L-Nafaryus/bonfire
L-Nafaryus/bonfire
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 4 Releases Wiki Activity

Compare commits

base: L-Nafaryus:master
Branches Tags
L-Nafaryus:master
L-Nafaryus:devel
L-Nafaryus:catarina-radio-service
L-Nafaryus:packages-onetagger
L-Nafaryus:packages-wezterm
..
compare: L-Nafaryus:packages-wezterm
Branches Tags
L-Nafaryus:devel
L-Nafaryus:master
L-Nafaryus:catarina-radio-service
L-Nafaryus:packages-onetagger
L-Nafaryus:packages-wezterm

No commits in common. "master" and "packages-wezterm" have entirely different histories.
master ... packages-w

33 changed files with 865 additions and 1704 deletions
Show Stats Expand all files Collapse all files

2
devShells/default.nix
View File

@ -30,6 +30,4 @@ in
rust-x11 = import ./rust-x11.nix environment; rust-x11 = import ./rust-x11.nix environment;
go = import ./go.nix environment; go = import ./go.nix environment;
python-uv = import ./python-uv.nix environment;
}) })

8
devShells/python-uv.nix
View File

@ -1,8 +0,0 @@
{pkgs, ...}:
pkgs.mkShellNoCC {
packages = with pkgs; [
uv
curl
jq
];
}

326
flake.lock
View File

@ -1,21 +1,5 @@
{ {
"nodes": { "nodes": {
"advisory-db": {
"flake": false,
"locked": {
"lastModified": 1728429239,
"narHash": "sha256-k1KRRgmfKNhO9eU55FMkkzkneqAlwz5oLC5NSiEfGxs=",
"owner": "rustsec",
"repo": "advisory-db",
"rev": "acb7ce45817b13dd34cb32540ff18be4e1f3ba09",
"type": "github"
},
"original": {
"owner": "rustsec",
"repo": "advisory-db",
"type": "github"
}
},
"ags": { "ags": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -24,11 +8,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1728326430, "lastModified": 1725841979,
"narHash": "sha256-tV1ABHuA1HItMdCTuNdA8fMB+qw7LpjvI945VwMSABI=", "narHash": "sha256-SXYqzpHPuXFR6w/cUKo3VN8XRn6XA2mGbdRXs9oLk6k=",
"owner": "Aylur", "owner": "Aylur",
"repo": "ags", "repo": "ags",
"rev": "60180a184cfb32b61a1d871c058b31a3b9b0743d", "rev": "aaef50bb2c80ef4b4a359329d72669a95e7c4796",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -55,11 +39,11 @@
}, },
"catppuccin": { "catppuccin": {
"locked": { "locked": {
"lastModified": 1730458408, "lastModified": 1725509983,
"narHash": "sha256-JQ+SphQn13bdibKUrBBBznYehXX4xJrxD1ifBp6vSWw=", "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=",
"owner": "catppuccin", "owner": "catppuccin",
"repo": "nix", "repo": "nix",
"rev": "191fbf2d81a63fad8f62f1233c0051f09b75d0ad", "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -70,11 +54,11 @@
}, },
"crane": { "crane": {
"locked": { "locked": {
"lastModified": 1730504891, "lastModified": 1725409566,
"narHash": "sha256-Fvieht4pai+Wey7terllZAKOj0YsaDP0e88NYs3K/Lo=", "narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "8658adcdad49b8f2c6cbf0cc3cb4b4db988f7638", "rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -83,94 +67,7 @@
"type": "github" "type": "github"
} }
}, },
"crane_2": {
"locked": {
"lastModified": 1728344376,
"narHash": "sha256-lxTce2XE6mfJH8Zk6yBbqsbu9/jpwdymbSH5cCbiVOA=",
"owner": "ipetkov",
"repo": "crane",
"rev": "fd86b78f5f35f712c72147427b1eb81a9bd55d0b",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"dream2nix": {
"inputs": {
"nixpkgs": [
"elnafo-radio",
"nixpkgs"
],
"purescript-overlay": "purescript-overlay",
"pyproject-nix": "pyproject-nix"
},
"locked": {
"lastModified": 1728499310,
"narHash": "sha256-6qa+IU6PaQa/swQ9wRn4J1pFprundzruJiV0aTDou/Q=",
"owner": "nix-community",
"repo": "dream2nix",
"rev": "586ff3bb752711bbf6d54475295f0da98ead5ee4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "dream2nix",
"type": "github"
}
},
"elnafo-radio": {
"inputs": {
"advisory-db": "advisory-db",
"crane": "crane_2",
"dream2nix": "dream2nix",
"fenix": "fenix",
"nix-std": "nix-std",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728643944,
"narHash": "sha256-LRlsDN/0aqEDlM0cHM5mW1FVBepvTBEsWPYijOqpTWM=",
"ref": "refs/heads/master",
"rev": "c707ca5a360242bf0ae27dd14f8c58b8624a00e5",
"revCount": 13,
"type": "git",
"url": "https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio"
},
"original": {
"type": "git",
"url": "https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio"
}
},
"fenix": { "fenix": {
"inputs": {
"nixpkgs": [
"elnafo-radio",
"nixpkgs"
],
"rust-analyzer-src": [
"elnafo-radio"
]
},
"locked": {
"lastModified": 1728542061,
"narHash": "sha256-2YAnVU67qimQGO71rCBWcv7RrRK5gYgysXe3NVomuwQ=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b135535125e24270dddddc8cfab455533492e4ad",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"fenix_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -178,11 +75,11 @@
"rust-analyzer-src": [] "rust-analyzer-src": []
}, },
"locked": { "locked": {
"lastModified": 1730529264, "lastModified": 1726813972,
"narHash": "sha256-5gC0y6cKXKQvumK4jOhKyjVsYqQ7EOcWKNtKB8UiP74=", "narHash": "sha256-t6turZgoSAVgj7hn5mxzNlLOeVeZvymFo8+ymB52q34=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "fff718e230e40b8202d7be6223c13492bb0010a8", "rev": "251caeafc75b710282ee7e375800f75f4c8c5727",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -207,22 +104,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
@ -231,11 +112,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1727826117, "lastModified": 1726153070,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -249,11 +130,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1710146030,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -321,11 +202,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730490306, "lastModified": 1726825546,
"narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=", "narHash": "sha256-HiBzfzgqojA9OjPB+vdi2o+gy4Zw/MEipuGopgGsZEw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "1743615b61c7285976f85b303a36cdf88a556503", "rev": "0b052dd8119005c6ba819db48bcc657e48f401b7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -334,34 +215,6 @@
"type": "github" "type": "github"
} }
}, },
"ixx": {
"inputs": {
"flake-utils": [
"nixvim",
"nuschtosSearch",
"flake-utils"
],
"nixpkgs": [
"nixvim",
"nuschtosSearch",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729544999,
"narHash": "sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus=",
"owner": "NuschtOS",
"repo": "ixx",
"rev": "65c207c92befec93e22086da9456d3906a4e999c",
"type": "github"
},
"original": {
"owner": "NuschtOS",
"ref": "v0.0.5",
"repo": "ixx",
"type": "github"
}
},
"libpng": { "libpng": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -379,40 +232,10 @@
"type": "github" "type": "github"
} }
}, },
"nix-std": {
"locked": {
"lastModified": 1710870712,
"narHash": "sha256-e+7MJF2gsgTBuOWv4mCimSP0D9+naeFSw9a7N3yEmv4=",
"owner": "chessai",
"repo": "nix-std",
"rev": "31bbc925750cc9d8f828fe55cee1a2bd985e0c00",
"type": "github"
},
"original": {
"owner": "chessai",
"repo": "nix-std",
"type": "github"
}
},
"nix-std_2": {
"locked": {
"lastModified": 1710870712,
"narHash": "sha256-e+7MJF2gsgTBuOWv4mCimSP0D9+naeFSw9a7N3yEmv4=",
"owner": "chessai",
"repo": "nix-std",
"rev": "31bbc925750cc9d8f828fe55cee1a2bd985e0c00",
"type": "github"
},
"original": {
"owner": "chessai",
"repo": "nix-std",
"type": "github"
}
},
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -434,11 +257,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1730200266, "lastModified": 1726755586,
"narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", "narHash": "sha256-PmUr/2GQGvFTIJ6/Tvsins7Q43KTMvMFhvG6oaYK+Wk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", "rev": "c04d5652cfa9742b1d519688f65d1bbccea9eb7e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -465,11 +288,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1729973466, "lastModified": 1725762081,
"narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -510,11 +333,11 @@
"treefmt-nix": [] "treefmt-nix": []
}, },
"locked": { "locked": {
"lastModified": 1730499477, "lastModified": 1726846628,
"narHash": "sha256-olt0Sx4alDxv3ko9BgbV3SsE2KQ/Tf0/Az1Fr9s2Y6U=", "narHash": "sha256-0CH44sEwiljiN2q7eIFCvabyUm1WeEiF8ofP/z5ca0Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "356896f58dde22ee16481b7c954e340dceec340d", "rev": "3211ce356be612ae89a38c60799992bde8a47127",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -526,18 +349,17 @@
"nuschtosSearch": { "nuschtosSearch": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"ixx": "ixx",
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1730337772, "lastModified": 1726816132,
"narHash": "sha256-uTxvqDohfG85+zldO5Tf1B+fuAF8ZhMouNwG5S6OAnA=", "narHash": "sha256-AbB0lgc0IbzLIxj1O3cosiMNAVQak4KJtvq9q8MjHhs=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "search", "repo": "search",
"rev": "4e0a7a95a3df3333771abc4df6a656e7baf67106", "rev": "7733a39a1321057172d87e6251ded7cdeb67171e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -587,56 +409,13 @@
"type": "github" "type": "github"
} }
}, },
"purescript-overlay": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"elnafo-radio",
"dream2nix",
"nixpkgs"
],
"slimlock": "slimlock"
},
"locked": {
"lastModified": 1724504251,
"narHash": "sha256-TIw+sac0NX0FeAneud+sQZT+ql1G/WEb7/Vb436rUXM=",
"owner": "thomashoneyman",
"repo": "purescript-overlay",
"rev": "988b09676c2a0e6a46dfa3589aa6763c90476b8a",
"type": "github"
},
"original": {
"owner": "thomashoneyman",
"repo": "purescript-overlay",
"type": "github"
}
},
"pyproject-nix": {
"flake": false,
"locked": {
"lastModified": 1702448246,
"narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=",
"owner": "davhau",
"repo": "pyproject.nix",
"rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb",
"type": "github"
},
"original": {
"owner": "davhau",
"ref": "dream2nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"ags": "ags", "ags": "ags",
"catppuccin": "catppuccin", "catppuccin": "catppuccin",
"crane": "crane", "crane": "crane",
"elnafo-radio": "elnafo-radio", "fenix": "fenix",
"fenix": "fenix_2",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-std": "nix-std_2",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim",
@ -667,29 +446,6 @@
"type": "github" "type": "github"
} }
}, },
"slimlock": {
"inputs": {
"nixpkgs": [
"elnafo-radio",
"dream2nix",
"purescript-overlay",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688756706,
"narHash": "sha256-xzkkMv3neJJJ89zo3o2ojp7nFeaZc2G0fYwNXNJRFlo=",
"owner": "thomashoneyman",
"repo": "slimlock",
"rev": "cf72723f59e2340d24881fd7bf61cb113b4c407c",
"type": "github"
},
"original": {
"owner": "thomashoneyman",
"repo": "slimlock",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -698,11 +454,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1729999681, "lastModified": 1726524647,
"narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=", "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56", "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -770,11 +526,11 @@
}, },
"locked": { "locked": {
"dir": "nix", "dir": "nix",
"lastModified": 1730443872, "lastModified": 1726842683,
"narHash": "sha256-dQG+9b/EUn+UWDjDSsje19hn3DxiDOzSGmIwsSGdqDA=", "narHash": "sha256-n0k/znwnDGF3CNB2GhX9NfGg02mhxOzRTMmWr2EUxFs=",
"owner": "wez", "owner": "wez",
"repo": "wezterm", "repo": "wezterm",
"rev": "0983ae90d6dfb45c5f99058e97de73a70ca9dd36", "rev": "abfc0b4c3aa2d6f99c76b20c4d7bdb6d0603ac80",
"type": "github" "type": "github"
}, },
"original": { "original": {

10
flake.nix
View File

@ -65,17 +65,12 @@
url = "github:wez/wezterm?dir=nix"; url = "github:wez/wezterm?dir=nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
elnafo-radio = {
url = "git+https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-std.url = "github:chessai/nix-std";
}; };
outputs = {self, ...} @ inputs: let outputs = {self, ...} @ inputs: let
lib = inputs.nixpkgs.lib; lib = inputs.nixpkgs.lib;
bonLib = import ./lib {inherit lib inputs;}; bonLib = import ./lib {inherit lib;};
bonModules = self.nixosModules; bonModules = self.nixosModules;
# no bonPkgs, it must be defined by appropriate system + skip a possible infinite recursion # no bonPkgs, it must be defined by appropriate system + skip a possible infinite recursion
in { in {
@ -91,7 +86,8 @@
nixosConfigurations = import ./nixosConfigurations {inherit lib inputs bonModules bonLib self;}; nixosConfigurations = import ./nixosConfigurations {inherit lib inputs bonModules bonLib self;};
hydraJobs = { hydraJobs = {
packages = lib.filterAttrsRecursive (name: value: !bonLib.isBroken value && !bonLib.isInsecure value && !bonLib.isUnfree value) self.packages; # filter broken packages ?
packages = lib.filterAttrsRecursive (name: value: !bonLib.isBroken value) self.packages;
}; };
templates = { templates = {

25
lib/default.nix
View File

@ -1,8 +1,4 @@
{ {lib, ...}: rec {
lib,
inputs,
...
}: rec {
maintainers = import ./maintainers.nix; maintainers = import ./maintainers.nix;
nameFromPath = path: nameFromPath = path:
@ -17,25 +13,9 @@
[ [
./preconfiguredModules/bonvim.nix ./preconfiguredModules/bonvim.nix
./preconfiguredModules/homeManager ./preconfiguredModules/homeManager
./preconfiguredModules/nixos
#(import ./preconfiguredModules/bonvim.nix)
#(import ./preconfiguredModules/homeManager {inherit lib inputs;})
]); ]);
injectArgs = moduleArgs: ({
config,
pkgs,
...
}: {
config = {
# extra arguments
_module.args = moduleArgs;
};
});
isBroken = derivation: derivation ? meta && derivation.meta ? broken && derivation.meta.broken; isBroken = derivation: derivation ? meta && derivation.meta ? broken && derivation.meta.broken;
isInsecure = derivation: derivation ? meta && derivation.meta ? insecure && derivation.meta.insecure;
isUnfree = derivation: derivation ? meta && derivation.meta ? unfree && derivation.meta.unfree;
functionType = lib.types.mkOptionType { functionType = lib.types.mkOptionType {
name = "function"; name = "function";
@ -115,7 +95,4 @@
packagesList; packagesList;
in in
lib.mapAttrs (name: value: lib.mergeAttrsList value) (lib.zipAttrs evaluatedPackages); lib.mapAttrs (name: value: lib.mergeAttrsList value) (lib.zipAttrs evaluatedPackages);
# external
inherit (inputs.nix-std.lib.serde) toTOML;
} }

28
lib/preconfiguredModules/bonvim.nix
View File

@ -71,7 +71,7 @@
settings.system_clipboard.sync_with_ring = true; settings.system_clipboard.sync_with_ring = true;
}; };
plugins.web-devicons.enable = true; extraPlugins = with pkgs.vimPlugins; [nvim-web-devicons];
diagnostics = { diagnostics = {
underline = true; underline = true;
@ -152,7 +152,6 @@
# UI # UI
plugins.noice = { plugins.noice = {
enable = true; enable = true;
settings = {
lsp.override = { lsp.override = {
"cmp.entry.get_documentation" = true; "cmp.entry.get_documentation" = true;
"vim.lsp.util.convert_input_to_markdown_lines" = true; "vim.lsp.util.convert_input_to_markdown_lines" = true;
@ -162,7 +161,6 @@
long_message_to_split = true; long_message_to_split = true;
}; };
}; };
};
plugins.dressing = { plugins.dressing = {
enable = true; enable = true;
@ -366,24 +364,22 @@
]; ];
}; };
cmake.enable = true; cmake.enable = true;
nil_ls.enable = true; nil-ls.enable = true;
pyright.enable = true;
ruff.enable = true;
# pylyzer.enable = true; # not working with virtual environments currently :( # pylyzer.enable = true; # not working with virtual environments currently :(
#pylsp = { pylsp = {
# enable = true; # https://github.com/nix-community/nixvim/pull/1893 enable = true; # https://github.com/nix-community/nixvim/pull/1893
# settings.plugins = { settings.plugins = {
# pyflakes.enabled = true; pyflakes.enabled = true;
# black.enabled = true; black.enabled = true;
# }; };
#}; };
rust_analyzer = { rust-analyzer = {
enable = true; enable = true;
package = rust-analyzer; package = rust-analyzer;
cargoPackage = cargo; cargoPackage = cargo;
rustcPackage = rustc; rustcPackage = rustc;
installCargo = false; installCargo = true;
installRustc = false; installRustc = true;
settings = { settings = {
checkOnSave = true; checkOnSave = true;
check.command = "clippy"; check.command = "clippy";

3
lib/preconfiguredModules/homeManager/default.nix
View File

@ -1,6 +1,3 @@
{ {
ags = import ./ags; ags = import ./ags;
hyprland = import ./hyprland.nix;
hypridle = import ./hypridle.nix;
hyprlock = import ./hyprlock.nix;
} }

24
lib/preconfiguredModules/homeManager/hypridle.nix
View File

@ -1,24 +0,0 @@
{
pkgs,
lib,
config,
hmConfig,
...
}: {
services.hypridle = {
enable = true;
settings = {
general = {
after_sleep_cmd = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
ignore_dbus_inhibit = false;
};
listener = [
{
timeout = 300;
on-timeout = "${pkgs.hyprland}/bin/hyprctl dispatch dpms off";
on-resume = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
}
];
};
};
}

245
lib/preconfiguredModules/homeManager/hyprland.nix
View File

@ -1,245 +0,0 @@
{
pkgs,
lib,
hmConfig,
...
}: {
imports = [
./ags
./hypridle.nix
./hyprlock.nix
];
home.packages = with pkgs; [
networkmanagerapplet
blueman
wl-clipboard
cliphist
swww
hyprshot
wl-gammarelay-rs
playerctl
];
xdg.portal = {
enable = true;
configPackages = with pkgs; [
xdg-desktop-portal-hyprland
];
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
];
};
wayland.windowManager.hyprland = {
enable = true;
settings = {
# Devices (use `hyprctl devices`)
"$monitor1" = "AOC Q27G2G3R3B 137P4HA000540";
"$monitor2" = "AOC Q27B3MA 17ZPAHA006135";
"$keyboard" = "keychron-keychron-k3-pro";
"$mouse" = "logitech-g102-lightsync-gaming-mouse";
# Main programs
"$terminal" = "${lib.getExe hmConfig.programs.wezterm.package}";
"$menu" = "${lib.getExe hmConfig.programs.rofi.package} -show drun";
"$fileManager" = "$terminal -e ${lib.getExe hmConfig.programs.nnn.package}";
monitor = [
"desc:$monitor2, 2560x1440@75, 0x0, auto"
"desc:$monitor1, 2560x1440@165, 2560x0, auto"
"Unknown-1, disable"
];
exec-once = [
"ags &"
"nm-applet --indicator &"
"blueman-applet &"
"wl-gammarelay-rs run &"
"systemctl --user start hypridle"
"wl-paste --type text --watch cliphist store" #Stores only text data
"wl-paste --type image --watch cliphist store" #Stores only image data
"swww-daemon & swww img ~/Pictures/wallpapers/current" # wallpaper symlinked
];
env = [
"XCURSOR_SIZE,14"
"HYPRCURSOR_SIZE,14"
"WLR_DRM_NO_ATOMIC,1"
"HYPRSHOT_DIR,${hmConfig.xdg.userDirs.pictures}/screenshots"
];
general = {
gaps_in = 2;
gaps_out = 2;
border_size = 2;
# https://wiki.hyprland.org/Configuring/Variables/#variable-types for info about colors
"col.active_border" = "rgba(33ccffee) rgba(00ff99ee) 45deg";
"col.inactive_border" = "rgba(595959aa)";
# Set to true enable resizing windows by clicking and dragging on borders and gaps
resize_on_border = true;
# Please see https://wiki.hyprland.org/Configuring/Tearing/ before you turn this on
allow_tearing = true;
layout = "dwindle";
};
decoration = {
rounding = 5;
# Change transparency of focused and unfocused windows
active_opacity = 1.0;
inactive_opacity = 0.95;
drop_shadow = true;
shadow_range = 4;
shadow_render_power = 3;
"col.shadow" = "rgba(1a1a1aee)";
# https://wiki.hyprland.org/Configuring/Variables/#blur
blur = {
enabled = true;
size = 3;
passes = 1;
vibrancy = 0.1696;
};
};
animations = {
enabled = true;
# Default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more
bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
animation = [
"windows, 1, 7, myBezier"
"windowsOut, 1, 7, default, popin 80%"
"border, 1, 10, default"
"borderangle, 1, 8, default"
"fade, 1, 7, default"
"workspaces, 1, 6, default"
];
};
# See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more
dwindle = {
pseudotile = true; # Master switch for pseudotiling. Enabling is bound to mainMod + P in the keybinds section below
preserve_split = true; # You probably want this
};
# See https://wiki.hyprland.org/Configuring/Master-Layout/ for more
master = {
new_status = "master";
};
# https://wiki.hyprland.org/Configuring/Variables/#misc
misc = {
force_default_wallpaper = -1; # Set to 0 or 1 to disable the anime mascot wallpapers
disable_hyprland_logo = false; # Enable the random hyprland logo / anime girl background. :)
};
input = {
kb_layout = "us,ru";
follow_mouse = 1;
sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
touchpad = {
natural_scroll = false;
};
};
# https://wiki.hyprland.org/Configuring/Variables/#gestures
gestures = {
workspace_swipe = false;
};
windowrulev2 = [
"suppressevent maximize, class:.*" # You'll probably like this.
"float, class:^(steam_app.*)$"
"immediate, class:^(steam_app.*)$"
"float, class:^(steam_proton.*)$"
"float,class:^(org.wezfurlong.wezterm)$"
"tile,class:^(org.wezfurlong.wezterm)$"
];
bind = [
"SUPER, Q, exec, $terminal"
"SUPER, N, exec, $fileManager"
"SUPER, R, exec, $menu"
"SUPER, X, exec, ags -t clock"
"SUPER, X, exec, ags -t control"
"SUPER, X, exec, ags -t systray"
"SUPER, X, exec, ags -t workspaces"
"SUPER, X, exec, ags -t window-title"
"SUPER, C, killactive,"
"SUPER, M, exit,"
"SUPER, V, togglefloating,"
"SUPER, F, fullscreen,"
"SUPER, J, togglesplit," # dwindle
# Move focus with mainMod + arrow keys
"SUPER, left, movefocus, l"
"SUPER, right, movefocus, r"
"SUPER, up, movefocus, u"
"SUPER, down, movefocus, d"
# Switch workspaces with mainMod + [0-9]
"SUPER, 1, workspace, 1"
"SUPER, 2, workspace, 2"
"SUPER, 3, workspace, 3"
"SUPER, 4, workspace, 4"
"SUPER, 5, workspace, 5"
"SUPER, 6, workspace, 6"
"SUPER, 7, workspace, 7"
"SUPER, 8, workspace, 8"
"SUPER, 9, workspace, 9"
"SUPER, 0, workspace, 10"
# Move active window to a workspace with mainMod + SHIFT + [0-9]
"SUPER SHIFT, 1, movetoworkspace, 1"
"SUPER SHIFT, 2, movetoworkspace, 2"
"SUPER SHIFT, 3, movetoworkspace, 3"
"SUPER SHIFT, 4, movetoworkspace, 4"
"SUPER SHIFT, 5, movetoworkspace, 5"
"SUPER SHIFT, 6, movetoworkspace, 6"
"SUPER SHIFT, 7, movetoworkspace, 7"
"SUPER SHIFT, 8, movetoworkspace, 8"
"SUPER SHIFT, 9, movetoworkspace, 9"
"SUPER SHIFT, 0, movetoworkspace, 10"
# special workspace (scratchpad)
"SUPER, S, togglespecialworkspace, magic"
"SUPER SHIFT, S, movetoworkspace, special:magic"
"SUPER, SPACE, exec, hyprctl switchxkblayout keychron-keychron-k3-pro next"
", PRINT, exec, hyprshot --freeze --mode region"
"CTRL, PRINT, exec, hyprshot --freeze --mode output"
"SUPER, H, exec, cliphist list | rofi -dmenu | cliphist decode | wl-copy"
];
# Move/resize windows with mainMod + LMB/RMB and dragging
bindm = [
"SUPER, mouse:272, movewindow"
"SUPER, mouse:273, resizewindow"
];
bindel = [
", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"
", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
];
bindl = [
", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
", XF86AudioPrev, exec, playerctl previous"
", XF86AudioPlay, exec, playerctl play-pause"
", XF86AudioNext, exec, playerctl next"
", XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n -500"
", XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n +500"
"SUPER, XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d -0.1"
"SUPER, XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d +0.1"
];
};
};
}

11
lib/preconfiguredModules/homeManager/hyprlock.nix
View File

@ -1,11 +0,0 @@
{
pkgs,
lib,
config,
hmConfig,
...
}: {
programs.hyprlock = {
enable = true;
};
}

237
lib/preconfiguredModules/nixos/common.nix
View File

@ -1,237 +0,0 @@
{
lib,
config,
pkgs,
...
}: {
# Nix settings
nix = {
settings = {
experimental-features = ["nix-command" "flakes"];
substituters = [
"https://cache.elnafo.ru"
"https://bonfire.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
"bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
auto-optimise-store = true;
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 7d";
};
};
# Filesystem
fileSystems = {
"/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
};
"/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
"/swap" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=swap" "noatime"];
};
};
swapDevices = [
{device = "/swap/swapfile";}
];
# Boot and kernel options
boot = {
loader.systemd-boot.enable = true;
loader.systemd-boot.configurationLimit = 5;
loader.efi.canTouchEfiVariables = true;
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
initrd.kernelModules = [];
kernelModules = ["tcp_bbr" "coretemp" "nct6775"];
kernelParams = ["threadirqs"];
kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets
"net.ipv4.conf.all.accept_source_route" = 1;
"net.ipv4.conf.wlo1.accept_source_route" = 1;
"net.ipv6.conf.all.accept_source_route" = 1;
# Don't send ICMP redirects
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
# Security
security = {
protectKernelImage = true;
sudo.extraConfig = ''Defaults timestamp_timeout=30'';
rtkit.enable = true;
polkit.enable = true;
pam.loginLimits = [
{
domain = "@audio";
item = "memlock";
type = "-";
value = "unlimited";
}
{
domain = "@audio";
item = "rtprio";
type = "-";
value = "99";
}
{
domain = "@audio";
item = "nofile";
type = "soft";
value = "99999";
}
{
domain = "@audio";
item = "nofile";
type = "hard";
value = "99999";
}
{
domain = "*";
item = "nofile";
type = "-";
value = "524288";
}
{
domain = "*";
item = "memlock";
type = "-";
value = "524288";
}
];
};
# Hardware
hardware = {
enableRedistributableFirmware = true;
};
# Timezone and locale
time.timeZone = "Asia/Yekaterinburg";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
};
# Base packages
environment.systemPackages = with pkgs; [
wget
parted
ntfs3g
sshfs
exfat
btrfs-progs
btrbk
lm_sensors
btop
git
git-lfs
lazygit
nnn
fzf
ripgrep
fd
unzip
fishPlugins.fzf-fish
fishPlugins.tide
fishPlugins.grc
fishPlugins.hydro
grc
gnupg
pass
bat
];
programs = {
fish.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
};
}

5
lib/preconfiguredModules/nixos/default.nix
View File

@ -1,5 +0,0 @@
{
common = import ./common.nix;
hyprland = import ./hyprland.nix;
hyprland-greetd = import ./hyprland-greetd.nix;
}

33
lib/preconfiguredModules/nixos/hyprland-greetd.nix
View File

@ -1,33 +0,0 @@
{
pkgs,
lib,
config,
...
}:
lib.mkIf config.programs.hyprland.enable {
services.greetd = let
hyprConfig = pkgs.writeText "greetd-hyprland-config" ''
exec-once = ${lib.getExe pkgs.greetd.regreet}; hyprctl dispatch exit
'';
in {
enable = true;
settings = {
default_session = {
command = "${lib.getExe config.programs.hyprland.package} --config ${hyprConfig}";
user = "greeter";
};
};
};
programs.regreet = {
enable = true;
settings = {
GTK = {
application_prefer_dark_theme = true;
};
appearance = {
greeting_msg = "Hey, you. You're finally awake.";
};
};
};
}

6
lib/preconfiguredModules/nixos/hyprland.nix
View File

@ -1,6 +0,0 @@
{...}: {
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
}

20
lib/preconfiguredModules/pack/hyprland.nix
View File

@ -1,20 +0,0 @@
{
inputs,
hmConfig,
username,
bonLib,
...
}: {
imports = [
../nixos/hyprland.nix
../nixos/hyprland-greetd.nix
];
home-manager.users.${username} = {...}: {
imports = [
(bonLib.injectArgs {inherit hmConfig;})
inputs.ags.homeManagerModules.default
../homeManager/hyprland.nix
];
};
}

130
nixosConfigurations/astora/default.nix
View File

@ -2,21 +2,35 @@
pkgs, pkgs,
lib, lib,
config, config,
bonLib,
... ...
}: { }: {
system.stateVersion = "23.11"; system.stateVersion = "23.11";
imports = [ imports = [./hardware.nix ./users.nix];
bonLib.preconfiguredModules.nixos.common
./hardware.nix
./users.nix
];
# Nix settings # Nix settings
nix.settings = { nix = {
settings = {
experimental-features = ["nix-command" "flakes" "repl-flake"];
trusted-users = ["l-nafaryus"]; trusted-users = ["l-nafaryus"];
allowed-users = ["l-nafaryus"]; allowed-users = ["l-nafaryus"];
substituters = [
"https://cache.elnafo.ru"
"https://bonfire.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
"bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
auto-optimise-store = true;
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 7d";
};
}; };
# Nix packages # Nix packages
@ -43,20 +57,53 @@
videoDrivers = ["nvidia"]; videoDrivers = ["nvidia"];
#displayManager.gdm = {
# enable = true;
# autoSuspend = false;
# wayland = true;
#};
#desktopManager.gnome.enable = true;
#windowManager.awesome.enable = true;
wacom.enable = true; wacom.enable = true;
}; };
services.desktopManager.plasma6.enable = true; services.greetd = let
hyprConfig = pkgs.writeText "greetd-hyprland-config" ''
services.displayManager.sddm = { exec-once = ${lib.getExe pkgs.greetd.regreet}; hyprctl dispatch exit
'';
in {
enable = true; enable = true;
wayland.enable = true; settings = {
default_session = {
command = "${lib.getExe config.programs.hyprland.package} --config ${hyprConfig}";
user = "greeter";
};
};
}; };
services.dbus = { programs.regreet = {
enable = true; enable = true;
packages = with pkgs; [networkmanager]; settings = {
GTK = {
application_prefer_dark_theme = true;
# TODO: provide gtk themes
# theme_name = "Catppuccin-Macchiato-Standard-Green-Dark";
# icon_theme_name = "Catppuccin-Macchiato-Green-Cursors";
# cursor_theme_name = "Papirus-Dark";
# font_name = "";
}; };
appearance = {
greeting_msg = "Hey, you. You're finally awake.";
};
};
};
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
services.dbus.enable = true;
services.printing = { services.printing = {
enable = true; enable = true;
@ -85,13 +132,14 @@
}; };
services.udev = { services.udev = {
packages = with pkgs; [gnome.gnome-settings-daemon];
extraRules = '' extraRules = ''
KERNEL=="rtc0", GROUP="audio" KERNEL=="rtc0", GROUP="audio"
KERNEL=="hpet", GROUP="audio" KERNEL=="hpet", GROUP="audio"
''; '';
}; };
#services.blueman.enable = true; services.blueman.enable = true;
services.btrfs.autoScrub = { services.btrfs.autoScrub = {
enable = true; enable = true;
@ -99,6 +147,49 @@
fileSystems = ["/"]; fileSystems = ["/"];
}; };
# Packages
environment.systemPackages = with pkgs; [
wget
parted
ntfs3g
sshfs
exfat
lm_sensors
git
git-lfs
ripgrep
fd
lazygit
unzip
gnumake
fishPlugins.fzf-fish
fishPlugins.tide
fishPlugins.grc
fishPlugins.hydro
nnn
fzf
grc
gcc
cachix
];
programs = {
fish.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
};
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host astora Host astora
HostName 192.168.156.101 HostName 192.168.156.101
@ -111,6 +202,13 @@
User l-nafaryus User l-nafaryus
''; '';
programs.direnv.enable = true;
fonts.packages = with pkgs; [nerdfonts];
programs.steam.enable = true;
systemd.extraConfig = "DefaultLimitNOFILE=1048576";
virtualisation = { virtualisation = {
containers.enable = true; containers.enable = true;
podman = { podman = {
@ -119,9 +217,5 @@
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
libvirtd.enable = true; libvirtd.enable = true;
test-share = {
source = "/home/l-nafaryus/vms/shared";
target = "/mnt/shared";
};
}; };
} }

189
nixosConfigurations/astora/hardware.nix
View File

@ -5,14 +5,144 @@
}: { }: {
# Boot # Boot
boot = { boot = {
kernelModules = ["kvm-amd"]; loader.systemd-boot.enable = true;
loader.systemd-boot.configurationLimit = 5;
loader.efi.canTouchEfiVariables = true;
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
initrd.kernelModules = [];
kernelModules = ["kvm-amd" "tcp_bbr" "coretemp" "nct6775"];
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback]; extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
extraModprobeConfig = ''
options v4l2loopback devices=1 video_nr=1 card_label="OBS Camera" exclusive_caps=1
'';
kernelParams = ["threadirqs"];
kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
# Security
security = {
protectKernelImage = true;
acme.acceptTerms = true;
sudo.extraConfig = ''Defaults timestamp_timeout=30'';
rtkit.enable = true;
pam.loginLimits = [
{
domain = "@audio";
item = "memlock";
type = "-";
value = "unlimited";
}
{
domain = "@audio";
item = "rtprio";
type = "-";
value = "99";
}
{
domain = "@audio";
item = "nofile";
type = "soft";
value = "99999";
}
{
domain = "@audio";
item = "nofile";
type = "hard";
value = "99999";
}
{
domain = "*";
item = "nofile";
type = "-";
value = "524288";
}
{
domain = "*";
item = "memlock";
type = "-";
value = "524288";
}
];
polkit.enable = true;
}; };
users.users.root.initialPassword = "nixos"; users.users.root.initialPassword = "nixos";
# Filesystem # Filesystem
fileSystems = { fileSystems = {
"/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
};
"/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
"/swap" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=swap" "noatime"];
};
"/media/steam-library" = { "/media/steam-library" = {
device = "/dev/disk/by-label/siegward"; device = "/dev/disk/by-label/siegward";
fsType = "btrfs"; fsType = "btrfs";
@ -26,10 +156,16 @@
}; };
}; };
swapDevices = [
{device = "/swap/swapfile";}
];
services.fstrim.enable = true; services.fstrim.enable = true;
# Hardware etc # Hardware etc
hardware = { hardware = {
enableRedistributableFirmware = true;
cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nvidia.nvidiaSettings = true; nvidia.nvidiaSettings = true;
@ -45,9 +181,56 @@
}; };
networking = { networking = {
networkmanager = { networkmanager.enable = true;
networkmanager.unmanaged = ["interface-name:ve-*"];
useDHCP = lib.mkDefault true;
hostName = "astora";
extraHosts = '''';
firewall = {
enable = true; enable = true;
enableStrongSwan = true; allowedTCPPorts = [80 443];
trustedInterfaces = ["ve-+"];
extraCommands = ''
iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D POSTROUTING -o wlo1 -j MASQUERADE
'';
};
nat = {
enable = true;
externalInterface = "wlo1";
internalInterfaces = ["ve-+"];
};
interfaces.wlo1.ipv4.addresses = [
{
address = "192.168.156.101";
prefixLength = 24;
}
];
defaultGateway = "192.168.156.1";
nameservers = ["192.168.156.1" "8.8.8.8"];
};
# Common
time.timeZone = "Asia/Yekaterinburg";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
}; };
}; };
} }

364
nixosConfigurations/astora/users.nix
View File

@ -6,9 +6,7 @@
bonLib, bonLib,
inputs, inputs,
... ...
}: let }: {
user = "l-nafaryus";
in {
# Users # Users
users.users.l-nafaryus = { users.users.l-nafaryus = {
isNormalUser = true; isNormalUser = true;
@ -24,23 +22,24 @@ in {
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.backupFileExtension = "hmbackup"; home-manager.backupFileExtension = "hmbackup";
home-manager.users.${user} = {pkgs, ...}: let home-manager.users.l-nafaryus = {pkgs, ...}: let
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.l-nafaryus;
in { in {
home.stateVersion = "23.11"; home.stateVersion = "23.11";
home.username = "l-nafaryus"; home.username = "l-nafaryus";
home.homeDirectory = "/home/l-nafaryus"; home.homeDirectory = "/home/l-nafaryus";
imports = [ imports = [
(bonLib.injectArgs {
inherit hmConfig;
})
inputs.catppuccin.homeManagerModules.catppuccin inputs.catppuccin.homeManagerModules.catppuccin
inputs.ags.homeManagerModules.default inputs.ags.homeManagerModules.default
#bonLib.preconfiguredModules.homeManager.hyprland bonLib.preconfiguredModules.homeManager.ags
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
#gnupg
git
#nnn
pass
taskwarrior3 taskwarrior3
#tmux
gparted gparted
@ -94,37 +93,46 @@ in {
jdk jdk
bonPkgs.ultimmc bonPkgs.ultimmc
liberation_ttf
steamtinkerlaunch steamtinkerlaunch
#dunst discord
#libnotify webcord
vesktop
tor
networkmanagerapplet
#rofi-wayland
kgx
dunst
libnotify
playerctl
wl-gammarelay-rs
# btop # btop
lua lua
# bat # bat
musikcube
swww
hyprshot
mangohud mangohud
gamescope gamescope
libstrangle libstrangle
wl-clipboard
cliphist
tree tree
bonPkgs.bonvim bonPkgs.bonvim
freenect freenect
mpc-cli mpc-cli
kdePackages.kmail
kdePackages.kmail-account-wizard
flacon
picard
podman-desktop
virtiofsd
]; ];
xdg.portal = { xdg.portal = {
enable = true; enable = true;
configPackages = with pkgs; [ configPackages = with pkgs; [
kdePackages.xdg-desktop-portal-kde #xdg-desktop-portal-wlr
xdg-desktop-portal-hyprland
]; ];
extraPortals = with pkgs; [ extraPortals = with pkgs; [
xdg-desktop-portal-gtk xdg-desktop-portal-gtk
@ -139,6 +147,22 @@ in {
accent = "green"; accent = "green";
}; };
gtk = {
enable = true;
# TODO: fix catppuccin deprecation. Provide Paper icons to gtk and gnomeShell manually. (+ regreet)
catppuccin = {
enable = true;
accent = "green";
flavor = "macchiato";
gnomeShellTheme = true;
icon = {
enable = true;
accent = "green";
flavor = "macchiato";
};
};
};
programs = { programs = {
# General # General
fish = { fish = {
@ -220,9 +244,6 @@ in {
homedir = "${hmConfig.xdg.configHome}/gnupg"; homedir = "${hmConfig.xdg.configHome}/gnupg";
mutableKeys = true; mutableKeys = true;
mutableTrust = true; mutableTrust = true;
settings = {
default-key = "B0B3 DFDB B842 BE9C 7468 B511 86F1 EA98 B48F FB19";
};
# TODO: replace existing ssh key with gpg provided # TODO: replace existing ssh key with gpg provided
}; };
@ -248,9 +269,12 @@ in {
ncmpcpp.enable = true; ncmpcpp.enable = true;
# Graphical # Graphical
hyprlock = {
enable = true;
};
wezterm = { wezterm = {
enable = false; enable = true;
package = inputs.wezterm.packages.x86_64-linux.default; package = inputs.wezterm.packages.x86_64-linux.default;
extraConfig = '' extraConfig = ''
return { return {
@ -273,7 +297,7 @@ in {
}; };
rofi = { rofi = {
enable = false; enable = true;
package = pkgs.rofi-wayland; package = pkgs.rofi-wayland;
terminal = "${lib.getExe hmConfig.programs.wezterm.package}"; terminal = "${lib.getExe hmConfig.programs.wezterm.package}";
cycle = true; cycle = true;
@ -318,7 +342,7 @@ in {
defaultCacheTtl = 3600; defaultCacheTtl = 3600;
defaultCacheTtlSsh = 3600; defaultCacheTtlSsh = 3600;
enableSshSupport = true; enableSshSupport = true;
pinentryPackage = pkgs.pinentry-qt; pinentryPackage = pkgs.pinentry-gtk2;
enableFishIntegration = true; enableFishIntegration = true;
enableBashIntegration = true; enableBashIntegration = true;
}; };
@ -331,8 +355,237 @@ in {
#mpdris2 = { #mpdris2 = {
# enable = true; # enable = true;
#}; #};
};
# Graphical # Graphical
hypridle = {
enable = true;
settings = {
general = {
after_sleep_cmd = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
ignore_dbus_inhibit = false;
};
listener = [
{
timeout = 300;
on-timeout = "${pkgs.hyprland}/bin/hyprctl dispatch dpms off";
on-resume = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
}
];
};
};
};
wayland.windowManager.hyprland = {
enable = true;
settings = {
# Devices (use `hyprctl devices`)
"$monitor1" = "AOC Q27G2G3R3B 137P4HA000540";
"$monitor2" = "AOC Q27B3MA 17ZPAHA006135";
"$keyboard" = "keychron-keychron-k3-pro";
"$mouse" = "logitech-g102-lightsync-gaming-mouse";
# Main programs
"$terminal" = "${lib.getExe hmConfig.programs.wezterm.package}";
"$menu" = "${lib.getExe hmConfig.programs.rofi.package} -show drun";
"$fileManager" = "$terminal -e ${lib.getExe hmConfig.programs.nnn.package}";
monitor = [
"desc:$monitor2, 2560x1440@75, 0x0, auto"
"desc:$monitor1, 2560x1440@165, 2560x0, auto"
"Unknown-1, disable"
];
exec-once = [
"ags &"
"nm-applet --indicator &"
"blueman-applet &"
"wl-gammarelay-rs run &"
"systemctl --user start hypridle"
"wl-paste --type text --watch cliphist store" #Stores only text data
"wl-paste --type image --watch cliphist store" #Stores only image data
"swww-daemon & swww img ~/Pictures/wallpapers/current" # wallpaper symlinked
];
env = [
"XCURSOR_SIZE,16"
"HYPRCURSOR_SIZE,16"
"WLR_DRM_NO_ATOMIC,1"
"HYPRSHOT_DIR,${hmConfig.xdg.userDirs.pictures}/screenshots"
];
general = {
gaps_in = 2;
gaps_out = 2;
border_size = 2;
# https://wiki.hyprland.org/Configuring/Variables/#variable-types for info about colors
"col.active_border" = "rgba(33ccffee) rgba(00ff99ee) 45deg";
"col.inactive_border" = "rgba(595959aa)";
# Set to true enable resizing windows by clicking and dragging on borders and gaps
resize_on_border = true;
# Please see https://wiki.hyprland.org/Configuring/Tearing/ before you turn this on
allow_tearing = true;
layout = "dwindle";
};
decoration = {
rounding = 5;
# Change transparency of focused and unfocused windows
active_opacity = 1.0;
inactive_opacity = 0.95;
drop_shadow = true;
shadow_range = 4;
shadow_render_power = 3;
"col.shadow" = "rgba(1a1a1aee)";
# https://wiki.hyprland.org/Configuring/Variables/#blur
blur = {
enabled = true;
size = 3;
passes = 1;
vibrancy = 0.1696;
};
};
animations = {
enabled = true;
# Default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more
bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
animation = [
"windows, 1, 7, myBezier"
"windowsOut, 1, 7, default, popin 80%"
"border, 1, 10, default"
"borderangle, 1, 8, default"
"fade, 1, 7, default"
"workspaces, 1, 6, default"
];
};
# See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more
dwindle = {
pseudotile = true; # Master switch for pseudotiling. Enabling is bound to mainMod + P in the keybinds section below
preserve_split = true; # You probably want this
};
# See https://wiki.hyprland.org/Configuring/Master-Layout/ for more
master = {
new_status = "master";
};
# https://wiki.hyprland.org/Configuring/Variables/#misc
misc = {
force_default_wallpaper = -1; # Set to 0 or 1 to disable the anime mascot wallpapers
disable_hyprland_logo = false; # Enable the random hyprland logo / anime girl background. :)
};
input = {
kb_layout = "us,ru";
follow_mouse = 1;
sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
touchpad = {
natural_scroll = false;
};
};
# https://wiki.hyprland.org/Configuring/Variables/#gestures
gestures = {
workspace_swipe = false;
};
windowrulev2 = [
"suppressevent maximize, class:.*" # You'll probably like this.
"float, class:^(steam_app.*)$"
"immediate, class:^(steam_app.*)$"
"float, class:^(steam_proton.*)$"
"float,class:^(org.wezfurlong.wezterm)$"
"tile,class:^(org.wezfurlong.wezterm)$"
];
bind = [
"SUPER, Q, exec, $terminal"
"SUPER, N, exec, $fileManager"
"SUPER, R, exec, $menu"
"SUPER, X, exec, ags -t clock"
"SUPER, X, exec, ags -t control"
"SUPER, X, exec, ags -t systray"
"SUPER, X, exec, ags -t workspaces"
"SUPER, X, exec, ags -t window-title"
"SUPER, C, killactive,"
"SUPER, M, exit,"
"SUPER, V, togglefloating,"
"SUPER, F, fullscreen,"
"SUPER, J, togglesplit," # dwindle
# Move focus with mainMod + arrow keys
"SUPER, left, movefocus, l"
"SUPER, right, movefocus, r"
"SUPER, up, movefocus, u"
"SUPER, down, movefocus, d"
# Switch workspaces with mainMod + [0-9]
"SUPER, 1, workspace, 1"
"SUPER, 2, workspace, 2"
"SUPER, 3, workspace, 3"
"SUPER, 4, workspace, 4"
"SUPER, 5, workspace, 5"
"SUPER, 6, workspace, 6"
"SUPER, 7, workspace, 7"
"SUPER, 8, workspace, 8"
"SUPER, 9, workspace, 9"
"SUPER, 0, workspace, 10"
# Move active window to a workspace with mainMod + SHIFT + [0-9]
"SUPER SHIFT, 1, movetoworkspace, 1"
"SUPER SHIFT, 2, movetoworkspace, 2"
"SUPER SHIFT, 3, movetoworkspace, 3"
"SUPER SHIFT, 4, movetoworkspace, 4"
"SUPER SHIFT, 5, movetoworkspace, 5"
"SUPER SHIFT, 6, movetoworkspace, 6"
"SUPER SHIFT, 7, movetoworkspace, 7"
"SUPER SHIFT, 8, movetoworkspace, 8"
"SUPER SHIFT, 9, movetoworkspace, 9"
"SUPER SHIFT, 0, movetoworkspace, 10"
# special workspace (scratchpad)
"SUPER, S, togglespecialworkspace, magic"
"SUPER SHIFT, S, movetoworkspace, special:magic"
"SUPER, SPACE, exec, hyprctl switchxkblayout keychron-keychron-k3-pro next"
", PRINT, exec, hyprshot --freeze --mode region"
"CTRL, PRINT, exec, hyprshot --freeze --mode output"
"SUPER, H, exec, cliphist list | rofi -dmenu | cliphist decode | wl-copy"
];
# Move/resize windows with mainMod + LMB/RMB and dragging
bindm = [
"SUPER, mouse:272, movewindow"
"SUPER, mouse:273, resizewindow"
];
bindel = [
", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"
", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
];
bindl = [
", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
", XF86AudioPrev, exec, playerctl previous"
", XF86AudioPlay, exec, playerctl play-pause"
", XF86AudioNext, exec, playerctl next"
", XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n -500"
", XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n +500"
"SUPER, XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d -0.1"
"SUPER, XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d +0.1"
];
};
};
# XDG # XDG
xdg = { xdg = {
@ -384,28 +637,27 @@ in {
}; };
# Services # Services
#services.spoofdpi.enable = true; services.spoofdpi.enable = true;
#services.zapret = { services.zapret = {
# enable = true; enable = true;
# mode = "nfqws"; mode = "tpws";
# firewallType = "iptables"; firewallType = "iptables";
# disableIpv6 = true; disableIpv6 = true;
# settings = '' settings = ''
# MODE_HTTP=1 MODE_HTTP=1
# MODE_HTTP_KEEPALIVE=0 MODE_HTTP_KEEPALIVE=0
# MODE_HTTPS=1 MODE_HTTPS=1
# MODE_QUIC=1 MODE_QUIC=0
# MODE_FILTER=ipset MODE_FILTER=ipset
# TPWS_OPT="--split-http-req=method --split-pos=1 --oob" TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob"
# NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=5" INIT_APPLY_FW=1
# NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake --dpi-desync-ttl=5" '';
# NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5" filterAddresses = lib.readFile (pkgs.fetchurl {
# NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-ttl=5" url = "https://antifilter.network/download/ipsmart.lst";
# INIT_APPLY_FW=1 hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg=";
# ''; });
# filterAddressesSource = "https://antifilter.network/download/ipsmart.lst"; };
#};
# TODO: remember who use gvfs # TODO: remember who use gvfs
services.gvfs.enable = true; services.gvfs.enable = true;
@ -429,16 +681,4 @@ in {
# User-id must match above user. MPD will look inside this directory for the PipeWire socket. # User-id must match above user. MPD will look inside this directory for the PipeWire socket.
XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.l-nafaryus.uid}"; XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.l-nafaryus.uid}";
}; };
programs.kdeconnect = {
enable = true;
package = lib.mkForce pkgs.kdePackages.kdeconnect-kde;
};
programs.direnv.enable = true;
fonts.packages = with pkgs; [nerdfonts liberation_ttf];
programs.steam.enable = true;
systemd.extraConfig = "DefaultLimitNOFILE=1048576";
} }

4
nixosConfigurations/catarina/default.nix
View File

@ -13,8 +13,6 @@
# ./services/papermc.nix # disabled # ./services/papermc.nix # disabled
./services/gitea.nix ./services/gitea.nix
./services/radio.nix ./services/radio.nix
./services/matrix.nix
./services/metrics.nix
]; ];
# Nix settings # Nix settings
@ -283,6 +281,8 @@
fzf fzf
grc grc
gcc
cachix cachix
gnupg gnupg

6
nixosConfigurations/catarina/hardware.nix
View File

@ -150,12 +150,6 @@
defaultGateway = "192.168.156.1"; defaultGateway = "192.168.156.1";
nameservers = ["192.168.156.1" "8.8.8.8"]; nameservers = ["192.168.156.1" "8.8.8.8"];
nat = {
enable = true;
externalInterface = "enp9s0";
internalInterfaces = ["ve-+"];
};
}; };
services.logind.lidSwitchExternalPower = "ignore"; services.logind.lidSwitchExternalPower = "ignore";

4
nixosConfigurations/catarina/services/gitea.nix
View File

@ -55,10 +55,6 @@
indexer = { indexer = {
REPO_INDEXER_ENABLED = true; REPO_INDEXER_ENABLED = true;
}; };
metrics = {
ENABLED = true;
};
}; };
mailerPasswordFile = config.sops.secrets."gitea/mail".path; mailerPasswordFile = config.sops.secrets."gitea/mail".path;

101
nixosConfigurations/catarina/services/matrix.nix
View File

@ -1,101 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
services.conduit = {
enable = true;
settings.global = {
allow_registration = true;
server_name = "elnafo.ru";
address = "127.0.0.1";
database_backend = "sqlite";
well_known.client = "https://matrix.elnafo.ru";
well_known.server = "matrix.elnafo.ru:443";
turn_uris = ["turn:elnafo.ru?transport=udp" "turn:elnafo.ru?transport=tcp"];
};
turn_secret_file = config.sops.secrets.turn-secret.path;
};
services.nginx = {
virtualHosts."matrix.elnafo.ru" = {
forceSSL = true;
http2 = true;
useACMEHost = "elnafo.ru";
locations."/" = {
proxyPass = "http://127.0.0.1:6167";
extraConfig = ''
proxy_http_version 1.0;
client_max_body_size 50M;
'';
};
};
virtualHosts."element.elnafo.ru" = {
forceSSL = true;
http2 = true;
useACMEHost = "elnafo.ru";
root = pkgs.element-web.override {
conf = {
default_theme = "dark";
default_server_name = "matrix.elnafo.ru";
brand = "Elnafo Matrix";
permalink_prefix = "https://element.elnafo.ru";
};
};
};
virtualHosts."matrix-federation" = {
serverName = "elnafo.ru";
forceSSL = true;
useACMEHost = "elnafo.ru";
listen = [
{
port = 8448;
addr = "0.0.0.0";
ssl = true;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."~ ^/(_matrix|.well_known)" = {
proxyPass = "http://127.0.0.1:6167";
extraConfig = ''
proxy_http_version 1.0;
client_max_body_size 50M;
'';
};
};
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets.coturn-secret.path;
realm = "elnafo.ru";
cert = "${config.security.acme.certs."elnafo.ru".directory}/full.pem";
pkey = "${config.security.acme.certs."elnafo.ru".directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
'';
};
networking.firewall = {
allowedUDPPortRanges = lib.singleton {
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
};
allowedUDPPorts = [3478 5349];
allowedTCPPorts = [8448 3478 5349];
};
}

123
nixosConfigurations/catarina/services/metrics.nix
View File

@ -1,123 +0,0 @@
{
config,
pkgs,
...
}: {
services.grafana = {
enable = true;
settings.server = {
domain = "grafana.elnafo.ru";
http_port = 2342;
http_addr = "127.0.0.1";
};
};
services.prometheus = {
enable = true;
port = 9090;
globalConfig.scrape_interval = "10s"; # "1m"
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9092;
};
};
scrapeConfigs = [
{
job_name = "catarina";
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
services.loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
};
common = {
ring = {
instance_addr = "127.0.0.1";
kvstore = {
store = "inmemory";
};
};
replication_factor = 1;
path_prefix = "/tmp/loki";
};
schema_config = {
configs = [
{
from = "2020-05-15";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
filesystem = {
directory = "/tmp/loki/chunks";
};
};
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 0;
};
clients = [
{
url = "http://127.0.0.1:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "catarina";
};
};
relabel_configs = [
{
source_labels = [
"__journal__systemd_unit"
];
target_label = "unit";
}
];
}
];
};
};
services.nginx = {
virtualHosts."grafana.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
};
};
};
}

133
nixosConfigurations/catarina/services/radio.nix
View File

@ -1,39 +1,19 @@
{config, ...}: { {config, ...}: {
containers = {
radio-synthwave = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.231.136.1";
localAddress = "10.231.136.2";
bindMounts = {
"/var/lib/music" = {
hostPath = "/home/l-nafaryus/Music";
isReadOnly = true;
};
};
config = {
config,
pkgs,
lib,
...
}: {
services.mpd = { services.mpd = {
enable = true; enable = true;
musicDirectory = "/var/lib/music"; musicDirectory = "/home/l-nafaryus/Music";
network.listenAddress = "any"; network.listenAddress = "any";
#network.startWhenNeeded = true; network.startWhenNeeded = true;
user = "mpd"; user = "l-nafaryus";
network.port = 6600;
extraConfig = '' extraConfig = ''
audio_output { audio_output {
type "httpd" type "httpd"
name "Radio" name "Radio"
port "6660" port "6666"
bind_to_address "127.0.0.1"
encoder "lame" encoder "lame"
max_clients "0" max_clients "0"
website "https://radio.elnafo.ru/synthwave" website "https://radio.elnafo.ru"
always_on "yes" always_on "yes"
tags "yes" tags "yes"
bitrate "128" bitrate "128"
@ -42,106 +22,11 @@
''; '';
}; };
system.stateVersion = "24.05";
networking.firewall = {
enable = true;
allowedTCPPorts = [6600 6660];
};
};
};
radio-non-stop-pop = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.231.136.1";
localAddress = "10.231.136.3";
bindMounts = {
"/var/lib/music" = {
hostPath = "/home/l-nafaryus/Music";
isReadOnly = true;
};
};
config = {
config,
pkgs,
lib,
...
}: {
services.mpd = {
enable = true;
musicDirectory = "/var/lib/music";
network.listenAddress = "any";
#network.startWhenNeeded = true;
user = "mpd";
network.port = 6601;
extraConfig = ''
audio_output {
type "httpd"
name "Radio"
port "6661"
encoder "lame"
max_clients "0"
website "https://radio.elnafo.ru/non-stop-pop"
always_on "yes"
tags "yes"
bitrate "128"
format "44100:16:1"
}
'';
};
system.stateVersion = "24.05";
networking.firewall = {
enable = true;
allowedTCPPorts = [6601 6661];
};
};
};
};
services.elnafo-radio = {
enable = true;
base = {
title = "// Elnafo Radio //";
meta = [
["author" "L-Nafaryus"]
["discord" "https://discord.gg/ZWUChw5wzm"]
["git" "https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio"]
["matrix" "https://matrix.to/#/#elnafo:elnafo.ru"]
];
};
stations = [
{
id = "synthwave";
name = "Synthwave";
host = "10.231.136.2";
port = 6600;
url = "https://radio.elnafo.ru/synthwave";
status = "Receive";
genre = "synthwave, dark synthwave";
}
{
id = "non-stop-pop";
name = "Non-Stop-Pop";
host = "10.231.136.3";
port = 6601;
url = "https://radio.elnafo.ru/non-stop-pop";
status = "Online";
location = "Los Santos";
genre = "pop, r&b, dance music";
}
];
};
services.nginx.virtualHosts."radio.elnafo.ru" = { services.nginx.virtualHosts."radio.elnafo.ru" = {
forceSSL = true; forceSSL = true;
useACMEHost = "elnafo.ru"; useACMEHost = "elnafo.ru";
locations."/".proxyPass = "http://127.0.0.1:54605"; locations."/synthwave".proxyPass = "http://127.0.0.1:6666";
locations."/synthwave".proxyPass = "http://10.231.136.2:6660";
locations."/non-stop-pop".proxyPass = "http://10.231.136.3:6661";
}; };
networking.firewall.allowedTCPPorts = [config.services.mpd.network.port];
} }

1
nixosConfigurations/default.nix
View File

@ -22,7 +22,6 @@
catarina = lib.nixosSystem { catarina = lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = with inputs; [ modules = with inputs; [
elnafo-radio.nixosModules.elnafo-radio
nixos-mailserver.nixosModules.mailserver nixos-mailserver.nixosModules.mailserver
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
oscuro.nixosModules.oscuro oscuro.nixosModules.oscuro

7
nixosModules/default.nix
View File

@ -10,9 +10,7 @@
./services/papermc.nix ./services/papermc.nix
./services/qbittorrent-nox.nix ./services/qbittorrent-nox.nix
./services/spoofdpi.nix ./services/spoofdpi.nix
# ISSUE: collision with nixos module zapret ./services/zapret.nix
#./services/zapret.nix
./services/conduit.nix
]; ];
configModule = { configModule = {
@ -26,7 +24,6 @@
# extra arguments # extra arguments
_module.args = { _module.args = {
bonPkgs = self.packages.${pkgs.system}; bonPkgs = self.packages.${pkgs.system};
bonLib = lib.mkDefault bonLib;
}; };
}; };
}; };
@ -47,7 +44,7 @@
... ...
}: { }: {
# collect all modules # collect all modules
imports = moduleList ++ [configModule]; imports = importedModules;
}; };
in in
lib.listToAttrs ( lib.listToAttrs (

50
nixosModules/misc/bonfire/secrets/catarina.yaml
View File

@ -1,24 +1,22 @@
dns: ENC[AES256_GCM,data:x2oHP6nGHnPl5WblPHRcBDQCkhj8FZnr5r+cBdaHyrPKxI71ECYmno/ItV/0opj0eGYamQjrVJkuZBGcQlXMMn9Hp4ImjByaX/zqYrdIjSY2B24h8kvnblsXjF6SlA==,iv:QRbiqpCwQ41pfmn3wwNITWdoMI9FzxShsG+fR5lAbl4=,tag:Rknw+qwLZ8No806ek+2zmQ==,type:str] dns: ENC[AES256_GCM,data:KIcegw69ZEVY1VnSktZMMjaRhCJVCHn7BCAKvfR/iXs5AseDLVC025WRAy92UuuVYPwBvdHgRQUg8I6lrfr7RTHJooANHUK8D79c2+sAI/KsUw2ENh1tVgdW2A4enQ==,iv:12yEf+u0Ky0vktAfpAuG28mRSKDLyWlWHJ+9EPYqI4w=,tag:9MKTsAUfvzEyEzTd6ba/Jg==,type:str]
users: users:
root: ENC[AES256_GCM,data:NIWAU+rCD7ShRU+ZMWw7D1XlNdhL9iwu6MP53edBFeCdSaiA91uS/n4MDgoQkao3sIE6zl5k/jht8GigZLSbjlj9iGhe3sTngg==,iv:hjimz2SsXf0nNgGhkDx97sg8iWBrne75KSbJLtJUf3k=,tag:4wfCpXew/OtTDZLIQk3cFA==,type:str] root: ENC[AES256_GCM,data:nZpmZM0Ws9mVujJhqPKfSJwIqit23pc2TlF6k4iGEzQvf2iROyWN/+b212d/LiAWOoVl3tRkt7EcOiLsLu51DJnQtCGOWGcF5w==,iv:hbNMqy+OxbHsh77zT6a2Yb1lUXwVRvRF1PhSO/15keE=,tag:oe/Y2fWKHNiRamuhY+3xYQ==,type:str]
l-nafaryus: ENC[AES256_GCM,data:xXRQH92Hi0qO31pxmlHNLG+fHJRsAFgEs1a1APwNsGRZEVV5UB+ijK1S8dThFN+gnlcLb/gLlypFiK8Vzd7/kCOMyaJYtXJChg==,iv:AgE2X3iUAA/U8YmPawcONvWcxgBDkRdVvye4dTSIBd4=,tag:kkwiaSymObztQTjcfno1DA==,type:str] l-nafaryus: ENC[AES256_GCM,data:RJXjIcSWrG00IqneQVBpvPayVZ/mFNZ16digWF/GaNNGYy+bDPYkglTiMdy5/xfah8BMrwmfID4PKyEBtMiIEx8VlV55N+hJyg==,iv:noFYBRrWMg7dxqAbVuT7uOCK4mQk4U29kiECJLb6QCQ=,tag:dZs6TC8kI9ioRYfhcceT+Q==,type:str]
database: database:
git: ENC[AES256_GCM,data:noMvwTPWZWb79JtoEh0FLuXotVAXTX51QLcRfmjwxVg=,iv:EMiKZvMNhxpe2gARJ7BUrJFVM3ap/gMhJaRnKEJ7lX8=,tag:y+TAUHijY0NCvlwdg1fS1w==,type:str] git: ENC[AES256_GCM,data:g5Fnb9R/LnKrB6rDQ0ss0wu9SZu7433xfUIzJQKG3SA=,iv:MHEclxa1ldE51hNe0zHsVv5BPdN5RELlkHgZGXxSdTo=,tag:zzKNB0/RehFPrhFQMi/g9w==,type:str]
mail: mail:
l-nafaryus: ENC[AES256_GCM,data:0PKuC3fI8gGOg99DtyF84neRRnr1P7cqKti8XSjHUurb4CyLG01+aCzABBJzcAs05oQMjiLbAj0prj6Q,iv:m4PzJ5hJqyyLmNss8/CckrBhDe3HC3HVTCbCvhZf93Y=,tag:uKiZLlmQzuO7mcGhQb3/og==,type:str] l-nafaryus: ENC[AES256_GCM,data:8JGjpQxcytZhfYT2JFUspufCnwCISbzBbaY2gN8WpSrlSlhIxVBkcdFnuGl3EJ6kABFX3lEGZomVNtay,iv:9l/x5xiDvkJ8QeqK7LTtQ/nxTckMGTkgujSDLtfWMZM=,tag:6qVUxjgs6QB+MQwog1fksw==,type:str]
git: ENC[AES256_GCM,data:YxU4Ws+yHgv5RsluX6BhpEnGBiDWZmIx+D8uD7oZr+v18tCSX27mI+T0t4IycPli4SLHUQR4PjGmnJao,iv:yHPkp1QmRWj4Nj4isIYtpe0ROSVLK9biBWJb81P5aew=,tag:+FJ6l4P7onUhKejYVq25Hg==,type:str] git: ENC[AES256_GCM,data:w6odytyieDSJCRdf6og7rX1274Xtd3Mn+Eg5tPFjQv3pN/OVJ1fRk7nGFmHlKqR2VEtUVFHyZHKW4J7+,iv:Lo9yyCNvBxUOlxhLo4PFfT7eZrwZ3d6Yue2U8MBlTfM=,tag:T41aErdaYDI6ns20EBOwyw==,type:str]
kirill: ENC[AES256_GCM,data:erI0exQOi8JccOQVkWIt8zwvrm45Yrt1MNccBYO2oE5eEuXmeDU7uL92U4h+rDH+NojYpVjl1IaRAyU5,iv:kRvqVs70OzXLOBpZ/bfN0TQMdhqV6RAzQiszPQ4ZIwM=,tag:1whNxpchBdzOiVxCwYAzFA==,type:str] kirill: ENC[AES256_GCM,data:ZBFfZufBdRRaeXUWiISVPxGvou78kNn+U1nYSBJ7OR6IqyvZMec+/s3+dDiwySOJ58EYCCqUZ7pq05U0,iv:r+mHKvxfI32Y/AHVN0AQqj3OqkxECuU6LIFNzmGvZ5s=,tag:gJsG2pa2k4gBTD294DuNWg==,type:str]
gitea: gitea:
mail: ENC[AES256_GCM,data:RwQY3sOfcZMTWbvK5NWOprTSKTY5Fn/cECCh1MRC,iv:KjiYDiqmMO8u3m2VArdAva937cqfqNHKKMUkvnpDtkU=,tag:OpkSgrs8Rrz+XG5Q3tw+QQ==,type:str] mail: ENC[AES256_GCM,data:LFYWpjHPcu6CQgcUEVcFA0ewZRjzA36wsoATnVGj,iv:Jqn1+6xa+wdkmdG2z9b8jf4DzCqF0I0YSctbiMN2tKw=,tag:aQQJG9STQmnAu+Dp9lj6cg==,type:str]
gitea-runner: gitea-runner:
master-token: ENC[AES256_GCM,data:VbOnxgDr8Ni0NTdJvnwnppY3Q+/bev7IoVhxTpjGAphxh0tieCPfbnBJweav+l8dtQ==,iv:FzB5h/O0GSeBv1ZzE/zojWR2C6RR90NsxYddreVSmU0=,tag:c1WDgG9BlzvXaf+afzZW5g==,type:str] master-token: ENC[AES256_GCM,data:hZc+sti6I1j3EQQc/wRb5exg0yO6+wq0NCdUJ6FN/wpwyhfWPdEJ5eWw+3bAsEpxdQ==,iv:uJXhf5DZtk1LROyfw8bn5ZjN329LbZyTlaSPMvzeNXs=,tag:IeGUODEvfELc2YS+TUP7/g==,type:str]
papermc: papermc:
rcon: ENC[AES256_GCM,data:h9DqMN3MAS2X,iv:M72Ku0n1BTaj9TuHmpj+xBcE/6nJvHWKB87HZ3pUKyE=,tag:QRN8e/SXKv0VGyOf9Fq49Q==,type:str] rcon: ENC[AES256_GCM,data:t6EjQmR+7l9x,iv:Vg3Ht/FNDUSkpRcP4c3hR/GzXMFMH/uD1wkPGn/OyKQ=,tag:++OEAYFK2qE4gM/XMSGH+g==,type:str]
discordToken: ENC[AES256_GCM,data:dII/1MKdUt/gjl6j+0mIyy0e03BmRwFPBle4fCx5ZYFjQ6zy9ByjFwVYKS8LlXTaPZQGknTBg0QHypRjE3XFW5uzvfp0OfTYm0o=,iv:bSkp6dKYeOuei9OkshO89ihfGMpRXE+8vb0iXEEkv0I=,tag:ICCUF/l8vJfzb/hgF9AYsg==,type:str] discordToken: ENC[AES256_GCM,data:oRNbi3uDJClyRJgKycvJAt+2ZPT3hU9AVGmB1XMGqObz6O0DpdBlsmSCbwXwhvD2U0cMLUx7fdehdDUXTnk5qLR/eBSwD/k0+0U=,iv:WXRo7iSRn+/4oeHuuEhQsDNrxw1pWt21GDLeinVOmV0=,tag:IHWpKGlkmHwDI7j9MHTbtg==,type:str]
nix-store: nix-store:
cache-key: ENC[AES256_GCM,data:wEp8XH18N5P+h8EMognt93/VwXVF5/sxvEOrGzba/iK1W4nVZM8pStGAP0wI593MEB7Vobw+slWj4I3wwRJjOpDsK4EsgROUBein84Gn9uqk/liCEqjSAqZkktv4yX5p3dETZw+Ojak=,iv:oVKBfzJP8il3N6lH4JmaPaHSaqkUfmsM6cr+xumjAdE=,tag:+Gj9CzpoQknT+i6xAPZ7dg==,type:str] cache-key: ENC[AES256_GCM,data:SH0lBYa6ELoraxKmWo+hb3+rFRjFbVm1mj0YiVKUua5pVnC8Weihk4haTJZ1zShc3ADuinyHD/Ns+576bajWoE5jSGHXlgWQ8P+5fMZ0BkmZEuP5kooWRBk5t1aZilM3LJavwsYiE6E=,iv:KpwDXIXtaiNgVgcUQJJOnA+YLXVhJwILeq2dX1XkXgo=,tag:4kTemsodW0bhW9joQAPzhA==,type:str]
matrix:
coturn-secret: ENC[AES256_GCM,data:BWYo08cS4oAYk7aK5yKT7xWkcxhOhxi3mZzl//xB/IqJ70x4ggGoiVudTxE=,iv:4YYWyxnwR1KcpjTNwvzrGWWVobr3LM6H6l/1/fbBQE4=,tag:qmXc+tzYKJR6hErgurx97Q==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -28,23 +26,23 @@ sops:
- recipient: age1u9xr3tmwskfsrxg6gus3hmh9eakjh2h22jklfmcu33kassaraues435vvc - recipient: age1u9xr3tmwskfsrxg6gus3hmh9eakjh2h22jklfmcu33kassaraues435vvc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVmZiM3RqVkphSm5aV0E5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvajllWmw2U2U3eDFvY0Uw
ZW56NjEvdEFyQmI1NlEwaHNYOWN4aEp0bDN3CmcyTDY3QzJLSk5MSXZ4T0xONG5D S09kTGV1RDZVTU42QmlOZXcwWFl2RWNQeldRCklsSERCUUJKS1BNbkt4MWtoWFl3
NXRQejQrSlRWSHBQbnhVVVY5SGdmQzAKLS0tIGJWRWlPbVVicWhXcm1wMnBjbGpB ZG9BVUFoQ1h5ZGlFelNzMEtIQmliTjgKLS0tIHZCWFBHUEw2TE9Yc0tZemtkUkNN
aXFvYzkvUDV6RTZTdzViZkVmeHY1MUkKoxyI003op6VxqTNFApFoAzIA1KwvKD51 eXgrOTk1S0tDWWpHUkIveWZZdlYvMTQKyZMAYr6n5figUX2YUAAA37nxA5r1tyXh
hjBPkP9e1B3fRWZXysva51G/Y2zc6ylv17qPE5TjaVw9OS2WqTQNWA== F7/l2T4R+cXq3Oywf5EtezOMdl9Xprk0ZoubzT55p0TPtYwCNk6Chg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wyz7cfldqe9hh8qyw2qm42hkq9s7qdwqnrnv0u3s6vstv9649v0sh0z4em - recipient: age1wyz7cfldqe9hh8qyw2qm42hkq9s7qdwqnrnv0u3s6vstv9649v0sh0z4em
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eGVWZnVUMUdyNys4cUFv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSkt5NG4wdGVwMDlpMFhv
czl4THRPOFN6RXl1d3hoUlMzVittUmtjMGl3CnlCOElNVitLdXJQbmMxNTROdHRz Vm56L1owRXJ2RTBhUVZ2aXpVVUVrZDV6M0FNCmYxTlNrQko0SmorWUV3VnRkOENK
MFl6NmxHWEY3anFsUkxpWGZHZ21iZ2sKLS0tIG1UT0VpaDBRNUpSY2lDcTRJMHpT RDJzQkk0dVA0UVdDWEtxRDJEZFpSWVUKLS0tIGc1NFUzb1dhWUZlQWdpNFA4ZC9J
ZnlzMlFUcEx5bHltdlg5ODVMVFNHNW8K7x38gdL5sbNLqTXdCxIHuX+yIy+XX8Vi cFBmaUV4SWx3K21UUDA2YlBVY1NCazgK080jE+EELtQf8PmlaZs4RR+gjJEeEiTn
x90Ltb5GOAMkd6qzgup3bWuQazpZ/Gj25f6ql7L2Oenlw8/8S9vbeQ== wwZXV8ufOGtLLwFtYlm8pdMXDtVrBywcRdzSo6/e73Y+GFxulTIFCQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-09T07:20:47Z" lastmodified: "2024-08-05T17:43:22Z"
mac: ENC[AES256_GCM,data:fJ86HMwKQmbSTsAWAKC1cGxDqwkddTGHfFjQMa74RVxNh+yFlD+gEHFV2GKTRVji8kEUlp4qXqwtKnJ9Fx5zw0P1LHuCE9Q4j1Cxgs/j7XFTNMTvpt/8sVR1YC77Qp9LDwDxdDQK0GV4Z3BzoqjM20BHRbTWtCSyoNRmBP6Wcg8=,iv:BptqL9qXcyc5SaGvPMfUWDd0b22Viy5LJElbNGhpDYQ=,tag:jHMETvWq9IOCk+z63Dntpg==,type:str] mac: ENC[AES256_GCM,data:OMwzBcK+KEaxZNTxCnlhDmm9efUkOtMk7vZUfxV9bCny80CdQhp9dD9a9bRPwn+lzgTj3CZLhLAubB3Eh01dqrbZ3DQt/p6xFQ54kCX0a18AHVSIrDcYQNez0MLcOI56RvJDofsO5Dh3i2sFXZ/gaxEjPBQPxlbH1KOrjCm480w=,iv:70i/TOlDF8Vru5FBu0fVb9IkG+Fg83zqcrcuyiHEHBc=,tag:A5qPz8KQl33Z5uHzMlTA0Q==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

12
nixosModules/misc/bonfire/secrets/default.nix
View File

@ -42,18 +42,6 @@
group = "nix-serve"; group = "nix-serve";
mode = "0600"; mode = "0600";
}; };
coturn-secret = lib.mkIf config.services.coturn.enable {
owner = "turnserver";
group = "turnserver";
key = "matrix/coturn-secret";
};
turn-secret = lib.mkIf config.services.conduit.enable {
owner = "conduit";
group = "conduit";
key = "matrix/coturn-secret";
};
}; };
}; };

223
nixosModules/services/conduit.nix
View File

@ -1,223 +0,0 @@
{
config,
lib,
pkgs,
bonLib,
...
}:
with lib; let
cfg = config.services.conduit;
format = pkgs.formats.toml {};
configFile = pkgs.writeText "config.toml" ''
${bonLib.toTOML {global = cfg.settings.global // lib.optionals (cfg.turn_secret_file != null) {turn_secret = "#turn_secret#";};}}
'';
in {
options.services.conduit = {
enable = mkEnableOption "conduit";
extraEnvironment = mkOption {
type = types.attrsOf types.str;
description = "Extra Environment variables to pass to the conduit server.";
default = {};
example = {RUST_BACKTRACE = "yes";};
};
package = mkOption {
type = types.package;
default = pkgs.matrix-conduit;
defaultText = literalExpression "pkgs.matrix-conduit";
description = "The package to use.";
};
turn_secret_file = mkOption {
type = types.nullOr types.path;
default = null;
description = "The path to the file with TURN secret.";
};
settings = mkOption {
type = types.submodule {
#freeformType = format.type;
options = {
global.server_name = mkOption {
type = types.str;
example = "example.com";
description = "The server_name is the name of this server. It is used as a suffix for user # and room ids.";
};
global.port = mkOption {
type = types.port;
default = 6167;
description = "The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port";
};
global.max_request_size = mkOption {
type = types.ints.positive;
default = 20000000;
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
};
global.allow_registration = mkOption {
type = types.bool;
default = false;
description = "Whether new users can register on this server.";
};
global.allow_encryption = mkOption {
type = types.bool;
default = true;
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
};
global.allow_federation = mkOption {
type = types.bool;
default = true;
description = ''
Whether this server federates with other servers.
'';
};
global.trusted_servers = mkOption {
type = types.listOf types.str;
default = ["matrix.org"];
description = "Servers trusted with signing server keys.";
};
global.address = mkOption {
type = types.str;
default = "::1";
description = "Address to listen on for connections by the reverse proxy/tls terminator.";
};
global.database_path = mkOption {
type = types.str;
default = "/var/lib/conduit/";
readOnly = true;
description = ''
Path to the conduit database, the directory where conduit will save its data.
Note that due to using the DynamicUser feature of systemd, this value should not be changed
and is set to be read only.
'';
};
global.database_backend = mkOption {
type = types.enum ["sqlite" "rocksdb"];
default = "sqlite";
example = "rocksdb";
description = ''
The database backend for the service. Switching it on an existing
instance will require manual migration of data.
'';
};
global.allow_check_for_updates = mkOption {
type = types.bool;
default = false;
description = ''
Whether to allow Conduit to automatically contact
<https://conduit.rs> hourly to check for important Conduit news.
Disabled by default because nixpkgs handles updates.
'';
};
global.well_known.client = mkOption {
type = types.nullOr types.str;
default = null;
description = "The URL that clients should use to connect to Conduit.";
};
global.well_known.server = mkOption {
type = types.nullOr types.str;
default = null;
description = "The hostname and port servers should use to connect to Conduit.";
};
global.turn_uris = mkOption {
type = types.listOf types.str;
default = [];
description = "The TURN URIs.";
};
global.turn_secret = mkOption {
type = types.nullOr types.str;
default = null;
description = "The TURN secret.";
};
global.turn_ttl = mkOption {
type = types.int;
default = 86400;
description = "The TURN TTL in seconds.";
};
};
};
default = {};
description = ''
Generates the conduit.toml configuration file. Refer to
<https://docs.conduit.rs/configuration.html>
for details on supported values.
Note that database_path can not be edited because the service's reliance on systemd StateDir.
'';
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.settings.global.turn_secret != null -> cfg.turn_secret_file == null;
message = "settings.global.turn_secret and turn_secret_file cannot be set at the same time";
}
];
users.users.conduit = {
description = "Conduit service user.";
isSystemUser = true;
group = "conduit";
};
users.groups.conduit = {};
systemd.services.conduit = let
runConfig = "/run/conduit/config.toml";
in {
description = "Conduit Matrix Server";
documentation = ["https://gitlab.com/famedly/conduit/"];
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
environment = mkMerge [
{CONDUIT_CONFIG = runConfig;}
cfg.extraEnvironment
];
preStart = ''
cat ${configFile} > ${runConfig}
${lib.optionalString (cfg.turn_secret_file != null) ''
${pkgs.replace-secret}/bin/replace-secret \
"#turn_secret#" \
${cfg.turn_secret_file} \
${runConfig}
''}
chmod 640 ${runConfig}
'';
serviceConfig = {
User = "conduit";
LockPersonality = true;
MemoryDenyWriteExecute = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
StateDirectory = "conduit";
StateDirectoryMode = "0700";
RuntimeDirectory = "conduit";
ExecStart = "${cfg.package}/bin/conduit";
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
};
};
systemd.tmpfiles.rules = [
"d /run/conduit 0700 conduit conduit - -"
];
};
}

57
nixosModules/services/zapret.nix
View File

@ -101,30 +101,14 @@ in {
description = "List of addresses to ignore"; description = "List of addresses to ignore";
}; };
dataDir = mkOption { # TODO: add filter and anti filter options with optional file paths
type = types.path; # TODO ipset hashsize and maxelem
default = "/var/lib/zapret";
description = ''
Directory to store zapret files and antifilter lists.
'';
};
filterAddressesSource = mkOption {
type = types.nullOr types.str;
default = null;
example = ''https://antifilter.network/download/ipsmart.lst'';
description = "Link to external list of addresses to download and use.";
};
# TODO: ipset hashsize and maxelem
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.tpws = { users.users.tpws = {
isSystemUser = true; isSystemUser = true;
group = "tpws"; group = "tpws";
home = cfg.dataDir;
createHome = true;
}; };
users.groups.tpws = {}; users.groups.tpws = {};
@ -142,8 +126,6 @@ in {
) )
gawk gawk
ipset ipset
wget
curl
]; ];
serviceConfig = { serviceConfig = {
@ -151,11 +133,10 @@ in {
Restart = "no"; Restart = "no";
TimeoutSec = "30sec"; TimeoutSec = "30sec";
IgnoreSIGPIPE = "no"; IgnoreSIGPIPE = "no";
#KillMode = "none"; KillMode = "none";
GuessMainPID = "no"; GuessMainPID = "no";
RemainAfterExit = "no"; RemainAfterExit = "no";
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/zapret start"; ExecStart = "${cfg.package}/bin/zapret start";
ExecStop = let ExecStop = let
stop_script = pkgs.writeShellScriptBin "zapret-stop" '' stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
@ -176,25 +157,37 @@ in {
DISABLE_IPV6=${toString cfg.disableIPV6} DISABLE_IPV6=${toString cfg.disableIPV6}
'' ''
]); ]);
# hardening
DevicePolicy = "closed";
KeyringMode = "private";
PrivateTmp = true;
PrivateMounts = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
}; };
preStart = let preStart = let
zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src); # zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart));
nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src); zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses);
nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
in '' in ''
${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -! ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush zapret ipset flush zapret
ipset restore -! < ${ ipset restore -! < ${zapretListFile}
if (cfg.filterAddressesSource != null)
then "${cfg.dataDir}/zapretList"
else (zapretListFile cfg.filterAddresses)
}
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -! ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush nozapret ipset flush nozapret
ipset restore -! < ${nozapretListFile cfg.ignoreAddresses} ipset restore -! < ${nozapretListFile}
''; '';
}; };
}; };

13
packages/blender/default.nix Normal file
View File

@ -0,0 +1,13 @@
{
bonLib,
lib,
pkgs,
...
}:
(pkgs.blender.override {cudaSupport = true;}).overrideAttrs (old: {
meta =
old.meta
// {
description = old.meta.description + " (CUDA enabled)";
};
})

17
packages/default.nix
View File

@ -83,12 +83,17 @@ in
# Pass for cache # Pass for cache
# ISSUE: attribute 'targetPlatforms' missing blender = {
#wezterm = { source = ./blender;
# source = ./wezterm; platforms = ["x86_64-linux"];
# platforms = ["x86_64-linux"]; builder = {...}: import;
# builder = {...}: import; };
#};
wezterm = {
source = ./wezterm;
platforms = ["x86_64-linux"];
builder = {...}: import;
};
# Container images # Container images

106
packages/wezterm/default.nix
View File

@ -1,16 +1,108 @@
{ {
bonLib,
craneLib,
lib, lib,
weztermPkgs, pkgs,
version ? "2d0c5cddc91a9c59aef9a7667d90924e7cedd0ac",
hash ? "sha256-ZsDJQSUokodwFMP4FIZm2dYojf5iC4F/EeKC5VuQlqY=",
... ...
}: }: let
weztermPkgs.default.overrideAttrs (old: { src = pkgs.fetchFromGitHub {
owner = "wez";
repo = "wezterm";
rev = version;
hash = hash;
fetchSubmodules = true;
};
terminfo =
pkgs.runCommand "wezterm-terminfo"
{
nativeBuildInputs = [pkgs.ncurses];
} ''
mkdir -p $out/share/terminfo $out/nix-support
tic -x -o $out/share/terminfo ${src}/termwiz/data/wezterm.terminfo
'';
pkg = {
pname = "wezterm"; pname = "wezterm";
inherit version;
meta = inherit src;
old.meta
// { strictDeps = true;
doCheck = false;
nativeBuildInputs = with pkgs; [
installShellFiles
ncurses # tic for terminfo
pkg-config
python3
];
buildInputs = with pkgs; [
fontconfig
pkgs.zlib
libxkbcommon
openssl
wayland
cairo
xorg.libX11
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilwm # contains xcb-ewmh among others
];
libPath = lib.makeLibraryPath (with pkgs; [
xorg.xcbutilimage
libGL
vulkan-loader
]);
postPatch = ''
echo ${version} > .tag
# tests are failing with: Unable to exchange encryption keys
# rm -r wezterm-ssh/tests
'';
preFixup = lib.optionalString pkgs.stdenv.isLinux ''
patchelf \
--add-needed "${pkgs.libGL}/lib/libEGL.so.1" \
--add-needed "${pkgs.vulkan-loader}/lib/libvulkan.so.1" \
$out/bin/wezterm-gui
'';
postInstall = ''
mkdir -p $out/nix-support
echo "${terminfo}" >> $out/nix-support/propagated-user-env-packages
install -Dm644 assets/icon/terminal.png $out/share/icons/hicolor/128x128/apps/org.wezfurlong.wezterm.png
install -Dm644 assets/wezterm.desktop $out/share/applications/org.wezfurlong.wezterm.desktop
install -Dm644 assets/wezterm.appdata.xml $out/share/metainfo/org.wezfurlong.wezterm.appdata.xml
install -Dm644 assets/shell-integration/wezterm.sh -t $out/etc/profile.d
installShellCompletion --cmd wezterm \
--bash assets/shell-completion/bash \
--fish assets/shell-completion/fish \
--zsh assets/shell-completion/zsh
install -Dm644 assets/wezterm-nautilus.py -t $out/share/nautilus-python/extensions
'';
meta = with lib; {
homepage = "https://github.com/wez/wezterm"; homepage = "https://github.com/wez/wezterm";
description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust"; description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust";
license = lib.licenses.mit; license = lib.licenses.mit;
maintainers = with bonLib.maintainers; [L-Nafaryus];
platforms = platforms.x86_64;
mainProgram = "wezterm";
}; };
}) };
in let
cargoArtifacts = craneLib.buildDepsOnly pkg;
in
craneLib.buildPackage (
pkg // {inherit cargoArtifacts;}
)