inputs 17 | src = pkgs.fetchFromGitHub { 18 | owner = "pinpox"; 19 | repo = "http2irc"; 20 | rev = "v${version}"; 21 | sha256 = "sha256-5aHQ3Y0Md0qrJlFju8Nx6S5Ul+SVZOtFrcx90oiVvWo="; 22 | }; 23 | 24 | vendorHash = "sha256-k45e6RSIl3AQdOFQysIwJP9nlYsSFeaUznVIXfbYwLA="; 25 | subPackages = [ "." 
]; 26 | 27 | meta = with lib; { 28 | description = "Webhook reciever to annouce in IRC channels"; 29 | homepage = "https://github.com/pinpox/http2irc"; 30 | license = licenses.gpl3; 31 | maintainers = with maintainers; [ pinpox ]; 32 | platforms = platforms.linux; 33 | }; 34 | }; 35 | 36 | templateFile = pkgs.writeTextFile { 37 | name = "template.mustache"; 38 | text = concatStrings [ "{{#plain}}{{plain}}{{/plain}}" ]; 39 | }; 40 | in 41 | # port-loki = 3100; 42 | { 43 | 44 | options.pinpox.services.monitoring-server.http-irc = { 45 | enable = mkEnableOption "http2irc webhook relay"; 46 | }; 47 | 48 | config = mkIf cfg.enable { 49 | 50 | # User and group 51 | users.users.http2irc = { 52 | isSystemUser = true; 53 | home = "/var/lib/http2irc"; 54 | description = "http2irc system user"; 55 | group = "http2irc"; 56 | createHome = true; 57 | }; 58 | 59 | users.groups.http2irc = { 60 | name = "http2irc"; 61 | }; 62 | 63 | clan.core.vars.generators."http2irc" = pinpox-utils.mkEnvGenerator [ 64 | "IRC_SASL_PASS" 65 | "IRC_SASL_USER" 66 | "IRC_NICK" 67 | "IRC_BOT_TOKEN" 68 | ]; # NOTE(review): pinpox-utils is not among this module's arguments ({ lib, pkgs, config, ... }) and has no let binding in this file; unless `with lib` supplies it, enabling the module fails at evaluation. Other modules in this tree take it as an argument or import ../../utils - confirm and align. 69 | 70 | # Service 71 | systemd.services.http2irc = { 72 | wantedBy = [ "multi-user.target" ]; 73 | after = [ "network.target" ]; 74 | description = "Start http2irc"; 75 | serviceConfig = { 76 | EnvironmentFile = [ 77 | config.clan.core.vars.generators.http2irc.files."envfile".path 78 | ]; # env file from the "http2irc" generator; presumably holds the IRC_SASL_*/IRC_NICK/IRC_BOT_TOKEN values named there, keeping them out of the Environment= list below - confirm against mkEnvGenerator 79 | Environment = [ 80 | "IRC_TEMPLATE='${templateFile}'" 81 | "IRC_CHANNEL='#lounge-rocks'" 82 | "IRC_DEBUG='false'" 83 | "IRC_LISTEN=localhost:8989" # listener is bound to localhost; this module defines no reverse proxy or firewall rule for it 84 | "IRC_NOTICE='true'" 85 | "IRC_SERVER='irc.freenode.net:7000'" 86 | ]; 87 | WorkingDirectory = "/var/lib/http2irc"; 88 | User = "http2irc"; 89 | ExecStart = "${http2irc}/bin/http2irc"; 90 | Restart = "on-failure"; 91 | RestartSec = "5s"; 92 | }; 93 | }; 94 | 95 | # Reverse proxy 96 | }; 97 | } 98 | -------------------------------------------------------------------------------- /modules/jitsi-matrix-presence/default.nix: 
-------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | jitsi-matrix-presence, 6 | ... 7 | }: 8 | with lib; 9 | let 10 | cfg = config.pinpox.services.jitsi-matrix-presence; 11 | pinpox-utils = import ../../utils { inherit pkgs; }; 12 | mkPres = JITSI_ROOMS: JITSI_SERVER: ROOM_ID: port: { # mkPres: returns one systemd service definition for a presence instance; port is a string interpolated into LISTEN_ADDRESS 13 | 14 | wantedBy = [ "multi-user.target" ]; 15 | environment = { 16 | inherit JITSI_ROOMS JITSI_SERVER ROOM_ID; 17 | HOMESERVER_URL = "https://matrix.org"; 18 | USER_ID = "@alertus-maximus:matrix.org"; 19 | LISTEN_ADDRESS = "0.0.0.0:${port}"; # binds all interfaces, so exposure is decided by the firewall ports opened below 20 | }; 21 | 22 | serviceConfig = { 23 | EnvironmentFile = [ 24 | config.clan.core.vars.generators."jitsi-presence".files."envfile".path 25 | ]; # env file produced by the "jitsi-presence" generator below (presumably carries ACCESS_TOKEN - confirm against mkEnvGenerator) 26 | DynamicUser = true; 27 | ExecStart = "${jitsi-matrix-presence.packages.x86_64-linux.default}/bin/jitsi-presence"; # package is taken for x86_64-linux only 28 | Restart = "on-failure"; 29 | RestartSec = "5s"; 30 | }; 31 | }; 32 | 33 | in 34 | { 35 | 36 | options.pinpox.services.jitsi-matrix-presence = { 37 | enable = mkEnableOption "Jitsi presence notification service"; 38 | }; 39 | 40 | config = mkIf cfg.enable { 41 | 42 | networking.firewall.allowedTCPPorts = [ 43 | 8226 44 | 8227 45 | 8228 46 | ]; # NOTE(review): three ports are opened on every interface, but only one instance (port 8226) is defined below; 8227 and 8228 have no listener in this module - consider opening only the ports that are in use 47 | 48 | clan.core.vars.generators."jitsi-presence" = pinpox-utils.mkEnvGenerator [ "ACCESS_TOKEN" ]; 49 | 50 | systemd.services.jitsi-matrix-presence-krebs = 51 | mkPres "krebs,nixos" "https://jitsi.lassul.us" "!bohcSYPVoePqBDWlvE:hackint.org" 52 | "8226"; 53 | }; 54 | } 55 | -------------------------------------------------------------------------------- /modules/kf-homepage/default.nix: -------------------------------------------------------------------------------- 1 | { lib, config, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.services.kf-homepage; 5 | in 6 | { 7 | 8 | options.pinpox.services.kf-homepage = { 9 | enable = mkEnableOption "Krosse Flagge Homepage"; 10 | }; 11 | 12 | config = mkIf cfg.enable { 13 | 14 | services.caddy = { 15 | enable = true; 16 | virtualHosts = { 17 | "0cx.de".extraConfig = '' 18 | root * ${./page} 19 | encode zstd gzip 20 | file_server 21 | ''; 22 | }; 23 | }; 24 | }; 25 | } 26 | -------------------------------------------------------------------------------- /modules/kf-homepage/page/dance.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pinpox/nixos/6ca6002a6360567f0233d2b6c81bac93dce7f143/modules/kf-homepage/page/dance.gif -------------------------------------------------------------------------------- /modules/kf-homepage/page/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Krosse Flagge 6 | 7 | 8 | 9 | 10 | 47 | 48 |
49 | 50 |
51 | pads 52 | git 53 | irc 54 | news 55 |
56 |
57 | 58 | 59 | -------------------------------------------------------------------------------- /modules/locale/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | let 4 | cfg = config.pinpox.defaults.locale; 5 | in 6 | { 7 | 8 | options.pinpox.defaults.locale = { 9 | enable = mkEnableOption "Locale defaults"; 10 | }; 11 | 12 | config = mkIf cfg.enable { 13 | 14 | # Set localization and tty options 15 | i18n.defaultLocale = "en_DK.UTF-8"; 16 | 17 | i18n.supportedLocales = [ 18 | "en_US.UTF-8/UTF-8" 19 | "en_DK.UTF-8/UTF-8" 20 | ]; 21 | 22 | console = { 23 | # font = "Lat2-Terminus16"; 24 | keyMap = "colemak"; 25 | }; 26 | 27 | # Set the timezone 28 | time.timeZone = "Europe/Berlin"; 29 | }; 30 | } 31 | -------------------------------------------------------------------------------- /modules/lvm-grub/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | let 4 | cfg = config.pinpox.defaults.lvm-grub; 5 | in 6 | { 7 | 8 | options.pinpox.defaults.lvm-grub = { 9 | enable = mkEnableOption "LVM/Grub defaults"; 10 | }; 11 | config = mkIf cfg.enable { 12 | 13 | # Use the grub2 boot loader. 14 | boot = { 15 | 16 | loader = { 17 | grub.enable = true; 18 | 19 | # Required for LVM 20 | grub.device = "nodev"; 21 | 22 | # Use UEFI support 23 | grub.efiSupport = true; 24 | grub.efiInstallAsRemovable = true; 25 | # efi.canTouchEfiVariables = true; 26 | # useOSProber = true; 27 | }; 28 | 29 | # /tmp is cleaned after each reboot 30 | tmp.cleanOnBoot = true; 31 | }; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /modules/miniflux/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.services.miniflux; 10 | in 11 | { 12 | 13 | options.pinpox.services.miniflux = { 14 | enable = mkEnableOption "miniflux RSS reader"; 15 | }; 16 | 17 | config = mkIf cfg.enable { 18 | 19 | clan.core.vars.generators."miniflux" = { 20 | files.credentials = { }; 21 | 22 | # From Gitea 23 | prompts.oauth2_client_id.persist = true; 24 | prompts.oauth2_client_secret.persist = true; 25 | 26 | runtimeInputs = with pkgs; [ 27 | coreutils 28 | xkcdpass 29 | ]; 30 | 31 | script = # sh 32 | '' 33 | mkdir -p $out 34 | printf "ADMIN_USERNAME=admin\nADMIN_PASSWORD='%s'" "$(xkcdpass -d-)" > $out/credentials 35 | ''; 36 | }; 37 | 38 | services.caddy = { 39 | enable = true; 40 | virtualHosts."news.0cx.de".extraConfig = 41 | "reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR}"; 42 | }; 43 | 44 | systemd.services.miniflux.serviceConfig.LoadCredential = 45 | with config.clan.core.vars.generators."miniflux".files; [ 46 | "oauth2_client_id_file:${oauth2_client_id.path}" 47 | "oauth2_client_secret_file:${oauth2_client_secret.path}" 48 | ]; 49 | 50 | services.miniflux = { 51 | enable = true; 52 | config = { 53 | # OAUTH2_USER_CREATION = "1"; 54 | CLEANUP_FREQUENCY = "48"; 55 | LISTEN_ADDR = "127.0.0.1:8787"; 56 | OAUTH2_PROVIDER = "oidc"; 57 | OAUTH2_CLIENT_ID_FILE = "%d/oauth2_client_id_file"; 58 | OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_client_secret_file"; 59 | OAUTH2_REDIRECT_URL = "https://news.0cx.de/oauth2/oidc/callback"; 60 | OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://git.0cx.de/"; 61 | }; 62 | adminCredentialsFile = config.clan.core.vars.generators."miniflux".files."credentials".path; 63 | }; 64 | }; 65 | } 66 | -------------------------------------------------------------------------------- /modules/minio/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | config, 4 | pkgs, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.services.minio; 10 | in 11 | { 12 | 13 | options.pinpox.services.minio = { 14 | enable = mkEnableOption "minio s3 config"; 15 | }; 16 | 17 | config = mkIf cfg.enable { 18 | 19 | clan.core.vars.generators."minio" = rec { 20 | files.root-credentials = { }; 21 | validation.script = script; 22 | 23 | runtimeInputs = with pkgs; [ 24 | coreutils 25 | xkcdpass 26 | ]; 27 | 28 | script = # sh 29 | '' 30 | mkdir -p $out 31 | printf "MINIO_ROOT_USER=admin\nMINIO_ROOT_PASSWORD='%s'" "$(xkcdpass -d-)" > $out/root-credentials 32 | ''; 33 | }; 34 | 35 | networking.firewall.interfaces.wg-clan.allowedTCPPorts = [ 36 | 9000 37 | 9001 38 | ]; 39 | 40 | services.minio = 41 | 42 | let 43 | wg-clan-ip = builtins.elemAt (builtins.match "(.*)/.*" (builtins.elemAt config.networking.wireguard.interfaces.wg-clan.ips 0)) 0; 44 | 45 | in 46 | { 47 | enable = true; 48 | listenAddress = "${wg-clan-ip}:9000"; 49 | consoleAddress = "${wg-clan-ip}:9001"; 50 | region = "eu-central-1"; 51 | rootCredentialsFile = "${config.clan.core.vars.generators."minio".files."root-credentials".path}"; 52 | dataDir = [ "/mnt/data/minio/data" ]; 53 | configDir = "/mnt/data/minio/config"; 54 | }; 55 | 56 | systemd.services.minio = { 57 | 58 | environment = { 59 | MINIO_SERVER_URL = "https://vpn.s3.pablo.tools"; 60 | MINIO_BROWSER_REDIRECT_URL = "https://vpn.minio.pablo.tools"; 61 | }; 62 | }; 63 | }; 64 | } 65 | -------------------------------------------------------------------------------- /modules/minio/policies/nextcloud-external.json: -------------------------------------------------------------------------------- 1 | { 2 | "ID": "NextcloudExternalRepoPolicy", 3 | "Version": "2012-10-17", 4 | "Statement": [ 5 | { 6 | "Sid": "AllowObjects", 7 | "Effect": "Allow", 8 | "Action": [ 9 | "s3:DeleteObject", 10 | "s3:GetObject", 11 | "s3:PutObject" 12 | ], 13 | "Resource": [ 14 | "arn:aws:s3:::nextcloud-external/*" 15 | ] 16 | }, 17 | { 18 | "Sid": "AllowRepo", 19 | 
"Effect": "Allow", 20 | "Action": [ 21 | "s3:GetBucketLocation", 22 | "s3:ListBucket" 23 | ], 24 | "Resource": [ 25 | "arn:aws:s3:::nextcloud-external" 26 | ] 27 | } 28 | ] 29 | } 30 | -------------------------------------------------------------------------------- /modules/minio/policies/restic.json: -------------------------------------------------------------------------------- 1 | { 2 | "ID": "ResticRepoPolicy", 3 | "Version": "2012-10-17", 4 | "Statement": [ 5 | { 6 | "Sid": "AllowObjects", 7 | "Effect": "Allow", 8 | "Action": [ 9 | "s3:DeleteObject", 10 | "s3:GetObject", 11 | "s3:PutObject" 12 | ], 13 | "Resource": [ 14 | "arn:aws:s3:::restic/*" 15 | ] 16 | }, 17 | { 18 | "Sid": "AllowRepo", 19 | "Effect": "Allow", 20 | "Action": [ 21 | "s3:GetBucketLocation", 22 | "s3:ListBucket" 23 | ], 24 | "Resource": [ 25 | "arn:aws:s3:::restic" 26 | ] 27 | } 28 | ] 29 | } 30 | -------------------------------------------------------------------------------- /modules/monitoring/alertmanager-irc-relay.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | config, 5 | ... 6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.services.monitoring-server.alertmanager-irc-relay; 10 | 11 | am-irc-conf = { 12 | # listening host/port. 13 | http_host = "localhost"; 14 | http_port = 8667; 15 | 16 | # Connect to this IRC host/port. 17 | irc_host = "irc.hackint.org"; 18 | irc_port = 6697; 19 | # irc_host_password = "myserver_password"; 20 | irc_nickname = "alertus-maximus"; 21 | irc_nickname_password = "mynickserv_key"; 22 | irc_realname = "myrealname"; 23 | 24 | irc_channels = [ { name = "#lounge-rocks-log"; } ]; 25 | 26 | msg_once_per_alert_group = false; 27 | # Use PRIVMSG instead of NOTICE (default) to send messages. 28 | use_privmsg = true; 29 | 30 | # Define how IRC messages should be formatted. 
31 | msg_template = "⚠ ⚠ ⚠ [{{.Labels.instance}}] - {{ .Labels.alertname }} is {{.Status}} ⚠ ⚠ ⚠ {{.Annotations.description}} (@pinpox act accordingly)"; 32 | # Note: When sending only one message per alert group the default 33 | # msg_template is set to 34 | # "Alert {{ .GroupLabels.alertname }} for {{ .GroupLabels.job }} is {{ .Status }}" 35 | 36 | # Set the internal buffer size for alerts received but not yet sent to IRC. 37 | alert_buffer_size = 2048; 38 | 39 | # Patterns used to guess whether NickServ is asking us to IDENTIFY 40 | # Note: If you need to change this because the bot is not catching a request 41 | # from a rather common NickServ, please consider sending a PR to update the 42 | # default config instead. 43 | # nickserv_identify_patterns = [ 44 | # "identify via /msg NickServ identify " 45 | # "type /msg NickServ IDENTIFY password" 46 | # "authenticate yourself to services with the IDENTIFY command" 47 | # ]; 48 | }; 49 | 50 | confPath = pkgs.writeText "config.yml" (builtins.toJSON am-irc-conf); # NOTE(review): pkgs.writeText puts this file in the Nix store, which is world-readable, so every key of am-irc-conf (irc_nickname_password included) can be read by any local user. Keep only a placeholder in am-irc-conf and supply a real NickServ password from a secret file at runtime. 51 | in 52 | { 53 | 54 | options.pinpox.services.monitoring-server.alertmanager-irc-relay = { 55 | enable = mkEnableOption "alertmanager-irc-relay"; 56 | }; 57 | 58 | config = mkIf cfg.enable { 59 | 60 | # User and group 61 | users.groups."alertmanager-irc-relay" = { }; 62 | users.users."alertmanager-irc-relay" = { 63 | isSystemUser = true; 64 | # createHome = true; 65 | group = "alertmanager-irc-relay"; 66 | }; 67 | 68 | # Service 69 | systemd.services.alertmanager-irc-relay = { 70 | wantedBy = [ "multi-user.target" ]; 71 | serviceConfig = { 72 | 73 | # Environment = [ ]; 74 | 75 | ExecStart = "${pkgs.alertmanager-irc-relay}/bin/alertmanager-irc-relay --config ${confPath}"; 76 | User = config.users.users.alertmanager-irc-relay.name; 77 | Group = config.users.users.alertmanager-irc-relay.name; # group is set from the user's name; it resolves because the user and the group declared above share the name alertmanager-irc-relay 78 | }; 79 | }; 80 | }; 81 | } 82 | -------------------------------------------------------------------------------- /modules/monitoring/default.nix: 
-------------------------------------------------------------------------------- 1 | { pkgs, config, ... }: 2 | 3 | { 4 | imports = [ 5 | ./metrics.nix 6 | ./grafana.nix 7 | ./loki.nix 8 | ./prometheus.nix 9 | ./alertmanager-irc-relay.nix 10 | ]; 11 | } 12 | -------------------------------------------------------------------------------- /modules/monitoring/grafana.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | config, 4 | ... 5 | }: 6 | with lib; 7 | let 8 | cfg = config.pinpox.services.monitoring-server.dashboard; 9 | in 10 | { 11 | 12 | # [porree:rebuild] trace: warning: Provisioning Grafana datasources with options has been deprecated. 13 | # [porree:rebuild] Use `services.grafana.provision.datasources.settings` or 14 | # [porree:rebuild] `services.grafana.provision.datasources.path` instead. 15 | 16 | options.pinpox.services.monitoring-server.dashboard = { 17 | enable = mkEnableOption "Grafana dashboard"; 18 | 19 | domain = mkOption { 20 | type = types.str; 21 | default = "status.pablo.tools"; 22 | example = "dashboards.myhost.com"; 23 | description = "Domain for grafana"; 24 | }; 25 | }; 26 | 27 | config = mkIf cfg.enable { 28 | 29 | # SMTP password file 30 | clan.core.vars.generators."grafana".prompts.smtp-password.persist = true; 31 | 32 | # Backup Graphana dir, contains stateful config 33 | pinpox.services.restic-client.backup-paths-offsite = [ "/var/lib/grafana" ]; 34 | 35 | # Graphana fronend 36 | services.grafana = { 37 | 38 | enable = true; 39 | 40 | settings = { 41 | server = { 42 | domain = cfg.domain; 43 | # Default is 3000 44 | http_port = 9005; 45 | http_addr = "127.0.0.1"; 46 | }; 47 | 48 | # Mail notifications 49 | smtp = { 50 | enabled = true; 51 | host = "smtp.sendgrid.net:587"; 52 | user = "apikey"; 53 | passwordFile = "${config.clan.core.vars.generators."grafana".files."smtp-password".path}"; 54 | fromAddress = "status@pablo.tools"; 55 | }; 56 | }; 57 | 58 | # TODO add plugins here, 
instead of using grafana-cli 59 | # declarativePlugins = with pkgs.grafanaPlugins [ 60 | # grafana-piechart-panel 61 | # ]; 62 | # TODO provision the dashboards as currently configured 63 | 64 | provision.datasources.settings = { 65 | datasources = [ 66 | { 67 | name = "Prometheus localhost"; 68 | url = "http://localhost:9090"; 69 | type = "prometheus"; 70 | isDefault = true; 71 | } 72 | { 73 | name = "loki"; 74 | url = "http://localhost:3100"; 75 | type = "loki"; 76 | } 77 | ]; 78 | }; 79 | }; 80 | }; 81 | } 82 | -------------------------------------------------------------------------------- /modules/monitoring/loki.nix: -------------------------------------------------------------------------------- 1 | { lib, config, ... }: 2 | with lib; 3 | let 4 | cfg = config.pinpox.services.monitoring-server.loki; 5 | port-loki = 3100; 6 | in 7 | { 8 | 9 | options.pinpox.services.monitoring-server.loki = { 10 | enable = mkEnableOption "Loki log collector"; 11 | }; 12 | 13 | config = mkIf cfg.enable { 14 | 15 | pinpox.services.restic-client.backup-paths-exclude = [ "/var/lib/loki" ]; 16 | 17 | networking.firewall = { 18 | enable = true; 19 | interfaces.wg-clan.allowedTCPPorts = [ port-loki ]; # the Loki HTTP port is opened on the wg-clan interface only 20 | }; 21 | 22 | services.loki = { 23 | enable = true; 24 | configuration = { 25 | auth_enabled = false; # NOTE(review): with authentication off, any host that can reach the Loki port can push and query logs; the firewall rule above limits that to the wg-clan interface, so every peer on that network has this access - confirm this is intended 26 | 27 | server.http_listen_port = port-loki; 28 | 29 | ingester = { 30 | lifecycler = { 31 | address = "0.0.0.0"; 32 | ring = { 33 | kvstore.store = "inmemory"; 34 | replication_factor = 1; 35 | }; 36 | final_sleep = "0s"; 37 | }; 38 | 39 | # Any chunk not receiving new logs in this time will be flushed 40 | chunk_idle_period = "1h"; 41 | 42 | # All chunks will be flushed when they hit this age, default is 1h 43 | max_chunk_age = "1h"; 44 | # Loki will attempt to build chunks up to 1.5MB, flushing first if 45 | # chunk_idle_period or max_chunk_age is reached first 46 | chunk_target_size = 1048576; # NOTE(review): 1048576 bytes is 1 MiB, not the 1.5MB named in the comment above 47 | 48 | # Must be greater than index read cache TTL if using an index cache 
(Default 49 | # index read cache TTL is 5m) 50 | chunk_retain_period = "30s"; 51 | }; 52 | 53 | schema_config.configs = [ 54 | { 55 | from = "2020-10-24"; 56 | store = "boltdb-shipper"; 57 | object_store = "filesystem"; 58 | schema = "v13"; 59 | index = { 60 | prefix = "index_"; 61 | period = "24h"; 62 | }; 63 | } 64 | ]; 65 | 66 | storage_config = { 67 | 68 | boltdb_shipper = { 69 | active_index_directory = "/var/lib/loki/boltdb-shipper-active"; 70 | cache_location = "/var/lib/loki/boltdb-shipper-cache"; 71 | 72 | # Can be increased for faster performance over longer query periods, 73 | # uses more disk space 74 | cache_ttl = "24h"; 75 | }; 76 | 77 | filesystem.directory = "/var/lib/loki/chunks"; 78 | }; 79 | 80 | limits_config = { 81 | reject_old_samples = true; 82 | reject_old_samples_max_age = "168h"; 83 | allow_structured_metadata = false; 84 | }; 85 | 86 | table_manager = { 87 | retention_deletes_enabled = false; 88 | retention_period = "0s"; 89 | }; 90 | 91 | compactor.working_directory = "/var/lib/loki/boltdb-shipper-compactor"; 92 | }; 93 | }; 94 | 95 | services.promtail = { 96 | enable = true; 97 | configuration = { 98 | 99 | server = { 100 | http_listen_port = 28183; 101 | grpc_listen_port = 0; 102 | }; 103 | 104 | positions.filename = "/tmp/positions.yml"; 105 | 106 | clients = [ { url = "http://localhost:${toString port-loki}/loki/api/v1/push"; } ]; 107 | 108 | scrape_configs = [ 109 | { 110 | job_name = "journal"; 111 | journal = { 112 | max_age = "12h"; 113 | labels = { 114 | job = "systemd-journal"; 115 | host = "${config.networking.hostName}"; 116 | }; 117 | }; 118 | relabel_configs = [ 119 | { 120 | source_labels = [ "__journal__systemd_unit" ]; 121 | target_label = "unit"; 122 | } 123 | ]; 124 | } 125 | ]; 126 | }; 127 | }; 128 | }; 129 | } 130 | -------------------------------------------------------------------------------- /modules/monitoring/metrics.nix: -------------------------------------------------------------------------------- 1 | { 2 
| lib, 3 | pkgs, 4 | config, 5 | pinpox-utils, 6 | ... 7 | }: 8 | with lib; 9 | let 10 | cfg = config.pinpox.metrics; 11 | in 12 | { 13 | 14 | options.pinpox.metrics.node = { 15 | enable = mkEnableOption "prometheus node-exporter metrics collection"; 16 | }; 17 | 18 | options.pinpox.metrics.json = { 19 | enable = mkEnableOption "prometheus json metrics collection"; 20 | }; 21 | 22 | options.pinpox.metrics.blackbox = { 23 | enable = mkEnableOption "prometheus blackbox-exporter metrics collection"; 24 | }; 25 | 26 | config = { 27 | 28 | services.prometheus.exporters = { 29 | node = mkIf cfg.node.enable { 30 | enable = true; 31 | # Default port is 9100 32 | # Listen on 0.0.0.0, bet we only open the firewall for wg-clan 33 | openFirewall = false; 34 | enabledCollectors = [ 35 | "cgroups" 36 | "systemd" 37 | ]; 38 | 39 | extraFlags = [ "--collector.textfile.directory=/etc/nix" ]; 40 | }; 41 | 42 | blackbox = mkIf cfg.blackbox.enable { 43 | enable = true; 44 | # Default port is 9115 45 | # Listen on 0.0.0.0, bet we only open the firewall for wg-clan 46 | openFirewall = false; 47 | 48 | configFile = pkgs.writeTextFile { 49 | name = "blackbox-exporter-config"; 50 | text = '' 51 | modules: 52 | http_2xx: 53 | prober: http 54 | timeout: 5s 55 | http: 56 | valid_http_versions: ["HTTP/1.1", "HTTP/2.0"] 57 | valid_status_codes: [] # Defaults to 2xx 58 | method: GET 59 | no_follow_redirects: false 60 | fail_if_ssl: false 61 | fail_if_not_ssl: false 62 | tls_config: 63 | insecure_skip_verify: false 64 | preferred_ip_protocol: "ip4" # defaults to "ip6" 65 | ip_protocol_fallback: true # fallback to "ip6" 66 | ''; 67 | }; 68 | }; 69 | }; 70 | 71 | # github = { 72 | # repositories = [ "nixos/nixpkgs" "pinpox/nixos" "pinpox/nixos-home" ]; 73 | # }; 74 | 75 | # Open firewall ports on the wireguard interface 76 | networking.firewall.interfaces.wg-clan.allowedTCPPorts = 77 | lib.optional cfg.blackbox.enable 9115 78 | ++ lib.optional cfg.node.enable 9100; 79 | }; 80 | } 81 | 
-------------------------------------------------------------------------------- /modules/networking/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | ... 5 | }: 6 | with lib; 7 | let 8 | cfg = config.pinpox.defaults.networking; 9 | in 10 | { 11 | 12 | options.pinpox.defaults.networking = { 13 | enable = mkEnableOption "Network defaults"; 14 | }; 15 | 16 | config = mkIf cfg.enable { 17 | 18 | networking = { 19 | 20 | # Define the DNS servers 21 | nameservers = [ 22 | "1.1.1.1" 23 | "8.8.8.8" 24 | "192.168.2.1" 25 | ]; 26 | 27 | # Additional hosts to put in /etc/hosts 28 | extraHosts = '' 29 | # Wireguard 30 | 192.168.8.1 porree.wireguard 31 | 192.168.8.3 kartoffel.wireguard 32 | 192.168.8.4 birne.wireguard 33 | 192.168.8.5 kfbox.wireguard 34 | 35 | # Public 36 | 94.16.114.42 porree-old.public 37 | 94.16.108.229 porree.public 38 | 46.38.242.17 kfbox.public 39 | 93.177.66.52 kfbox-old 40 | 5.181.48.121 mega.public 41 | 42 | # VPN protected services 43 | 192.168.8.1 vpn.motion.pablo.tools 44 | 192.168.8.1 vpn.octoprint.pablo.tools 45 | 192.168.8.1 vpn.alerts.pablo.tools 46 | 192.168.8.1 vpn.prometheus.pablo.tools 47 | 192.168.8.1 vpn.notify.pablo.tools 48 | 192.168.8.1 vpn.s3.pablo.tools 49 | 192.168.8.1 vpn.minio.pablo.tools 50 | ''; 51 | }; 52 | }; 53 | } 54 | -------------------------------------------------------------------------------- /modules/ntfy-sh/default.nix: -------------------------------------------------------------------------------- 1 | { lib, config, ... 
}: 2 | with lib; 3 | let 4 | cfg = config.pinpox.services.ntfy-sh; 5 | ntfy-port = "8090"; 6 | ntfy-host = "push.pablo.tools"; 7 | in 8 | { 9 | 10 | options.pinpox.services.ntfy-sh = { 11 | enable = mkEnableOption "ntfy-sh notification server"; 12 | }; 13 | 14 | config = mkIf cfg.enable { 15 | 16 | services.ntfy-sh = { 17 | enable = true; 18 | settings = { 19 | behind-proxy = true; 20 | listen-http = "127.0.0.1:${ntfy-port}"; 21 | base-url = "https://${ntfy-host}"; 22 | auth-file = "/var/lib/ntfy-sh/user.db"; 23 | auth-default-access = "deny-all"; 24 | upstream-base-url = "https://ntfy.sh"; 25 | # https://github.com/binwiederhier/ntfy/issues/459 26 | web-root = "disable"; # Set to "app" to enable web UI 27 | }; 28 | }; 29 | 30 | users.users.ntfy-sh = { 31 | home = "/var/lib/ntfy-sh"; 32 | createHome = true; 33 | }; 34 | 35 | services.caddy.virtualHosts."${ntfy-host}".extraConfig = '' 36 | reverse_proxy 127.0.0.1:${ntfy-port} 37 | ''; 38 | }; 39 | } 40 | -------------------------------------------------------------------------------- /modules/openssh/ca.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPcS8NMzwYLvKFOXeTZwX/W6ua0zIzs4zA0PW0xz62i user-ca 2 | -------------------------------------------------------------------------------- /modules/openssh/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | pinpox-keys, 6 | ... 7 | }: 8 | with lib; 9 | let 10 | cfg = config.pinpox.services.openssh; 11 | in 12 | { 13 | 14 | options.pinpox.services.openssh = { 15 | enable = mkEnableOption "OpenSSH server"; 16 | }; 17 | 18 | config = mkIf cfg.enable { 19 | 20 | # Enable the OpenSSH daemon. 
21 | services.openssh = { 22 | enable = true; 23 | startWhenNeeded = true; 24 | settings = { 25 | PasswordAuthentication = false; 26 | KbdInteractiveAuthentication = false; # password and keyboard-interactive logins are both off, leaving key- and certificate-based authentication 27 | }; 28 | }; 29 | 30 | # Enable the firewall. This module opens only TCP 22 (SSH); HTTP(S) ports are not opened here. 31 | networking.firewall = { 32 | enable = true; 33 | allowPing = true; 34 | allowedTCPPorts = [ 22 ]; 35 | }; 36 | 37 | users.users.root.openssh.authorizedKeys.keyFiles = [ pinpox-keys ]; # root's authorized keys are read from the pinpox-keys module argument 38 | 39 | services.openssh.extraConfig = "TrustedUserCAKeys ${./ca.pub}"; # sshd accepts user certificates signed by the CA key in ./ca.pub, so that CA's private key must be protected like a login credential for every host using this module 40 | }; 41 | } 42 | -------------------------------------------------------------------------------- /modules/owncast/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | let 4 | cfg = config.pinpox.services.owncast; 5 | in 6 | { 7 | options.pinpox.services.owncast = { 8 | enable = mkEnableOption "owncast server"; 9 | host = mkOption { 10 | type = types.str; 11 | default = "stream.0cx.de"; 12 | description = "Host serving owncast"; 13 | example = "stream.0cx.de"; 14 | }; 15 | }; 16 | 17 | config = mkIf cfg.enable { 18 | 19 | services.owncast = { 20 | enable = true; 21 | port = 9768; 22 | rtmp-port = 1935; 23 | }; 24 | 25 | networking.firewall.allowedTCPPorts = [ config.services.owncast.rtmp-port ]; # only the RTMP port is opened in the firewall; the web port is reached through the Caddy reverse proxy below 26 | 27 | services.caddy = { 28 | enable = true; 29 | virtualHosts."${cfg.host}".extraConfig = 30 | "reverse_proxy 127.0.0.1:${builtins.toString config.services.owncast.port}"; 31 | }; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /modules/radio/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | radio, 5 | pkgs, 6 | ... 
7 | }: 8 | with lib; 9 | let 10 | cfg = config.pinpox.services.radio; 11 | in 12 | { 13 | 14 | options.pinpox.services.radio = { 15 | enable = mkEnableOption "web radio streamer"; 16 | 17 | host = mkOption { 18 | type = types.str; 19 | default = "radio.0cx.de"; 20 | description = "Host serving the radio"; 21 | example = "radio.0cx.de"; 22 | }; 23 | 24 | }; 25 | 26 | config = mkIf cfg.enable { 27 | 28 | services.caddy = { 29 | enable = true; 30 | virtualHosts."${cfg.host}".extraConfig = "reverse_proxy 127.0.0.1:7000"; 31 | }; 32 | 33 | systemd.services.radio = 34 | let 35 | stationsfile = pkgs.writeTextFile { 36 | name = "stations.ini"; 37 | text = '' 38 | [Hirschmilch Psytrance] 39 | url = "https://hirschmilch.de:7000/psytrance.mp3" 40 | 41 | [Hirschmilch Progressive] 42 | url = "https://hirschmilch.de:7000/progressive.mp3" 43 | 44 | [Lassulus Radio] 45 | url = "https://radio.lassul.us/radio.mp3" 46 | ''; 47 | }; 48 | 49 | in 50 | { 51 | wantedBy = [ "multi-user.target" ]; 52 | environment = { 53 | RADIO_ADDRESS = "127.0.0.1:7000"; 54 | RADIO_STATIONFILE = stationsfile; 55 | GIN_MODE = "release"; 56 | }; 57 | serviceConfig = { 58 | DynamicUser = true; 59 | ExecStart = "${radio.packages.x86_64-linux.default}/bin/radio"; 60 | Restart = "on-failure"; 61 | RestartSec = "5s"; 62 | }; 63 | }; 64 | }; 65 | } 66 | -------------------------------------------------------------------------------- /modules/screego/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | lib, 4 | pkgs, 5 | ... 
6 | }: 7 | let 8 | cfg = config.pinpox.services.screego; 9 | in 10 | { 11 | options.pinpox.services.screego = { 12 | enable = lib.mkEnableOption "screego server"; 13 | 14 | domain = lib.mkOption { 15 | type = lib.types.str; 16 | default = "0cx.de"; 17 | description = "Domain to create the sudomains unders"; 18 | }; 19 | 20 | }; 21 | 22 | config = lib.mkIf cfg.enable { 23 | 24 | services.caddy = { 25 | enable = true; 26 | virtualHosts = { 27 | "screen.${cfg.domain}".extraConfig = "reverse_proxy 127.0.0.1:5050"; 28 | "turn.${cfg.domain}".extraConfig = "reverse_proxy 127.0.0.1:5050"; 29 | }; 30 | }; 31 | 32 | clan.core.vars.generators."screego" = { 33 | 34 | files.envfile = { }; 35 | files.users = { }; 36 | files.prometheus-pass = { }; 37 | 38 | runtimeInputs = with pkgs; [ 39 | coreutils 40 | screego 41 | xkcdpass 42 | ]; 43 | 44 | script = '' 45 | echo "SCREEGO_SECRET=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 40)" > $out/envfile 46 | xkcdpass -n 4 -d - > $out/prometheus-pass 47 | cat $out/prometheus-pass | screego hash --name "prometheus" --pass - > $out/users 48 | ''; 49 | }; 50 | 51 | systemd.services.screego.serviceConfig.LoadCredential = [ 52 | "users:${config.clan.core.vars.generators.screego.files."users".path}" 53 | ]; 54 | 55 | services.screego = { 56 | enable = true; 57 | openFirewall = true; 58 | environmentFile = "${config.clan.core.vars.generators.screego.files."envfile".path}"; 59 | settings = { 60 | # SCREEGO_EXTERNAL_IP = "46.38.242.17"; 61 | SCREEGO_EXTERNAL_IP = "dns:screen.${cfg.domain}"; 62 | SCREEGO_SERVER_TLS = "false"; 63 | SCREEGO_CORS_ALLOWED_ORIGINS = "https://screen.${cfg.domain}"; 64 | SCREEGO_USERS_FILE = "%d/users"; 65 | SCREEGO_PROMETHEUS = "true"; 66 | }; 67 | }; 68 | }; 69 | } 70 | -------------------------------------------------------------------------------- /modules/sound/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.defaults.sound; 10 | in 11 | { 12 | 13 | options.pinpox.defaults.sound = { 14 | enable = mkEnableOption "sound defaults"; 15 | }; 16 | config = mkIf cfg.enable { 17 | 18 | environment.systemPackages = [ pkgs.qjackctl ]; 19 | 20 | services.pipewire = { 21 | enable = true; 22 | 23 | # Use pipeware to emulate jack and pulseaudio 24 | jack.enable = true; 25 | pulse.enable = true; 26 | alsa.enable = true; 27 | 28 | configPackages = 29 | 30 | let 31 | rnnoiseFilter = { 32 | nodes = [ 33 | { 34 | type = "ladspa"; 35 | name = "rnnoise"; 36 | plugin = "${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so"; 37 | label = "noise_suppressor_mono"; 38 | control = { 39 | "VAD Threshold (%)" = 75.0; 40 | "VAD Grace Period (ms)" = 200; 41 | "Retroactive VAD Grace (ms)" = 100; 42 | }; 43 | } 44 | ]; 45 | }; 46 | 47 | mkFilterChain = 48 | { 49 | name, 50 | capture, 51 | playback, 52 | }: 53 | { 54 | name = "libpipewire-module-filter-chain"; 55 | 56 | args = { 57 | "node.description" = name; 58 | "media.name" = name; 59 | 60 | "filter.graph" = rnnoiseFilter; 61 | 62 | "capture.props" = { 63 | "audio.rate" = 48000; 64 | } // capture; 65 | 66 | "playback.props" = { 67 | "audio.rate" = 48000; 68 | } // playback; 69 | }; 70 | }; 71 | 72 | inputFilter = mkFilterChain { 73 | name = "Noise Cancelling Source"; 74 | 75 | capture = { 76 | # > indicate that a link is passive and does not cause the graph to be runnable. 
77 | # https://docs.pipewire.org/group__pw__keys.html#gafcd3d133168b9353c89c1c5f2de6954e 78 | "node.passive" = true; 79 | "node.name" = "capture.rnnoise_source"; 80 | }; 81 | playback = { 82 | "node.name" = "rnnoise_source"; 83 | "media.class" = "Audio/Source"; 84 | }; 85 | }; 86 | 87 | outputFilter = mkFilterChain { 88 | name = "Noise Cancelling Sink"; 89 | 90 | capture = { 91 | "node.name" = "capture.rnnoise_sink"; 92 | "media.class" = "Audio/Sink"; 93 | }; 94 | playback = { 95 | "node.passive" = true; 96 | "node.name" = "rnnoise_sink"; 97 | "media.class" = "Stream/Output/Audio"; 98 | }; 99 | }; 100 | 101 | config = { 102 | "context.modules" = [ 103 | inputFilter 104 | outputFilter 105 | ]; 106 | }; 107 | in 108 | [ 109 | (pkgs.writeTextDir "share/pipewire/pipewire.conf.d/99-input-denoising.conf" ( 110 | builtins.toJSON config 111 | )) 112 | ]; 113 | 114 | }; 115 | 116 | # Use noisetorch (RNnoise) to create a virtual source with noise removal 117 | programs.noisetorch.enable = true; 118 | 119 | # services.pipewire.wireplumber.enable = true; 120 | 121 | # environment.etc."wireplumber/main.lua.d/90-suspend-timeout.lua" = { 122 | # text = '' 123 | # session.suspend-timeout-seconds = 0 124 | # ''; 125 | # }; 126 | }; 127 | } 128 | -------------------------------------------------------------------------------- /modules/thelounge/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}:
2 | with lib;
3 | let
4 |   cfg = config.pinpox.services.thelounge;
5 | in
6 | { # The Lounge module: loopback-only listener plus the list of state paths sent to the offsite backup
7 |
8 |   options.pinpox.services.thelounge = {
9 |     enable = mkEnableOption "The Lounge IRC client and bouncer";
10 |   };
11 |
12 |   config = mkIf cfg.enable {
13 |
14 |     services.thelounge = {
15 |
16 |       enable = true;
17 |       port = 9090; # Default port
18 |       public = false; # not a public instance; presumably this means every user needs an account
19 |       extraConfig = {
20 |         host = "127.0.0.1"; # listens on loopback only
21 |         reverseProxy = true; # NOTE(review): presumably makes the app trust proxy-supplied client addresses; safe only while the listener stays on loopback. No proxy vhost is defined in this module
22 |         storagePolicy = {
23 |           enabled = true;
24 |           maxAgeDays = 365;
25 |           deletionPolicy = "everything";
26 |         };
27 |
28 |         # TODO default network to mattermost bridge
29 |         # defaults = {};
30 |         theme = "morning";
31 |       };
32 |     };
33 |
34 |     pinpox.services.restic-client.backup-paths-offsite = [ # NOTE(review): users/, certificates/ and vapid.json presumably hold credentials and private keys; confirm the offsite repository is encrypted
35 |       "/var/lib/thelounge/certificates"
36 |       "/var/lib/thelounge/config.js"
37 |       # Don't backup logs for now - too big.
38 |       # "/var/lib/thelounge/logs"
39 |       # "/var/lib/thelounge/packages"
40 |       "/var/lib/thelounge/sts-policies.json"
41 |       "/var/lib/thelounge/users"
42 |       "/var/lib/thelounge/vapid.json"
43 |     ];
44 |   };
45 | }
46 |
--------------------------------------------------------------------------------
/modules/unbound-desktop/default.nix:
--------------------------------------------------------------------------------
1 | { lib, config, ...
}:
2 | with lib;
3 | let
4 |   cfg = config.pinpox.services.unbound-desktop;
5 | in
6 | { # Desktop resolver module: loopback-only unbound forwarding upstream over TLS, plus Avahi/mDNS
7 |
8 |   options.pinpox.services.unbound-desktop = {
9 |     enable = mkEnableOption "local unbound for desktops";
10 |   };
11 |
12 |   config = mkIf cfg.enable {
13 |
14 |     services.avahi = {
15 |       enable = true;
16 |       nssmdns4 = true;
17 |       nssmdns6 = true;
18 |       openFirewall = true; # opens the firewall for Avahi
19 |       publish = { # NOTE(review): addresses, workstation and user services are announced on whatever network the desktop is attached to; confirm that is wanted outside the home LAN
20 |         enable = true;
21 |         addresses = true;
22 |         workstation = true;
23 |         userServices = true;
24 |         domain = true;
25 |       };
26 |     };
27 |
28 |     networking.networkmanager.insertNameservers = config.services.unbound.settings.server.interface; # NetworkManager is pointed at unbound's listen address(es)
29 |     # networking.networkmanager.dns = "unbound";
30 |     # services.resolved.enable = false;
31 |     networking.search = [ "fritz.box" ];
32 |
33 |     services.unbound = {
34 |       enable = true;
35 |       settings = {
36 |
37 |         server = {
38 |           interface = [ "127.0.0.1" ]; # resolver listens on loopback only
39 |
40 |           # include = [
41 |           # "\"${dns-overwrites-config}\""
42 |           # "\"${flake-self.inputs.adblock-unbound.packages.${pkgs.system}.unbound-adblockStevenBlack}\""
43 |           # ];
44 |
45 |           access-control = [ "127.0.0.0/8 allow" ]; # only loopback clients may query
46 |         };
47 |
48 |         domain-insecure = [ "fritz.box" ]; # DNSSEC validation is skipped for the router's zone. NOTE(review): this sits beside `server`, not inside it; confirm it lands in the server: clause of the rendered unbound.conf
49 |         stub-zone = [
50 |           {
51 |             name = "fritz.box";
52 |             stub-addr = "192.168.101.1"; # local names are resolved by the router (no TLS options on this zone)
53 |           }
54 |         ];
55 |
56 |         forward-zone = [
57 |           {
58 |             name = "google.*."; # NOTE(review): unbound zone names are plain domain names; confirm a wildcard like this matches anything
59 |             forward-addr = [
60 |               "8.8.8.8@853#dns.google"
61 |               "8.8.8.4@853#dns.google" # NOTE(review): Google Public DNS's second address is 8.8.4.4; 8.8.8.4 looks like a typo, verify
62 |             ];
63 |             forward-tls-upstream = "yes"; # upstream queries use TLS; the #name suffix above is what the certificate is checked against
64 |           }
65 |           {
66 |             name = ".";
67 |             forward-addr = [
68 |               "1.1.1.1@853#cloudflare-dns.com"
69 |               "1.0.0.1@853#cloudflare-dns.com"
70 |               "192.168.101.1" # NOTE(review): no @port#name here although TLS is forced for this zone, so there is no certificate name to check; confirm this fallback behaves as intended
71 |             ];
72 |             forward-tls-upstream = "yes";
73 |           }
74 |         ];
75 |         # remote-control.control-enable = true;
76 |       };
77 |     };
78 |   };
79 | }
80 |
--------------------------------------------------------------------------------
/modules/vaultwarden/default.nix:
--------------------------------------------------------------------------------
1 | {
2 |   config,
3 |   lib,
4 |   pinpox-utils,
5 |   ...
6 | }:
7 | with lib;
8 | let
9 |   cfg = config.pinpox.services.vaultwarden;
10 | in
11 | { # Vaultwarden module: Caddy vhost, service settings, prompted secrets, and offsite backup paths
12 |
13 |   options.pinpox.services.vaultwarden = {
14 |     enable = mkEnableOption "vaultwarden password manager";
15 |
16 |     host = mkOption {
17 |       type = types.str;
18 |       default = "pass.pablo.tools";
19 |       description = "Host serving vaultwarden";
20 |       example = "pass.pablo.tools";
21 |     };
22 |   };
23 |
24 |   config = mkIf cfg.enable {
25 |
26 |     services.caddy = {
27 |       enable = true;
28 |       virtualHosts."${cfg.host}".extraConfig = ''
29 |         reverse_proxy 127.0.0.1:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}
30 |       ''; # Caddy forwards to ROCKET_PORT on loopback. NOTE(review): ROCKET_ADDRESS is not set in this module, so the bind address comes from upstream defaults; confirm the port is not reachable directly
31 |     };
32 |
33 |     systemd.services.backup-vaultwarden.serviceConfig.StateDirectory = "vaultwarden-backups"; # matches backupDir below
34 |
35 |     services.vaultwarden = {
36 |       enable = true;
37 |       dbBackend = "sqlite"; # Still in /var/lib/bitwarden_rs
38 |       backupDir = "/var/lib/vaultwarden-backups"; # backup its persistent data
39 |       config = {
40 |         DOMAIN = "https://${cfg.host}";
41 |         SIGNUPS_ALLOWED = false; # open self-registration is off
42 |         INVITATIONS_ALLOWED = "true"; # invitations stay enabled while signups are off
43 |         ROCKET_PORT = 8222;
44 |         EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "ssh-key-vault-item,ssh-agent";
45 |       };
46 |
47 |       environmentFile = "${config.clan.core.vars.generators."vaultwarden".files."envfile".path}"; # the three secrets named below are read from this generated file instead of being written in config
48 |     };
49 |
50 |     clan.core.vars.generators."vaultwarden" = pinpox-utils.mkEnvGenerator [ # values are prompted for by the generator, not stored in this repository file
51 |       "YUBICO_CLIENT_ID"
52 |       "YUBICO_SECRET_KEY"
53 |       "ADMIN_TOKEN" # NOTE(review): vaultwarden can take an Argon2 PHC string here instead of a plaintext token; the prompt stores whatever is entered
54 |     ];
55 |
56 |     # Backup DB and persistent data (e.g. attachments)
57 |     pinpox.services.restic-client.backup-paths-offsite = [ # NOTE(review): these paths hold the vault database; presumably the restic repository is encrypted, confirm where its key is kept
58 |       "${config.services.vaultwarden.backupDir}"
59 |       "/var/lib/bitwarden_rs"
60 |     ];
61 |   };
62 | }
63 |
--------------------------------------------------------------------------------
/modules/vikunja/default.nix:
--------------------------------------------------------------------------------
1 | {
2 |   config,
3 |   lib,
4 |   pinpox-utils,
5 |   ...
6 | }:
7 | with lib;
8 | let
9 |   cfg = config.pinpox.services.vikunja;
10 | in
11 | { # Vikunja module: Caddy vhost, prompted secrets, mailer, metrics, and OpenID-only login
12 |
13 |   options.pinpox.services.vikunja = {
14 |     enable = mkEnableOption "vikunja config";
15 |     host = mkOption {
16 |       type = types.str;
17 |       default = "todo.0cx.de";
18 |       description = "Host serving vikunja";
19 |       example = "tasks.0cx.de";
20 |     };
21 |   };
22 |
23 |   config = mkIf cfg.enable {
24 |
25 |     services.caddy.virtualHosts."${cfg.host}".extraConfig =
26 |       "reverse_proxy localhost:${toString config.services.vikunja.port}"; # Caddy forwards to the service port on localhost
27 |
28 |     clan.core.vars.generators."vikunja" = pinpox-utils.mkEnvGenerator [ # four secrets are prompted for and delivered through the env file below
29 |       "VIKUNJA_AUTH_OPENID_PROVIDERS_DEX_CLIENTID"
30 |       "VIKUNJA_AUTH_OPENID_PROVIDERS_DEX_CLIENTSECRET"
31 |       "VIKUNJA_METRIC_PASSWORD" # NOTE(review): the settings key below is `metrics`; if env names follow config keys the expected name is presumably VIKUNJA_METRICS_PASSWORD. Verify, otherwise the metrics endpoint may run without the intended password
32 |       "VIKUNJA_MAILER_PASSWORD"
33 |     ];
34 |
35 |     services.vikunja = {
36 |       enable = true;
37 |       port = 3456;
38 |       environmentFiles = [ config.clan.core.vars.generators."vikunja".files."envfile".path ];
39 |
40 |       frontendScheme = "https";
41 |       frontendHostname = cfg.host;
42 |
43 |       settings = {
44 |
45 |         service.timezone = "Europe/Berlin";
46 |         files.basepath = "/var/lib/vikunja/files";
47 |
48 |         defaultsettings = {
49 |           discoverable_by_name = true;
50 |           discoverable_by_email = true; # new accounts are findable by e-mail address by default
51 |           email_reminders_enabled = true;
52 |           overdue_tasks_reminders_enabled = true;
53 |           overdue_tasks_reminders_time = "10:00";
54 |           week_start = "1";
55 |         };
56 |
57 |         mailer = {
58 |           enabled = true;
59 |           host = "smtp.sendgrid.net";
60 |           username = "apikey";
61 |           frommail = "todo@0cx.de";
62 |           port = "587";
63 |           authtype = "plain";
64 |           skiptlsverify = "false"; # NOTE(review): a string, while forcessl below is a boolean; confirm it is parsed as false and not as a truthy non-empty value
65 |           forcessl = true; # NOTE(review): 587 is normally the STARTTLS submission port; confirm forced TLS works on it
66 |         };
67 |
68 |         metrics = {
69 |           enabled = true;
70 |           username = "prometheus"; # the matching password is expected from the env file, see the generator above
71 |         };
72 |
73 |         auth = {
74 |           local.enabled = false; # local password login is off; sign-in goes through the OpenID provider below
75 |           openid = {
76 |             enabled = true;
77 |             redirect_url = "https://todo.0cx.de/auth/openid/"; # NOTE(review): hard-coded host; it diverges from cfg.host if the option is overridden, and a redirect mismatch breaks login
78 |             providers.dex = {
79 |               authurl = "https://login.0cx.de";
80 |               name = "dex";
81 |             };
82 |           };
83 |         };
84 |       };
85 |     };
86 |   };
87 | }
88 |
--------------------------------------------------------------------------------
/modules/virtualisation/default.nix:
--------------------------------------------------------------------------------
1 | {
2 |   config,
3 |   pkgs,
4 |   lib,
5 |   ...
6 | }:
7 | with lib;
8 | let
9 |   cfg = config.pinpox.virtualisation;
10 | in
11 | { # Virtualisation module: declares docker and virtualbox enable options; only virtualbox.enable is read below
12 |
13 |   options.pinpox.virtualisation.docker = {
14 |     enable = mkEnableOption "Docker virtualisation";
15 |   };
16 |
17 |   options.pinpox.virtualisation.virtualbox = {
18 |     enable = mkEnableOption "VirtualBox virtualisation";
19 |   };
20 |
21 |   # TODO separate virtualbox and docker into separate enable options. For now
22 |   # the virtualbox.enable option enables both while the docker.enable does
23 |   # nothing
24 |
25 |   config = mkIf cfg.virtualbox.enable { # everything below, Docker included, is gated on virtualbox.enable
26 |
27 |     users.users.pinpox.extraGroups = [ "docker" ]; # docker group members can drive the Docker daemon, which is effectively root on the host
28 |
29 |     virtualisation.docker.enable = true;
30 |
31 |     virtualisation.virtualbox.host.enable = true;
32 |     # virtualisation.virtualbox.host.enableKvm = true;
33 |     # virtualisation.virtualbox.host.addNetworkInterface = false;
34 |
35 |     # virtualisation.virtualbox.host.enableExtensionPack = true;
36 |     users.extraGroups.vboxusers.members = [ "pinpox" ];
37 |   };
38 | }
39 |
--------------------------------------------------------------------------------
/modules/wastebin/default.nix:
--------------------------------------------------------------------------------
1 | {
2 |   config,
3 |   lib,
4 |   pkgs,
5 |   ...
6 | }:
7 | with lib;
8 | let
9 |   cfg = config.pinpox.services.wastebin;
10 | in
11 | { # Wastebin module: generated salt and signing key, loopback listener, Caddy vhost for paste.0cx.de
12 |
13 |   options.pinpox.services.wastebin.enable = mkEnableOption "wastebin server";
14 |
15 |   config = mkIf cfg.enable {
16 |
17 |     clan.core.vars.generators."wastebin" = {
18 |       files.envfile = { };
19 |       runtimeInputs = [ pkgs.coreutils ];
20 |       script = ''
21 |         echo "WASTEBIN_PASSWORD_SALT=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 80)" >> $out/envfile
22 |         echo "WASTEBIN_SIGNING_KEY=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 80)" >> $out/envfile
23 |       ''; # both values are 80 alphanumerics read from /dev/urandom and appended (>>) to envfile. NOTE(review): regenerating them presumably invalidates data protected with the old values; confirm before rotating
24 |     };
25 |
26 |     # Create system user and group
27 |     services.wastebin = {
28 |       enable = true;
29 |
30 |       secretFile = config.clan.core.vars.generators."wastebin".files."envfile".path; # salt and signing key are read from the generated file, not from settings
31 |
32 |       settings = {
33 |         WASTEBIN_ADDRESS_PORT = "127.0.0.1:8088"; # loopback only; the Caddy vhost below is the public entry point
34 |         WASTEBIN_BASE_URL = "https://paste.0cx.de";
35 |         WASTEBIN_HTTP_TIMEOUT = 7;
36 |         WASTEBIN_MAX_BODY_SIZE = 16384; # caps the request body size
37 |         WASTEBIN_TITLE = "wastebin";
38 |         RUST_LOG = "warning"; # NOTE(review): Rust log filters usually spell this level `warn`; confirm `warning` is parsed as a level
39 |       };
40 |     };
41 |
42 |     # Reverse proxy
43 |     services.caddy.virtualHosts."paste.0cx.de".extraConfig =
44 |       "reverse_proxy ${config.services.wastebin.settings.WASTEBIN_ADDRESS_PORT}"; # reuses the listen address above, so proxy and service cannot drift apart
45 |   };
46 | }
47 |
--------------------------------------------------------------------------------
/modules/wayland/default.nix:
--------------------------------------------------------------------------------
1 | {
2 |   config,
3 |   pkgs,
4 |   lib,
5 |   ...
6 | }: 7 | with lib; 8 | let 9 | cfg = config.pinpox.services.wayland; 10 | in 11 | { 12 | 13 | options.pinpox.services.wayland = { 14 | enable = mkEnableOption "wayland configuration"; 15 | }; 16 | 17 | config = mkIf cfg.enable { 18 | 19 | # Wayland/sway 20 | programs.sway.enable = true; 21 | 22 | # Turn on wayland support for some electron apps 23 | environment.sessionVariables = { 24 | LIBVA_DRIVER_NAME = "iHD"; 25 | NIXOS_OZONE_WL = "1"; 26 | }; 27 | 28 | # Extra portals (screensharing) 29 | xdg.portal = { 30 | enable = true; 31 | config.common.default = [ 32 | "wlr" 33 | "gtk" 34 | ]; 35 | wlr = { 36 | enable = true; 37 | settings = { 38 | screencast = { 39 | max_fps = 30; 40 | chooser_type = "simple"; 41 | chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or"; 42 | }; 43 | }; 44 | }; 45 | extraPortals = [ 46 | pkgs.xdg-desktop-portal-gtk 47 | ]; 48 | }; 49 | 50 | environment.systemPackages = [ 51 | pkgs.xdg-desktop-portal 52 | pkgs.wdisplays # Configure screen placement 53 | ]; 54 | 55 | }; 56 | } 57 | -------------------------------------------------------------------------------- /modules/yubikey/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | config, 3 | pkgs, 4 | lib, 5 | ... 
6 | }:
7 | with lib;
8 | let
9 |   cfg = config.pinpox.defaults.yubikey;
10 | in
11 | { # Despite the option name, most of this module sets up a TPM2-backed PKCS#11 provider for ssh-agent; the YubiKey part is the udev package at the end
12 |
13 |   options.pinpox.defaults.yubikey.enable = mkEnableOption "yubikey defaults";
14 |
15 |   config = mkIf cfg.enable {
16 |
17 |     security.tpm2.enable = true;
18 |     security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
19 |     security.tpm2.pkcs11.package = pkgs.tpm2-pkcs11-esapi;
20 |     security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
21 |     users.users.pinpox.extraGroups = [ config.security.tpm2.tssGroup ]; # tss group has access to TPM devices
22 |
23 |     programs.ssh.startAgent = true;
24 |     programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/*"; # restricts the PKCS#11 modules ssh-agent will load to libraries under this package's lib directory
25 |
26 |     # services.yubikey-agent.enable = false;
27 |     services.udev.packages = [ pkgs.yubikey-personalization ]; # udev rules shipped with yubikey-personalization
28 |   };
29 | }
30 |
--------------------------------------------------------------------------------
/modules/zsh/default.nix:
--------------------------------------------------------------------------------
1 | {
2 |   config,
3 |   pkgs,
4 |   lib,
5 |   ...
6 | }:
7 | with lib;
8 | let
9 |   cfg = config.pinpox.defaults.zsh;
10 | in
11 | { # System-wide zsh defaults: package, ZDOTDIR, completion and autosuggestions
12 |
13 |   options.pinpox.defaults.zsh = {
14 |     enable = mkEnableOption "ZSH defaults";
15 |   };
16 |   config = mkIf cfg.enable {
17 |
18 |     environment.systemPackages = with pkgs; [ zsh ];
19 |
20 |     # Needed for yubikey to work
21 |     environment.shellInit = ''
22 |       export ZDOTDIR=$HOME/.config/zsh
23 |     '';
24 |
25 |     programs.zsh = {
26 |       enable = true;
27 |       shellAliases = {
28 |         vim = "nvim";
29 |       };
30 |       enableCompletion = true;
31 |       autosuggestions.enable = true;
32 |     };
33 |
34 |     # Needed for zsh completion of system packages, e.g.
systemd 35 | environment.pathsToLink = [ "/share/zsh" ]; 36 | }; 37 | } 38 | -------------------------------------------------------------------------------- /overlays/default.nix: -------------------------------------------------------------------------------- 1 | inputs: flake-self: 2 | let 3 | # Pass flake inputs to overlay so we can use the sources pinned in flake.lock 4 | # instead of having to keep sha256 hashes in each package for src 5 | inherit inputs; 6 | 7 | # Pass flake itself, so we can build woodpecker-pipeline and manual 8 | inherit flake-self; 9 | in 10 | self: super: { 11 | 12 | # TODO: fix infinite recursion 13 | manual = super.callPackage ../packages/manual { 14 | inherit inputs; 15 | flake-self.nixosModules = with flake-self.nixosModules; { 16 | 17 | # TODO: 18 | # Some modules cause infinite recursion, so we only pass the ones that 19 | # work. There is probably a better way, this should be automagic. 20 | 21 | # caddy-security = flake-self.nixosModules.caddy-security; 22 | 23 | inherit 24 | activation-secrets 25 | bluetooth 26 | ci 27 | default-desktop 28 | default-server 29 | dex 30 | ente 31 | environment 32 | fonts 33 | gitea 34 | hedgedoc 35 | hello 36 | home-assistant 37 | http2irc 38 | kf-homepage 39 | locale 40 | lvm-grub 41 | miniflux 42 | minio 43 | monitoring 44 | networking 45 | nextcloud 46 | nix-common 47 | ntfy-sh 48 | openssh 49 | owncast 50 | restic 51 | sound 52 | thelounge 53 | unbound-desktop 54 | vikunja 55 | virtualisation 56 | wastebin 57 | wireguard-client 58 | yubikey 59 | zsh 60 | ; 61 | }; 62 | }; 63 | 64 | # TODO workaround for 65 | # https://github.com/nix-community/home-manager/issues/5991, remove when 66 | # merged 67 | utillinux = super.util-linux; 68 | 69 | woodpecker-pipeline = super.callPackage ../packages/woodpecker-pipeline { 70 | inherit inputs; 71 | inherit flake-self; 72 | }; 73 | 74 | # Override unfree src with flake input 75 | # ndi = super.ndi.overrideAttrs (old: { 76 | # src = inputs.ndi-linux; 77 | # 
unpackPhase = '' 78 | # echo y | $src; 79 | # sourceRoot="NDI SDK for Linux"; 80 | # ''; 81 | # }); 82 | 83 | # museum = super.callPackage ../packages/ente/museum.nix { }; 84 | ente-web = super.callPackage ../packages/ente/web.nix { }; 85 | 86 | # TODO remove when fixed upsteam 87 | zynaddsubfx = super.zynaddsubfx.overrideAttrs (old: { 88 | CXXFLAGS = [ 89 | # GCC 13: error: 'uint8_t' does not name a type 90 | "-include cstdint" 91 | ]; 92 | }); 93 | 94 | # Override packages from master until fixes arrive 95 | # TODO Remove 96 | dmraid = inputs.nixpkgs-master.legacyPackages."${super.system}".dmraid; 97 | fzf-tab-zsh = inputs.nixpkgs-master.legacyPackages."${super.system}".fzf-tab-zsh; 98 | zsh-fzf-tab = inputs.nixpkgs-master.legacyPackages."${super.system}".zsh-fzf-tab; 99 | 100 | # Example package, used only for tests 101 | hello-custom = super.callPackage ../packages/hello-custom { }; 102 | # river-luatile = super.callPackage ../packages/river-luatile { }; 103 | fritzbox_exporter = super.callPackage ../packages/fritzbox_exporter { }; 104 | mqtt2prometheus = super.callPackage ../packages/mqtt2prometheus { }; 105 | 106 | # Custom packages. Will be made available on all machines and used where 107 | # needed. 108 | smartmon-script = super.callPackage ../packages/smartmon-script { }; 109 | 110 | # Use custom neovim in standalone flake 111 | neovim = inputs.pinpox-neovim.packages.x86_64-linux.pinpox-neovim; 112 | 113 | # ZSH plugins 114 | zsh-abbrev-alias = super.callPackage ../packages/zsh-abbrev-alias { inputs = inputs; }; 115 | zsh-colored-man-pages = super.callPackage ../packages/zsh-colored-man-pages { inputs = inputs; }; 116 | 117 | forgit = super.callPackage ../packages/forgit { inputs = inputs; }; 118 | } 119 | -------------------------------------------------------------------------------- /overlays/nextcloud.patch: -------------------------------------------------------------------------------- 1 | 
From 3c3e45f0ad4b4f10161197f70daf46c8888ba91e Mon Sep 17 00:00:00 2001
2 | From: Josh
3 | Date: Fri, 23 Feb 2024 12:55:58 -0500
4 | Subject: [PATCH] fix(Files): Change how scanner diffs for changed metadata
5 |
6 | Fixes #43408
7 |
8 | Signed-off-by: Josh
9 | ---
10 | lib/private/Files/Cache/Scanner.php | 49 +++++++++++++++++++++++++++--
11 | 1 file changed, 47 insertions(+), 2 deletions(-)
12 |
13 | diff --git a/lib/private/Files/Cache/Scanner.php b/lib/private/Files/Cache/Scanner.php
14 | index 1c66f3af8d2b0..4aef73b9b2522 100644
15 | --- a/lib/private/Files/Cache/Scanner.php
16 | +++ b/lib/private/Files/Cache/Scanner.php
17 | @@ -221,8 +221,9 @@ public function scanFile($file, $reuseExisting = 0, $parentId = -1, $cacheData =
18 | }
19 |
20 | // Only update metadata that has changed
21 | - $newData = array_diff_assoc($data, $cacheData->getData());
22 | -
23 | + // i.e. get all the values in $data that are not present in the cache already
24 | + $newData = $this->array_diff_assoc_multi($data, $cacheData->getData());
25 | +
26 | // make it known to the caller that etag has been changed and needs propagation
27 | if (isset($newData['etag'])) {
28 | $data['etag_changed'] = true;
29 |
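Review bot: The new `$this->array_diff_assoc_multi($data, $cacheData->getData())` call depends on the helper added in the next hunk, which recurses with `$array2[$key]` whenever `$value` is an array; because the helper's second parameter is typed `array`, a cached value that is a scalar or null under the same key would raise a TypeError instead of being reported as changed. Guarding the recursion with `if (is_array($value) && is_array($array2[$key])) {` and falling back to `$result[$key] = $value;` when only the new side is an array would keep a scan from aborting on an unexpected cache row. The helper's docblock also says "between $array1 and $array1" and declares `@throws \InvalidArgumentException`, which the body never throws. scanFile's body starts and ends outside this hunk, so whether cached rows can differ in shape is not visible here.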
@@ -369,6 +370,50 @@ public function scan($path, $recursive = self::SCAN_RECURSIVE, $reuse = -1, $loc
30 | return $data;
31 | }
32 |
33 | + /**
34 | + * Compares $array1 against $array2 and returns all the values in $array1 that are not in $array2
35 | + * Note this is a one-way check - i.e. we don't care about things that are in $array2 that aren't in $array1
36 | + *
37 | + * Supports multi-dimensional arrays
38 | + * Also checks keys/indexes
39 | + * Comparisons are strict just like array_diff_assoc
40 | + * Order of keys/values does not matter
41 | + *
42 | + * @param array $array1
43 | + * @param array $array2
44 | + * @return array with the differences between $array1 and $array1
45 | + * @throws \InvalidArgumentException if $array1 isn't an actual array
46 | + *
47 | + */
48 | + protected function array_diff_assoc_multi(array $array1, array $array2) {
49 | +
50 | + $result = [];
51 | +
52 | + foreach ($array1 as $key => $value) {
53 | +
54 | + // if $array2 doesn't have the same key, that's a result
55 | + if (!array_key_exists($key, $array2)) {
56 | + $result[$key] = $value;
57 | + continue;
58 | + }
59 | +
60 | + // if $array2's value for the same key is different, that's a result
61 | + if ($array2[$key] !== $value && !is_array($value)) {
62 | + $result[$key] = $value;
63 | + continue;
64 | + }
65 | +
66 | + if (is_array($value)) {
67 | + $nestedDiff = $this->array_diff_assoc_multi($value, $array2[$key]);
68 | + if (!empty($nestedDiff)) {
69 | + $result[$key] = $nestedDiff;
70 | + continue;
71 | + }
72 | + }
73 | + }
74 | + return $result;
75 | + }
76 | +
77 | /**
78 | * Get the children currently in the cache
79 | *
80 |
--------------------------------------------------------------------------------
/packages/ente/web.nix:
--------------------------------------------------------------------------------
1 | {
2 | lib,
3 | stdenv,
4 | fetchFromGitHub,
5 | fetchYarnDeps,
6 | nodejs,
7 | yarnConfigHook,
8 | yarnBuildHook,
9 | extraBuildEnv ?
null, 10 | }: 11 | 12 | stdenv.mkDerivation (finalAttrs: { 13 | pname = "ente-web"; 14 | version = "0.9.16"; 15 | 16 | src = 17 | fetchFromGitHub { 18 | owner = "ente-io"; 19 | repo = "ente"; 20 | sparseCheckout = [ "web" ]; 21 | rev = "photos-v${finalAttrs.version}"; 22 | fetchSubmodules = true; 23 | hash = "sha256-DqfUUXY79CndEqPT8TR4PasLtaSCtqZaV2kp10Vu4PQ="; 24 | } 25 | + "/web"; 26 | 27 | offlineCache = fetchYarnDeps { 28 | yarnLock = "${finalAttrs.src}/yarn.lock"; 29 | hash = "sha256-tgFh8Av1Wl77N4hR2Y5TQp9lEH4ZCQnCIWMPmlZBlV4="; 30 | }; 31 | 32 | nativeBuildInputs = [ 33 | yarnConfigHook 34 | yarnBuildHook 35 | nodejs 36 | ]; 37 | 38 | # See: https://github.com/ente-io/ente/blob/main/web/apps/photos/.env 39 | env = lib.optionals (extraBuildEnv != null) extraBuildEnv; 40 | 41 | installPhase = '' 42 | cp -r apps/photos/out $out 43 | ''; 44 | 45 | meta = { 46 | description = "Web client for Ente Photos"; 47 | homepage = "https://ente.io/"; 48 | license = lib.licenses.agpl3Only; 49 | maintainers = with lib.maintainers; [ 50 | surfaceflinger 51 | pinpox 52 | ]; 53 | platforms = lib.platforms.all; 54 | }; 55 | }) 56 | -------------------------------------------------------------------------------- /packages/forgit/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | stdenvNoCC, 3 | lib, 4 | fetchFromGitHub, 5 | inputs, 6 | }: 7 | 8 | stdenvNoCC.mkDerivation rec { 9 | pname = "forgit"; 10 | version = "latest"; 11 | 12 | src = inputs.forgit; 13 | 14 | dontConfigure = true; 15 | dontBuild = true; 16 | 17 | installPhase = '' 18 | plugindir="$out/share/forgit" 19 | mkdir -p "$plugindir" 20 | cp -r * "$plugindir"/ 21 | ''; 22 | 23 | meta = with lib; { 24 | description = "A utility tool powered by fzf for using git interactively."; 25 | homepage = "https://github.com/wfxr/forgit"; 26 | license = licenses.mit; 27 | platforms = platforms.unix; 28 | }; 29 | } 30 | 
-------------------------------------------------------------------------------- /packages/fritzbox_exporter/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | fetchFromGitHub, 4 | buildGoModule, 5 | pkgs, 6 | }: 7 | 8 | buildGoModule rec { 9 | pname = "fritzbox_exporter"; 10 | version = "latest"; 11 | 12 | # vendorHash = null; 13 | vendorHash = "sha256-jcHJNTdiYRQcjJr9VcABY5Ark4bmzqsJcn1iMW09Xl0="; 14 | 15 | nativeBuildInputs = with pkgs; [ pkg-config ]; 16 | 17 | # Updated 2022-01-11 18 | src = fetchFromGitHub { 19 | owner = "sberk42"; 20 | repo = "fritzbox_exporter"; 21 | rev = "baa6961be43256af0d904642492e016a35f2a135"; 22 | sha256 = "sha256-ANK8sIHn2vx5+XJ0c6U2uQQiDBYhTfQ65RASdXPtF7w="; 23 | }; 24 | 25 | meta = with lib; { 26 | maintainers = with maintainers; [ pinpox ]; 27 | license = licenses.asl20; 28 | description = "Fritzbox exporter for prometheus"; 29 | }; 30 | } 31 | -------------------------------------------------------------------------------- /packages/hello-custom/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | stdenv, 4 | fetchurl, 5 | }: 6 | 7 | stdenv.mkDerivation rec { 8 | pname = "hello"; 9 | version = "2.10"; 10 | 11 | src = fetchurl { 12 | url = "mirror://gnu/hello/${pname}-${version}.tar.gz"; 13 | sha256 = "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"; 14 | }; 15 | 16 | doCheck = true; 17 | 18 | meta = with lib; { 19 | description = "A program that produces a familiar, friendly greeting"; 20 | longDescription = '' 21 | GNU Hello is a program that prints "Hello, world!" when you run it. 22 | It is fully customizable. 
23 | ''; 24 | homepage = "https://www.gnu.org/software/hello/manual/"; 25 | changelog = "https://git.savannah.gnu.org/cgit/hello.git/plain/NEWS?h=v${version}"; 26 | license = licenses.gpl3Plus; 27 | maintainers = [ maintainers.eelco ]; 28 | platforms = platforms.all; 29 | }; 30 | } 31 | -------------------------------------------------------------------------------- /packages/manual/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | stdenvNoCC, 3 | pkgs, 4 | flake-self, 5 | inputs, 6 | }: 7 | 8 | stdenvNoCC.mkDerivation rec { 9 | pname = "flake-manual"; 10 | version = "latest"; 11 | src = ./.; 12 | dontConfigure = true; 13 | dontUnpack = true; 14 | 15 | buildPhase = 16 | 17 | let 18 | options-json = 19 | let 20 | 21 | isValidOpt = 22 | a: 23 | (builtins.hasAttr "_type" a) 24 | && (a._type == "option") 25 | && (builtins.hasAttr "default" a) 26 | && (builtins.hasAttr "example" a) 27 | && (builtins.hasAttr "description" a) 28 | && (builtins.hasAttr "type" a); 29 | 30 | getOptionValues = 31 | opt: path: 32 | if builtins.typeOf opt == "set" then 33 | if isValidOpt opt then 34 | { 35 | inherit path; 36 | name = builtins.concatStringsSep "." path; 37 | example = opt.example; 38 | description = opt.description; 39 | default = opt.default; 40 | type = opt.type.description; 41 | documentedOption = true; 42 | } 43 | else 44 | # it is a set, but has no "default", recurse 45 | builtins.mapAttrs (name: value: getOptionValues value (path ++ [ "${name}" ])) opt 46 | else 47 | { }; # it is no set 48 | in 49 | pkgs.writeTextFile { 50 | name = "options.json"; 51 | text = 52 | builtins.toJSON 53 | 54 | { 55 | options = pkgs.lib.attrsets.collect (o: o ? 
"documentedOption") ( 56 | pkgs.lib.attrsets.mapAttrs ( 57 | name: value: 58 | let 59 | allopts = getOptionValues (value ( 60 | { 61 | inherit (inputs) flake-self; 62 | inherit pkgs; 63 | lib = pkgs.lib; 64 | config = { }; 65 | } 66 | // inputs 67 | )) [ ]; 68 | in 69 | if 70 | # Filter out everything that has no ".options.pinpox" 71 | builtins.hasAttr "options" allopts 72 | then 73 | if builtins.hasAttr "pinpox" allopts.options then allopts.options.pinpox else null 74 | else 75 | null 76 | ) flake-self.nixosModules 77 | ); 78 | }; 79 | }; 80 | in 81 | '' 82 | cat ${options-json} | ${pkgs.mustache-go}/bin/mustache --allow-missing-variables=false ${src}/template.html > index.html 83 | ''; 84 | 85 | installPhase = '' 86 | mkdir -p "$out" 87 | cp index.html "$out" 88 | ''; 89 | 90 | meta = { 91 | description = "Manual for this flake as package"; 92 | homepage = "https://github.com/pinpox/nixos"; 93 | }; 94 | } 95 | -------------------------------------------------------------------------------- /packages/manual/template.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Module Options 8 | 9 | 10 | 11 | 12 |
13 |
14 |

15 | Module options 16 |

17 |

18 | Options provided by modules in 19 | github.com/pinpox/nixos 20 |

21 | 22 |
23 |

24 | 25 | 26 |

27 |
28 |
29 | {{#options}} 30 |
31 |
32 |
33 |
34 |

# {{name}}

35 |
36 |
37 |
38 |
39 | {{type}} 40 |
41 |
42 |
43 | 44 |

{{description}}

45 | 46 |
47 |

Default: {{default}}

48 |

Example: {{example}}

49 |
50 |
51 | {{/options}} 52 |
53 |
54 |
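55 | 56 | 57 | 58 | 86 |
--------------------------------------------------------------------------------
/packages/mqtt2prometheus/default.nix:
--------------------------------------------------------------------------------
{
  lib,
  fetchFromGitHub,
  buildGoModule,
  pkgs,
}:

# https://github.com/hikhvar/mqtt2prometheus
#
# Builds mqtt2prometheus from the upstream tag pinned in `src`.

buildGoModule rec {
  pname = "mqtt2prometheus";

  # Mirrors the tag pinned in `src.rev`, so the store path and any
  # version-based vulnerability matching show which release is deployed
  # (the previous value "latest" hid that).
  version = "0.1.6";

  # Fixed-output hash of the vendored Go modules; it has to be refreshed
  # together with `src` whenever the pin moves.
  # vendorHash = null;
  vendorHash = "sha256-5DIU1NUEVI7Fz6UHhC6trva9qd47DwdFNw1OxY6M37s=";

  nativeBuildInputs = with pkgs; [ pkg-config ];

  # Updated 2022-01-11
  # NOTE(review): if that date is still accurate the pin is old; check upstream
  # for newer releases and security fixes.
  #
  # The tag is only a name upstream can move; `sha256` is what actually pins
  # the fetched tree, so a changed tag fails the build instead of changing it.
  src = fetchFromGitHub {
    owner = "hikhvar";
    repo = "mqtt2prometheus";
    rev = "v${version}";
    sha256 = "sha256-55WAuu6n2h0IPIjt8iTJzNSF1Fe7roxiIS8MUXmu5Tc=";
  };

  meta = with lib; {
    maintainers = with maintainers; [ pinpox ];
    license = licenses.mit;
    description = "TODO";
  };
}

--------------------------------------------------------------------------------
/packages/raspi-image:
--------------------------------------------------------------------------------

# nix build '.#base-image'
#
# NOTE(review): this is a fragment, not a standalone file. `nixpkgs` is not
# bound here, so it only evaluates inside a scope that provides it. The build
# hint above names `.#base-image` while the attribute is `raspi-image`;
# confirm which one is current.
raspi-image =
  let
    system = "aarch64-linux";
  in
  # Evaluates ./images/raspi.nix as a NixOS system and hands its config to
  # make-disk-image.nix to produce a 4096 MiB qcow2 image.
  import "${nixpkgs}/nixos/lib/make-disk-image.nix" {
    pkgs = nixpkgs.legacyPackages."${system}";
    lib = nixpkgs.lib;
    config =
      (nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ ./images/raspi.nix ];
      }).config;
    format = "qcow2";
    diskSize = 4096;
    name = "raspi-image";
  };

--------------------------------------------------------------------------------
/packages/river-luatile/default.nix:
--------------------------------------------------------------------------------
{
  lib,
  fetchFromGitHub,
  openssl,
  luajit,
  pkg-config,
  rustPlatform,
}:

# Builds river-luatile from the upstream tag matching `version`.
rustPlatform.buildRustPackage rec {
  pname = "river-luatile";
  version = "0.1.0";

  # `sha256` pins the fetched tree, including the submodules pulled in by
  # `fetchSubmodules`.
  src = fetchFromGitHub {
    owner = "MaxVerevkin";
    repo = pname;
    fetchSubmodules = true;
    rev = "v${version}";
    sha256 = "sha256-A8vx8jN4XUUI970ZsWLKBCd5lO9p3w63b9EiGwk/rCU=";
  };

  # Pins the vendored crate set.
  # NOTE(review): newer nixpkgs releases use `cargoHash` in place of
  # `cargoSha256`; switch once the pinned nixpkgs requires it.
  cargoSha256 = "sha256-udfsd1iONlDSQ/7mzzRNNhoJHmXJsxWdhqeKK/onx+4=";

  buildInputs = [ luajit ];
  nativeBuildInputs = [ pkg-config ];

  # openssl is only made visible to pkg-config through this path; it is not
  # listed in buildInputs.
  PKG_CONFIG_PATH = "${openssl.dev}/lib/pkgconfig";

  meta = with lib; {
    homepage = "https://github.com/MaxVerevkin/river-luatile";
    description = "Write your own river layout generator in lua";
    license = licenses.gpl3;
    platforms = platforms.linux;
    maintainers = with maintainers; [ pinpox ];
  };
}

--------------------------------------------------------------------------------
/packages/smartmon-script/default.nix:
--------------------------------------------------------------------------------
{
  stdenv,
  smartmontools,
  python3,
  ...
}:
# Installs ./smartmon.py as $out/bin/smartmon-script.
stdenv.mkDerivation {
  name = "smartmon-script";

  # NOTE(review): nothing here wraps the script's PATH, so smartctl is
  # presumably expected to come from the caller's environment at runtime.
  # Confirm the unit that runs this script provides it.
  buildInputs = [
    python3
    smartmontools
  ];

  # There is no `src`, so unpacking is replaced by a no-op.
  unpackPhase = "true";
  installPhase = ''
    mkdir -p $out/bin
    cp ${./smartmon.py} $out/bin/smartmon-script
    chmod +x $out/bin/smartmon-script
  '';
}

--------------------------------------------------------------------------------
/packages/zsh-abbrev-alias/default.nix:
--------------------------------------------------------------------------------
{
  stdenvNoCC,
  lib,
  fetchFromGitHub,
  inputs,
}:

# Copies the plugin sources unchanged into $out/share/zsh-abbrev-alias.
stdenvNoCC.mkDerivation rec {
  pname = "zsh-abbrev-alias";
  version = "latest";

  # The source comes from `inputs` rather than a hash written in this file.
  # NOTE(review): presumably a flake input pinned by the lock file. The plugin
  # is shell code loaded into interactive shells, so review lock updates for it
  # like any other code change.
  src = inputs.zsh-abbrev-alias;

  dontConfigure = true;
  dontBuild = true;

  installPhase = ''
    plugindir="$out/share/zsh-abbrev-alias"
    mkdir -p "$plugindir"
    cp -r * "$plugindir"/
  '';

  meta = with lib; {
    description = "ZSH plugin with functionality similar to Vim's abbreviation expansion.";
    homepage = "https://github.com/momo-lab/zsh-abbrev-alias";
    license = licenses.mit;
    platforms = platforms.unix;
  };
}

--------------------------------------------------------------------------------
/packages/zsh-colored-man-pages/default.nix:
--------------------------------------------------------------------------------
{
  stdenvNoCC,
  lib,
  fetchFromGitHub,
  inputs,
}:

# Copies the plugin sources unchanged into $out/share/zsh-colored-man-pages.
stdenvNoCC.mkDerivation rec {
  pname = "zsh-colored-man-pages";
  version = "latest";

  # The source comes from `inputs` rather than a hash written in this file.
  # NOTE(review): presumably a flake input pinned by the lock file. The plugin
  # is shell code loaded into interactive shells, so review lock updates for it
  # like any other code change.
  src = inputs.zsh-colored-man-pages;

  dontConfigure = true;
  dontBuild = true;

  installPhase = ''
    plugindir="$out/share/zsh-colored-man-pages"
    mkdir -p "$plugindir"
    cp -r * "$plugindir"/
  '';

  meta = with lib; {
    description = "ZSH plugin that colorifies man page";
    homepage = "https://github.com/ael-code/zsh-colored-man-pages";
    license = licenses.gpl3;
    platforms = platforms.unix;
  };
}

--------------------------------------------------------------------------------
/users/pinpox.nix:
--------------------------------------------------------------------------------
{
  pkgs,
  pinpox-keys,
  ...
}:
{

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users = {

    # For Virtualbox
    extraGroups = {
      vboxusers.members = [ "pinpox" ];
    };

    # Shell is set to zsh for all users as default.
    defaultUserShell = pkgs.zsh;

    users.pinpox = {
      # initialPassword is only applied when the account is first created, and
      # the value sits in clear text in this repository and in the
      # world-readable Nix store. Treat "changeme" as public: change it right
      # after the first login, or use `hashedPasswordFile` fed from a secret.
      # NOTE(review): confirm that the SSH configuration disables password
      # authentication, so this default is never reachable over the network.
      initialPassword = "changeme";
      isNormalUser = true;
      home = "/home/pinpox";
      description = "Pablo Ovelleiro Corral";

      # `wheel` (sudo) and `docker` (access to the daemon socket is effectively
      # root) make this an administrative account.
      extraGroups = [
        "docker"
        "wheel"
        "networkmanager"
        "audio"
        "libvirtd"
        "tty"
        "dialout"
        "video"
      ];
      shell = pkgs.zsh;

      # Public ssh-keys that are authorized for the user. Fetched from github
      # `pinpox-keys` arrives as a module argument; whoever controls that file
      # controls SSH login as this user.
      # NOTE(review): confirm the fetch is pinned by hash (for example through
      # the flake lock), so a changed key list upstream cannot reach machines
      # without review.
      openssh.authorizedKeys.keyFiles = [ pinpox-keys ];
    };
  };

  # Allow to run nix (users permitted to connect to the Nix daemon)
  nix.settings.allowed-users = [ "pinpox" ];
}

--------------------------------------------------------------------------------
/users/root.nix:
--------------------------------------------------------------------------------
{
  pinpox-keys,
  ...
}:
{

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users = {

    users.root = {
      # NOTE(review): root is a system account (uid 0); marking it
      # `isNormalUser` presumably trips the NixOS user assertions on current
      # releases. Confirm whether this file is still imported, and drop the
      # flag if it is.
      isNormalUser = true;

      # Public ssh-keys that are authorized for the user. Fetched from homepage
      # and github profile.
      # These keys grant direct root login over SSH, so the source of
      # `pinpox-keys` has to be pinned and reviewed like code.
      openssh.authorizedKeys.keyFiles = [
        pinpox-keys
        # (pkgs.fetchurl {
        #   url = "https://pablo.tools/ssh-key1";
        #   sha256 =
        #   "sha256:0h24djs4qahfgi5yfp14n8ljrsng36vhnn91klrz0qxqffxkrh7s";
        # })
      ];
    };
  };

  # Allow to run nix
  # Uses the same option name as users/pinpox.nix (`nix.allowedUsers` is the
  # older spelling of this setting).
  nix.settings.allowed-users = [ "root" ];
}

--------------------------------------------------------------------------------
/utils/default.nix:
--------------------------------------------------------------------------------
{ pkgs, ... }:
{

  # Builds a generator definition that prompts for every name in `envs` and
  # writes the answers to $out/envfile as NAME='value' lines.
  mkEnvGenerator = envs: rec {
    files.envfile = { };
    runtimeInputs = [ pkgs.coreutils ];

    # One prompt per variable; `persist = false` is set for each of them.
    prompts = pkgs.lib.genAttrs envs (name: {
      persist = false;
    });

    # Invalidate on env change
    # The script text itself is the validation input, so any edit to the
    # script below (even cosmetic) also changes it.
    validation.script = script;

    # The here-document delimiter is unquoted, so the shell runs each
    # $(cat $prompts/NAME) while writing the file. Values are wrapped in single
    # quotes without escaping: a value containing ' or a newline produces a
    # line that the consumer of the envfile may parse differently than
    # intended.
    # NOTE(review): confirm how the envfile is consumed and whether prompt
    # values can contain those characters.
    script = ''
      mkdir -p $out
      cat <<EOT >> $out/envfile
      ${builtins.concatStringsSep "\n" (map (e: "${e}='$(cat $prompts/${e})'") envs)}
      EOT
    '';
  };

  renderMustache =
    name: template: data:
    # Render the mustache `template` into a derivation called `name`, using
    # `data` converted to JSON as the template input.
    pkgs.stdenv.mkDerivation {

      name = "${name}";

      # Was misspelled `nativeBuildInpts`, which stdenv does not treat as a
      # build input. The build phase calls mustache by absolute store path, so
      # the rendered output is unaffected.
      nativeBuildInputs = [ pkgs.mustache-go ];

      # Pass Json as file to avoid escaping
      passAsFile = [ "jsonData" ];
      jsonData = builtins.toJSON data;

      # Disable phases which are not needed. In particular the unpackPhase will
      # fail, if no src attribute is set
      phases = [
        "buildPhase"
        "installPhase"
      ];

      buildPhase = ''
        ${pkgs.mustache-go}/bin/mustache $jsonDataPath ${template} > rendered_file
      '';
      installPhase = ''
        cp rendered_file $out
      '';
    };
}

--------------------------------------------------------------------------------
/vars/per-machine/birne/minio/.validation-hash:
--------------------------------------------------------------------------------
1 | 254338cffe84c5c7b887f86fe600d1af1c074de339a69e3fba9ea94154f6c099
--------------------------------------------------------------------------------
/vars/per-machine/birne/restic-server/.validation-hash:
--------------------------------------------------------------------------------
1 | b40bd3130574d1d8e07160248cb6f48dcde7cf6aa948fda48bbedf8d0fcb6516
--------------------------------------------------------------------------------
/vars/per-machine/birne/state-version/version/value:
--------------------------------------------------------------------------------
1 | 20.03
--------------------------------------------------------------------------------
/vars/per-machine/birne/wireguard-wg-clan/publickey/value:
--------------------------------------------------------------------------------
1 | Rp3zB7Bwhow4BJ8q7lg3nPZ+g9TDPY/I2dQJ3faT8hk=
2 |
--------------------------------------------------------------------------------
/vars/per-machine/birne/wireguard/publickey/value:
--------------------------------------------------------------------------------
1 | jvUOwDHp6tWMhfoRbM+0BkPqQVIPHqR4R7KU11i38Bs=
2 |
--------------------------------------------------------------------------------
/vars/per-machine/kartoffel/state-version/version/value: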
-------------------------------------------------------------------------------- 1 | 20.03 -------------------------------------------------------------------------------- /vars/per-machine/kartoffel/wireguard-wg-clan/publickey/value: -------------------------------------------------------------------------------- 1 | 0MEAQID/ekklJgxAFr7iSWqVNbptJ+TP1y9B/yuC3D8= 2 | -------------------------------------------------------------------------------- /vars/per-machine/kartoffel/wireguard/publickey/value: -------------------------------------------------------------------------------- 1 | HM7c/n99iblET+6myP8fG3L79L8nWWHHwaH+Oz0OPEE= 2 | -------------------------------------------------------------------------------- /vars/per-machine/kfbox/caddy/.validation-hash: -------------------------------------------------------------------------------- 1 | 9aec7258b9d9753deca55cf69724c322103ff822c72fa6614fb3e5c41e45cdf8 -------------------------------------------------------------------------------- /vars/per-machine/kfbox/dex/.validation-hash: -------------------------------------------------------------------------------- 1 | d2b8da6120ff1bcbaec6e423e507d423c13a4e2c55cee7b8f0ddbe33363312eb -------------------------------------------------------------------------------- /vars/per-machine/kfbox/go-karma-bot/.validation-hash: -------------------------------------------------------------------------------- 1 | 24d59f70cba7b4ee0c772354f0c041e925448e52431083a8bf37cda6b48b11a0 -------------------------------------------------------------------------------- /vars/per-machine/kfbox/hedgedoc/.validation-hash: -------------------------------------------------------------------------------- 1 | 96ba40a19e0a2b2696bb565184f28251d63c35f31f86ed8f85e526f660aa79ae -------------------------------------------------------------------------------- /vars/per-machine/kfbox/jitsi-presence/.validation-hash: -------------------------------------------------------------------------------- 1 | 
3ce0ea6332ad94bb81f83a03ee7c89514f4e6b218a43956b03ba4f48e4383432 -------------------------------------------------------------------------------- /vars/per-machine/kfbox/restic-exporter/.validation-hash: -------------------------------------------------------------------------------- 1 | 2281613666175c6d6f41a42c0c5136e29409c86f7821fa5e73be344cf9fd18d7 -------------------------------------------------------------------------------- /vars/per-machine/kfbox/state-version/version/value: -------------------------------------------------------------------------------- 1 | 22.05 -------------------------------------------------------------------------------- /vars/per-machine/kfbox/vikunja/.validation-hash: -------------------------------------------------------------------------------- 1 | d46d7942b025ed4866f10969d73fb73fc90b2e3d7e30752d3c45d8a0142ecca5 -------------------------------------------------------------------------------- /vars/per-machine/kfbox/wireguard-wg-clan/publickey/value: -------------------------------------------------------------------------------- 1 | c7/KN2JcbrhiyjShE2A2tT6SQ6OJs0mGXGowUnZ3a0k= 2 | -------------------------------------------------------------------------------- /vars/per-machine/kfbox/wireguard/publickey/value: -------------------------------------------------------------------------------- 1 | N5rFljGz1BMiF3hxsRChK9VvZxmQchZFcQrIkECVEnU= 2 | -------------------------------------------------------------------------------- /vars/per-machine/kiwi/state-version/version/value: -------------------------------------------------------------------------------- 1 | 20.03 -------------------------------------------------------------------------------- /vars/per-machine/limette/state-version/version/value: -------------------------------------------------------------------------------- 1 | 20.03 -------------------------------------------------------------------------------- /vars/per-machine/limette/wireguard-wg-clan/publickey/value: 
-------------------------------------------------------------------------------- 1 | 8DaOeJAmGyrRR2o9W5lmik+VqaRO958XXu+eRHy8yHQ= 2 | -------------------------------------------------------------------------------- /vars/per-machine/limette/wireguard/publickey/value: -------------------------------------------------------------------------------- 1 | TCDZ1RBxqVBEp699/3UUBm9icI9UERswFlw4kJWd/jE= 2 | -------------------------------------------------------------------------------- /vars/per-machine/porree/alertmanager-ntfy/.validation-hash: -------------------------------------------------------------------------------- 1 | 7c21c80d4620962abd3d601c5b4302caa54dc10981de5982c6821d853b67a949 -------------------------------------------------------------------------------- /vars/per-machine/porree/caddy-basicauth/.validation-hash: -------------------------------------------------------------------------------- 1 | 1708aa15aec5b4efba07ecd95fea8e970abd8bfcdea9a9eec05f1aad781d9ca8 -------------------------------------------------------------------------------- /vars/per-machine/porree/caddy/.validation-hash: -------------------------------------------------------------------------------- 1 | 39b8a0ffd9699b029fa80287910104a5a646388572aeeff18edd9aff32c566e0 -------------------------------------------------------------------------------- /vars/per-machine/porree/matrix-hook/.validation-hash: -------------------------------------------------------------------------------- 1 | ad87e37f3326763c110d056e28f87471da0e88bb6891cfae314b43d38a79d214 -------------------------------------------------------------------------------- /vars/per-machine/porree/prometheus/.validation-hash: -------------------------------------------------------------------------------- 1 | 4ba92dd604df16f02a402cdeee13cd827fb912e08d632eee3b2911644bcadf79 -------------------------------------------------------------------------------- /vars/per-machine/porree/restic-exporter/.validation-hash: 
-------------------------------------------------------------------------------- 1 | 2281613666175c6d6f41a42c0c5136e29409c86f7821fa5e73be344cf9fd18d7 -------------------------------------------------------------------------------- /vars/per-machine/porree/state-version/version/value: -------------------------------------------------------------------------------- 1 | 20.03 -------------------------------------------------------------------------------- /vars/per-machine/porree/vaultwarden/.validation-hash: -------------------------------------------------------------------------------- 1 | 763d277911fb0f2d246a13714dddc4f2e1a26c9f9850a96e39d21d77aa45345a -------------------------------------------------------------------------------- /vars/per-machine/porree/wireguard-wg-clan/publickey/value: -------------------------------------------------------------------------------- 1 | V7t8UAixnIJHSL2ygKJQ/9q2Ga31uzgTFrjAj/Oc/VM= 2 | -------------------------------------------------------------------------------- /vars/per-machine/porree/wireguard/publickey/value: -------------------------------------------------------------------------------- 1 | 9CSzhcAPiBTmH2cXvQ2f9oDE3TlTjCORyzUKDd2FaSA= 2 | -------------------------------------------------------------------------------- /vars/shared/restic-cert/.validation-hash: -------------------------------------------------------------------------------- 1 | a3da374e9cad9051dce842a991c18e71feb879b073bca0f4ef291cb33c01a0a7 -------------------------------------------------------------------------------- /vars/shared/restic-cert/restic-cert/value: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDgDCCAmigAwIBAgIUDBp2agTh90M4T0oU59HTKguVW+QwDQYJKoZIhvcNAQEL 3 | BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM 4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTAxMjIxMzE3MTlaFw0yNTAy 5 | MjExMzE3MTlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw 6 | 
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB 7 | AQUAA4IBDwAwggEKAoIBAQDLq1xdCjYpFoKoNTde+ca+Av3Q2aeeE1iug+GO7mAi 8 | R4WXUlIxBncwvzAqlQBEixsPWsYvL/MND570NvzGfUmfY204fyMb46sMOBAL0Rfi 9 | /gVaVXLErTGJrOGPUdZgWpdLAATbwMVLqUawKM66lcr+A+ftxUjyosTPpQwrq/Zv 10 | arlORTW4Ekzwo9nX9VQ+ZzoRlokay1H/Nzd3no8lY16IKxleuif+l0O96NsUFgZL 11 | VFvZHsGBwn5PfWxXvUDqdRjh3QJ3gbdlFq6+B+znsgkj38jW7YdvPUKYYojXEgk/ 12 | aAaii33RB4SjyCFeaO9QSTxQC3z8dxG+R9HXfVqOMD2pAgMBAAGjaDBmMB0GA1Ud 13 | DgQWBBQuz8nhTizE/kt8ePJzj4s8f3BXgDAfBgNVHSMEGDAWgBQuz8nhTizE/kt8 14 | ePJzj4s8f3BXgDAPBgNVHRMBAf8EBTADAQH/MBMGA1UdEQQMMAqCCCoucmVzdGlj 15 | MA0GCSqGSIb3DQEBCwUAA4IBAQB5knuIq6d3EjfBoiCDJwHFVIjgaWqo7g3Z1Rg7 16 | GFe4s4HZYMHQcmKFaKDMiqEENstMopUO/iT8dmmeNEIXMuofAVdfd2PJri0hMmCo 17 | jcpswgtOtCHqSE0mALV2R/tEUt0nzSTRbmH1PfDlYfvt8y00kyQLqE8qQwjx+1Pd 18 | ldlxK3b6qZqvfOZzwhvYhRDYON6UFY6u/qc8mF5Qr5qFnzoasz0XDhlhhz5ogvst 19 | I4Wn9Kb9SxKPL42t5jQVinAT+KZ0x3/cIgl20qVOdiQdCx57p3ZdgDru5g6BOyGk 20 | CZ7HRSaXpO8dgDZ5bmR3NNlNwvA2TRT0oLcBR3y1tohbp9Ye 21 | -----END CERTIFICATE----- 22 | -------------------------------------------------------------------------------- /vars/shared/restic-credentials-backblaze/.validation-hash: -------------------------------------------------------------------------------- 1 | 406e5d73f5915d7762fdbbe0dfafb7b37fd5ad1f0e7c47895a7279180d88b810 -------------------------------------------------------------------------------- /vars/shared/restic-credentials/.validation-hash: -------------------------------------------------------------------------------- 1 | 406e5d73f5915d7762fdbbe0dfafb7b37fd5ad1f0e7c47895a7279180d88b810 -------------------------------------------------------------------------------- /vars/shared/restic-kfbox/.validation-hash: -------------------------------------------------------------------------------- 1 | 4bfe1766afd037ef15eeeaa180acb87117e957d87631f545782b5f69a1657e79 --------------------------------------------------------------------------------