Compare commits


15 Commits

25a4c9af9c
flake: update lock
All checks were successful
nix / check (push) Successful in 2m59s
astora: exclude hyprland and some tools for kde expansion
lib.preconfiguredModules: common nixos configurations
lib.preconfiguredModules.bonvim: change python tool set, remove
deprecations
packages.wezterm: exclude from evaluation [see #8]
nixosModules.zapret: exclude from evaluation [see #9]
2024-11-03 19:06:04 +05:00
1c09a25ff6
minimizing nixosConfigurations 2024-10-21 23:22:53 +05:00
42d160ad03
remove: packages.blender
All checks were successful
nix / check (push) Successful in 3m7s
2024-10-11 17:47:40 +05:00
b1902d78d5
fix: preconfiguredModules.bonvim: deprecations
All checks were successful
nix / check (push) Successful in 3m47s
2024-10-11 16:49:39 +05:00
647c61580d
hydraJobs: exclude inscure and unfree packages
flake: update lock
2024-10-11 16:12:15 +05:00
1dc04e92b2
catarina: metrics
All checks were successful
nix / check (push) Successful in 4m46s
2024-10-10 12:43:33 +05:00
e0d0da9d8f
catarina: matrix and turn services
All checks were successful
nix / check (push) Successful in 3m24s
2024-10-09 22:40:40 +05:00
7aeff65627
new: nixosModules.conduit 2024-10-09 22:39:53 +05:00
1836d855d5
catarina: radio interface
All checks were successful
nix / check (push) Successful in 6m6s
2024-10-02 22:20:12 +05:00
44338f20c5
Revert "packages.wezterm: own derivation build (incomplete)"
All checks were successful
nix / check (push) Successful in 2m58s
This reverts commit f68d7a7e3a.
2024-09-22 22:04:39 +05:00
e3a8b6a2ab
Merge branch 'catarina-radio-service'
Some checks failed
nix / check (push) Failing after 4m30s
2024-09-22 19:49:52 +05:00
70f47e2f75
catarina: split radio services to containers + new radio station 2024-09-22 19:47:46 +05:00
aa3f2c28e0
new: lib.preconfiguredModules: hyprland, hypridle, hyprlock
All checks were successful
nix / check (push) Successful in 3m38s
2024-09-22 14:36:33 +05:00
ec11cf6a7b
nixosModules.zapret: manage filter lists only in service runtime
Some checks failed
nix / check (push) Failing after 5m4s
2024-09-21 18:30:43 +05:00
484529aaa2
catarina: try to split radio service to isolated services (incomplete) 2024-09-20 23:09:45 +05:00
33 changed files with 1704 additions and 865 deletions


@ -30,4 +30,6 @@ in
rust-x11 = import ./rust-x11.nix environment; rust-x11 = import ./rust-x11.nix environment;
go = import ./go.nix environment; go = import ./go.nix environment;
python-uv = import ./python-uv.nix environment;
}) })

8
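--- a/devShells/python-uv.nix
+++ b/devShells/python-uv.nix
@@ -0,0 +1,8 @@
+{pkgs, ...}:
+pkgs.mkShellNoCC {
+packages = with pkgs; [
+uv
+curl
+jq
+];
+}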


@ -1,5 +1,21 @@
{ {
"nodes": { "nodes": {
"advisory-db": {
"flake": false,
"locked": {
"lastModified": 1728429239,
"narHash": "sha256-k1KRRgmfKNhO9eU55FMkkzkneqAlwz5oLC5NSiEfGxs=",
"owner": "rustsec",
"repo": "advisory-db",
"rev": "acb7ce45817b13dd34cb32540ff18be4e1f3ba09",
"type": "github"
},
"original": {
"owner": "rustsec",
"repo": "advisory-db",
"type": "github"
}
},
"ags": { "ags": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -8,11 +24,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1725841979, "lastModified": 1728326430,
"narHash": "sha256-SXYqzpHPuXFR6w/cUKo3VN8XRn6XA2mGbdRXs9oLk6k=", "narHash": "sha256-tV1ABHuA1HItMdCTuNdA8fMB+qw7LpjvI945VwMSABI=",
"owner": "Aylur", "owner": "Aylur",
"repo": "ags", "repo": "ags",
"rev": "aaef50bb2c80ef4b4a359329d72669a95e7c4796", "rev": "60180a184cfb32b61a1d871c058b31a3b9b0743d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -39,11 +55,11 @@
}, },
"catppuccin": { "catppuccin": {
"locked": { "locked": {
"lastModified": 1725509983, "lastModified": 1730458408,
"narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=", "narHash": "sha256-JQ+SphQn13bdibKUrBBBznYehXX4xJrxD1ifBp6vSWw=",
"owner": "catppuccin", "owner": "catppuccin",
"repo": "nix", "repo": "nix",
"rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9", "rev": "191fbf2d81a63fad8f62f1233c0051f09b75d0ad",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +70,11 @@
}, },
"crane": { "crane": {
"locked": { "locked": {
"lastModified": 1725409566, "lastModified": 1730504891,
"narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=", "narHash": "sha256-Fvieht4pai+Wey7terllZAKOj0YsaDP0e88NYs3K/Lo=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c", "rev": "8658adcdad49b8f2c6cbf0cc3cb4b4db988f7638",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -67,7 +83,94 @@
"type": "github" "type": "github"
} }
}, },
"crane_2": {
"locked": {
"lastModified": 1728344376,
"narHash": "sha256-lxTce2XE6mfJH8Zk6yBbqsbu9/jpwdymbSH5cCbiVOA=",
"owner": "ipetkov",
"repo": "crane",
"rev": "fd86b78f5f35f712c72147427b1eb81a9bd55d0b",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"dream2nix": {
"inputs": {
"nixpkgs": [
"elnafo-radio",
"nixpkgs"
],
"purescript-overlay": "purescript-overlay",
"pyproject-nix": "pyproject-nix"
},
"locked": {
"lastModified": 1728499310,
"narHash": "sha256-6qa+IU6PaQa/swQ9wRn4J1pFprundzruJiV0aTDou/Q=",
"owner": "nix-community",
"repo": "dream2nix",
"rev": "586ff3bb752711bbf6d54475295f0da98ead5ee4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "dream2nix",
"type": "github"
}
},
"elnafo-radio": {
"inputs": {
"advisory-db": "advisory-db",
"crane": "crane_2",
"dream2nix": "dream2nix",
"fenix": "fenix",
"nix-std": "nix-std",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728643944,
"narHash": "sha256-LRlsDN/0aqEDlM0cHM5mW1FVBepvTBEsWPYijOqpTWM=",
"ref": "refs/heads/master",
"rev": "c707ca5a360242bf0ae27dd14f8c58b8624a00e5",
"revCount": 13,
"type": "git",
"url": "https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio"
},
"original": {
"type": "git",
"url": "https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio"
}
},
"fenix": { "fenix": {
"inputs": {
"nixpkgs": [
"elnafo-radio",
"nixpkgs"
],
"rust-analyzer-src": [
"elnafo-radio"
]
},
"locked": {
"lastModified": 1728542061,
"narHash": "sha256-2YAnVU67qimQGO71rCBWcv7RrRK5gYgysXe3NVomuwQ=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b135535125e24270dddddc8cfab455533492e4ad",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"fenix_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -75,11 +178,11 @@
"rust-analyzer-src": [] "rust-analyzer-src": []
}, },
"locked": { "locked": {
"lastModified": 1726813972, "lastModified": 1730529264,
"narHash": "sha256-t6turZgoSAVgj7hn5mxzNlLOeVeZvymFo8+ymB52q34=", "narHash": "sha256-5gC0y6cKXKQvumK4jOhKyjVsYqQ7EOcWKNtKB8UiP74=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "251caeafc75b710282ee7e375800f75f4c8c5727", "rev": "fff718e230e40b8202d7be6223c13492bb0010a8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -104,6 +207,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
@ -112,11 +231,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726153070, "lastModified": 1727826117,
"narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -130,11 +249,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1726560853,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -202,11 +321,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726825546, "lastModified": 1730490306,
"narHash": "sha256-HiBzfzgqojA9OjPB+vdi2o+gy4Zw/MEipuGopgGsZEw=", "narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0b052dd8119005c6ba819db48bcc657e48f401b7", "rev": "1743615b61c7285976f85b303a36cdf88a556503",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -215,6 +334,34 @@
"type": "github" "type": "github"
} }
}, },
"ixx": {
"inputs": {
"flake-utils": [
"nixvim",
"nuschtosSearch",
"flake-utils"
],
"nixpkgs": [
"nixvim",
"nuschtosSearch",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729544999,
"narHash": "sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus=",
"owner": "NuschtOS",
"repo": "ixx",
"rev": "65c207c92befec93e22086da9456d3906a4e999c",
"type": "github"
},
"original": {
"owner": "NuschtOS",
"ref": "v0.0.5",
"repo": "ixx",
"type": "github"
}
},
"libpng": { "libpng": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -232,10 +379,40 @@
"type": "github" "type": "github"
} }
}, },
"nix-std": {
"locked": {
"lastModified": 1710870712,
"narHash": "sha256-e+7MJF2gsgTBuOWv4mCimSP0D9+naeFSw9a7N3yEmv4=",
"owner": "chessai",
"repo": "nix-std",
"rev": "31bbc925750cc9d8f828fe55cee1a2bd985e0c00",
"type": "github"
},
"original": {
"owner": "chessai",
"repo": "nix-std",
"type": "github"
}
},
"nix-std_2": {
"locked": {
"lastModified": 1710870712,
"narHash": "sha256-e+7MJF2gsgTBuOWv4mCimSP0D9+naeFSw9a7N3yEmv4=",
"owner": "chessai",
"repo": "nix-std",
"rev": "31bbc925750cc9d8f828fe55cee1a2bd985e0c00",
"type": "github"
},
"original": {
"owner": "chessai",
"repo": "nix-std",
"type": "github"
}
},
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -257,11 +434,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1726755586, "lastModified": 1730200266,
"narHash": "sha256-PmUr/2GQGvFTIJ6/Tvsins7Q43KTMvMFhvG6oaYK+Wk=", "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c04d5652cfa9742b1d519688f65d1bbccea9eb7e", "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -288,11 +465,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1725762081, "lastModified": 1729973466,
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -333,11 +510,11 @@
"treefmt-nix": [] "treefmt-nix": []
}, },
"locked": { "locked": {
"lastModified": 1726846628, "lastModified": 1730499477,
"narHash": "sha256-0CH44sEwiljiN2q7eIFCvabyUm1WeEiF8ofP/z5ca0Q=", "narHash": "sha256-olt0Sx4alDxv3ko9BgbV3SsE2KQ/Tf0/Az1Fr9s2Y6U=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "3211ce356be612ae89a38c60799992bde8a47127", "rev": "356896f58dde22ee16481b7c954e340dceec340d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -349,17 +526,18 @@
"nuschtosSearch": { "nuschtosSearch": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"ixx": "ixx",
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1726816132, "lastModified": 1730337772,
"narHash": "sha256-AbB0lgc0IbzLIxj1O3cosiMNAVQak4KJtvq9q8MjHhs=", "narHash": "sha256-uTxvqDohfG85+zldO5Tf1B+fuAF8ZhMouNwG5S6OAnA=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "search", "repo": "search",
"rev": "7733a39a1321057172d87e6251ded7cdeb67171e", "rev": "4e0a7a95a3df3333771abc4df6a656e7baf67106",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -409,13 +587,56 @@
"type": "github" "type": "github"
} }
}, },
"purescript-overlay": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"elnafo-radio",
"dream2nix",
"nixpkgs"
],
"slimlock": "slimlock"
},
"locked": {
"lastModified": 1724504251,
"narHash": "sha256-TIw+sac0NX0FeAneud+sQZT+ql1G/WEb7/Vb436rUXM=",
"owner": "thomashoneyman",
"repo": "purescript-overlay",
"rev": "988b09676c2a0e6a46dfa3589aa6763c90476b8a",
"type": "github"
},
"original": {
"owner": "thomashoneyman",
"repo": "purescript-overlay",
"type": "github"
}
},
"pyproject-nix": {
"flake": false,
"locked": {
"lastModified": 1702448246,
"narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=",
"owner": "davhau",
"repo": "pyproject.nix",
"rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb",
"type": "github"
},
"original": {
"owner": "davhau",
"ref": "dream2nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"ags": "ags", "ags": "ags",
"catppuccin": "catppuccin", "catppuccin": "catppuccin",
"crane": "crane", "crane": "crane",
"fenix": "fenix", "elnafo-radio": "elnafo-radio",
"fenix": "fenix_2",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-std": "nix-std_2",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim",
@ -446,6 +667,29 @@
"type": "github" "type": "github"
} }
}, },
"slimlock": {
"inputs": {
"nixpkgs": [
"elnafo-radio",
"dream2nix",
"purescript-overlay",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688756706,
"narHash": "sha256-xzkkMv3neJJJ89zo3o2ojp7nFeaZc2G0fYwNXNJRFlo=",
"owner": "thomashoneyman",
"repo": "slimlock",
"rev": "cf72723f59e2340d24881fd7bf61cb113b4c407c",
"type": "github"
},
"original": {
"owner": "thomashoneyman",
"repo": "slimlock",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -454,11 +698,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1726524647, "lastModified": 1729999681,
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8", "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -526,11 +770,11 @@
}, },
"locked": { "locked": {
"dir": "nix", "dir": "nix",
"lastModified": 1726842683, "lastModified": 1730443872,
"narHash": "sha256-n0k/znwnDGF3CNB2GhX9NfGg02mhxOzRTMmWr2EUxFs=", "narHash": "sha256-dQG+9b/EUn+UWDjDSsje19hn3DxiDOzSGmIwsSGdqDA=",
"owner": "wez", "owner": "wez",
"repo": "wezterm", "repo": "wezterm",
"rev": "abfc0b4c3aa2d6f99c76b20c4d7bdb6d0603ac80", "rev": "0983ae90d6dfb45c5f99058e97de73a70ca9dd36",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -65,12 +65,17 @@
url = "github:wez/wezterm?dir=nix"; url = "github:wez/wezterm?dir=nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
elnafo-radio = {
url = "git+https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-std.url = "github:chessai/nix-std";
}; };
outputs = {self, ...} @ inputs: let outputs = {self, ...} @ inputs: let
lib = inputs.nixpkgs.lib; lib = inputs.nixpkgs.lib;
bonLib = import ./lib {inherit lib;}; bonLib = import ./lib {inherit lib inputs;};
bonModules = self.nixosModules; bonModules = self.nixosModules;
# no bonPkgs, it must be defined by appropriate system + skip a possible infinite recursion # no bonPkgs, it must be defined by appropriate system + skip a possible infinite recursion
in { in {
@ -86,8 +91,7 @@
nixosConfigurations = import ./nixosConfigurations {inherit lib inputs bonModules bonLib self;}; nixosConfigurations = import ./nixosConfigurations {inherit lib inputs bonModules bonLib self;};
hydraJobs = { hydraJobs = {
# filter broken packages ? packages = lib.filterAttrsRecursive (name: value: !bonLib.isBroken value && !bonLib.isInsecure value && !bonLib.isUnfree value) self.packages;
packages = lib.filterAttrsRecursive (name: value: !bonLib.isBroken value) self.packages;
}; };
templates = { templates = {
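Review bot: The new hydraJobs predicate `packages = lib.filterAttrsRecursive (name: value: !bonLib.isBroken value && !bonLib.isInsecure value && !bonLib.isUnfree value) self.packages;` drops the old `# filter broken packages ?` comment without replacing it, so the reason for skipping insecure and unfree derivations is no longer stated; a line such as `# nixpkgs refuses to evaluate broken, insecure or unfree derivations without allow* overrides, so keep them out of the job set` would carry it. The three negated calls would also read better as one helper in bonLib (e.g. `isBuildable`), since the same trio is likely wanted anywhere packages are enumerated. Separately, the `elnafo-radio` input is a bare `git+https://` URL with no `ref`, so the lock follows the remote's default branch (`refs/heads/master` per the lock section above) on every `nix flake update`; if that input should move only deliberately, add `?ref=<tag-or-branch>` or `?rev=<commit>` to the URL.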


@ -1,4 +1,8 @@
{lib, ...}: rec { {
lib,
inputs,
...
}: rec {
maintainers = import ./maintainers.nix; maintainers = import ./maintainers.nix;
nameFromPath = path: nameFromPath = path:
@ -13,9 +17,25 @@
[ [
./preconfiguredModules/bonvim.nix ./preconfiguredModules/bonvim.nix
./preconfiguredModules/homeManager ./preconfiguredModules/homeManager
./preconfiguredModules/nixos
#(import ./preconfiguredModules/bonvim.nix)
#(import ./preconfiguredModules/homeManager {inherit lib inputs;})
]); ]);
injectArgs = moduleArgs: ({
config,
pkgs,
...
}: {
config = {
# extra arguments
_module.args = moduleArgs;
};
});
isBroken = derivation: derivation ? meta && derivation.meta ? broken && derivation.meta.broken; isBroken = derivation: derivation ? meta && derivation.meta ? broken && derivation.meta.broken;
isInsecure = derivation: derivation ? meta && derivation.meta ? insecure && derivation.meta.insecure;
isUnfree = derivation: derivation ? meta && derivation.meta ? unfree && derivation.meta.unfree;
functionType = lib.types.mkOptionType { functionType = lib.types.mkOptionType {
name = "function"; name = "function";
@ -95,4 +115,7 @@
packagesList; packagesList;
in in
lib.mapAttrs (name: value: lib.mergeAttrsList value) (lib.zipAttrs evaluatedPackages); lib.mapAttrs (name: value: lib.mergeAttrsList value) (lib.zipAttrs evaluatedPackages);
# external
inherit (inputs.nix-std.lib.serde) toTOML;
} }
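Review bot: `injectArgs` binds `config` and `pkgs` in the inner module's argument set but never reads them, so the inner module can shrink to `{...}: { _module.args = moduleArgs; }` (the explicit `config = { ... }` wrapper is optional in shorthand module syntax). The new `isInsecure` and `isUnfree` repeat `isBroken`'s `x ? meta && x.meta ? flag && x.meta.flag` shape; a single `hasMetaFlag = flag: derivation: derivation ? meta && (derivation.meta.${flag} or false);` with `isBroken = hasMetaFlag "broken";` and the two siblings beside it keeps the three in step. The two commented-out `#(import ./preconfiguredModules/...)` lines in the modules list are dead and should either go or carry a note on why they are kept.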


@ -71,7 +71,7 @@
settings.system_clipboard.sync_with_ring = true; settings.system_clipboard.sync_with_ring = true;
}; };
extraPlugins = with pkgs.vimPlugins; [nvim-web-devicons]; plugins.web-devicons.enable = true;
diagnostics = { diagnostics = {
underline = true; underline = true;
@ -152,6 +152,7 @@
# UI # UI
plugins.noice = { plugins.noice = {
enable = true; enable = true;
settings = {
lsp.override = { lsp.override = {
"cmp.entry.get_documentation" = true; "cmp.entry.get_documentation" = true;
"vim.lsp.util.convert_input_to_markdown_lines" = true; "vim.lsp.util.convert_input_to_markdown_lines" = true;
@ -161,6 +162,7 @@
long_message_to_split = true; long_message_to_split = true;
}; };
}; };
};
plugins.dressing = { plugins.dressing = {
enable = true; enable = true;
@ -364,22 +366,24 @@
]; ];
}; };
cmake.enable = true; cmake.enable = true;
nil-ls.enable = true; nil_ls.enable = true;
pyright.enable = true;
ruff.enable = true;
# pylyzer.enable = true; # not working with virtual environments currently :( # pylyzer.enable = true; # not working with virtual environments currently :(
pylsp = { #pylsp = {
enable = true; # https://github.com/nix-community/nixvim/pull/1893 # enable = true; # https://github.com/nix-community/nixvim/pull/1893
settings.plugins = { # settings.plugins = {
pyflakes.enabled = true; # pyflakes.enabled = true;
black.enabled = true; # black.enabled = true;
}; # };
}; #};
rust-analyzer = { rust_analyzer = {
enable = true; enable = true;
package = rust-analyzer; package = rust-analyzer;
cargoPackage = cargo; cargoPackage = cargo;
rustcPackage = rustc; rustcPackage = rustc;
installCargo = true; installCargo = false;
installRustc = true; installRustc = false;
settings = { settings = {
checkOnSave = true; checkOnSave = true;
check.command = "clippy"; check.command = "clippy";
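Review bot: The `pylsp` server block is commented out rather than removed (`#pylsp = {` … `#};`), leaving six lines of dead configuration whose only context is the nixvim PR link; either delete it now that `pyright` and `ruff` take its place, or add a comment saying what has to land before it returns. With `installCargo = false;` and `installRustc = false;`, the `cargoPackage = cargo;` and `rustcPackage = rustc;` lines just above presumably no longer affect anything — confirm against nixvim's `rust_analyzer` options and drop them if so. The enclosing attrset starts outside this hunk.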


@ -1,3 +1,6 @@
{ {
ags = import ./ags; ags = import ./ags;
hyprland = import ./hyprland.nix;
hypridle = import ./hypridle.nix;
hyprlock = import ./hyprlock.nix;
} }


@ -0,0 +1,24 @@
{
pkgs,
lib,
config,
hmConfig,
...
}: {
services.hypridle = {
enable = true;
settings = {
general = {
after_sleep_cmd = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
ignore_dbus_inhibit = false;
};
listener = [
{
timeout = 300;
on-timeout = "${pkgs.hyprland}/bin/hyprctl dispatch dpms off";
on-resume = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
}
];
};
};
}
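Review bot: All three commands resolve `hyprctl` from `pkgs.hyprland` rather than from the compositor the sibling module enables under `wayland.windowManager.hyprland`, so an overridden Hyprland package would pair hypridle with a `hyprctl` of a different version. Taking it from the module's package option (presumably `config.wayland.windowManager.hyprland.package`) keeps them in step, e.g. `let hyprctl = lib.getExe' config.wayland.windowManager.hyprland.package "hyprctl"; in` before the attrset and `after_sleep_cmd = "${hyprctl} dispatch dpms on";` for each command. The argument set also binds `hmConfig` without using it, and the new `hyprlock.nix` in this compare binds `pkgs`, `lib`, `config` and `hmConfig` while reading none of them, where `{...}: {` suffices; trimming both to what is read makes the real dependencies visible.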


@ -0,0 +1,245 @@
{
pkgs,
lib,
hmConfig,
...
}: {
imports = [
./ags
./hypridle.nix
./hyprlock.nix
];
home.packages = with pkgs; [
networkmanagerapplet
blueman
wl-clipboard
cliphist
swww
hyprshot
wl-gammarelay-rs
playerctl
];
xdg.portal = {
enable = true;
configPackages = with pkgs; [
xdg-desktop-portal-hyprland
];
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
];
};
wayland.windowManager.hyprland = {
enable = true;
settings = {
# Devices (use `hyprctl devices`)
"$monitor1" = "AOC Q27G2G3R3B 137P4HA000540";
"$monitor2" = "AOC Q27B3MA 17ZPAHA006135";
"$keyboard" = "keychron-keychron-k3-pro";
"$mouse" = "logitech-g102-lightsync-gaming-mouse";
# Main programs
"$terminal" = "${lib.getExe hmConfig.programs.wezterm.package}";
"$menu" = "${lib.getExe hmConfig.programs.rofi.package} -show drun";
"$fileManager" = "$terminal -e ${lib.getExe hmConfig.programs.nnn.package}";
monitor = [
"desc:$monitor2, 2560x1440@75, 0x0, auto"
"desc:$monitor1, 2560x1440@165, 2560x0, auto"
"Unknown-1, disable"
];
exec-once = [
"ags &"
"nm-applet --indicator &"
"blueman-applet &"
"wl-gammarelay-rs run &"
"systemctl --user start hypridle"
"wl-paste --type text --watch cliphist store" #Stores only text data
"wl-paste --type image --watch cliphist store" #Stores only image data
"swww-daemon & swww img ~/Pictures/wallpapers/current" # wallpaper symlinked
];
env = [
"XCURSOR_SIZE,14"
"HYPRCURSOR_SIZE,14"
"WLR_DRM_NO_ATOMIC,1"
"HYPRSHOT_DIR,${hmConfig.xdg.userDirs.pictures}/screenshots"
];
general = {
gaps_in = 2;
gaps_out = 2;
border_size = 2;
# https://wiki.hyprland.org/Configuring/Variables/#variable-types for info about colors
"col.active_border" = "rgba(33ccffee) rgba(00ff99ee) 45deg";
"col.inactive_border" = "rgba(595959aa)";
# Set to true enable resizing windows by clicking and dragging on borders and gaps
resize_on_border = true;
# Please see https://wiki.hyprland.org/Configuring/Tearing/ before you turn this on
allow_tearing = true;
layout = "dwindle";
};
decoration = {
rounding = 5;
# Change transparency of focused and unfocused windows
active_opacity = 1.0;
inactive_opacity = 0.95;
drop_shadow = true;
shadow_range = 4;
shadow_render_power = 3;
"col.shadow" = "rgba(1a1a1aee)";
# https://wiki.hyprland.org/Configuring/Variables/#blur
blur = {
enabled = true;
size = 3;
passes = 1;
vibrancy = 0.1696;
};
};
animations = {
enabled = true;
# Default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more
bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
animation = [
"windows, 1, 7, myBezier"
"windowsOut, 1, 7, default, popin 80%"
"border, 1, 10, default"
"borderangle, 1, 8, default"
"fade, 1, 7, default"
"workspaces, 1, 6, default"
];
};
# See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more
dwindle = {
pseudotile = true; # Master switch for pseudotiling. Enabling is bound to mainMod + P in the keybinds section below
preserve_split = true; # You probably want this
};
# See https://wiki.hyprland.org/Configuring/Master-Layout/ for more
master = {
new_status = "master";
};
# https://wiki.hyprland.org/Configuring/Variables/#misc
misc = {
force_default_wallpaper = -1; # Set to 0 or 1 to disable the anime mascot wallpapers
disable_hyprland_logo = false; # Enable the random hyprland logo / anime girl background. :)
};
input = {
kb_layout = "us,ru";
follow_mouse = 1;
sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
touchpad = {
natural_scroll = false;
};
};
# https://wiki.hyprland.org/Configuring/Variables/#gestures
gestures = {
workspace_swipe = false;
};
windowrulev2 = [
"suppressevent maximize, class:.*" # You'll probably like this.
"float, class:^(steam_app.*)$"
"immediate, class:^(steam_app.*)$"
"float, class:^(steam_proton.*)$"
"float,class:^(org.wezfurlong.wezterm)$"
"tile,class:^(org.wezfurlong.wezterm)$"
];
bind = [
"SUPER, Q, exec, $terminal"
"SUPER, N, exec, $fileManager"
"SUPER, R, exec, $menu"
"SUPER, X, exec, ags -t clock"
"SUPER, X, exec, ags -t control"
"SUPER, X, exec, ags -t systray"
"SUPER, X, exec, ags -t workspaces"
"SUPER, X, exec, ags -t window-title"
"SUPER, C, killactive,"
"SUPER, M, exit,"
"SUPER, V, togglefloating,"
"SUPER, F, fullscreen,"
"SUPER, J, togglesplit," # dwindle
# Move focus with mainMod + arrow keys
"SUPER, left, movefocus, l"
"SUPER, right, movefocus, r"
"SUPER, up, movefocus, u"
"SUPER, down, movefocus, d"
# Switch workspaces with mainMod + [0-9]
"SUPER, 1, workspace, 1"
"SUPER, 2, workspace, 2"
"SUPER, 3, workspace, 3"
"SUPER, 4, workspace, 4"
"SUPER, 5, workspace, 5"
"SUPER, 6, workspace, 6"
"SUPER, 7, workspace, 7"
"SUPER, 8, workspace, 8"
"SUPER, 9, workspace, 9"
"SUPER, 0, workspace, 10"
# Move active window to a workspace with mainMod + SHIFT + [0-9]
"SUPER SHIFT, 1, movetoworkspace, 1"
"SUPER SHIFT, 2, movetoworkspace, 2"
"SUPER SHIFT, 3, movetoworkspace, 3"
"SUPER SHIFT, 4, movetoworkspace, 4"
"SUPER SHIFT, 5, movetoworkspace, 5"
"SUPER SHIFT, 6, movetoworkspace, 6"
"SUPER SHIFT, 7, movetoworkspace, 7"
"SUPER SHIFT, 8, movetoworkspace, 8"
"SUPER SHIFT, 9, movetoworkspace, 9"
"SUPER SHIFT, 0, movetoworkspace, 10"
# special workspace (scratchpad)
"SUPER, S, togglespecialworkspace, magic"
"SUPER SHIFT, S, movetoworkspace, special:magic"
"SUPER, SPACE, exec, hyprctl switchxkblayout keychron-keychron-k3-pro next"
", PRINT, exec, hyprshot --freeze --mode region"
"CTRL, PRINT, exec, hyprshot --freeze --mode output"
"SUPER, H, exec, cliphist list | rofi -dmenu | cliphist decode | wl-copy"
];
# Move/resize windows with mainMod + LMB/RMB and dragging
bindm = [
"SUPER, mouse:272, movewindow"
"SUPER, mouse:273, resizewindow"
];
bindel = [
", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"
", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
];
bindl = [
", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
", XF86AudioPrev, exec, playerctl previous"
", XF86AudioPlay, exec, playerctl play-pause"
", XF86AudioNext, exec, playerctl next"
", XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n -500"
", XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n +500"
"SUPER, XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d -0.1"
"SUPER, XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d +0.1"
];
};
};
}
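Review bot: `"$keyboard"` and `"$mouse"` are defined in the Devices block but never referenced, while the layout-switch bind spells the keyboard out again as `hyprctl switchxkblayout keychron-keychron-k3-pro next`; using `"SUPER, SPACE, exec, hyprctl switchxkblayout $keyboard next"` removes the duplicate and leaves `$mouse` as an obvious candidate to drop. Hyprland runs every bind matching a chord, so the five `SUPER, X, exec, ags -t …` entries presumably all fire on one press; if that is the intended "toggle every ags window" action, a comment saying so would stop the next reader from treating it as a copy-paste slip. Monitor descriptors, the keyboard name and the `~/Pictures/wallpapers/current` path are machine-specific values in a module published under `lib.preconfiguredModules`; surfacing them as module arguments, or documenting that consumers are expected to override `settings`, would make the reuse boundary explicit.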


@ -0,0 +1,11 @@
{
pkgs,
lib,
config,
hmConfig,
...
}: {
programs.hyprlock = {
enable = true;
};
}


@ -0,0 +1,237 @@
{
lib,
config,
pkgs,
...
}: {
# Nix settings
nix = {
settings = {
experimental-features = ["nix-command" "flakes"];
substituters = [
"https://cache.elnafo.ru"
"https://bonfire.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
"bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
auto-optimise-store = true;
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 7d";
};
};
# Filesystem
fileSystems = {
"/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
};
"/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
"/swap" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=swap" "noatime"];
};
};
swapDevices = [
{device = "/swap/swapfile";}
];
# Boot and kernel options
boot = {
loader.systemd-boot.enable = true;
loader.systemd-boot.configurationLimit = 5;
loader.efi.canTouchEfiVariables = true;
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
initrd.kernelModules = [];
kernelModules = ["tcp_bbr" "coretemp" "nct6775"];
kernelParams = ["threadirqs"];
kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets
"net.ipv4.conf.all.accept_source_route" = 1;
"net.ipv4.conf.wlo1.accept_source_route" = 1;
"net.ipv6.conf.all.accept_source_route" = 1;
# Don't send ICMP redirects
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
# Security
security = {
protectKernelImage = true;
sudo.extraConfig = ''Defaults timestamp_timeout=30'';
rtkit.enable = true;
polkit.enable = true;
pam.loginLimits = [
{
domain = "@audio";
item = "memlock";
type = "-";
value = "unlimited";
}
{
domain = "@audio";
item = "rtprio";
type = "-";
value = "99";
}
{
domain = "@audio";
item = "nofile";
type = "soft";
value = "99999";
}
{
domain = "@audio";
item = "nofile";
type = "hard";
value = "99999";
}
{
domain = "*";
item = "nofile";
type = "-";
value = "524288";
}
{
domain = "*";
item = "memlock";
type = "-";
value = "524288";
}
];
};
# Hardware
hardware = {
enableRedistributableFirmware = true;
};
# Timezone and locale
time.timeZone = "Asia/Yekaterinburg";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
};
# Base packages
environment.systemPackages = with pkgs; [
wget
parted
ntfs3g
sshfs
exfat
btrfs-progs
btrbk
lm_sensors
btop
git
git-lfs
lazygit
nnn
fzf
ripgrep
fd
unzip
fishPlugins.fzf-fish
fishPlugins.tide
fishPlugins.grc
fishPlugins.hydro
grc
gnupg
pass
bat
];
programs = {
fish.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
};
}


@ -0,0 +1,5 @@
{
common = import ./common.nix;
hyprland = import ./hyprland.nix;
hyprland-greetd = import ./hyprland-greetd.nix;
}


@ -0,0 +1,33 @@
{
pkgs,
lib,
config,
...
}:
lib.mkIf config.programs.hyprland.enable {
services.greetd = let
hyprConfig = pkgs.writeText "greetd-hyprland-config" ''
exec-once = ${lib.getExe pkgs.greetd.regreet}; hyprctl dispatch exit
'';
in {
enable = true;
settings = {
default_session = {
command = "${lib.getExe config.programs.hyprland.package} --config ${hyprConfig}";
user = "greeter";
};
};
};
programs.regreet = {
enable = true;
settings = {
GTK = {
application_prefer_dark_theme = true;
};
appearance = {
greeting_msg = "Hey, you. You're finally awake.";
};
};
};
}
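Review bot: The greeter's `exec-once` line resolves regreet with `lib.getExe` but calls `hyprctl` by bare name, so the exit of the greeter session depends on whatever PATH greetd hands the `greeter` user; resolving it from the same package keeps the login session self-contained: `exec-once = ${lib.getExe pkgs.greetd.regreet}; ${lib.getExe' config.programs.hyprland.package "hyprctl"} dispatch exit`. A one-line comment above `services.greetd`, e.g. `# Whole module is gated on programs.hyprland.enable (lib.mkIf above); greetd runs Hyprland only to host regreet`, would also help, since neither the file name nor the `services.greetd` block says the module is conditional.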


@ -0,0 +1,6 @@
{...}: {
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
}


@ -0,0 +1,20 @@
{
inputs,
hmConfig,
username,
bonLib,
...
}: {
imports = [
../nixos/hyprland.nix
../nixos/hyprland-greetd.nix
];
home-manager.users.${username} = {...}: {
imports = [
(bonLib.injectArgs {inherit hmConfig;})
inputs.ags.homeManagerModules.default
../homeManager/hyprland.nix
];
};
}
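Review bot: This module depends on `username`, `hmConfig`, `bonLib` and `inputs` being injected through `_module.args` by whoever imports it, and nothing in the file says so; a consumer that forgets `username` gets an opaque "attribute missing" error at the `home-manager.users.${username}` line. A header comment such as `# Requires _module.args: username, hmConfig, bonLib, inputs (set by the nixosConfigurations builder)` would make the contract visible. `hmConfig` could also be derived inside the module as `config.home-manager.users.${username}` (adding `config` to the argument set) instead of being injected, which removes one value the caller has to get right.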


@ -2,35 +2,21 @@
pkgs, pkgs,
lib, lib,
config, config,
bonLib,
... ...
}: { }: {
system.stateVersion = "23.11"; system.stateVersion = "23.11";
imports = [./hardware.nix ./users.nix]; imports = [
bonLib.preconfiguredModules.nixos.common
./hardware.nix
./users.nix
];
# Nix settings # Nix settings
nix = { nix.settings = {
settings = {
experimental-features = ["nix-command" "flakes" "repl-flake"];
trusted-users = ["l-nafaryus"]; trusted-users = ["l-nafaryus"];
allowed-users = ["l-nafaryus"]; allowed-users = ["l-nafaryus"];
substituters = [
"https://cache.elnafo.ru"
"https://bonfire.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
"bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
auto-optimise-store = true;
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 7d";
};
}; };
# Nix packages # Nix packages
@ -57,53 +43,20 @@
videoDrivers = ["nvidia"]; videoDrivers = ["nvidia"];
#displayManager.gdm = {
# enable = true;
# autoSuspend = false;
# wayland = true;
#};
#desktopManager.gnome.enable = true;
#windowManager.awesome.enable = true;
wacom.enable = true; wacom.enable = true;
}; };
services.greetd = let services.desktopManager.plasma6.enable = true;
hyprConfig = pkgs.writeText "greetd-hyprland-config" ''
exec-once = ${lib.getExe pkgs.greetd.regreet}; hyprctl dispatch exit services.displayManager.sddm = {
'';
in {
enable = true; enable = true;
settings = { wayland.enable = true;
default_session = {
command = "${lib.getExe config.programs.hyprland.package} --config ${hyprConfig}";
user = "greeter";
};
};
}; };
programs.regreet = { services.dbus = {
enable = true; enable = true;
settings = { packages = with pkgs; [networkmanager];
GTK = {
application_prefer_dark_theme = true;
# TODO: provide gtk themes
# theme_name = "Catppuccin-Macchiato-Standard-Green-Dark";
# icon_theme_name = "Catppuccin-Macchiato-Green-Cursors";
# cursor_theme_name = "Papirus-Dark";
# font_name = "";
}; };
appearance = {
greeting_msg = "Hey, you. You're finally awake.";
};
};
};
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
services.dbus.enable = true;
services.printing = { services.printing = {
enable = true; enable = true;
@ -132,14 +85,13 @@
}; };
services.udev = { services.udev = {
packages = with pkgs; [gnome.gnome-settings-daemon];
extraRules = '' extraRules = ''
KERNEL=="rtc0", GROUP="audio" KERNEL=="rtc0", GROUP="audio"
KERNEL=="hpet", GROUP="audio" KERNEL=="hpet", GROUP="audio"
''; '';
}; };
services.blueman.enable = true; #services.blueman.enable = true;
services.btrfs.autoScrub = { services.btrfs.autoScrub = {
enable = true; enable = true;
@ -147,49 +99,6 @@
fileSystems = ["/"]; fileSystems = ["/"];
}; };
# Packages
environment.systemPackages = with pkgs; [
wget
parted
ntfs3g
sshfs
exfat
lm_sensors
git
git-lfs
ripgrep
fd
lazygit
unzip
gnumake
fishPlugins.fzf-fish
fishPlugins.tide
fishPlugins.grc
fishPlugins.hydro
nnn
fzf
grc
gcc
cachix
];
programs = {
fish.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
};
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host astora Host astora
HostName 192.168.156.101 HostName 192.168.156.101
@ -202,13 +111,6 @@
User l-nafaryus User l-nafaryus
''; '';
programs.direnv.enable = true;
fonts.packages = with pkgs; [nerdfonts];
programs.steam.enable = true;
systemd.extraConfig = "DefaultLimitNOFILE=1048576";
virtualisation = { virtualisation = {
containers.enable = true; containers.enable = true;
podman = { podman = {
@ -217,5 +119,9 @@
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
libvirtd.enable = true; libvirtd.enable = true;
test-share = {
source = "/home/l-nafaryus/vms/shared";
target = "/mnt/shared";
};
}; };
} }
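Review bot: `virtualisation.test-share`, the four lines added at the end of the `virtualisation` block, does not look like a NixOS option; the `{ source; target; }` shape matches `virtualisation.sharedDirectories.<name>` from the qemu-vm module, which only affects the `build-vm` variant of the system. Unless a module elsewhere in the flake declares `test-share`, this should either become `virtualisation.sharedDirectories.test-share = { … }` or be dropped. Separately, the substituters, `trusted-public-keys`, `experimental-features` and `nix.gc` settings removed from this hunk are presumably taken over by `bonLib.preconfiguredModules.nixos.common`, but that part of the common module is not in this compare, so it is worth confirming the host does not silently lose its binary caches.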


@ -5,144 +5,14 @@
}: { }: {
# Boot # Boot
boot = { boot = {
loader.systemd-boot.enable = true; kernelModules = ["kvm-amd"];
loader.systemd-boot.configurationLimit = 5;
loader.efi.canTouchEfiVariables = true;
tmp.useTmpfs = lib.mkDefault true;
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
initrd.kernelModules = [];
kernelModules = ["kvm-amd" "tcp_bbr" "coretemp" "nct6775"];
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback]; extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
extraModprobeConfig = ''
options v4l2loopback devices=1 video_nr=1 card_label="OBS Camera" exclusive_caps=1
'';
kernelParams = ["threadirqs"];
kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
# Security
security = {
protectKernelImage = true;
acme.acceptTerms = true;
sudo.extraConfig = ''Defaults timestamp_timeout=30'';
rtkit.enable = true;
pam.loginLimits = [
{
domain = "@audio";
item = "memlock";
type = "-";
value = "unlimited";
}
{
domain = "@audio";
item = "rtprio";
type = "-";
value = "99";
}
{
domain = "@audio";
item = "nofile";
type = "soft";
value = "99999";
}
{
domain = "@audio";
item = "nofile";
type = "hard";
value = "99999";
}
{
domain = "*";
item = "nofile";
type = "-";
value = "524288";
}
{
domain = "*";
item = "memlock";
type = "-";
value = "524288";
}
];
polkit.enable = true;
}; };
users.users.root.initialPassword = "nixos"; users.users.root.initialPassword = "nixos";
# Filesystem # Filesystem
fileSystems = { fileSystems = {
"/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
};
"/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
"/swap" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=swap" "noatime"];
};
"/media/steam-library" = { "/media/steam-library" = {
device = "/dev/disk/by-label/siegward"; device = "/dev/disk/by-label/siegward";
fsType = "btrfs"; fsType = "btrfs";
@ -156,16 +26,10 @@
}; };
}; };
swapDevices = [
{device = "/swap/swapfile";}
];
services.fstrim.enable = true; services.fstrim.enable = true;
# Hardware etc # Hardware etc
hardware = { hardware = {
enableRedistributableFirmware = true;
cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nvidia.nvidiaSettings = true; nvidia.nvidiaSettings = true;
@ -181,56 +45,9 @@
}; };
networking = { networking = {
networkmanager.enable = true; networkmanager = {
networkmanager.unmanaged = ["interface-name:ve-*"];
useDHCP = lib.mkDefault true;
hostName = "astora";
extraHosts = '''';
firewall = {
enable = true; enable = true;
allowedTCPPorts = [80 443]; enableStrongSwan = true;
trustedInterfaces = ["ve-+"];
extraCommands = ''
iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D POSTROUTING -o wlo1 -j MASQUERADE
'';
};
nat = {
enable = true;
externalInterface = "wlo1";
internalInterfaces = ["ve-+"];
};
interfaces.wlo1.ipv4.addresses = [
{
address = "192.168.156.101";
prefixLength = 24;
}
];
defaultGateway = "192.168.156.1";
nameservers = ["192.168.156.1" "8.8.8.8"];
};
# Common
time.timeZone = "Asia/Yekaterinburg";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
}; };
}; };
} }
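Review bot: The sysctl hardening deleted from `boot.kernel.sysctl` in the first hunk is not reproduced faithfully by the common module that replaces it: the removed lines had `"net.ipv4.conf.all.accept_source_route" = 0` and `"net.ipv6.conf.all.accept_source_route" = 0`, while the copy in what appears to be the new common.nix at the top of this compare sets both to `1` under the same "Do not accept IP source route packets" comment, which inverts the setting and re-enables source-routed packets on every host importing the module. Those lines should read `"net.ipv4.conf.all.accept_source_route" = 0;` and `"net.ipv6.conf.all.accept_source_route" = 0;`, and the added per-interface `net.ipv4.conf.wlo1.accept_source_route` entry names this host's wifi interface, so it does not belong in a shared module at all. `tcp_bbr` is also dropped from `boot.kernelModules` here while the common module still sets `tcp_congestion_control = "bbr"`; I believe the kernel autoloads the module on the sysctl write, but it deserves a check on the next boot. The module function enclosing these hunks starts outside the diff.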


@ -6,7 +6,9 @@
bonLib, bonLib,
inputs, inputs,
... ...
}: { }: let
user = "l-nafaryus";
in {
# Users # Users
users.users.l-nafaryus = { users.users.l-nafaryus = {
isNormalUser = true; isNormalUser = true;
@ -22,24 +24,23 @@
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.backupFileExtension = "hmbackup"; home-manager.backupFileExtension = "hmbackup";
home-manager.users.l-nafaryus = {pkgs, ...}: let home-manager.users.${user} = {pkgs, ...}: let
hmConfig = config.home-manager.users.l-nafaryus; hmConfig = config.home-manager.users.${user};
in { in {
home.stateVersion = "23.11"; home.stateVersion = "23.11";
home.username = "l-nafaryus"; home.username = "l-nafaryus";
home.homeDirectory = "/home/l-nafaryus"; home.homeDirectory = "/home/l-nafaryus";
imports = [ imports = [
(bonLib.injectArgs {
inherit hmConfig;
})
inputs.catppuccin.homeManagerModules.catppuccin inputs.catppuccin.homeManagerModules.catppuccin
inputs.ags.homeManagerModules.default inputs.ags.homeManagerModules.default
bonLib.preconfiguredModules.homeManager.ags #bonLib.preconfiguredModules.homeManager.hyprland
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
#gnupg
git
#nnn
pass
taskwarrior3 taskwarrior3
#tmux
gparted gparted
@ -93,46 +94,37 @@
jdk jdk
bonPkgs.ultimmc bonPkgs.ultimmc
liberation_ttf
steamtinkerlaunch steamtinkerlaunch
discord #dunst
webcord #libnotify
vesktop
tor
networkmanagerapplet
#rofi-wayland
kgx
dunst
libnotify
playerctl
wl-gammarelay-rs
# btop # btop
lua lua
# bat # bat
musikcube
swww
hyprshot
mangohud mangohud
gamescope gamescope
libstrangle libstrangle
wl-clipboard
cliphist
tree tree
bonPkgs.bonvim bonPkgs.bonvim
freenect freenect
mpc-cli mpc-cli
kdePackages.kmail
kdePackages.kmail-account-wizard
flacon
picard
podman-desktop
virtiofsd
]; ];
xdg.portal = { xdg.portal = {
enable = true; enable = true;
configPackages = with pkgs; [ configPackages = with pkgs; [
#xdg-desktop-portal-wlr kdePackages.xdg-desktop-portal-kde
xdg-desktop-portal-hyprland
]; ];
extraPortals = with pkgs; [ extraPortals = with pkgs; [
xdg-desktop-portal-gtk xdg-desktop-portal-gtk
@ -147,22 +139,6 @@
accent = "green"; accent = "green";
}; };
gtk = {
enable = true;
# TODO: fix catppuccin deprecation. Provide Paper icons to gtk and gnomeShell manually. (+ regreet)
catppuccin = {
enable = true;
accent = "green";
flavor = "macchiato";
gnomeShellTheme = true;
icon = {
enable = true;
accent = "green";
flavor = "macchiato";
};
};
};
programs = { programs = {
# General # General
fish = { fish = {
@ -244,6 +220,9 @@
homedir = "${hmConfig.xdg.configHome}/gnupg"; homedir = "${hmConfig.xdg.configHome}/gnupg";
mutableKeys = true; mutableKeys = true;
mutableTrust = true; mutableTrust = true;
settings = {
default-key = "B0B3 DFDB B842 BE9C 7468 B511 86F1 EA98 B48F FB19";
};
# TODO: replace existing ssh key with gpg provided # TODO: replace existing ssh key with gpg provided
}; };
@ -269,12 +248,9 @@
ncmpcpp.enable = true; ncmpcpp.enable = true;
# Graphical # Graphical
hyprlock = {
enable = true;
};
wezterm = { wezterm = {
enable = true; enable = false;
package = inputs.wezterm.packages.x86_64-linux.default; package = inputs.wezterm.packages.x86_64-linux.default;
extraConfig = '' extraConfig = ''
return { return {
@ -297,7 +273,7 @@
}; };
rofi = { rofi = {
enable = true; enable = false;
package = pkgs.rofi-wayland; package = pkgs.rofi-wayland;
terminal = "${lib.getExe hmConfig.programs.wezterm.package}"; terminal = "${lib.getExe hmConfig.programs.wezterm.package}";
cycle = true; cycle = true;
@ -342,7 +318,7 @@
defaultCacheTtl = 3600; defaultCacheTtl = 3600;
defaultCacheTtlSsh = 3600; defaultCacheTtlSsh = 3600;
enableSshSupport = true; enableSshSupport = true;
pinentryPackage = pkgs.pinentry-gtk2; pinentryPackage = pkgs.pinentry-qt;
enableFishIntegration = true; enableFishIntegration = true;
enableBashIntegration = true; enableBashIntegration = true;
}; };
@ -355,237 +331,8 @@
#mpdris2 = { #mpdris2 = {
# enable = true; # enable = true;
#}; #};
};
# Graphical # Graphical
hypridle = {
enable = true;
settings = {
general = {
after_sleep_cmd = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
ignore_dbus_inhibit = false;
};
listener = [
{
timeout = 300;
on-timeout = "${pkgs.hyprland}/bin/hyprctl dispatch dpms off";
on-resume = "${pkgs.hyprland}/bin/hyprctl dispatch dpms on";
}
];
};
};
};
wayland.windowManager.hyprland = {
enable = true;
settings = {
# Devices (use `hyprctl devices`)
"$monitor1" = "AOC Q27G2G3R3B 137P4HA000540";
"$monitor2" = "AOC Q27B3MA 17ZPAHA006135";
"$keyboard" = "keychron-keychron-k3-pro";
"$mouse" = "logitech-g102-lightsync-gaming-mouse";
# Main programs
"$terminal" = "${lib.getExe hmConfig.programs.wezterm.package}";
"$menu" = "${lib.getExe hmConfig.programs.rofi.package} -show drun";
"$fileManager" = "$terminal -e ${lib.getExe hmConfig.programs.nnn.package}";
monitor = [
"desc:$monitor2, 2560x1440@75, 0x0, auto"
"desc:$monitor1, 2560x1440@165, 2560x0, auto"
"Unknown-1, disable"
];
exec-once = [
"ags &"
"nm-applet --indicator &"
"blueman-applet &"
"wl-gammarelay-rs run &"
"systemctl --user start hypridle"
"wl-paste --type text --watch cliphist store" #Stores only text data
"wl-paste --type image --watch cliphist store" #Stores only image data
"swww-daemon & swww img ~/Pictures/wallpapers/current" # wallpaper symlinked
];
env = [
"XCURSOR_SIZE,16"
"HYPRCURSOR_SIZE,16"
"WLR_DRM_NO_ATOMIC,1"
"HYPRSHOT_DIR,${hmConfig.xdg.userDirs.pictures}/screenshots"
];
general = {
gaps_in = 2;
gaps_out = 2;
border_size = 2;
# https://wiki.hyprland.org/Configuring/Variables/#variable-types for info about colors
"col.active_border" = "rgba(33ccffee) rgba(00ff99ee) 45deg";
"col.inactive_border" = "rgba(595959aa)";
# Set to true enable resizing windows by clicking and dragging on borders and gaps
resize_on_border = true;
# Please see https://wiki.hyprland.org/Configuring/Tearing/ before you turn this on
allow_tearing = true;
layout = "dwindle";
};
decoration = {
rounding = 5;
# Change transparency of focused and unfocused windows
active_opacity = 1.0;
inactive_opacity = 0.95;
drop_shadow = true;
shadow_range = 4;
shadow_render_power = 3;
"col.shadow" = "rgba(1a1a1aee)";
# https://wiki.hyprland.org/Configuring/Variables/#blur
blur = {
enabled = true;
size = 3;
passes = 1;
vibrancy = 0.1696;
};
};
animations = {
enabled = true;
# Default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more
bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
animation = [
"windows, 1, 7, myBezier"
"windowsOut, 1, 7, default, popin 80%"
"border, 1, 10, default"
"borderangle, 1, 8, default"
"fade, 1, 7, default"
"workspaces, 1, 6, default"
];
};
# See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more
dwindle = {
pseudotile = true; # Master switch for pseudotiling. Enabling is bound to mainMod + P in the keybinds section below
preserve_split = true; # You probably want this
};
# See https://wiki.hyprland.org/Configuring/Master-Layout/ for more
master = {
new_status = "master";
};
# https://wiki.hyprland.org/Configuring/Variables/#misc
misc = {
force_default_wallpaper = -1; # Set to 0 or 1 to disable the anime mascot wallpapers
disable_hyprland_logo = false; # Enable the random hyprland logo / anime girl background. :)
};
input = {
kb_layout = "us,ru";
follow_mouse = 1;
sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
touchpad = {
natural_scroll = false;
};
};
# https://wiki.hyprland.org/Configuring/Variables/#gestures
gestures = {
workspace_swipe = false;
};
windowrulev2 = [
"suppressevent maximize, class:.*" # You'll probably like this.
"float, class:^(steam_app.*)$"
"immediate, class:^(steam_app.*)$"
"float, class:^(steam_proton.*)$"
"float,class:^(org.wezfurlong.wezterm)$"
"tile,class:^(org.wezfurlong.wezterm)$"
];
bind = [
"SUPER, Q, exec, $terminal"
"SUPER, N, exec, $fileManager"
"SUPER, R, exec, $menu"
"SUPER, X, exec, ags -t clock"
"SUPER, X, exec, ags -t control"
"SUPER, X, exec, ags -t systray"
"SUPER, X, exec, ags -t workspaces"
"SUPER, X, exec, ags -t window-title"
"SUPER, C, killactive,"
"SUPER, M, exit,"
"SUPER, V, togglefloating,"
"SUPER, F, fullscreen,"
"SUPER, J, togglesplit," # dwindle
# Move focus with mainMod + arrow keys
"SUPER, left, movefocus, l"
"SUPER, right, movefocus, r"
"SUPER, up, movefocus, u"
"SUPER, down, movefocus, d"
# Switch workspaces with mainMod + [0-9]
"SUPER, 1, workspace, 1"
"SUPER, 2, workspace, 2"
"SUPER, 3, workspace, 3"
"SUPER, 4, workspace, 4"
"SUPER, 5, workspace, 5"
"SUPER, 6, workspace, 6"
"SUPER, 7, workspace, 7"
"SUPER, 8, workspace, 8"
"SUPER, 9, workspace, 9"
"SUPER, 0, workspace, 10"
# Move active window to a workspace with mainMod + SHIFT + [0-9]
"SUPER SHIFT, 1, movetoworkspace, 1"
"SUPER SHIFT, 2, movetoworkspace, 2"
"SUPER SHIFT, 3, movetoworkspace, 3"
"SUPER SHIFT, 4, movetoworkspace, 4"
"SUPER SHIFT, 5, movetoworkspace, 5"
"SUPER SHIFT, 6, movetoworkspace, 6"
"SUPER SHIFT, 7, movetoworkspace, 7"
"SUPER SHIFT, 8, movetoworkspace, 8"
"SUPER SHIFT, 9, movetoworkspace, 9"
"SUPER SHIFT, 0, movetoworkspace, 10"
# special workspace (scratchpad)
"SUPER, S, togglespecialworkspace, magic"
"SUPER SHIFT, S, movetoworkspace, special:magic"
"SUPER, SPACE, exec, hyprctl switchxkblayout keychron-keychron-k3-pro next"
", PRINT, exec, hyprshot --freeze --mode region"
"CTRL, PRINT, exec, hyprshot --freeze --mode output"
"SUPER, H, exec, cliphist list | rofi -dmenu | cliphist decode | wl-copy"
];
# Move/resize windows with mainMod + LMB/RMB and dragging
bindm = [
"SUPER, mouse:272, movewindow"
"SUPER, mouse:273, resizewindow"
];
bindel = [
", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"
", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
];
bindl = [
", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
", XF86AudioPrev, exec, playerctl previous"
", XF86AudioPlay, exec, playerctl play-pause"
", XF86AudioNext, exec, playerctl next"
", XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n -500"
", XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay UpdateTemperature n +500"
"SUPER, XF86MonBrightnessDown, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d -0.1"
"SUPER, XF86MonBrightnessUp, exec, busctl --user -- call rs.wl-gammarelay / rs.wl.gammarelay Brightness d +0.1"
];
};
};
# XDG # XDG
xdg = { xdg = {
@ -637,27 +384,28 @@
}; };
# Services # Services
services.spoofdpi.enable = true; #services.spoofdpi.enable = true;
services.zapret = { #services.zapret = {
enable = true; # enable = true;
mode = "tpws"; # mode = "nfqws";
firewallType = "iptables"; # firewallType = "iptables";
disableIpv6 = true; # disableIpv6 = true;
settings = '' # settings = ''
MODE_HTTP=1 # MODE_HTTP=1
MODE_HTTP_KEEPALIVE=0 # MODE_HTTP_KEEPALIVE=0
MODE_HTTPS=1 # MODE_HTTPS=1
MODE_QUIC=0 # MODE_QUIC=1
MODE_FILTER=ipset # MODE_FILTER=ipset
TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3 --oob" # TPWS_OPT="--split-http-req=method --split-pos=1 --oob"
INIT_APPLY_FW=1 # NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=5"
''; # NFQWS_OPT_DESYNC_HTTP="--dpi-desync=fake --dpi-desync-ttl=5"
filterAddresses = lib.readFile (pkgs.fetchurl { # NFQWS_OPT_DESYNC_HTTPS="--dpi-desync=fake --dpi-desync-ttl=5"
url = "https://antifilter.network/download/ipsmart.lst"; # NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-ttl=5"
hash = "sha256-zLq3rgci/rye1oQp2zbJelPaoN9+jqPebIbxfJ44Qlg="; # INIT_APPLY_FW=1
}); # '';
}; # filterAddressesSource = "https://antifilter.network/download/ipsmart.lst";
#};
# TODO: remember who use gvfs # TODO: remember who use gvfs
services.gvfs.enable = true; services.gvfs.enable = true;
@ -681,4 +429,16 @@
# User-id must match above user. MPD will look inside this directory for the PipeWire socket. # User-id must match above user. MPD will look inside this directory for the PipeWire socket.
XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.l-nafaryus.uid}"; XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.l-nafaryus.uid}";
}; };
programs.kdeconnect = {
enable = true;
package = lib.mkForce pkgs.kdePackages.kdeconnect-kde;
};
programs.direnv.enable = true;
fonts.packages = with pkgs; [nerdfonts liberation_ttf];
programs.steam.enable = true;
systemd.extraConfig = "DefaultLimitNOFILE=1048576";
} }
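Review bot: The new `user` binding is applied only to `home-manager.users.${user}` and `hmConfig`; `users.users.l-nafaryus`, `home.username = "l-nafaryus"`, `home.homeDirectory = "/home/l-nafaryus"` and `config.users.users.l-nafaryus.uid` in the same file still hard-code the name, so the refactor is half done and the two spellings can drift. Use `users.users.${user}`, `home.username = user;` and `home.homeDirectory = "/home/${user}";` throughout. On the NixOS side, `programs.kdeconnect.enable = true` in the last hunk also opens the KDE Connect port range (1714–1764 TCP and UDP, I believe) in the firewall on every interface, which is fine on a home LAN but deserves a comment next to it so it is not read as a desktop-only change. The twenty commented-out `services.zapret` lines would be easier to maintain as `enable = false;` with the settings kept live, or removed outright since the zapret module is tracked in #9.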


@ -13,6 +13,8 @@
# ./services/papermc.nix # disabled # ./services/papermc.nix # disabled
./services/gitea.nix ./services/gitea.nix
./services/radio.nix ./services/radio.nix
./services/matrix.nix
./services/metrics.nix
]; ];
# Nix settings # Nix settings
@ -281,8 +283,6 @@
fzf fzf
grc grc
gcc
cachix cachix
gnupg gnupg


@ -150,6 +150,12 @@
defaultGateway = "192.168.156.1"; defaultGateway = "192.168.156.1";
nameservers = ["192.168.156.1" "8.8.8.8"]; nameservers = ["192.168.156.1" "8.8.8.8"];
nat = {
enable = true;
externalInterface = "enp9s0";
internalInterfaces = ["ve-+"];
};
}; };
services.logind.lidSwitchExternalPower = "ignore"; services.logind.lidSwitchExternalPower = "ignore";


@ -55,6 +55,10 @@
indexer = { indexer = {
REPO_INDEXER_ENABLED = true; REPO_INDEXER_ENABLED = true;
}; };
metrics = {
ENABLED = true;
};
}; };
mailerPasswordFile = config.sops.secrets."gitea/mail".path; mailerPasswordFile = config.sops.secrets."gitea/mail".path;
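Review bot: `metrics.ENABLED = true` turns on Gitea's `/metrics` endpoint, and without a `metrics.TOKEN` that endpoint is unauthenticated, so repository, user and issue counts become readable by anyone who reaches the Gitea listener, which is presumably fronted by the public nginx vhost. Either set `TOKEN` from a sops-managed secret (keeping the value out of the Nix store) so Prometheus sends it as a bearer token, or restrict the `/metrics` location in nginx to the scraper's address. The companion metrics module in this compare only scrapes the node exporter, so if Gitea is not actually going to be scraped yet the flag could simply stay off until it is.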


@ -0,0 +1,101 @@
{
config,
lib,
pkgs,
...
}: {
services.conduit = {
enable = true;
settings.global = {
allow_registration = true;
server_name = "elnafo.ru";
address = "127.0.0.1";
database_backend = "sqlite";
well_known.client = "https://matrix.elnafo.ru";
well_known.server = "matrix.elnafo.ru:443";
turn_uris = ["turn:elnafo.ru?transport=udp" "turn:elnafo.ru?transport=tcp"];
};
turn_secret_file = config.sops.secrets.turn-secret.path;
};
services.nginx = {
virtualHosts."matrix.elnafo.ru" = {
forceSSL = true;
http2 = true;
useACMEHost = "elnafo.ru";
locations."/" = {
proxyPass = "http://127.0.0.1:6167";
extraConfig = ''
proxy_http_version 1.0;
client_max_body_size 50M;
'';
};
};
virtualHosts."element.elnafo.ru" = {
forceSSL = true;
http2 = true;
useACMEHost = "elnafo.ru";
root = pkgs.element-web.override {
conf = {
default_theme = "dark";
default_server_name = "matrix.elnafo.ru";
brand = "Elnafo Matrix";
permalink_prefix = "https://element.elnafo.ru";
};
};
};
virtualHosts."matrix-federation" = {
serverName = "elnafo.ru";
forceSSL = true;
useACMEHost = "elnafo.ru";
listen = [
{
port = 8448;
addr = "0.0.0.0";
ssl = true;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."~ ^/(_matrix|.well_known)" = {
proxyPass = "http://127.0.0.1:6167";
extraConfig = ''
proxy_http_version 1.0;
client_max_body_size 50M;
'';
};
};
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets.coturn-secret.path;
realm = "elnafo.ru";
cert = "${config.security.acme.certs."elnafo.ru".directory}/full.pem";
pkey = "${config.security.acme.certs."elnafo.ru".directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
'';
};
networking.firewall = {
allowedUDPPortRanges = lib.singleton {
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
};
allowedUDPPorts = [3478 5349];
allowedTCPPorts = [8448 3478 5349];
};
}


@ -0,0 +1,123 @@
{
config,
pkgs,
...
}: {
services.grafana = {
enable = true;
settings.server = {
domain = "grafana.elnafo.ru";
http_port = 2342;
http_addr = "127.0.0.1";
};
};
services.prometheus = {
enable = true;
port = 9090;
globalConfig.scrape_interval = "10s"; # "1m"
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9092;
};
};
scrapeConfigs = [
{
job_name = "catarina";
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
services.loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
};
common = {
ring = {
instance_addr = "127.0.0.1";
kvstore = {
store = "inmemory";
};
};
replication_factor = 1;
path_prefix = "/tmp/loki";
};
schema_config = {
configs = [
{
from = "2020-05-15";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
filesystem = {
directory = "/tmp/loki/chunks";
};
};
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 0;
};
clients = [
{
url = "http://127.0.0.1:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "catarina";
};
};
relabel_configs = [
{
source_labels = [
"__journal__systemd_unit"
];
target_label = "unit";
}
];
}
];
};
};
services.nginx = {
virtualHosts."grafana.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
};
};
};
}
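Review bot: Loki is pointed at `/tmp/loki` for both `path_prefix` and the chunk `directory`, so the entire log index and chunk store lives in a temp directory that a tmpfs `/tmp` or the unit's private tmp can wipe; `services.loki.dataDir` (default `/var/lib/loki`) and `/var/lib/loki/chunks` are where persistent log data belongs, which also matters if these journal logs are ever needed after an incident. Prometheus (`port = 9090`), the node exporter (`port = 9092`) and Loki (`http_listen_port = 3100` with `auth_enabled = false`) are left on their default listen address, which I believe is all interfaces; since Grafana is already pinned to `127.0.0.1`, `listenAddress = "127.0.0.1";` on the first two and `http_listen_address = "127.0.0.1";` under Loki's `server` would keep the whole stack loopback-only regardless of firewall rules, including from the NAT-ed container side. Minor: the Grafana reverse proxy reads `config.services.grafana.port` while the port is defined as `settings.server.http_port`; reading `config.services.grafana.settings.server.http_port` avoids depending on the legacy alias.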


@ -1,19 +1,39 @@
{config, ...}: { {config, ...}: {
containers = {
radio-synthwave = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.231.136.1";
localAddress = "10.231.136.2";
bindMounts = {
"/var/lib/music" = {
hostPath = "/home/l-nafaryus/Music";
isReadOnly = true;
};
};
config = {
config,
pkgs,
lib,
...
}: {
services.mpd = { services.mpd = {
enable = true; enable = true;
musicDirectory = "/home/l-nafaryus/Music"; musicDirectory = "/var/lib/music";
network.listenAddress = "any"; network.listenAddress = "any";
network.startWhenNeeded = true; #network.startWhenNeeded = true;
user = "l-nafaryus"; user = "mpd";
network.port = 6600;
extraConfig = '' extraConfig = ''
audio_output { audio_output {
type "httpd" type "httpd"
name "Radio" name "Radio"
port "6666" port "6660"
bind_to_address "127.0.0.1"
encoder "lame" encoder "lame"
max_clients "0" max_clients "0"
website "https://radio.elnafo.ru" website "https://radio.elnafo.ru/synthwave"
always_on "yes" always_on "yes"
tags "yes" tags "yes"
bitrate "128" bitrate "128"
@ -22,11 +42,106 @@
''; '';
}; };
system.stateVersion = "24.05";
networking.firewall = {
enable = true;
allowedTCPPorts = [6600 6660];
};
};
};
radio-non-stop-pop = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.231.136.1";
localAddress = "10.231.136.3";
bindMounts = {
"/var/lib/music" = {
hostPath = "/home/l-nafaryus/Music";
isReadOnly = true;
};
};
config = {
config,
pkgs,
lib,
...
}: {
services.mpd = {
enable = true;
musicDirectory = "/var/lib/music";
network.listenAddress = "any";
#network.startWhenNeeded = true;
user = "mpd";
network.port = 6601;
extraConfig = ''
audio_output {
type "httpd"
name "Radio"
port "6661"
encoder "lame"
max_clients "0"
website "https://radio.elnafo.ru/non-stop-pop"
always_on "yes"
tags "yes"
bitrate "128"
format "44100:16:1"
}
'';
};
system.stateVersion = "24.05";
networking.firewall = {
enable = true;
allowedTCPPorts = [6601 6661];
};
};
};
};
services.elnafo-radio = {
enable = true;
base = {
title = "// Elnafo Radio //";
meta = [
["author" "L-Nafaryus"]
["discord" "https://discord.gg/ZWUChw5wzm"]
["git" "https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio"]
["matrix" "https://matrix.to/#/#elnafo:elnafo.ru"]
];
};
stations = [
{
id = "synthwave";
name = "Synthwave";
host = "10.231.136.2";
port = 6600;
url = "https://radio.elnafo.ru/synthwave";
status = "Receive";
genre = "synthwave, dark synthwave";
}
{
id = "non-stop-pop";
name = "Non-Stop-Pop";
host = "10.231.136.3";
port = 6601;
url = "https://radio.elnafo.ru/non-stop-pop";
status = "Online";
location = "Los Santos";
genre = "pop, r&b, dance music";
}
];
};
services.nginx.virtualHosts."radio.elnafo.ru" = { services.nginx.virtualHosts."radio.elnafo.ru" = {
forceSSL = true; forceSSL = true;
useACMEHost = "elnafo.ru"; useACMEHost = "elnafo.ru";
locations."/synthwave".proxyPass = "http://127.0.0.1:6666"; locations."/".proxyPass = "http://127.0.0.1:54605";
locations."/synthwave".proxyPass = "http://10.231.136.2:6660";
locations."/non-stop-pop".proxyPass = "http://10.231.136.3:6661";
}; };
networking.firewall.allowedTCPPorts = [config.services.mpd.network.port];
} }
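Review bot: `radio-synthwave` and `radio-non-stop-pop` are near-identical copies that differ only in `localAddress`, the MPD control port, the httpd port and the station slug in `website`, so a third station means a third copy and the two already drift (the `bind_to_address "127.0.0.1"` line from the old synthwave output is gone, apparently deliberately since nginx now reaches the stream via the container IP, but nothing records that). A small `mkStation` function, as in the fence, keeps one definition; the synthwave hunk ends before its `format` line, so I have assumed it matches the second container's `format "44100:16:1"`. The nginx block could likewise read `config.containers.radio-synthwave.localAddress` instead of repeating `10.231.136.2`/`.3`, and the bare `54605` in `locations."/"` deserves a comment naming the `elnafo-radio` listener it proxies to.
```nix
{config, ...}: let
  # One MPD container per station; localAddress, MPD port, httpd port and
  # the station slug are the only per-station differences.
  mkStation = {id, localAddress, port, httpdPort}: {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.231.136.1";
    inherit localAddress;
    bindMounts."/var/lib/music" = {
      hostPath = "/home/l-nafaryus/Music";
      isReadOnly = true;
    };
    config = {...}: {
      services.mpd = {
        enable = true;
        musicDirectory = "/var/lib/music";
        network.listenAddress = "any";
        user = "mpd";
        network.port = port;
        extraConfig = ''
          audio_output {
            type "httpd"
            name "Radio"
            port "${toString httpdPort}"
            encoder "lame"
            max_clients "0"
            website "https://radio.elnafo.ru/${id}"
            always_on "yes"
            tags "yes"
            bitrate "128"
            format "44100:16:1"
          }
        '';
      };
      system.stateVersion = "24.05";
      networking.firewall = {
        enable = true;
        allowedTCPPorts = [port httpdPort];
      };
    };
  };
in {
  containers = {
    radio-synthwave = mkStation {
      id = "synthwave";
      localAddress = "10.231.136.2";
      port = 6600;
      httpdPort = 6660;
    };
    radio-non-stop-pop = mkStation {
      id = "non-stop-pop";
      localAddress = "10.231.136.3";
      port = 6601;
      httpdPort = 6661;
    };
  };
  # … unchanged: services.elnafo-radio, services.nginx.virtualHosts."radio.elnafo.ru" …
}
```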


@ -22,6 +22,7 @@
catarina = lib.nixosSystem { catarina = lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = with inputs; [ modules = with inputs; [
elnafo-radio.nixosModules.elnafo-radio
nixos-mailserver.nixosModules.mailserver nixos-mailserver.nixosModules.mailserver
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
oscuro.nixosModules.oscuro oscuro.nixosModules.oscuro


@ -10,7 +10,9 @@
./services/papermc.nix ./services/papermc.nix
./services/qbittorrent-nox.nix ./services/qbittorrent-nox.nix
./services/spoofdpi.nix ./services/spoofdpi.nix
./services/zapret.nix # ISSUE: collision with nixos module zapret
#./services/zapret.nix
./services/conduit.nix
]; ];
configModule = { configModule = {
@ -24,6 +26,7 @@
# extra arguments # extra arguments
_module.args = { _module.args = {
bonPkgs = self.packages.${pkgs.system}; bonPkgs = self.packages.${pkgs.system};
bonLib = lib.mkDefault bonLib;
}; };
}; };
}; };
@ -44,7 +47,7 @@
... ...
}: { }: {
# collect all modules # collect all modules
imports = importedModules; imports = moduleList ++ [configModule];
}; };
in in
lib.listToAttrs ( lib.listToAttrs (


@ -1,22 +1,24 @@
dns: ENC[AES256_GCM,data:KIcegw69ZEVY1VnSktZMMjaRhCJVCHn7BCAKvfR/iXs5AseDLVC025WRAy92UuuVYPwBvdHgRQUg8I6lrfr7RTHJooANHUK8D79c2+sAI/KsUw2ENh1tVgdW2A4enQ==,iv:12yEf+u0Ky0vktAfpAuG28mRSKDLyWlWHJ+9EPYqI4w=,tag:9MKTsAUfvzEyEzTd6ba/Jg==,type:str] dns: ENC[AES256_GCM,data:x2oHP6nGHnPl5WblPHRcBDQCkhj8FZnr5r+cBdaHyrPKxI71ECYmno/ItV/0opj0eGYamQjrVJkuZBGcQlXMMn9Hp4ImjByaX/zqYrdIjSY2B24h8kvnblsXjF6SlA==,iv:QRbiqpCwQ41pfmn3wwNITWdoMI9FzxShsG+fR5lAbl4=,tag:Rknw+qwLZ8No806ek+2zmQ==,type:str]
users: users:
root: ENC[AES256_GCM,data:nZpmZM0Ws9mVujJhqPKfSJwIqit23pc2TlF6k4iGEzQvf2iROyWN/+b212d/LiAWOoVl3tRkt7EcOiLsLu51DJnQtCGOWGcF5w==,iv:hbNMqy+OxbHsh77zT6a2Yb1lUXwVRvRF1PhSO/15keE=,tag:oe/Y2fWKHNiRamuhY+3xYQ==,type:str] root: ENC[AES256_GCM,data:NIWAU+rCD7ShRU+ZMWw7D1XlNdhL9iwu6MP53edBFeCdSaiA91uS/n4MDgoQkao3sIE6zl5k/jht8GigZLSbjlj9iGhe3sTngg==,iv:hjimz2SsXf0nNgGhkDx97sg8iWBrne75KSbJLtJUf3k=,tag:4wfCpXew/OtTDZLIQk3cFA==,type:str]
l-nafaryus: ENC[AES256_GCM,data:RJXjIcSWrG00IqneQVBpvPayVZ/mFNZ16digWF/GaNNGYy+bDPYkglTiMdy5/xfah8BMrwmfID4PKyEBtMiIEx8VlV55N+hJyg==,iv:noFYBRrWMg7dxqAbVuT7uOCK4mQk4U29kiECJLb6QCQ=,tag:dZs6TC8kI9ioRYfhcceT+Q==,type:str] l-nafaryus: ENC[AES256_GCM,data:xXRQH92Hi0qO31pxmlHNLG+fHJRsAFgEs1a1APwNsGRZEVV5UB+ijK1S8dThFN+gnlcLb/gLlypFiK8Vzd7/kCOMyaJYtXJChg==,iv:AgE2X3iUAA/U8YmPawcONvWcxgBDkRdVvye4dTSIBd4=,tag:kkwiaSymObztQTjcfno1DA==,type:str]
database: database:
git: ENC[AES256_GCM,data:g5Fnb9R/LnKrB6rDQ0ss0wu9SZu7433xfUIzJQKG3SA=,iv:MHEclxa1ldE51hNe0zHsVv5BPdN5RELlkHgZGXxSdTo=,tag:zzKNB0/RehFPrhFQMi/g9w==,type:str] git: ENC[AES256_GCM,data:noMvwTPWZWb79JtoEh0FLuXotVAXTX51QLcRfmjwxVg=,iv:EMiKZvMNhxpe2gARJ7BUrJFVM3ap/gMhJaRnKEJ7lX8=,tag:y+TAUHijY0NCvlwdg1fS1w==,type:str]
mail: mail:
l-nafaryus: ENC[AES256_GCM,data:8JGjpQxcytZhfYT2JFUspufCnwCISbzBbaY2gN8WpSrlSlhIxVBkcdFnuGl3EJ6kABFX3lEGZomVNtay,iv:9l/x5xiDvkJ8QeqK7LTtQ/nxTckMGTkgujSDLtfWMZM=,tag:6qVUxjgs6QB+MQwog1fksw==,type:str] l-nafaryus: ENC[AES256_GCM,data:0PKuC3fI8gGOg99DtyF84neRRnr1P7cqKti8XSjHUurb4CyLG01+aCzABBJzcAs05oQMjiLbAj0prj6Q,iv:m4PzJ5hJqyyLmNss8/CckrBhDe3HC3HVTCbCvhZf93Y=,tag:uKiZLlmQzuO7mcGhQb3/og==,type:str]
git: ENC[AES256_GCM,data:w6odytyieDSJCRdf6og7rX1274Xtd3Mn+Eg5tPFjQv3pN/OVJ1fRk7nGFmHlKqR2VEtUVFHyZHKW4J7+,iv:Lo9yyCNvBxUOlxhLo4PFfT7eZrwZ3d6Yue2U8MBlTfM=,tag:T41aErdaYDI6ns20EBOwyw==,type:str] git: ENC[AES256_GCM,data:YxU4Ws+yHgv5RsluX6BhpEnGBiDWZmIx+D8uD7oZr+v18tCSX27mI+T0t4IycPli4SLHUQR4PjGmnJao,iv:yHPkp1QmRWj4Nj4isIYtpe0ROSVLK9biBWJb81P5aew=,tag:+FJ6l4P7onUhKejYVq25Hg==,type:str]
kirill: ENC[AES256_GCM,data:ZBFfZufBdRRaeXUWiISVPxGvou78kNn+U1nYSBJ7OR6IqyvZMec+/s3+dDiwySOJ58EYCCqUZ7pq05U0,iv:r+mHKvxfI32Y/AHVN0AQqj3OqkxECuU6LIFNzmGvZ5s=,tag:gJsG2pa2k4gBTD294DuNWg==,type:str] kirill: ENC[AES256_GCM,data:erI0exQOi8JccOQVkWIt8zwvrm45Yrt1MNccBYO2oE5eEuXmeDU7uL92U4h+rDH+NojYpVjl1IaRAyU5,iv:kRvqVs70OzXLOBpZ/bfN0TQMdhqV6RAzQiszPQ4ZIwM=,tag:1whNxpchBdzOiVxCwYAzFA==,type:str]
gitea: gitea:
mail: ENC[AES256_GCM,data:LFYWpjHPcu6CQgcUEVcFA0ewZRjzA36wsoATnVGj,iv:Jqn1+6xa+wdkmdG2z9b8jf4DzCqF0I0YSctbiMN2tKw=,tag:aQQJG9STQmnAu+Dp9lj6cg==,type:str] mail: ENC[AES256_GCM,data:RwQY3sOfcZMTWbvK5NWOprTSKTY5Fn/cECCh1MRC,iv:KjiYDiqmMO8u3m2VArdAva937cqfqNHKKMUkvnpDtkU=,tag:OpkSgrs8Rrz+XG5Q3tw+QQ==,type:str]
gitea-runner: gitea-runner:
master-token: ENC[AES256_GCM,data:hZc+sti6I1j3EQQc/wRb5exg0yO6+wq0NCdUJ6FN/wpwyhfWPdEJ5eWw+3bAsEpxdQ==,iv:uJXhf5DZtk1LROyfw8bn5ZjN329LbZyTlaSPMvzeNXs=,tag:IeGUODEvfELc2YS+TUP7/g==,type:str] master-token: ENC[AES256_GCM,data:VbOnxgDr8Ni0NTdJvnwnppY3Q+/bev7IoVhxTpjGAphxh0tieCPfbnBJweav+l8dtQ==,iv:FzB5h/O0GSeBv1ZzE/zojWR2C6RR90NsxYddreVSmU0=,tag:c1WDgG9BlzvXaf+afzZW5g==,type:str]
papermc: papermc:
rcon: ENC[AES256_GCM,data:t6EjQmR+7l9x,iv:Vg3Ht/FNDUSkpRcP4c3hR/GzXMFMH/uD1wkPGn/OyKQ=,tag:++OEAYFK2qE4gM/XMSGH+g==,type:str] rcon: ENC[AES256_GCM,data:h9DqMN3MAS2X,iv:M72Ku0n1BTaj9TuHmpj+xBcE/6nJvHWKB87HZ3pUKyE=,tag:QRN8e/SXKv0VGyOf9Fq49Q==,type:str]
discordToken: ENC[AES256_GCM,data:oRNbi3uDJClyRJgKycvJAt+2ZPT3hU9AVGmB1XMGqObz6O0DpdBlsmSCbwXwhvD2U0cMLUx7fdehdDUXTnk5qLR/eBSwD/k0+0U=,iv:WXRo7iSRn+/4oeHuuEhQsDNrxw1pWt21GDLeinVOmV0=,tag:IHWpKGlkmHwDI7j9MHTbtg==,type:str] discordToken: ENC[AES256_GCM,data:dII/1MKdUt/gjl6j+0mIyy0e03BmRwFPBle4fCx5ZYFjQ6zy9ByjFwVYKS8LlXTaPZQGknTBg0QHypRjE3XFW5uzvfp0OfTYm0o=,iv:bSkp6dKYeOuei9OkshO89ihfGMpRXE+8vb0iXEEkv0I=,tag:ICCUF/l8vJfzb/hgF9AYsg==,type:str]
nix-store: nix-store:
cache-key: ENC[AES256_GCM,data:SH0lBYa6ELoraxKmWo+hb3+rFRjFbVm1mj0YiVKUua5pVnC8Weihk4haTJZ1zShc3ADuinyHD/Ns+576bajWoE5jSGHXlgWQ8P+5fMZ0BkmZEuP5kooWRBk5t1aZilM3LJavwsYiE6E=,iv:KpwDXIXtaiNgVgcUQJJOnA+YLXVhJwILeq2dX1XkXgo=,tag:4kTemsodW0bhW9joQAPzhA==,type:str] cache-key: ENC[AES256_GCM,data:wEp8XH18N5P+h8EMognt93/VwXVF5/sxvEOrGzba/iK1W4nVZM8pStGAP0wI593MEB7Vobw+slWj4I3wwRJjOpDsK4EsgROUBein84Gn9uqk/liCEqjSAqZkktv4yX5p3dETZw+Ojak=,iv:oVKBfzJP8il3N6lH4JmaPaHSaqkUfmsM6cr+xumjAdE=,tag:+Gj9CzpoQknT+i6xAPZ7dg==,type:str]
matrix:
coturn-secret: ENC[AES256_GCM,data:BWYo08cS4oAYk7aK5yKT7xWkcxhOhxi3mZzl//xB/IqJ70x4ggGoiVudTxE=,iv:4YYWyxnwR1KcpjTNwvzrGWWVobr3LM6H6l/1/fbBQE4=,tag:qmXc+tzYKJR6hErgurx97Q==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -26,23 +28,23 @@ sops:
- recipient: age1u9xr3tmwskfsrxg6gus3hmh9eakjh2h22jklfmcu33kassaraues435vvc - recipient: age1u9xr3tmwskfsrxg6gus3hmh9eakjh2h22jklfmcu33kassaraues435vvc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvajllWmw2U2U3eDFvY0Uw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVmZiM3RqVkphSm5aV0E5
S09kTGV1RDZVTU42QmlOZXcwWFl2RWNQeldRCklsSERCUUJKS1BNbkt4MWtoWFl3 ZW56NjEvdEFyQmI1NlEwaHNYOWN4aEp0bDN3CmcyTDY3QzJLSk5MSXZ4T0xONG5D
ZG9BVUFoQ1h5ZGlFelNzMEtIQmliTjgKLS0tIHZCWFBHUEw2TE9Yc0tZemtkUkNN NXRQejQrSlRWSHBQbnhVVVY5SGdmQzAKLS0tIGJWRWlPbVVicWhXcm1wMnBjbGpB
eXgrOTk1S0tDWWpHUkIveWZZdlYvMTQKyZMAYr6n5figUX2YUAAA37nxA5r1tyXh aXFvYzkvUDV6RTZTdzViZkVmeHY1MUkKoxyI003op6VxqTNFApFoAzIA1KwvKD51
F7/l2T4R+cXq3Oywf5EtezOMdl9Xprk0ZoubzT55p0TPtYwCNk6Chg== hjBPkP9e1B3fRWZXysva51G/Y2zc6ylv17qPE5TjaVw9OS2WqTQNWA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wyz7cfldqe9hh8qyw2qm42hkq9s7qdwqnrnv0u3s6vstv9649v0sh0z4em - recipient: age1wyz7cfldqe9hh8qyw2qm42hkq9s7qdwqnrnv0u3s6vstv9649v0sh0z4em
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSkt5NG4wdGVwMDlpMFhv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eGVWZnVUMUdyNys4cUFv
Vm56L1owRXJ2RTBhUVZ2aXpVVUVrZDV6M0FNCmYxTlNrQko0SmorWUV3VnRkOENK czl4THRPOFN6RXl1d3hoUlMzVittUmtjMGl3CnlCOElNVitLdXJQbmMxNTROdHRz
RDJzQkk0dVA0UVdDWEtxRDJEZFpSWVUKLS0tIGc1NFUzb1dhWUZlQWdpNFA4ZC9J MFl6NmxHWEY3anFsUkxpWGZHZ21iZ2sKLS0tIG1UT0VpaDBRNUpSY2lDcTRJMHpT
cFBmaUV4SWx3K21UUDA2YlBVY1NCazgK080jE+EELtQf8PmlaZs4RR+gjJEeEiTn ZnlzMlFUcEx5bHltdlg5ODVMVFNHNW8K7x38gdL5sbNLqTXdCxIHuX+yIy+XX8Vi
wwZXV8ufOGtLLwFtYlm8pdMXDtVrBywcRdzSo6/e73Y+GFxulTIFCQ== x90Ltb5GOAMkd6qzgup3bWuQazpZ/Gj25f6ql7L2Oenlw8/8S9vbeQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-05T17:43:22Z" lastmodified: "2024-10-09T07:20:47Z"
mac: ENC[AES256_GCM,data:OMwzBcK+KEaxZNTxCnlhDmm9efUkOtMk7vZUfxV9bCny80CdQhp9dD9a9bRPwn+lzgTj3CZLhLAubB3Eh01dqrbZ3DQt/p6xFQ54kCX0a18AHVSIrDcYQNez0MLcOI56RvJDofsO5Dh3i2sFXZ/gaxEjPBQPxlbH1KOrjCm480w=,iv:70i/TOlDF8Vru5FBu0fVb9IkG+Fg83zqcrcuyiHEHBc=,tag:A5qPz8KQl33Z5uHzMlTA0Q==,type:str] mac: ENC[AES256_GCM,data:fJ86HMwKQmbSTsAWAKC1cGxDqwkddTGHfFjQMa74RVxNh+yFlD+gEHFV2GKTRVji8kEUlp4qXqwtKnJ9Fx5zw0P1LHuCE9Q4j1Cxgs/j7XFTNMTvpt/8sVR1YC77Qp9LDwDxdDQK0GV4Z3BzoqjM20BHRbTWtCSyoNRmBP6Wcg8=,iv:BptqL9qXcyc5SaGvPMfUWDd0b22Viy5LJElbNGhpDYQ=,tag:jHMETvWq9IOCk+z63Dntpg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0


@ -42,6 +42,18 @@
group = "nix-serve"; group = "nix-serve";
mode = "0600"; mode = "0600";
}; };
coturn-secret = lib.mkIf config.services.coturn.enable {
owner = "turnserver";
group = "turnserver";
key = "matrix/coturn-secret";
};
turn-secret = lib.mkIf config.services.conduit.enable {
owner = "conduit";
group = "conduit";
key = "matrix/coturn-secret";
};
}; };
}; };
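Review bot: The two new entries `coturn-secret` and `turn-secret` decrypt the same key `matrix/coturn-secret` under different owners, but nothing in the hunk says why the secret is materialized twice; a comment such as `# one shared secret, written once per consumer so each service owns a private copy instead of a group-readable file` above `coturn-secret` would keep a later maintainer from collapsing them into a single entry. The entry just above sets `mode = "0600"` explicitly while the two new ones rely on the default; stating the intended mode on them too would keep the block consistent. The enclosing secrets attrset starts outside the hunk.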


@ -0,0 +1,223 @@
{
config,
lib,
pkgs,
bonLib,
...
}:
with lib; let
cfg = config.services.conduit;
format = pkgs.formats.toml {};
configFile = pkgs.writeText "config.toml" ''
${bonLib.toTOML {global = cfg.settings.global // lib.optionals (cfg.turn_secret_file != null) {turn_secret = "#turn_secret#";};}}
'';
in {
options.services.conduit = {
enable = mkEnableOption "conduit";
extraEnvironment = mkOption {
type = types.attrsOf types.str;
description = "Extra Environment variables to pass to the conduit server.";
default = {};
example = {RUST_BACKTRACE = "yes";};
};
package = mkOption {
type = types.package;
default = pkgs.matrix-conduit;
defaultText = literalExpression "pkgs.matrix-conduit";
description = "The package to use.";
};
turn_secret_file = mkOption {
type = types.nullOr types.path;
default = null;
description = "The path to the file with TURN secret.";
};
settings = mkOption {
type = types.submodule {
#freeformType = format.type;
options = {
global.server_name = mkOption {
type = types.str;
example = "example.com";
description = "The server_name is the name of this server. It is used as a suffix for user # and room ids.";
};
global.port = mkOption {
type = types.port;
default = 6167;
description = "The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port";
};
global.max_request_size = mkOption {
type = types.ints.positive;
default = 20000000;
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
};
global.allow_registration = mkOption {
type = types.bool;
default = false;
description = "Whether new users can register on this server.";
};
global.allow_encryption = mkOption {
type = types.bool;
default = true;
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
};
global.allow_federation = mkOption {
type = types.bool;
default = true;
description = ''
Whether this server federates with other servers.
'';
};
global.trusted_servers = mkOption {
type = types.listOf types.str;
default = ["matrix.org"];
description = "Servers trusted with signing server keys.";
};
global.address = mkOption {
type = types.str;
default = "::1";
description = "Address to listen on for connections by the reverse proxy/tls terminator.";
};
global.database_path = mkOption {
type = types.str;
default = "/var/lib/conduit/";
readOnly = true;
description = ''
Path to the conduit database, the directory where conduit will save its data.
Note that due to using the DynamicUser feature of systemd, this value should not be changed
and is set to be read only.
'';
};
global.database_backend = mkOption {
type = types.enum ["sqlite" "rocksdb"];
default = "sqlite";
example = "rocksdb";
description = ''
The database backend for the service. Switching it on an existing
instance will require manual migration of data.
'';
};
global.allow_check_for_updates = mkOption {
type = types.bool;
default = false;
description = ''
Whether to allow Conduit to automatically contact
<https://conduit.rs> hourly to check for important Conduit news.
Disabled by default because nixpkgs handles updates.
'';
};
global.well_known.client = mkOption {
type = types.nullOr types.str;
default = null;
description = "The URL that clients should use to connect to Conduit.";
};
global.well_known.server = mkOption {
type = types.nullOr types.str;
default = null;
description = "The hostname and port servers should use to connect to Conduit.";
};
global.turn_uris = mkOption {
type = types.listOf types.str;
default = [];
description = "The TURN URIs.";
};
global.turn_secret = mkOption {
type = types.nullOr types.str;
default = null;
description = "The TURN secret.";
};
global.turn_ttl = mkOption {
type = types.int;
default = 86400;
description = "The TURN TTL in seconds.";
};
};
};
default = {};
description = ''
Generates the conduit.toml configuration file. Refer to
<https://docs.conduit.rs/configuration.html>
for details on supported values.
Note that database_path can not be edited because the service's reliance on systemd StateDir.
'';
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.settings.global.turn_secret != null -> cfg.turn_secret_file == null;
message = "settings.global.turn_secret and turn_secret_file cannot be set at the same time";
}
];
users.users.conduit = {
description = "Conduit service user.";
isSystemUser = true;
group = "conduit";
};
users.groups.conduit = {};
systemd.services.conduit = let
runConfig = "/run/conduit/config.toml";
in {
description = "Conduit Matrix Server";
documentation = ["https://gitlab.com/famedly/conduit/"];
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
environment = mkMerge [
{CONDUIT_CONFIG = runConfig;}
cfg.extraEnvironment
];
preStart = ''
cat ${configFile} > ${runConfig}
${lib.optionalString (cfg.turn_secret_file != null) ''
${pkgs.replace-secret}/bin/replace-secret \
"#turn_secret#" \
${cfg.turn_secret_file} \
${runConfig}
''}
chmod 640 ${runConfig}
'';
serviceConfig = {
User = "conduit";
LockPersonality = true;
MemoryDenyWriteExecute = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
StateDirectory = "conduit";
StateDirectoryMode = "0700";
RuntimeDirectory = "conduit";
ExecStart = "${cfg.package}/bin/conduit";
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
};
};
systemd.tmpfiles.rules = [
"d /run/conduit 0700 conduit conduit - -"
];
};
}
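Review bot: `configFile` at the top of the module merges `cfg.settings.global` with `lib.optionals (cfg.turn_secret_file != null) {turn_secret = "#turn_secret#";}`, but `lib.optionals` yields a list (`[]` when the condition is false) and `attrset // list` is an evaluation error, so the placeholder path cannot work as written; it should read `lib.optionalAttrs (cfg.turn_secret_file != null) {turn_secret = "#turn_secret#";}`. Setting `settings.global.turn_secret` directly bakes the secret into the Nix store via `pkgs.writeText`, so the option description should say so and steer users to the file option: `description = "The TURN secret. Ends up world-readable in the Nix store; prefer turn_secret_file.";`. The `serviceConfig` hardening omits `ProtectSystem = "strict";` and `ProtectHome = true;`, which the zapret unit in this same range enables; `StateDirectory` and `RuntimeDirectory` remain writable under strict, so the `preStart` that writes `/run/conduit/config.toml` is unaffected. The `systemd.tmpfiles.rules` entry for `/run/conduit` duplicates what `RuntimeDirectory = "conduit"` already provides and can be dropped.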


@ -101,14 +101,30 @@ in {
description = "List of addresses to ignore"; description = "List of addresses to ignore";
}; };
# TODO: add filter and anti filter options with optional file paths dataDir = mkOption {
# TODO ipset hashsize and maxelem type = types.path;
default = "/var/lib/zapret";
description = ''
Directory to store zapret files and antifilter lists.
'';
};
filterAddressesSource = mkOption {
type = types.nullOr types.str;
default = null;
example = ''https://antifilter.network/download/ipsmart.lst'';
description = "Link to external list of addresses to download and use.";
};
# TODO: ipset hashsize and maxelem
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.tpws = { users.users.tpws = {
isSystemUser = true; isSystemUser = true;
group = "tpws"; group = "tpws";
home = cfg.dataDir;
createHome = true;
}; };
users.groups.tpws = {}; users.groups.tpws = {};
@ -126,6 +142,8 @@ in {
) )
gawk gawk
ipset ipset
wget
curl
]; ];
serviceConfig = { serviceConfig = {
@ -133,10 +151,11 @@ in {
Restart = "no"; Restart = "no";
TimeoutSec = "30sec"; TimeoutSec = "30sec";
IgnoreSIGPIPE = "no"; IgnoreSIGPIPE = "no";
KillMode = "none"; #KillMode = "none";
GuessMainPID = "no"; GuessMainPID = "no";
RemainAfterExit = "no"; RemainAfterExit = "no";
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/zapret start"; ExecStart = "${cfg.package}/bin/zapret start";
ExecStop = let ExecStop = let
stop_script = pkgs.writeShellScriptBin "zapret-stop" '' stop_script = pkgs.writeShellScriptBin "zapret-stop" ''
@ -157,37 +176,25 @@ in {
DISABLE_IPV6=${toString cfg.disableIPV6} DISABLE_IPV6=${toString cfg.disableIPV6}
'' ''
]); ]);
# hardening
DevicePolicy = "closed";
KeyringMode = "private";
PrivateTmp = true;
PrivateMounts = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
}; };
preStart = let preStart = let
# zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" (lib.readFile cfg.package.passthru.antifilter.ipsmart)); zapretListFile = src: pkgs.writeText "zapretList" (createFilterList "zapret" src);
zapretListFile = pkgs.writeText "zapretList" (createFilterList "zapret" cfg.filterAddresses); nozapretListFile = src: pkgs.writeText "nozapretList" (createFilterList "nozapret" src);
nozapretListFile = pkgs.writeText "nozapretList" (createFilterList "nozapret" cfg.ignoreAddresses);
in '' in ''
${lib.optionalString (cfg.filterAddressesSource != null) "curl -L '${cfg.filterAddressesSource}' -o ${cfg.dataDir}/zapretList && sed -i -e 's/^/add zapret /' '${cfg.dataDir}/zapretList'"}
ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -! ipset create zapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush zapret ipset flush zapret
ipset restore -! < ${zapretListFile} ipset restore -! < ${
if (cfg.filterAddressesSource != null)
then "${cfg.dataDir}/zapretList"
else (zapretListFile cfg.filterAddresses)
}
ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -! ipset create nozapret hash:net family inet hashsize 262144 maxelem 522288 -!
ipset flush nozapret ipset flush nozapret
ipset restore -! < ${nozapretListFile} ipset restore -! < ${nozapretListFile cfg.ignoreAddresses}
''; '';
}; };
}; };
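Review bot: The new `ProtectSystem = "strict";` in the hardening block makes `/var` read-only for the unit, yet the new `preStart` line writes the downloaded list to `${cfg.dataDir}/zapretList` (default `/var/lib/zapret`); unless `ReadWritePaths` or `StateDirectory` is declared outside the hunk, `curl -o` will fail with a read-only filesystem error whenever `filterAddressesSource` is set. The download runs as `curl -L` without `--fail` or a timeout, so an HTTP error page is saved with exit status 0 and then handed to `ipset restore`, which fails on it with an unrelated syntax error; `curl -fsSL --max-time 60 '${cfg.filterAddressesSource}' -o "${cfg.dataDir}/zapretList"` makes the failure point obvious. Because the `curl … && sed …` list is not the last command of the script, a failed download does not abort `preStart` (assuming the generated script runs with `set -e`), and a stale list left from an earlier run is restored without any indication; the fetched list also has no integrity check beyond TLS, so consider pinning a checksum or at least logging which source and size were loaded. `wget` is added to the unit's `path` but nothing in the hunk uses it. The `config` attrset continues beyond the hunk.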


@ -1,13 +0,0 @@
{
bonLib,
lib,
pkgs,
...
}:
(pkgs.blender.override {cudaSupport = true;}).overrideAttrs (old: {
meta =
old.meta
// {
description = old.meta.description + " (CUDA enabled)";
};
})


@ -83,17 +83,12 @@ in
# Pass for cache # Pass for cache
blender = { # ISSUE: attribute 'targetPlatforms' missing
source = ./blender; #wezterm = {
platforms = ["x86_64-linux"]; # source = ./wezterm;
builder = {...}: import; # platforms = ["x86_64-linux"];
}; # builder = {...}: import;
#};
wezterm = {
source = ./wezterm;
platforms = ["x86_64-linux"];
builder = {...}: import;
};
# Container images # Container images


@ -1,108 +1,16 @@
{ {
bonLib,
craneLib,
lib, lib,
pkgs, weztermPkgs,
version ? "2d0c5cddc91a9c59aef9a7667d90924e7cedd0ac",
hash ? "sha256-ZsDJQSUokodwFMP4FIZm2dYojf5iC4F/EeKC5VuQlqY=",
... ...
}: let }:
src = pkgs.fetchFromGitHub { weztermPkgs.default.overrideAttrs (old: {
owner = "wez";
repo = "wezterm";
rev = version;
hash = hash;
fetchSubmodules = true;
};
terminfo =
pkgs.runCommand "wezterm-terminfo"
{
nativeBuildInputs = [pkgs.ncurses];
} ''
mkdir -p $out/share/terminfo $out/nix-support
tic -x -o $out/share/terminfo ${src}/termwiz/data/wezterm.terminfo
'';
pkg = {
pname = "wezterm"; pname = "wezterm";
inherit version;
inherit src; meta =
old.meta
strictDeps = true; // {
doCheck = false;
nativeBuildInputs = with pkgs; [
installShellFiles
ncurses # tic for terminfo
pkg-config
python3
];
buildInputs = with pkgs; [
fontconfig
pkgs.zlib
libxkbcommon
openssl
wayland
cairo
xorg.libX11
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilwm # contains xcb-ewmh among others
];
libPath = lib.makeLibraryPath (with pkgs; [
xorg.xcbutilimage
libGL
vulkan-loader
]);
postPatch = ''
echo ${version} > .tag
# tests are failing with: Unable to exchange encryption keys
# rm -r wezterm-ssh/tests
'';
preFixup = lib.optionalString pkgs.stdenv.isLinux ''
patchelf \
--add-needed "${pkgs.libGL}/lib/libEGL.so.1" \
--add-needed "${pkgs.vulkan-loader}/lib/libvulkan.so.1" \
$out/bin/wezterm-gui
'';
postInstall = ''
mkdir -p $out/nix-support
echo "${terminfo}" >> $out/nix-support/propagated-user-env-packages
install -Dm644 assets/icon/terminal.png $out/share/icons/hicolor/128x128/apps/org.wezfurlong.wezterm.png
install -Dm644 assets/wezterm.desktop $out/share/applications/org.wezfurlong.wezterm.desktop
install -Dm644 assets/wezterm.appdata.xml $out/share/metainfo/org.wezfurlong.wezterm.appdata.xml
install -Dm644 assets/shell-integration/wezterm.sh -t $out/etc/profile.d
installShellCompletion --cmd wezterm \
--bash assets/shell-completion/bash \
--fish assets/shell-completion/fish \
--zsh assets/shell-completion/zsh
install -Dm644 assets/wezterm-nautilus.py -t $out/share/nautilus-python/extensions
'';
meta = with lib; {
homepage = "https://github.com/wez/wezterm"; homepage = "https://github.com/wez/wezterm";
description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust"; description = "A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust";
license = lib.licenses.mit; license = lib.licenses.mit;
maintainers = with bonLib.maintainers; [L-Nafaryus];
platforms = platforms.x86_64;
mainProgram = "wezterm";
}; };
}; })
in let
cargoArtifacts = craneLib.buildDepsOnly pkg;
in
craneLib.buildPackage (
pkg // {inherit cargoArtifacts;}
)