From 6bae0fa25439022ab077e7f5fd3984551c5fb2d8 Mon Sep 17 00:00:00 2001 
From: xunuwu Date: Fri, 23 Feb 2024 05:34:33 +0100 Subject: [PATCH] lots of stuff --- .gitignore | 2 + .sops.yaml | 10 + Justfile | 20 +- flake.lock | 92 ++-- flake.nix | 4 +- home/profiles/default.nix | 4 +- home/profiles/nixdesk/default.nix | 2 + home/programs/games/default.nix | 6 +- home/programs/games/steam.nix | 1 + home/programs/media/jellyfin.nix | 1 - home/programs/misc/discord.nix | 4 +- home/programs/misc/thunderbird.nix | 8 + home/programs/music/spotify.nix | 3 + home/terminal/shell/zsh.nix | 16 +- hosts/default.nix | 20 +- hosts/hopper/default.nix | 4 + hosts/nixdesk/default.nix | 9 +- pkgs/default.nix | 3 + pkgs/jdnbtexplorer/default.nix | 55 +++ secrets/default.nix | 1 - secrets/hopper/code-server | 24 + secrets/hopper/default.nix | 29 ++ secrets/hopper/serverenv | 24 + secrets/hopper/wireguard | 24 + secrets/hopper/wireguard.yaml | 31 ++ secrets/nixdesk/default.nix | 9 +- secrets/nixdesk/wireguard | 24 + system/core/default.nix | 2 +- system/core/ssh.nix | 2 +- system/core/tools.nix | 1 + system/default.nix | 1 + system/desktop/awesome.nix | 2 +- system/desktop/x11/default.nix | 5 + system/desktop/x11/nosleep.nix | 8 + system/desktop/x11/xclip.nix | 3 + system/network/networkd.nix | 4 - system/services/containers/server/default.nix | 436 ++++++++++++++++++ .../containers/server/statistics/default.nix | 146 ++++++ .../containers/server/statistics/loki.yaml | 48 ++ system/services/flatpak.nix | 3 + system/services/transmission.nix | 10 + system/services/wireguard.nix | 81 ++++ 42 files changed, 1109 insertions(+), 73 deletions(-) create mode 100644 .gitignore create mode 100644 home/programs/misc/thunderbird.nix create mode 100644 home/programs/music/spotify.nix create mode 100644 pkgs/default.nix create mode 100644 pkgs/jdnbtexplorer/default.nix create mode 100644 secrets/hopper/code-server create mode 100644 secrets/hopper/default.nix create mode 100644 secrets/hopper/serverenv create mode 100644 secrets/hopper/wireguard create mode 100644 
secrets/hopper/wireguard.yaml create mode 100644 secrets/nixdesk/wireguard create mode 100644 system/desktop/x11/default.nix create mode 100644 system/desktop/x11/nosleep.nix create mode 100644 system/desktop/x11/xclip.nix create mode 100644 system/services/containers/server/default.nix create mode 100644 system/services/containers/server/statistics/default.nix create mode 100644 system/services/containers/server/statistics/loki.yaml create mode 100644 system/services/flatpak.nix create mode 100644 system/services/transmission.nix create mode 100644 system/services/wireguard.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..726d2d6 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +result +.direnv diff --git a/.sops.yaml b/.sops.yaml index 13b33c5..3b446ac 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -12,3 +12,13 @@ creation_rules: - *xun - *nixdesk - *hopper + - path_regex: secrets/nixdesk + key_groups: + - age: + - *xun + - *nixdesk + - path_regex: secrets/hopper + key_groups: + - age: + - *xun + - *hopper diff --git a/Justfile b/Justfile index fe6c653..ce17f88 100644 --- a/Justfile +++ b/Justfile @@ -1,6 +1,16 @@ -remote OPERATION HOST: - nixos-rebuild \ - --flake .#{{HOST}} \ - --target-host xun@{{HOST}} \ - --use-remote-sudo \ +hostname := `hostname` + +local OPERATION: + sudo nixos-rebuild \ + --flake .#{{hostname}} \ + {{OPERATION}} + + +remote OPERATION HOST HOSTNAME *FLAGS: + nixos-rebuild \ + --fast \ + --flake .#{{HOST}} \ + --target-host xun@{{HOSTNAME}} \ + --use-remote-sudo \ + {{FLAGS}} \ {{OPERATION}} diff --git a/flake.lock b/flake.lock index 60db70a..259fab7 100644 --- a/flake.lock +++ b/flake.lock 
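Review bot: The two `path_regex` values added to .sops.yaml are unanchored and sit after the existing rule, and sops uses the first creation rule whose regex matches; if the rule ending on the context lines above (`*xun`, `*nixdesk`, `*hopper`) already matches `secrets/` in general, the per-host rules are never reached and a newly created secret is still encrypted to all three keys. If per-host recipient sets are the intent, place these rules before the broader one and anchor them, e.g. `- path_regex: ^secrets/hopper/` and `- path_regex: ^secrets/nixdesk/`. The sops files added elsewhere in this commit each carry two recipients, which suggests they were created under the intended rule, but rule order is what decides for the next file.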
@@ -9,11 +9,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1706647585, - "narHash": "sha256-HwAWgXIUn0a2FIS5Mye0sAZj1BZ4++YKWzIPM7coFjs=", + "lastModified": 1708452844, + "narHash": "sha256-zlmcdVoD/7M15OrEJFjJ19s84cudaOd66DTyso0ERic=", "owner": "rycee", "repo": "nur-expressions", - "rev": "9343a32ef3fc2d3be2f3c5266a09c63cc5019438", + "rev": "a32606b39b9b56062efdef8f001d1e88f7647f59", "type": "gitlab" }, "original": { @@ -60,11 +60,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1706569497, - "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "60c614008eed1d0383d21daac177a3e036192ed8", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { @@ -122,11 +122,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { @@ -188,11 +188,11 @@ }, "hardware": { "locked": { - "lastModified": 1706182238, - "narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=", + "lastModified": 1708091350, + "narHash": "sha256-o28BJYi68qqvHipT7V2jkWxDiMS1LF9nxUsou+eFUPQ=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "f84eaffc35d1a655e84749228cde19922fcf55f1", + "rev": "106d3fec43bcea19cb2e061ca02531d54b542ce3", "type": "github" }, "original": { 
@@ -231,11 +231,11 @@ ] }, "locked": { - "lastModified": 1706473109, - "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=", + "lastModified": 1708451036, + "narHash": "sha256-tgZ38NummEdnXvxj4D0StHBzXgceAw8CptytHljH790=", "owner": "nix-community", "repo": "home-manager", - "rev": "d634c3abafa454551f2083b054cd95c3f287be61", + "rev": "517601b37c6d495274454f63c5a483c8e3ca6be1", "type": "github" }, "original": { @@ -321,11 +321,11 @@ ] }, "locked": { - "lastModified": 1706714349, - "narHash": "sha256-XCWHBWqfCGgP1EY+KWl2xAy1muJN/MTXChiBDbeAb/8=", + "lastModified": 1708433103, + "narHash": "sha256-Fxmfx7jSrLeMGYq634/RDWJwoKRw11ahDroOF0mIQiE=", "owner": "fufexan", "repo": "nix-gaming", - "rev": "015aeaa26b7eeafb14ed7e01dce74d1f2338157f", + "rev": "d154dc37e5a1179def36813fee1016a764090535", "type": "github" }, "original": { @@ -341,11 +341,11 @@ ] }, "locked": { - "lastModified": 1706411424, - "narHash": "sha256-BzziJYucEZvdCE985vjPoo3ztWcmUiSQ1wJ2CoT6jCc=", + "lastModified": 1708225687, + "narHash": "sha256-NJBDfvknI26beOFmjO2coeJMTTUCCtw2Iu+rvJ1Zb9k=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c782f2a4f6fc94311ab5ef31df2f1149a1856181", + "rev": "17352eb241a8d158c4ac523b19d8d2a6c8efe127", "type": "github" }, "original": { @@ -361,11 +361,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1707182119, - "narHash": "sha256-Egt1PmjNAbx2nS0h/iWpaTCcOzLPHpRXzTJBt3waEAs=", + "lastModified": 1708391638, + "narHash": "sha256-ZbiupDt7BPhxJy6EfS8ShKAaKtW8qZblWE617Le1hCI=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "4e7767c214364217e0a7611dca3f3420555ceb20", + "rev": "64ff3452483eb29ad15e7e1a943831629368ae90", "type": "github" }, "original": { 
@@ -393,11 +393,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs-lib_2": { "locked": { "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { @@ -428,27 +428,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "lastModified": 1708210246, + "narHash": "sha256-Q8L9XwrBK53fbuuIFMbjKvoV7ixfLFKLw4yV+SD28Y8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "rev": "69405156cffbdf2be50153f13cbdf9a0bea38e49", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1707092692, - "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", + "lastModified": 1684570954, + "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "faf912b086576fd1a15fca610166c98d47bc667e", + "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3", "type": "github" }, "original": { 
@@ -460,11 +460,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1706550542, - "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "lastModified": 1708296515, + "narHash": "sha256-FyF489fYNAUy7b6dkYV6rGPyzp+4tThhr80KNAaF/yY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "rev": "b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa", "type": "github" }, "original": { @@ -476,11 +476,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1706173671, - "narHash": "sha256-lciR7kQUK2FCAYuszyd7zyRRmTaXVeoZsCyK6QFpGdk=", + "lastModified": 1708151420, + "narHash": "sha256-MGT/4aGCWQPQiu6COqJdCj9kSpLPiShgbwpbC38YXC8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4fddc9be4eaf195d631333908f2a454b03628ee5", + "rev": "6e2f00c83911461438301db0dba5281197fe4b3a", "type": "github" }, "original": { @@ -510,11 +510,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1706410821, - "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=", + "lastModified": 1708456161, + "narHash": "sha256-Rh5kJvLZySEPkOxCIX1XA0SpDnYjjXSvixLwKsrcpVE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef", + "rev": "acfcce2a36da17ebb724d2e100d47881880c2e48", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 57705b3..12e9663 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ config, pkgs, ... - }: { + }: rec { devShells.default = pkgs.mkShell { packages = with pkgs; [ alejandra @@ -26,6 +26,8 @@ name = "dots"; }; + packages = import ./pkgs {inherit pkgs;}; + formatter = pkgs.alejandra; }; }; diff --git a/home/profiles/default.nix b/home/profiles/default.nix index c26a6a8..c1adb6d 100644 --- a/home/profiles/default.nix +++ b/home/profiles/default.nix @@ -1,6 +1,8 @@ { self, inputs, + system, + pkgs, ... }: let # get these into the module system 
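Review bot: `}: rec {` in flake.nix makes `devShells`, `packages` and `formatter` mutually visible, yet nothing in the hunk refers to a sibling attribute, so `rec` appears unnecessary and it can mask an accidental self-reference later. If no later line of the perSystem body (outside the hunk) uses it, keep the original `}: {`; otherwise a short comment such as `# rec: packages is referenced by devShells below` would explain why it is there.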
@@ -24,7 +26,7 @@ inherit (inputs.home-manager.lib) homeManagerConfiguration; - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + pkgs = inputs.nixpkgs.legacyPackages.${system}; in { # we need to pass this to NixOS' HM module _module.args = {inherit homeImports;}; diff --git a/home/profiles/nixdesk/default.nix b/home/profiles/nixdesk/default.nix index 411d0b6..3d8ed06 100644 --- a/home/profiles/nixdesk/default.nix +++ b/home/profiles/nixdesk/default.nix @@ -16,8 +16,10 @@ # programs ../../programs/misc/keepassxc.nix ../../programs/misc/discord.nix + ../../programs/misc/thunderbird.nix ../../programs/music ../../programs/music/yams.nix + ../../programs/music/spotify.nix ../../programs/media ../../programs/media/jellyfin.nix # gaming diff --git a/home/programs/games/default.nix b/home/programs/games/default.nix index 958691c..8accb9e 100644 --- a/home/programs/games/default.nix +++ b/home/programs/games/default.nix @@ -1,4 +1,8 @@ -{pkgs, ...}: { +{ + pkgs, + self, + ... +}: { home.packages = with pkgs; [ heroic lutris diff --git a/home/programs/games/steam.nix b/home/programs/games/steam.nix index c08b481..3bddcf4 100644 --- a/home/programs/games/steam.nix +++ b/home/programs/games/steam.nix @@ -26,6 +26,7 @@ in { home.packages = with pkgs; [ steam-with-pkgs steam-run + steamtinkerlaunch protontricks ]; } diff --git a/home/programs/media/jellyfin.nix b/home/programs/media/jellyfin.nix index 94a7573..26cec11 100644 --- a/home/programs/media/jellyfin.nix +++ b/home/programs/media/jellyfin.nix @@ -1,6 +1,5 @@ {pkgs, ...}: { home.packages = with pkgs; [ jellyfin-media-player - jellycli ]; } diff --git a/home/programs/misc/discord.nix b/home/programs/misc/discord.nix index 6003f99..0ce69eb 100644 --- a/home/programs/misc/discord.nix +++ b/home/programs/misc/discord.nix @@ -1,7 +1,5 @@ {pkgs, ...}: { home.packages = with pkgs; [ - (discord.override { - withVencord = true; - }) + vesktop ]; } 
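Review bot: `pkgs = inputs.nixpkgs.legacyPackages.${system};` in the `let` shadows the `pkgs` parameter that the first hunk of home/profiles/default.nix (`@@ -1,6 +1,8 @@`) adds to the argument set, so the new parameter is never read. Either drop `pkgs,` from the arguments and keep the `let`, or drop the `let` line and use the `pkgs` the caller passes in; which one is right depends on whether the caller's `pkgs` is the same nixpkgs instance, which is not visible here. The enclosing `let` starts above the hunk.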
diff --git a/home/programs/misc/thunderbird.nix b/home/programs/misc/thunderbird.nix new file mode 100644 index 0000000..c44e972 --- /dev/null +++ b/home/programs/misc/thunderbird.nix @@ -0,0 +1,8 @@ +{ + programs.thunderbird = { + enable = true; + profiles.xun = { + isDefault = true; + }; + }; +} diff --git a/home/programs/music/spotify.nix b/home/programs/music/spotify.nix new file mode 100644 index 0000000..3a6c544 --- /dev/null +++ b/home/programs/music/spotify.nix @@ -0,0 +1,3 @@ +{pkgs, ...}: { + home.packages = [pkgs.spotify]; +} diff --git a/home/terminal/shell/zsh.nix b/home/terminal/shell/zsh.nix index 4839f95..795c2a0 100644 --- a/home/terminal/shell/zsh.nix +++ b/home/terminal/shell/zsh.nix @@ -16,10 +16,24 @@ ## KEYBINDS ## bindkey "^[[1;5D" backward-word bindkey "^[[1;5C" forward-word - WORDCHARS= # this makes ^w actually stop on directory delimiters etc + + # improve ^w behaviour + WORDCHARS= + + # shift-tab in completion menu + bindkey '^[[Z' reverse-menu-complete + zstyle ':completion:*' matcher-list 'm:{a-z}={A-Z}' # Case insensitive completion + bindkey '^[[Z' reverse-menu-complete # shift-tab in completion menu + + + ## MISC ## + # Show completion categories + zstyle ':completion:*:*:*:*:descriptions' format '%F{magenta}<-%d->%f' + + ## PROMPT ## autoload -Uz vcs_info precmd_vcs_info() { vcs_info } diff --git a/hosts/default.nix b/hosts/default.nix index 22ff0a9..253c67a 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -9,10 +9,12 @@ mod = "${self}/system"; # get the basic config to build on top of - inherit (import "${self}/system") desktop laptop; + inherit (import "${self}/system") desktop; # get these into the module system - specialArgs = {inherit inputs self;}; + specialArgs = { + inherit inputs self; + }; in { nixdesk = nixosSystem { inherit specialArgs; 
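Review bot: The added `bindkey '^[[Z' reverse-menu-complete` under `# shift-tab in completion menu` in zsh.nix duplicates the existing `bindkey '^[[Z' reverse-menu-complete # shift-tab in completion menu` that survives as a context line two lines below it. Keep one of the two; the cleanest is to delete the pre-existing line and its trailing comment, since the new block already documents the binding.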
@@ -20,9 +22,13 @@ desktop ++ [ ./nixdesk - "${mod}/programs/gamemode.nix" - "${mod}/services/syncthing.nix" + "${self}/secrets" + "${self}/secrets/nixdesk" + + "${mod}/services/syncthing.nix" + "${mod}/desktop/x11/nosleep.nix" + { home-manager = { users.xun.imports = homeImports."xun@nixdesk"; @@ -37,6 +43,7 @@ ./hopper "${self}/secrets" + "${self}/secrets/hopper" "${mod}/core" @@ -57,6 +64,11 @@ "${mod}/services" "${mod}/services/pipewire.nix" "${mod}/services/syncthing.nix" + "${mod}/services/containers/server" + + #"${mod}/services/networkd-wireguard.nix" + #"${mod}/services/wireguard.nix" + #"${mod}/services/transmission.nix" { home-manager = { diff --git a/hosts/hopper/default.nix b/hosts/hopper/default.nix index 9fc0939..5ea61dc 100644 --- a/hosts/hopper/default.nix +++ b/hosts/hopper/default.nix @@ -8,6 +8,10 @@ networking.hostName = "hopper"; + #services.tailscale.extraUpFlags = [ + # "--ssh" + #]; + swapDevices = []; system.stateVersion = "23.11"; diff --git a/hosts/nixdesk/default.nix b/hosts/nixdesk/default.nix index 712a953..3a61c0b 100644 --- a/hosts/nixdesk/default.nix +++ b/hosts/nixdesk/default.nix @@ -1,6 +1,7 @@ { pkgs, inputs, + lib, ... }: { imports = [ @@ -15,7 +16,13 @@ boot.kernelPackages = pkgs.linuxPackages_latest; - swapDevices = []; + swapDevices = [ + { + device = "/var/lib/swapfile"; + randomEncryption.enable = true; + size = 16 * 1024; + } + ]; system.stateVersion = "23.11"; } diff --git a/pkgs/default.nix b/pkgs/default.nix new file mode 100644 index 0000000..f559d30 --- /dev/null +++ b/pkgs/default.nix @@ -0,0 +1,3 @@ +{pkgs, ...}: { + jdnbtexplorer = pkgs.qt6Packages.callPackage ./jdnbtexplorer {}; +} diff --git a/pkgs/jdnbtexplorer/default.nix b/pkgs/jdnbtexplorer/default.nix new file mode 100644 index 0000000..d234ca0 --- /dev/null +++ b/pkgs/jdnbtexplorer/default.nix 
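Review bot: The `swapDevices` entry in hosts/nixdesk/default.nix enables `randomEncryption`, which means the swap key is regenerated each boot and the swap cannot back hibernation; a comment such as `# random per-boot key: swap never survives a reboot, so no hibernation from this device` would record that trade-off for the next reader. The same hunk adds `lib` to the argument set, and nothing in the visible lines uses it; if the rest of the file (outside the hunk) does not either, drop it.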
@@ -0,0 +1,55 @@ +{ + lib, + python3, + which, + qttools, +}: let + myPython = python3.withPackages (pkgs: + with pkgs; [ + pyqt6 + pyside6 + (myPython.pkgs.buildPythonPackage rec { + pname = "NBT"; + version = "1.5.1"; + + src = myPython.pkgs.fetchPypi { + inherit pname version; + hash = "sha256-2juyE3YFy53+dEbxPxmzrn+vkg1DCjh/t4794n9mNsU="; + }; + }) + ]); +in + myPython.pkgs.buildPythonPackage rec { + pname = "jdNBTExplorer"; + version = "2.0"; + format = "pyproject"; + + src = builtins.fetchGit { + url = "https://codeberg.org/JakobDev/jdNBTExplorer"; + rev = "e70c9b030f88340b565c22759b6efd97172be551"; + }; + + nativeBuildInputs = [ + myPython + which + qttools + ]; + + propagatedBuildInputs = [ + myPython + ]; + + dontWrapQtApps = true; + + preFixup = '' + qtWrapperArgs+=("''${gappsWrapperArgs[@]}") + # You can manually patch scripts using: wrapQtApp "$out/bin/myapp". TODO: check when it's required. + ''; + + meta = with lib; { + changelog = "https://codeberg.org/JakobDev/jdNBTExplorer/releases/tag/${version}"; + description = "An Editor for Minecraft NBT files"; + homepage = "https://codeberg.org/JakobDev/jdNBTExplorer"; + license = licenses.gpl3Only; + }; + } diff --git a/secrets/default.nix b/secrets/default.nix index 820ff87..9ee30dc 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,6 +1,5 @@ { inputs, - config, lib, ... }: { diff --git a/secrets/hopper/code-server b/secrets/hopper/code-server new file mode 100644 index 0000000..1a5bdf8 --- /dev/null +++ b/secrets/hopper/code-server 
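Review bot: `src = builtins.fetchGit { url = ...; rev = ...; }` in pkgs/jdnbtexplorer/default.nix is pinned by commit but is fetched at evaluation time outside the build sandbox and carries no content hash, so the derivation is only as reproducible as access to that git remote; a fixed-output fetcher with a `hash` is the conventional form in nixpkgs-style packages. Separately, `myPython` refers to `myPython.pkgs.buildPythonPackage` and `myPython.pkgs.fetchPypi` inside its own `withPackages` lambda, which evaluates lazily but reads as a cycle; the lambda's `pkgs` argument already is the Python package set, so bare `buildPythonPackage` and `fetchPypi` (in scope via `with pkgs;`) do the same job, and the outer call can be `python3.pkgs.buildPythonPackage`. The hash below is a placeholder to be filled from `nix-prefetch-git`.

```nix
{
  lib,
  python3,
  fetchgit,
  which,
  qttools,
}: let
  # … unchanged: myPython, using the lambda's `pkgs` for buildPythonPackage/fetchPypi …
in
  python3.pkgs.buildPythonPackage rec {
    # … unchanged: pname, version, format …
    src = fetchgit {
      url = "https://codeberg.org/JakobDev/jdNBTExplorer";
      rev = "e70c9b030f88340b565c22759b6efd97172be551";
      hash = "<sha256 placeholder: fill from nix-prefetch-git>";
    };
    # … unchanged: nativeBuildInputs, propagatedBuildInputs, preFixup, meta …
  }
```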
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:UrmaXZ5U/yiBA0fIe+6OGD0a9hPMGO0AadM6dSw6armCsCHocN4nKYEgf1o67VSMR1IGmwxVEg9yT9o159jS4YnS6xE3EcygvmfrOD8X1aCWKK+eF3MWNmxjMrylTO5PYeZMu6R3,iv:ZFY9P+Zeva8U0Mhyq/zSGRs9ikRgK+tt8OFX9tusONA=,tag:CLyaeWre//r6HAaEctCBbQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY2xXRkxjd0JqNWNuS1pu\ndVNUeE5JaWN2QkRUZzBPdnNCZjg5K0kxRnp3ClErcHk0MTB6aGpWYjcvb1NIWWVC\nY2NYbVNxRWVRbk4zdXNmcXpkRHRXbHMKLS0tIGQyekRtYkZOYmRVaVRVclFEK01Y\nZFdFZjlkTmFpU0lyZEs0Qkl5aHhEV0kK9bTzLFDrLCVGJiPLCwPLBtZm1Wl9pmqC\nMcMhpaWFPrV9VBbTXtHYoojDrwc+dHDvWIskBixhf7P7R+dOOpchhw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQnlTVGdMV0xhb215b1I5\nc2tqTHhHeDBMK29Eclp6NjVELy9reUYwTjA4ClBrVS9hWWhCeUsxbEJSNG9NRmZl\nQnZGVHdXM2svM1Iyc3NTT294NWk1RDAKLS0tIEZjUStFZDJoOHFrc0hsaUMrNXl4\nQys1M2xpRVhkUmI4U0taQllSWC93YXMKDJdRDZGGP/RFqquIY6m676vOL0CxEkrd\npIpZ88Y9/2oX0FUHxm8vV/xHXyKfWm5lU4xEcJ1tBV/Zm0jLbLQTMw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-02-21T19:46:40Z", + "mac": "ENC[AES256_GCM,data:8j1JzGceUdx/ha1kNYI7pVG9Qtc9dWqI+X9tBFgFJ94QAhH5r56PngsvPHDcx3Y3jHYH/eN2Nd3KESfabOS0TIxDk0ka4GpKYZY2uG6jerN88tisZ5FvatVGMDp6EPE3x0S6kjeYocbt0XBgxn32iTAC19gvS6FipZ6Df35HOQ8=,iv:PjJ51F0FKe5c0m6+cLN5d9cD5mbpKuTas48tEJ9Qr5E=,tag:CQzuGCkpE5o7GTI2Mc/rcQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/secrets/hopper/default.nix b/secrets/hopper/default.nix new file mode 100644 index 0000000..ea17a37 --- /dev/null +++ b/secrets/hopper/default.nix 
@@ -0,0 +1,29 @@ +{ + sops.secrets = { + wireguard = { + format = "binary"; + sopsFile = ./wireguard; + }; + wg-private = { + key = "PrivateKey"; + sopsFile = ./wireguard.yaml; + group = "systemd-network"; + mode = "0640"; + }; + wg-preshared = { + key = "PresharedKey"; + sopsFile = ./wireguard.yaml; + group = "systemd-network"; + mode = "0640"; + }; + + serverenv = { + format = "binary"; + sopsFile = ./serverenv; + }; + code-server = { + format = "binary"; + sopsFile = ./code-server; + }; + }; +} diff --git a/secrets/hopper/serverenv b/secrets/hopper/serverenv new file mode 100644 index 0000000..6ebf081 --- /dev/null +++ b/secrets/hopper/serverenv 
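Review bot: `wg-private` and `wg-preshared` in secrets/hopper/default.nix are declared with `group = "systemd-network"` and `mode = "0640"`, but the hosts/default.nix hunk in this same commit leaves `wireguard.nix` and `networkd-wireguard.nix` commented out, so nothing visible consumes them while sops-nix still decrypts them into the runtime secrets directory on every activation. Either hold these two entries back until the consuming module is imported, or add `# consumed by system/services/wireguard.nix (module not yet imported on hopper)` so the dangling grant is deliberate. The `wireguard` binary secret keeps the default owner and mode and is bind-mounted into the gluetun container in the containers/server module; that presumably works only because the container service runs as root, which is worth a one-line comment next to the entry.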
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:GOiWi8l61RgpVeKWrlfwxWMbda8FgJGlHXl910qpblaTsxbrIe+aZoEqVyaSST/N4kip7m2fQsCaX5C827XKR16CZ1c5R/3oql8gDcu6lrkDTIbbttN/RUVfX6LD1Y0b,iv:nwZWzKpz4y7+LKDHoojMWBKOvybZeo/d/ZSzsMujXTI=,tag:SHnv4RuNrsQpQ30x1gjIOQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4clpZQ0doNGJwRkI3QXdX\na0RpWnJoSjlveUhzK1lPaXRYRnlhcFZPZVE0Cm1xamVNMWxVeVhXdmhWZTE3TDJa\nZnUxdWdwVU5Bd3czS2FRb3pkWDFrcEUKLS0tIG5BS2ZDN21Tbm9FNnZoRUIvV0N2\nQmY2UHowS24yS0hYTXJMKzJJdDgrTlkKW80YjK/+FF1jjqNFoJLUTtZENRS7D5Bq\nFq7Vmu/untXqA7yqojI9Og7pdWyAnAf737kq6XusCBA3KMz5C+BgMg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTmJYZzIra3RIWHFyT0RJ\nZ0JoeGduL1RmYWN2SC9Ua0RIN0dWSEN4QjB3CjgzMi9sN3RETTArRnIwNGZkM3FD\nZUJFVHpEdE5YVHhQRmoxY3VWWnFQdG8KLS0tIFo3Sy9qNE1nV2dWV1hSZEhLUENJ\nUk9walpjTUp6aXUvYjlIR2c2dlNscXMK3ZT6xLYaKtwxfEqhhxN9fgr4sBYMSHiY\nnfcj5NNxOYgY8q6Z7oJ9Yzk+8Jrv7SS/eIMCt+rk9+UOu3xl+r/TBw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-02-16T22:49:25Z", + "mac": "ENC[AES256_GCM,data:1V7ZORlvxVVynY7rkKxkEw8MLonW5BwdGqvZ8C9Y9QNIu/udVmQvFMOxHVkdTcYOgk/4pYK/jKNkaPCPtjfJvhnSQ3ZKfOQJWfTVhq+Ba8f2HYc2qLUDupyMtjhBY7W2Pt9yAlJHxpozblCnGty958yy7Z0V0NiiO9ETA837fUQ=,iv:IqAr2BETDyPSdhzYWKEts+9AK5coOGY5/99QZ6HufyA=,tag:3oes+CnEb4zcdNp7QQOahg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/secrets/hopper/wireguard b/secrets/hopper/wireguard new file mode 100644 index 0000000..f6789d7 --- /dev/null +++ b/secrets/hopper/wireguard 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:kCJQ4tuM0zzYUsUFAAWG/Q7Uxs4262XGg7ioE+n/D4De1RRGApDyOLVnt7xgPhKK3fyxfkqmUrLvlumc0KwC0wl3U0YzW77r0G+XhutE+pp3DboDiYBsGfvj/Yl8T+lV2Q9s9GLMtdshjh21DTVbXLLf4Z9Fw51oshsVZIfy+VBZvjCNlUD+6uXO3Jo/1qcwPnMvIsyqKQCAtFvfvoEyDO36/XCXoDwqs4V3NLQortL9KgTd6lClrWtZIBYj3HZcogwhnK2AqMVnHrFzizndYKK170Z2Llptz4aBQeUF40gqM16Tj4Rxjqy11o2e20rCy854yyxGf6pIYy4475h8sWPnqVGk1NaMUKHTxJ4sOqm6nC+yXSUSoj/kXKkxy74oOs29mih/SfHqj/xPsodOkX3sD7R/NcTZsyJ8wy5hJOfe7h3qFjthd6d0sc3bbbPPQtXz3ixKgN7brtJQHUhPgol8IJn6h63kBRmUu5GyZAimT/hidW/IsIfLRAV54JCcOCrUzygkrRFItDVk98PHekTrSJfm6dWd0z4=,iv:kPWXbr/kvsFxUjYP9XaPB/5EKv9R2evsbq+1beYN4L8=,tag:qee0e90KN9aTeteX2pxRVQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnU0lRS0I5cXh1V0xjb1RS\nVTlla014WWVybmNOTml5ejdOaTFiWWpTbFc4CmdVZHdvazhoNnlaeG5ibTBZREdG\nTjd4cXBjSGpsdTQyb1lMQloxWUZhZjgKLS0tIHRxa0o1TERZNlYyQUQzZUhnTnhT\nWUxEM2dnWGZmV2d6SXJVSXQ2bU1Ic2cKbPQwJSlna6Vysi2TznU3ovmWQXBbwryF\nM2dlOwPjv+lWM1DLfJRR3zUCugTuz0xjdTDLZlo1F/aaeWiAPm5j1w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VDl2dnFCbUtRdnlDTGVv\ndzBwUTh1OXRONDlGK2hXZ29YRytLbU9sNXlFClViaG9xRGw2OHZLTmZEQk9nSXU5\nZHI2aWVNSXp2Z2JxakpKUkkzQ21XZzQKLS0tIEpSM3Z4dW9VeVVEQ2JKYU5EK0hP\nYzBnK2d6TkF4VGJ6dlBrc291ZDFBYW8KtEnivQ5aj9FhnNHRL3jEQPYxSuO8QAuz\n9tIXoiU13+GOmvn8XG25cZjUIgCamd9c/uBVXFYFx3muGlmBwvn9cQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-02-10T16:33:02Z", + "mac": 
"ENC[AES256_GCM,data:HcavTZc4gd64JqL9QZxpUR9W8F3DEzjeSABTg16Tgo9jAcp703KV/EAfjGmO42397UGp3e2nSuqod7uAtpQAcHsFFvYADrFzjoxa//KA+OR3/fwWnfFWTqyC1cJa4IaZpjZJuj1Qj09NeihTuU3vRXGbn5KN5x91wcVE/UhzSXg=,iv:CacSKLYy6I8U4lwJEo535S9m2iRvgEcLvayYsnOCFko=,tag:j3PhJnidKwPPfd83ylQC+w==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/secrets/hopper/wireguard.yaml b/secrets/hopper/wireguard.yaml new file mode 100644 index 0000000..530b236 --- /dev/null +++ b/secrets/hopper/wireguard.yaml 
@@ -0,0 +1,31 @@ +PrivateKey: ENC[AES256_GCM,data:Eh8XY8HqxCr4kdutL99GBhNJEjT/QP2pHQhTe/O8juiKPHslzcen+x9JeJM=,iv:MC+g84kqoFqaD0N/WvKoEgy1kl/Z2SgMqpm3AqjJ1mA=,tag:trvHpJbSI6CHNp4ihwpiIg==,type:str] +PresharedKey: ENC[AES256_GCM,data:fT9RIvz/gXAop5UDlbWwVV1yHErbDW4ff5j2Xo1g1nVTPGzbDHZPtZD9+ts=,iv:sHrGX8gxPVkAydmalgUuZHKUn3O82eo7/vv7lA5hqDQ=,tag:/vb/zgrm/dXm1LBzojrlGw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYU05MHNPUmYwUlJ0empa + QzBJdUt6WENYNUp5ZVZ4ZjZ4cFl6eENXREhJCjIxcmRQbEpHNWU4VHFobFZJVlhM + eDE4bmMrZ1BnTlJoZXVpVFVWaW5sek0KLS0tIGxVZjNIMmVoUEVQaDdQcE9PWjht + NzkyYS9zY3Z5OG1ib0ZyN3FkYjlZOFEKmvYIrVv5qmwh+XEmKeCjcTGbWufg0PH0 + Vrws+EngJk5ceYTmiGK1k1/9CNPG+0sdUgr4VrVv6DFKTzOgWB/YVA== + -----END AGE ENCRYPTED FILE----- + - recipient: age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4eXpMT1kzTE1zTzQ3aFp0 + NHNVcFVVTXRVSEQ0QUZrK1FCTDI5WWNQbkNvCkoyUVdPVHlUdlM2RUtIOGFGQWRY + ZjJpTml5aE91MW5VTWZveGhVNXhETFEKLS0tIGM0ZDJVOWl3NVYwYTNLZEFaalY3 + QUp4aFBaYjc3YUp6UVkwZk9UVjNvWDgK+WBJxWWLtg+lTn7CkVqvJwnE6mZRImhL + k61Fabbqpm0FGtnOgQW2mVndd1jJEsCvJxfGix91nbXJLjImPXnlTQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-10T17:04:29Z" + mac: ENC[AES256_GCM,data:h4gfNcQX9dnm38JBvN3wCEbUefLqO7GdjmcX/7LHQIgVllo6nuPWrThJBYCSU7apwMkGiN+UfJu4+QBgqHTot2Ctiu6jCtMb3bszGDx8pagJTNYlXAsaR9i1/RHgorBfgDwvkMWucTas4/ceIi+P+wv7u63TA7A2TDj7xRTVXoo=,iv:yBO9KwUqtIwXA/UrFhII7x+CyStW1okAh47MNGOwStI=,tag:0xw7Lt1qr7J0Ba8Mzb+IYA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/nixdesk/default.nix b/secrets/nixdesk/default.nix index 0967ef4..24b5869 100644 --- a/secrets/nixdesk/default.nix +++ b/secrets/nixdesk/default.nix 
@@ -1 +1,8 @@ -{} +{ + sops.secrets = { + wireguard = { + format = "binary"; + sopsFile = ./wireguard; + }; + }; +} diff --git a/secrets/nixdesk/wireguard b/secrets/nixdesk/wireguard new file mode 100644 index 0000000..92da065 --- /dev/null +++ b/secrets/nixdesk/wireguard 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:wVKHb+TI4vUB2nRtqvm7OuATZCuJscz64lHAi7s7ZE4=,tag:Yk06BCYsa3ZkmyS/hXMjrA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdGlGNXBLZFNuenRlOFVt\nRHdXRUplaTNpRWhTamJxODZqV2lhRVE0bWtzCnpjT3VVVk1DUGxiSUhYdjRUb0hR\nZ2Y0dWw3TS83ZWg5Q1RTR215Sm1sVUkKLS0tIGFGNU94WjR3aU42VmpJekI5Szd4\nN2V1Nm1qT0xZWVdCL3lacW1qOTdrRTQKgDypLo9NN6KYO4yR5yXKbyxMP2/jXQ6R\nqM07tmwjJ4e6Cqeb3SyThbezBjBEER8ntaW4TfVlNsoULvtLCMAuKQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age155sscpw0x36t6s9usdrz7relpxqrtqnk98mrc7s0qcv2n0v3zd7sfl2xn8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL2NSTnVYY05pcVNyT1g4\nT0hvanphU29Dd0dvMXZ4TjdVV2R4WnpxY1JVCmVQVlcwbE9EbmxPZWhTK3RudUJG\nQVhjZ2lzUmo1VjlNejlLejVkSXZhTFkKLS0tIFpaQ1JtTm9NOWIrWFdlZWlDTXBo\nRFVKNVVyRWlxZWtqUHVsVGFsRUtWeW8KHVaiwFMs7wTn7j/PZXqrpEtEJTTRaFi2\nK65QMNkbB8DCvmO950X+lpCkuCHXpTgI+yvzLgD2zvZurlu6h9zZDg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-02-12T18:06:06Z", + "mac": "ENC[AES256_GCM,data:BadLvKDJpsBow/+7q41Qz9nWgu+kL2VCvrN/++to0HWr+KquHiFfPZ6QISw/BrYhuqkQf9Spv1Hale88vB9I7By9nLy1D81jkSBg9/p6zKvyMcSUSszaMGdO3L56LvsHhUkA5t3CxsT6jus48Z/HBdKluE10aOwlY3ORI0yQn9U=,iv:ZUqoCno5fHphBbfKYuvOWA5wwdGzxarb5tWJhivNl7Y=,tag:zW7WJe2+SgNpGa1VSTbjSQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/system/core/default.nix b/system/core/default.nix index 522b2e7..8e2476f 100644 --- a/system/core/default.nix +++ b/system/core/default.nix 
@@ -16,7 +16,7 @@ "en_US.UTF-8/UTF-8" ]; }; - services.xserver.layout = "eu"; + services.xserver.xkb.layout = "eu"; # don't touch this system.stateVersion = lib.mkDefault "23.11"; diff --git a/system/core/ssh.nix b/system/core/ssh.nix index 1f4c657..172af79 100644 --- a/system/core/ssh.nix +++ b/system/core/ssh.nix @@ -11,7 +11,7 @@ }; startWhenNeeded = lib.mkDefault true; - openFirewall = lib.mkDefault false; + openFirewall = lib.mkDefault true; hostKeys = [ { path = "/etc/ssh/ssh_host_ed25519_key"; diff --git a/system/core/tools.nix b/system/core/tools.nix index a517837..15a43be 100644 --- a/system/core/tools.nix +++ b/system/core/tools.nix @@ -1,5 +1,6 @@ {pkgs, ...}: { environment.systemPackages = with pkgs; [ htop + ffmpeg ]; } diff --git a/system/default.nix b/system/default.nix index cad5047..40cd5c4 100644 --- a/system/default.nix +++ b/system/default.nix @@ -17,6 +17,7 @@ let ./services ./services/pipewire.nix + ./services/flatpak.nix ]; in { inherit desktop; diff --git a/system/desktop/awesome.nix b/system/desktop/awesome.nix index 8012199..1c1bada 100644 --- a/system/desktop/awesome.nix +++ b/system/desktop/awesome.nix @@ -1,6 +1,6 @@ { imports = [ - ./x11.nix + ./x11 ]; services.xserver = { enable = true; diff --git a/system/desktop/x11/default.nix b/system/desktop/x11/default.nix new file mode 100644 index 0000000..1376ab8 --- /dev/null +++ b/system/desktop/x11/default.nix @@ -0,0 +1,5 @@ +{lib, ...}: { + imports = [ + ./xclip.nix + ]; +} diff --git a/system/desktop/x11/nosleep.nix b/system/desktop/x11/nosleep.nix new file mode 100644 index 0000000..22bf299 --- /dev/null +++ b/system/desktop/x11/nosleep.nix @@ -0,0 +1,8 @@ +{ + services.xserver.serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; +} diff --git a/system/desktop/x11/xclip.nix b/system/desktop/x11/xclip.nix new file mode 100644 index 0000000..45b4c09 --- /dev/null +++ b/system/desktop/x11/xclip.nix 
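Review bot: `openFirewall = lib.mkDefault true;` in system/core/ssh.nix flips the default for every host that imports core, not only the server that needs inbound SSH, and a host that should stay closed now has to say `false` explicitly. Keeping `lib.mkDefault false` here and setting `services.openssh.openFirewall = true;` in hosts/hopper/default.nix limits the exposure to the host that wants it. If the fleet-wide default is intended, a comment such as `# all hosts accept inbound SSH; per-host override with openFirewall = false` would make that visible.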
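Review bot: The new system/desktop/x11/default.nix takes `{lib, ...}:` but its whole body is a single `imports` list, so `lib` is unused; `{...}: {` or simply `{ imports = [ ./xclip.nix ]; }` is enough.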
@@ -0,0 +1,3 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [xclip]; +} diff --git a/system/network/networkd.nix b/system/network/networkd.nix index 8969825..c6f2e65 100644 --- a/system/network/networkd.nix +++ b/system/network/networkd.nix @@ -2,10 +2,6 @@ networking.useNetworkd = true; systemd.network = { enable = true; - networks."10-lan" = { - matchConfig.Name = "lan"; - networkConfig.DHCP = "ipv4"; - }; }; services.resolved = { enable = true; diff --git a/system/services/containers/server/default.nix b/system/services/containers/server/default.nix new file mode 100644 index 0000000..8795fd6 --- /dev/null +++ b/system/services/containers/server/default.nix 
@@ -0,0 +1,436 @@ +{ + lib, + config, + pkgs, + ... +}: let + hostname = config.networking.hostName; + dashyConfig = { + pageInfo = { + #title = "Home Lab"; + }; + sections = [ + { + name = "*arr"; + icon = "hl-servarr"; + items = [ + { + title = "Sonarr"; + icon = "hl-sonarr"; + url = "http://${hostname}:8989"; + } + { + title = "Radarr"; + icon = "hl-radarr"; + url = "http://${hostname}:7878"; + } + { + title = "Prowlarr"; + icon = "hl-prowlarr"; + url = "http://${hostname}:9696"; + } + ]; + } + { + name = "Management"; + items = [ + { + title = "Jellyseerr"; + icon = "hl-jellyseerr"; + url = "http://${hostname}:5055"; + } + { + title = "Transmission"; + icon = "hl-transmission"; + url = "http://${hostname}:9091"; + } + ]; + } + ]; + }; +in { + imports = [ + #./statistics + ]; + #virtualisation.docker = { + # enable = true; + # enableOnBoot = true; + # autoPrune.enable = true; + #}; + + systemd.tmpfiles.rules = [ + "d /var/lib/code-server 0770 root root -" + "d /var/lib/movie-db 0770 root root -" + ]; + + users.groups."media" = {}; # create media group + + # this needs to be done manually since transmission is in a docker container + users.users."media" = { + isSystemUser = true; + group = "media"; + }; + + systemd.services."${config.virtualisation.oci-containers.backend}-transmission".serviceConfig = { + StateDirectory = [ + "${config.virtualisation.oci-containers.backend}/transmission/downloads" + "${config.virtualisation.oci-containers.backend}/transmission/config" + "${config.virtualisation.oci-containers.backend}/transmission/watch" + ]; + }; + + #systemd.services."${config.virtualisation.oci-containers.backend}-jellyfin".serviceConfig = { + # StateDirectory = [ + # "${config.virtualisation.oci-containers.backend}/jellyfin/config" + # "${config.virtualisation.oci-containers.backend}/jellyfin/cache" + # "${config.virtualisation.oci-containers.backend}/jellyfin/media" + # ]; + #}; + + services.jellyfin = { + enable = true; + openFirewall = true; + group = 
"media"; + }; + + #services.radarr = { + # enable = true; + # group = "media"; + # openFirewall = true; # 7878 + #}; + + #services.sonarr = { + # enable = true; + # group = "media"; + # openFirewall = true; # 8989 + #}; + + #services.prowlarr = { + # enable = true; + # openFirewall = true; # 9696 + #}; + + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + }; + + virtualisation.oci-containers = { + backend = "podman"; + + containers = { + gluetun = { + image = "qmcgaw/gluetun:latest"; + + volumes = [ + "${config.sops.secrets.wireguard.path}:/gluetun/wireguard/wg0.conf" + ]; + + ports = [ + # Transmission port + ## This bypasses the firewall, use 127.0.0.1:XXXX:XXXX + ## if you only want it to be accessible locally + "9091:9091" + "127.0.0.1:8191:8191" # flaresolverr + "9696:9696" # prowlarr + "8989:8989" # sonarr + "7878:7878" # radarr + "8443:8443" # code-server + ]; + + environment = { + VPN_SERVICE_PROVIDER = "airvpn"; + VPN_TYPE = "wireguard"; + SERVER_COUNTRIES = "Netherlands"; + FIREWALL_VPN_INPUT_PORTS = "11936,8443"; + }; + + extraOptions = [ + "--cap-add=NET_ADMIN" + "--device=/dev/net/tun:/dev/net/tun" + ]; + }; + + code-server = { + image = "lscr.io/linuxserver/code-server:latest"; + volumes = [ + "/var/lib/code-server:/config" + ]; + environmentFiles = [ + config.sops.secrets.code-server.path + ]; + extraOptions = [ + "--network=container:gluetun" + ]; + }; + + jellyseerr = { + image = "fallenbagel/jellyseerr:latest"; + ports = [ + "5055:5055" + ]; + volumes = [ + "/media/config/jellyseerr:/app/config" + ]; + extraOptions = [ + "--network=host" + ]; + }; + + recyclarr = { + image = "ghcr.io/recyclarr/recyclarr"; + volumes = [ + #"/media/config/recyclarr:/config" + "${pkgs.writeText "recyclarr.yml" '' + sonarr: + sonarr-main: + base_url: http://localhost:8989 + api_key: !env_var SONARR_API_KEY + delete_old_custom_formats: true + replace_existing_custom_formats: true + quality_definition: + type: series + custom_formats: + - 
trash_ids: + # Unwanted + - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK + - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ + - 47435ece6b99a0b477caf360e79ba0bb # x265 + # Misc + - ec8fa7296b64e8cd390a1600981f3923 # Repack/Proper + - eb3d5cc0a2be0db205fb823640db6a3c # Repack v2 + - 44e7c4de10ae50265753082e5dc76047 # Repack v3 + # Streaming Services + - d660701077794679fd59e8bdf4ce3a29 # AMZN + - f67c9ca88f463a48346062e8ad07713f # ATVP + - 36b72f59f4ea20aad9316f475f2d9fbb # DCU + - 89358767a60cc28783cdc3d0be9388a4 # DNSP + - 7a235133c87f7da4c8cccceca7e3c7a6 # HBO + - a880d6abc21e7c16884f3ae393f84179 # HMAX + - f6cce30f1733d5c8194222a7507909bb # HULU + - 0ac24a2a68a9700bcb7eeca8e5cd644c # iT + - d34870697c9db575f17700212167be23 # NF + - b2b980877494b560443631eb1f473867 # NLZ + - 1656adc6d7bb2c8cca6acfb6592db421 # PCOK + - c67a75ae4a1715f2bb4d492755ba4195 # PMTP + - 3ac5d84fce98bab1b531393e9c82f467 # QIBI + - c30d2958827d1867c73318a5a2957eb1 # RED + - ae58039e1319178e6be73caab5c42166 # SHO + - 1efe8da11bfd74fbbcd4d8117ddb9213 # STAN + - 5d2317d99af813b6529c7ebf01c83533 # VDL + - 77a7b25585c18af08f60b1547bb9b4fb # CC + # HQ Source Groups + - e6258996055b9fbab7e9cb2f75819294 # WEB Tier 01 + - 58790d4e2fdcd9733aa7ae68ba2bb503 # WEB Tier 02 + - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03 + - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene + quality_profiles: + - name: TRaSH 720/1080 + - trash_ids: + - 949c16fe0a8147f50ba82cc2df9411c9 # Anime BD Tier 01 (Top SeaDex Muxers) + - ed7f1e315e000aef424a58517fa48727 # Anime BD Tier 02 (SeaDex Muxers) + - 096e406c92baa713da4a72d88030b815 # Anime BD Tier 03 (SeaDex Muxers) + - 30feba9da3030c5ed1e0f7d610bcadc4 # Anime BD Tier 04 (SeaDex Muxers) + - 545a76b14ddc349b8b185a6344e28b04 # Anime BD Tier 05 (Remuxes) + - 25d2afecab632b1582eaf03b63055f72 # Anime BD Tier 06 (FanSubs) + - 0329044e3d9137b08502a9f84a7e58db # Anime BD Tier 07 (P2P/Scene) + - c81bbfb47fed3d5a3ad027d077f889de # Anime BD Tier 08 (Mini Encodes) + - 
e0014372773c8f0e1bef8824f00c7dc4 # Anime Web Tier 01 (Muxers) + - 19180499de5ef2b84b6ec59aae444696 # Anime Web Tier 02 (Top FanSubs) + - e6258996055b9fbab7e9cb2f75819294 # WEB Tier 01 + - 58790d4e2fdcd9733aa7ae68ba2bb503 # WEB Tier 02 + - c27f2ae6a4e82373b0f1da094e2489ad # Anime Web Tier 03 (Official Subs) + - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03 + - 4fd5528a3a8024e6b49f9c67053ea5f3 # Anime Web Tier 04 (Official Subs) + - 29c2a13d091144f63307e4a8ce963a39 # Anime Web Tier 05 (FanSubs) + - dc262f88d74c651b12e9d90b39f6c753 # Anime Web Tier 06 (FanSubs) + # Unwanted + - b4a1b3d705159cdca36d71e57ca86871 # Anime Raws + - e3515e519f3b1360cbfc17651944354c # Anime LQ Groups + - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1 + - 026d5aadd1a6b4e550b134cb6c72b3ca # Uncensored + - d2d7b8a9d39413da5f44054080e028a3 # v0 + - 9c14d194486c4014d422adc64092d794 # Dubs Only + - 07a32f77690263bb9fda1842db7e273f # VOSTFR + # Optionals + - 273bd326df95955e1b6c26527d1df89b # v1 + - 228b8ee9aa0a609463efca874524a6b8 # v2 + - 0e5833d3af2cc5fa96a0c29cd4477feb # v3 + - 4fc15eeb8f2f9a749f918217d4234ad8 # v4 + - b2550eb333d27b75833e25b8c2557b38 # 10bit + # Streaming Services + - d660701077794679fd59e8bdf4ce3a29 # AMZN + - 7dd31f3dee6d2ef8eeaa156e23c3857e # B-Global + - 4c67ff059210182b59cdd41697b8cb08 # Bilibili + - 3e0b26604165f463f3e8e192261e7284 # CR + - 89358767a60cc28783cdc3d0be9388a4 # DSNP + - 1284d18e693de8efe0fe7d6b3e0b9170 # FUNi + - 570b03b3145a25011bf073274a407259 # HIDIVE + - d34870697c9db575f17700212167be23 # NF + - 44a8ee6403071dd7b8a3a8dd3fe8cb20 # VRV + quality_profiles: + - name: TRaSH Anime + - trash_ids: + - 418f50b10f1907201b6cfdf881f467b7 # Anime Dual Audio + quality_profiles: + - name: TRaSH Anime + score: 2000 + radarr: + radarr-main: + base_url: http://localhost:7878 + api_key: !env_var RADARR_API_KEY + quality_definition: + type: movie + delete_old_custom_formats: true + replace_existing_custom_formats: true + custom_formats: + - trash_ids: + # HD Bluray + WEB + # 
Movie Versions + - 0f12c086e289cf966fa5948eac571f44 # Hybrid + - 570bc9ebecd92723d2d21500f4be314c # Remaster + - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster + - e0c07d59beb37348e975a930d5e50319 # Criterion Collection + - 9d27d9d2181838f76dee150882bdc58c # Masters of Cinema + - 957d0f44b592285f26449575e8b1167e # Special Edition + - eecf3a857724171f968a66cb5719e152 # IMAX + - 9f6cbff8cfe4ebbc1bde14c7b7bec0de # IMAX Enhanced + # HQ Release Groups + - ed27ebfef2f323e964fb1f61391bcb35 # HD Bluray Tier 01 + - c20c8647f2746a1f4c4262b0fbbeeeae # HD Bluray Tier 02 + - c20f169ef63c5f40c2def54abaf4438e # WEB Tier 01 + - 403816d65392c79236dcb6dd591aeda4 # WEB Tier 02 + - af94e0fe497124d1f9ce732069ec8c3b # WEB Tier 03 + # Misc + - e7718d7a3ce595f289bfee26adc178f5 # Repack/Proper + - ae43b294509409a6a13919dedd4764c4 # Repack2 + # Unwanted + - ed38b889b31be83fda192888e2286d83 # BR-DISK + - 90a6f9a284dff5103f6346090e6280c8 # LQ + - dc98083864ea246d05a42df0d05f81cc # x265 + - b8cd450cbfa689c0259a01d9e29ba3d6 # 3D + # Streaming Services + - b3b3a6ac74ecbd56bcdbefa4799fb9df # AMZN + - 40e9380490e748672c2522eaaeb692f7 # ATVP + - cc5e51a9e85a6296ceefe097a77f12f4 # BCORE + - 84272245b2988854bfb76a16e60baea5 # DNSP + - 509e5f41146e278f9eab1ddaceb34515 # DBO + - 5763d1b0ce84aff3b21038eea8e9b8ad # HMAX + - 526d445d4c16214309f0fd2b3be18a89 # Hulu + - 2a6039655313bf5dab1e43523b62c374 # MA + - 170b1d363bd8516fbf3a3eb05d4faff6 # NF + - bf7e73dd1d85b12cc527dc619761c840 # Pathe + - c9fd353f8f5f1baf56dc601c4cb29920 # PCOK + - e36a0ba1bc902b26ee40818a1d59b8bd # PMTP + - c2863d2a50c9acad1fb50e53ece60817 # STAN + quality_profiles: + - name: TRaSH 720/1080 + ''}:/config/recyclarr.yml" + ]; + environmentFiles = [ + config.sops.secrets.serverenv.path + ]; + environment = { + PUID = toString config.users.users."media".uid; + PGID = toString config.users.groups."media".gid; + }; + extraOptions = [ + "--network=host" + ]; + }; + + prowlarr = { + image = "lscr.io/linuxserver/prowlarr:latest"; + volumes 
= [ + "/media/config/prowlarr:/config" + ]; + environment = { + PUID = toString config.users.users."media".uid; + PGID = toString config.users.groups."media".gid; + }; + dependsOn = ["gluetun"]; + extraOptions = [ + "--network=container:gluetun" + ]; + }; + + sonarr = { + image = "lscr.io/linuxserver/sonarr:latest"; + volumes = [ + "/media/config/sonarr:/config" + "/media/tvseries:/tv" + "/media/downloads:/downloads" + ]; + environment = { + PUID = toString config.users.users."media".uid; + PGID = toString config.users.groups."media".gid; + }; + dependsOn = ["gluetun"]; + extraOptions = [ + "--network=container:gluetun" + ]; + }; + + radarr = { + image = "lscr.io/linuxserver/radarr:latest"; + volumes = [ + "/media/config/radarr:/config" + "/media/movies:/movies" + "/media/downloads:/downloads" + ]; + environment = { + PUID = toString config.users.users."media".uid; + PGID = toString config.users.groups."media".gid; + }; + dependsOn = ["gluetun"]; + extraOptions = [ + "--network=container:gluetun" + ]; + }; + + flaresolverr = { + image = "flaresolverr/flaresolverr"; + environment = { + LOG_LEVEL = "info"; + }; + dependsOn = ["gluetun"]; + extraOptions = [ + "--network=container:gluetun" + ]; + }; + + transmission = { + image = "linuxserver/transmission:latest"; + volumes = [ + "/media/downloads:/downloads" + "/media/config/transmission/config:/config" + "/media/config/transmission/watch:/watch" + ]; + environment = { + PUID = toString config.users.users."media".uid; + PGID = toString config.users.groups."media".gid; + PEERPORT = "11936"; + USER = "xun"; + PASS = "password123"; + }; + dependsOn = ["gluetun"]; + extraOptions = [ + "--network=container:gluetun" + ]; + }; + + dashy = { + image = "lissy93/dashy"; + ports = [ + "8080:80" + ]; + volumes = [ + "${(pkgs.formats.yaml {}).generate "conf.yml" dashyConfig}:/app/public/conf.yml" + ]; + extraOptions = [ + "--network=host" + ]; + }; + }; + }; +} 
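Review bot: The transmission container sets `USER = "xun"` and `PASS = "password123"` in the Nix `environment` set, so the RPC password is written into the world-readable Nix store and the generated podman unit, and because gluetun publishes `"9091:9091"` on all interfaces (the comment in the hunk itself says this bypasses the NixOS firewall) the web UI is reachable from the LAN with that password. Move both values into the sops-managed env file this commit already uses for recyclarr (`environmentFiles = [ config.sops.secrets.serverenv.path ];`) or a dedicated secret, and bind the published ports to `127.0.0.1:` as the comment suggests unless LAN exposure is intended. `FIREWALL_VPN_INPUT_PORTS = "11936,8443"` additionally forwards the code-server port in from the VPN provider's public address, so code-server appears to be Internet-reachable and protected only by whatever `config.sops.secrets.code-server` contains; confirm that is intended. Finally, `users.users."media"` sets no `uid` and `users.groups."media"` no `gid`, so `toString config.users.users."media".uid` evaluates to `""` (Nix coerces `null` to the empty string) and every `PUID`/`PGID` handed to the linuxserver images is empty; give them fixed ids, e.g. `users.users."media" = { isSystemUser = true; group = "media"; uid = 1500; };` and `users.groups."media".gid = 1500;`, so the bind-mounted `/media/*` directories get a stable owner.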
diff --git a/system/services/containers/server/statistics/default.nix b/system/services/containers/server/statistics/default.nix new file mode 100644 index 0000000..1b3bd65 --- /dev/null +++ b/system/services/containers/server/statistics/default.nix 
@@ -0,0 +1,146 @@ +{config, ...}: { + services.grafana = { + enable = true; + settings = { + server = { + http_addr = "0.0.0.0"; + }; + }; + }; + + services.loki = { + enable = true; + configuration = { + server.http_listen_port = 3030; + auth_enabled = false; + + ingester = { + lifecycler = { + address = "127.0.0.1"; + ring = { + kvstore = { + store = "inmemory"; + }; + replication_factor = 1; + }; + }; + chunk_idle_period = "1h"; + max_chunk_age = "1h"; + chunk_target_size = 999999; + chunk_retain_period = "30s"; + max_transfer_retries = 0; + }; + + schema_config = { + configs = [ + { + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v11"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + + storage_config = { + boltdb_shipper = { + active_index_directory = "/var/lib/loki/boltdb-shipper-active"; + cache_location = "/var/lib/loki/boltdb-shipper-cache"; + cache_ttl = "24h"; + shared_store = "filesystem"; + }; + + filesystem = { + directory = "/var/lib/loki/chunks"; + }; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + }; + + chunk_store_config = { + max_look_back_period = "0s"; + }; + + table_manager = { + retention_deletes_enabled = false; + retention_period = "0s"; + }; + + compactor = { + working_directory = "/var/lib/loki"; + shared_store = "filesystem"; + compactor_ring = { + kvstore = { + store = "inmemory"; + }; + }; + }; + }; + }; + + services.promtail = { + enable = true; + configuration = { + server = { + http_listen_port = 3031; + grpc_listen_port = 0; + }; + positions = { + filename = "/tmp/positions.yaml"; + }; + clients = [ + { + url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; + } + ]; + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "${config.networking.hostName}"; + }; + }; + relabel_configs = 
[ + { + source_labels = ["__journal__systemd_unit"]; + target_label = "unit"; + } + ]; + } + ]; + }; + # extraFlags + }; + + services.prometheus = { + enable = true; + port = 9001; + exporters = { + node = { + enable = true; + enabledCollectors = ["systemd"]; + port = 9002; + }; + }; + scrapeConfigs = [ + { + job_name = "${config.networking.hostName}"; + static_configs = [ + { + targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; + } + ]; + } + ]; + }; +} diff --git a/system/services/containers/server/statistics/loki.yaml b/system/services/containers/server/statistics/loki.yaml new file mode 100644 index 0000000..3ae6ec7 --- /dev/null +++ b/system/services/containers/server/statistics/loki.yaml 
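Review bot: `services.grafana.settings.server.http_addr = "0.0.0.0"` exposes Grafana on every interface (with the module's default admin password unless `settings.security.admin_password` is set elsewhere), and Loki is configured with `auth_enabled = false` and no `http_listen_address`, so its default bind is also all interfaces and anyone on the LAN can push or query logs on port 3030. Unless LAN access is wanted, bind both to loopback (`http_addr = "127.0.0.1";` and `server.http_listen_address = "127.0.0.1";`) and front them with the reverse proxy or VPN; the same applies to Prometheus (9001) and the node exporter (9002), whose NixOS defaults also listen on all addresses. Separately, `positions.filename = "/tmp/positions.yaml"` makes promtail lose its journal position on every reboot (and on tmp cleanup) and re-ship up to `max_age = "12h"` of logs; a path under `/var/lib/promtail` is the usual choice, provided the unit's state directory and permissions allow it. Note that this module is only referenced by the commented-out `#./statistics` import in server/default.nix, so none of it is active yet.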
@@ -0,0 +1,48 @@ +auth_enabled: false + +server: + http_listen_port: 3100 + +ingester: + lifecycler: + address: 0.0.0.0 + ring: + kvstore: + store: inmemory + replication_factor: 1 + final_sleep: 0s + chunk_idle_period: 1h # Any chunk not receiving new logs in this time will be flushed + max_chunk_age: 1h # All chunks will be flushed when they hit this age, default is 1h + chunk_target_size: 1048576 # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first + chunk_retain_period: 30s # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m) + max_transfer_retries: 0 # Chunk transfers disabled + +schema_config: + configs: + - from: 2020-10-24 + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + +storage_config: + boltdb_shipper: + active_index_directory: /var/lib/loki/boltdb-shipper-active + cache_location: /var/lib/loki/boltdb-shipper-cache + cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space + shared_store: filesystem + filesystem: + directory: /var/lib/loki/chunks + +limits_config: + reject_old_samples: true + reject_old_samples_max_age: 168h + +chunk_store_config: + max_look_back_period: 0s + +table_manager: + retention_deletes_enabled: false + retention_period: 0s diff --git a/system/services/flatpak.nix b/system/services/flatpak.nix new file mode 100644 index 0000000..1ff0c53 --- /dev/null +++ b/system/services/flatpak.nix @@ -0,0 +1,3 @@ +{ + services.flatpak.enable = true; +} diff --git a/system/services/transmission.nix b/system/services/transmission.nix new file mode 100644 index 0000000..c357052 --- /dev/null +++ b/system/services/transmission.nix @@ -0,0 +1,10 @@ +{ + lib, + config, + self, + ... +}: { + services.transmission = { + enable = true; + }; +} 
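Review bot: loki.yaml duplicates the inline `services.loki.configuration` in statistics/default.nix with diverging values (`http_listen_port: 3100` vs 3030, `lifecycler.address: 0.0.0.0` vs 127.0.0.1, a different `schema_config.from` date) and nothing in the diff references it, so the two copies will drift. Either delete this file or make it the single source with `services.loki.configFile = ./loki.yaml;` and drop the inline block. If kept, `auth_enabled: false` together with a `0.0.0.0` lifecycler address means the instance accepts unauthenticated pushes from any host that can reach it.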
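Review bot: `services.transmission.enable = true;` in system/services/transmission.nix starts a host-level Transmission daemon whose RPC port defaults to 9091, the same port gluetun publishes for the containerised Transmission in server/default.nix; if both modules end up imported on one host the second listener fails to bind, and the host daemon is not routed through the VPN at all. I cannot see from the diff where this file is imported, so if it is meant to replace the container say so in a comment; otherwise drop it, or at least set `settings.rpc-bind-address = "127.0.0.1";` and `settings.rpc-authentication-required = true;` so an unauthenticated RPC is not exposed. `lib`, `config` and `self` in the argument set are all unused.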
diff --git a/system/services/wireguard.nix b/system/services/wireguard.nix
new file mode 100644
index 0000000..89036e0
--- /dev/null
+++ b/system/services/wireguard.nix
@@ -0,0 +1,81 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ #networking.wg-quick.interfaces."wg0".configFile = config.sops.secrets.wireguard.path;
+
+ # Sets tailscale to a high priority, to make sure tailscale
+ # traffic dosent go through wireguard (which wont work)
+ #systemd.services.tailscaled.serviceConfig = {
+ # ExecStartPost = "${pkgs.iproute2}/bin/ip rule add pref 65 table 52";
+ # ExecStopPost = "${pkgs.iproute2}/bin/ip rule del pref 65 table 52";
+ #};
+
+ ## https://wiki.archlinux.org/title/WireGuard#systemd-networkd:_routing_all_traffic_over_WireGuard
+ #environment.systemPackages = [pkgs.wireguard-tools];
+
+ #systemd.network = {
+ # netdevs."99-wg0" = {
+ # netdevConfig = {
+ # Name = "wg0";
+ # Kind = "wireguard";
+ # Description = "WireGuard tunnel wg0";
+ # };
+ # wireguardConfig = {
+ # ListenPort = 51871;
+ # PrivateKeyFile = config.sops.secrets.wg-private.path;
+ # };
+ # wireguardPeers = [
+ # {
+ # wireguardPeerConfig = {
+ # PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+ # PresharedKeyFile = config.sops.secrets.wg-preshared.path;
+ # AllowedIPs = [
+ # "0.0.0.0"
+ # ];
+ # Endpoint = "62.102.148.206:1637";
+ # };
+ # }
+ # ];
+ # };
+ # networks."50-wg0" = {
+ # name = "wg0";
+
+ # address = ["10.154.4.37/24"];
+ # dns = ["10.128.0.1"];
+ # domains = ["~."];
+ # networkConfig = {
+ # DNSDefaultRoute = true;
+ # };
+
+ # routingPolicyRules = [
+ # {
+ # routingPolicyRuleConfig = {
+ # FirewallMark = 34952;
+ # InvertRule = true;
+ # Table = 1000;
+ # Priority = 10;
+ # };
+ # }
+ # {
+ # ## Allow local connections
+ # routingPolicyRuleConfig = {
+ # To = "192.168.0.0/24";
+ # Priority = 9;
+ # };
+ # }
+ # ];
+
+ # routes = [
+ # {
+ # routeConfig = {
+ # Gateway = "10.128.0.1";
+ # GatewayOnLink = true;
+ # Table = 1000;
+ # };
+ # }
+ # ];
+ # };
+ #};
+}
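Review bot: Everything in wireguard.nix is commented out, so the file contributes nothing to the build but leaves an 80-line dead block (and unused `config`/`pkgs` arguments) to maintain; keep it in git history or gate it behind an `enable` option instead of committing it inert. If it is revived, `AllowedIPs = ["0.0.0.0"]` is a single host address, not a default route — routing all traffic over the tunnel needs `"0.0.0.0/0"` (and `"::/0"` if IPv6 should not leak). The peer `Endpoint`, tunnel `address` and `dns` values are hard-coded here while the keys live in sops; keeping the whole peer description next to the keys in the secret avoids committing provider details to the repo.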