diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 421c851..3018a91 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -6,8 +6,10 @@ let ]; hostname = "architect"; network = import ./network.nix; -in { - imports = [ # Include the results of the hardware scan. +in +{ + imports = [ + # Include the results of the hardware scan. ./backup.nix ./hardware.nix ./firewall.nix @@ -29,7 +31,7 @@ in { ./invidious.nix ./nitter.nix ./lidarr.nix -# ./navidrome.nix + # ./navidrome.nix ./jellyfin.nix ./prosody.nix ./deluge.nix @@ -43,7 +45,7 @@ in { ]; time.timeZone = "Europe/Rome"; -# system.stateVersion = "21.11"; + # system.stateVersion = "21.11"; users.users.giulio.openssh.authorizedKeys.keys = pubkeys; boot = { initrd = { diff --git a/hosts/architect/deluge.nix b/hosts/architect/deluge.nix index 69d0ece..1a5c131 100644 --- a/hosts/architect/deluge.nix +++ b/hosts/architect/deluge.nix @@ -4,7 +4,8 @@ let domain = "htdel.giugl.io"; network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; -in { +in +{ services = { deluge = { enable = true; diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index fe97ecf..d8542e7 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -let +let adguard_webui_port = 3031; adguard_dns_port = "5300"; dnscrypt_listen_port = "5353"; diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index 96e38c4..c25ab23 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix @@ -9,13 +9,13 @@ let https_tcp = 443; synapse_tcp = 8448; gitea_tcp = 10022; - prosody_tcp = 5222; + prosody_tcp = 5222; minecraft_tcp = 25565; # UDP services dns_udp = 53; wireguard_udp = 1194; - + # TCP/UDP services torrent_a = 51413; torrent_b = 51414; @@ -49,7 +49,8 @@ let wireguard_udp ]; -in { +in +{ networking = { # needed to use nftables firewall.enable = false; 
@@ -58,171 +59,171 @@ in { nftables = { enable = true; ruleset = '' - table ip raw { - chain PREROUTING { - type filter hook prerouting priority raw; policy accept; - } + table ip raw { + chain PREROUTING { + type filter hook prerouting priority raw; policy accept; + } - chain OUTPUT { - type filter hook output priority raw; policy accept; - } - } + chain OUTPUT { + type filter hook output priority raw; policy accept; + } + } - table ip nat { - chain PREROUTING { - type nat hook prerouting priority dstnat; policy accept; - } + table ip nat { + chain PREROUTING { + type nat hook prerouting priority dstnat; policy accept; + } - chain INPUT { - type nat hook input priority 100; policy accept; - } + chain INPUT { + type nat hook input priority 100; policy accept; + } - chain OUTPUT { - type nat hook output priority -100; policy accept; - } + chain OUTPUT { + type nat hook output priority -100; policy accept; + } - chain POSTROUTING { - type nat hook postrouting priority srcnat; policy accept; - oifname ${wan-if} ip saddr {${ - lib.concatStringsSep "," towan-wg - }} masquerade - oifname ${wan-if} ip saddr ${docker-net} masquerade - oifname ${wan-if} ip saddr ${tailscale-net} masquerade - } - } + chain POSTROUTING { + type nat hook postrouting priority srcnat; policy accept; + oifname ${wan-if} ip saddr {${ + lib.concatStringsSep "," towan-wg + }} masquerade + oifname ${wan-if} ip saddr ${docker-net} masquerade + oifname ${wan-if} ip saddr ${tailscale-net} masquerade + } + } - table ip mangle { - chain PREROUTING { - type filter hook prerouting priority mangle; policy drop; - ct state invalid,untracked drop comment "drop invalid" - ip daddr 255.255.255.255 accept comment "allow broadcast traffic" - ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" - iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" - iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" - iifname ${wan-if} accept comment "bind any 
ip to intf ${wan-if}" - iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" - iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" - iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" - iifname ${tailscale-if} ip saddr ${tailscale-net} accept - iifname "lo" accept comment "bind any ip to intf lo" - jump mangle_drop - } + table ip mangle { + chain PREROUTING { + type filter hook prerouting priority mangle; policy drop; + ct state invalid,untracked drop comment "drop invalid" + ip daddr 255.255.255.255 accept comment "allow broadcast traffic" + ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" + iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" + iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" + iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" + iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" + iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" + iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" + iifname ${tailscale-if} ip saddr ${tailscale-net} accept + iifname "lo" accept comment "bind any ip to intf lo" + jump mangle_drop + } - chain INPUT { - type filter hook input priority mangle; policy accept; - } + chain INPUT { + type filter hook input priority mangle; policy accept; + } - chain FORWARD { - type filter hook forward priority mangle; policy accept; - } + chain FORWARD { + type filter hook forward priority mangle; policy accept; + } - chain OUTPUT { - type route hook output priority mangle; policy accept; - } + chain OUTPUT { + type route hook output priority mangle; policy accept; + } - chain POSTROUTING { - type filter hook postrouting priority mangle; policy accept; - } + chain 
POSTROUTING { + type filter hook postrouting priority mangle; policy accept; + } - chain mangle_drop { - ip protocol icmp jump mangle_drop_icmp - ip protocol udp jump mangle_drop_udp - ip protocol tcp jump mangle_drop_tcp - log prefix "MANGLE-DROP-UNK " - drop - } + chain mangle_drop { + ip protocol icmp jump mangle_drop_icmp + ip protocol udp jump mangle_drop_udp + ip protocol tcp jump mangle_drop_tcp + log prefix "MANGLE-DROP-UNK " + drop + } - chain mangle_drop_icmp { - log prefix "MANGLE-DROP-ICMP " - drop - } + chain mangle_drop_icmp { + log prefix "MANGLE-DROP-ICMP " + drop + } - chain mangle_drop_tcp { - log prefix "MANGLE-DROP-TCP " - drop - } + chain mangle_drop_tcp { + log prefix "MANGLE-DROP-TCP " + drop + } - chain mangle_drop_udp { - log prefix "MANGLE-DROP-UDP " - drop - } - } + chain mangle_drop_udp { + log prefix "MANGLE-DROP-UDP " + drop + } + } - table ip filter { - chain INPUT { - type filter hook input priority filter; policy drop; + table ip filter { + chain INPUT { + type filter hook input priority filter; policy drop; - ct state established,related accept - iifname "lo" accept comment "loopback" - ip daddr 255.255.255.255 accept comment "allow broadcast traffic" - ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" - ip saddr ${lan-net} accept comment "lan > local" - ip saddr ${tailscale-net} accept comment "tailscale > local" - ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" + ct state established,related accept + iifname "lo" accept comment "loopback" + ip daddr 255.255.255.255 accept comment "allow broadcast traffic" + ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" + ip saddr ${lan-net} accept comment "lan > local" + ip saddr ${tailscale-net} accept comment "tailscale > local" + ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" - iifname ${wan-if} tcp dport {${open_tcp_ports}} accept - iifname ${wan-if} udp dport {${open_udp_ports}} accept - iifname ${vpn-if} 
tcp dport {${open_tcp_ports_vpn}} accept - iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept - iifname ${vpn-if} icmp type echo-request accept - iifname ${docker-if} udp dport 53 accept - jump filter_drop - } + iifname ${wan-if} tcp dport {${open_tcp_ports}} accept + iifname ${wan-if} udp dport {${open_udp_ports}} accept + iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept + iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept + iifname ${vpn-if} icmp type echo-request accept + iifname ${docker-if} udp dport 53 accept + jump filter_drop + } - chain FORWARD { - type filter hook forward priority filter; policy drop; - ct state established,related accept + chain FORWARD { + type filter hook forward priority filter; policy drop; + ct state established,related accept - # gdevices talking to everyone in VPN - ip saddr {${ - lib.concatStringsSep "," gdevices - }} ip daddr ${vpn-net} accept - ip saddr {${ - lib.concatStringsSep "," gamenet-wg - }} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept + # gdevices talking to everyone in VPN + ip saddr {${ + lib.concatStringsSep "," gdevices + }} ip daddr ${vpn-net} accept + ip saddr {${ + lib.concatStringsSep "," gamenet-wg + }} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept - # nat to wan - oifname ${wan-if} ip saddr {${ - lib.concatStringsSep "," towan-wg - }} accept + # nat to wan + oifname ${wan-if} ip saddr {${ + lib.concatStringsSep "," towan-wg + }} accept - oifname ${wan-if} ip saddr ${docker-net} accept - oifname ${wan-if} ip saddr ${tailscale-net} accept + oifname ${wan-if} ip saddr ${docker-net} accept + oifname ${wan-if} ip saddr ${tailscale-net} accept - jump filter_drop - } + jump filter_drop + } - chain OUTPUT { - type filter hook output priority filter; policy drop; - ct state established,related accept - accept comment "local > *" - jump filter_drop - } + chain OUTPUT { + type filter hook output priority filter; policy drop; + ct state established,related accept + accept 
comment "local > *" + jump filter_drop + } - chain filter_drop { - ip protocol icmp jump filter_drop_icmp - ip protocol udp jump filter_drop_udp - ip protocol tcp jump filter_drop_tcp - log prefix "DROP-UNK " - drop - } + chain filter_drop { + ip protocol icmp jump filter_drop_icmp + ip protocol udp jump filter_drop_udp + ip protocol tcp jump filter_drop_tcp + log prefix "DROP-UNK " + drop + } - chain filter_drop_icmp { - log prefix "DROP-icmp " - drop - } + chain filter_drop_icmp { + log prefix "DROP-icmp " + drop + } - chain filter_drop_tcp { - log prefix "DROP-tcp " - drop - } + chain filter_drop_tcp { + log prefix "DROP-tcp " + drop + } - chain filter_drop_udp { - log prefix "DROP-udp " - drop - } - } - ''; + chain filter_drop_udp { + log prefix "DROP-udp " + drop + } + } + ''; }; }; } diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index 718c73d..bc1bb3d 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix @@ -26,8 +26,8 @@ in enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:3000"; - # it does not work, it breaks gitea's web portal - # extraConfig = auth_block { access_role = "git"; }; + # it does not work, it breaks gitea's web portal + # extraConfig = auth_block { access_role = "git"; }; }; }; diff --git a/hosts/architect/hardware.nix b/hosts/architect/hardware.nix index d3fa051..ceddaf2 100644 --- a/hosts/architect/hardware.nix +++ b/hosts/architect/hardware.nix @@ -38,7 +38,7 @@ }; swapDevices = [{ device = "/swapfile"; - size = 1024 * 64; + size = 1024 * 64; }]; boot = { diff --git a/hosts/architect/home-assistant.nix b/hosts/architect/home-assistant.nix index 5936300..daa3f0c 100644 --- a/hosts/architect/home-assistant.nix +++ b/hosts/architect/home-assistant.nix @@ -5,7 +5,8 @@ let network = import ./network.nix; host = "127.0.0.1"; port = 8123; -in { +in +{ services = { mosquitto = { enable = true; 
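Review bot: The reindented filter INPUT chain still accepts `ip saddr ${lan-net}`, `ip saddr ${tailscale-net}` and the gdevices set without any `iifname` match, and the anti-spoofing in mangle PREROUTING for `${wan-if}` only drops `${vpn-net}` and 127.0.0.0/8 sources before `iifname ${wan-if} accept`, so a packet arriving on the WAN interface with a forged LAN or tailnet source address reaches every local listener rather than just the `open_tcp_ports`/`open_udp_ports` sets (one-way UDP services are the practical exposure; TCP would still need a completed handshake). Since gdevices are the `-ts` addresses from network.nix, the two tailnet rules can be bound to the interface the mangle chain already uses: `iifname ${tailscale-if} ip saddr ${tailscale-net} accept comment "tailscale > local"` and `iifname ${tailscale-if} ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"`. The LAN rule should get the same `iifname` match on whichever interface carries `${lan-net}`; that interface name is not visible in this diff, and if LAN and WAN share `${wan-if}` the guard would have to come from a reverse-path (`fib saddr . iif oif missing drop` / rp_filter) check instead, which this ruleset does not show. The enclosing `networking` attribute set opens in the previous hunk.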
diff --git a/hosts/architect/keycloak.nix b/hosts/architect/keycloak.nix index a157887..6972892 100644 --- a/hosts/architect/keycloak.nix +++ b/hosts/architect/keycloak.nix @@ -3,7 +3,8 @@ let network = import ./network.nix; domain = "auth.giugl.io"; -in { +in +{ services = { keycloak = { enable = true; @@ -36,7 +37,7 @@ in { locations = { "/" = { return = "301 https://${domain}/realms/master/account"; }; - + "/admin" = { proxyPass = "http://127.0.0.1:${ toString config.services.keycloak.settings.http-port diff --git a/hosts/architect/lezzo.nix b/hosts/architect/lezzo.nix index 570d102..cc31b57 100644 --- a/hosts/architect/lezzo.nix +++ b/hosts/architect/lezzo.nix @@ -16,7 +16,7 @@ in forceSSL = true; root = lezzo_root; - + locations."/.git" = { return = "404"; }; }; diff --git a/hosts/architect/lidarr.nix b/hosts/architect/lidarr.nix index 9f965d0..15f3a9b 100644 --- a/hosts/architect/lidarr.nix +++ b/hosts/architect/lidarr.nix @@ -4,7 +4,8 @@ let domain = "htlid.giugl.io"; network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; -in { +in +{ services = { lidarr = { enable = true; diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix index fb9c5cf..5c912b8 100644 --- a/hosts/architect/matrix.nix +++ b/hosts/architect/matrix.nix @@ -27,7 +27,7 @@ in ]; auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ]; - + oidc_providers = [{ idp_id = "keycloak"; idp_name = "Architect SSO"; @@ -97,9 +97,9 @@ in return 200 '${builtins.toJSON client}'; ''; -# locations."/".extraConfig = '' -# return 404; -# ''; + # locations."/".extraConfig = '' + # return 404; + # ''; # forward all Matrix API calls to the synapse Matrix homeserver locations."/_matrix" = { diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix index 29a31f3..6e03f79 100644 --- a/hosts/architect/minio.nix +++ b/hosts/architect/minio.nix 
@@ -3,7 +3,8 @@ let domain = "s3.giugl.io"; network = import ./network.nix; -in { +in +{ services = { minio.enable = true; diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix index e62b076..f5e70f2 100644 --- a/hosts/architect/modules/jellyfin.nix +++ b/hosts/architect/modules/jellyfin.nix @@ -63,21 +63,21 @@ in { AmbientCapabilities = ""; CapabilityBoundingSet = ""; - # # ProtectClock= adds DeviceAllow=char-rtc r - # DeviceAllow = [ - # "char-drm r" - # "/dev/nvidia0 r" - # "/dev/nvidiactl r" - # "/dev/nvidia-uvm r" - # "/dev/nvidia-uvm-tools r" - # ]; + # # ProtectClock= adds DeviceAllow=char-rtc r + # DeviceAllow = [ + # "char-drm r" + # "/dev/nvidia0 r" + # "/dev/nvidiactl r" + # "/dev/nvidia-uvm r" + # "/dev/nvidia-uvm-tools r" + # ]; DeviceAllow = ""; LockPersonality = true; PrivateTmp = true; PrivateUsers = true; -# ProtectClock = true; + # ProtectClock = true; ProtectControlGroups = true; ProtectHostname = true; ProtectKernelLogs = true; @@ -87,7 +87,7 @@ in { RemoveIPC = true; RestrictNamespaces = true; - # # AF_NETLINK needed because Jellyfin monitors the network connection + # # AF_NETLINK needed because Jellyfin monitors the network connection RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictRealtime = true; RestrictSUIDSGID = true; diff --git a/hosts/architect/navidrome.nix b/hosts/architect/navidrome.nix index 6f183c3..ae3f660 100644 --- a/hosts/architect/navidrome.nix +++ b/hosts/architect/navidrome.nix @@ -6,7 +6,8 @@ let library_path = "/media/Music"; beets_config = "/media/beets.conf"; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; -in { +in +{ services = { navidrome = { enable = true; diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index ef90a6c..9dd39a9 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix 
@@ -60,7 +60,7 @@ rec { architect-ts = "100.67.205.28"; giuliopc-ts = "100.124.78.64"; dodino-ts = "100.106.244.35"; - + # groups gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ]; towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]; diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 10ef813..24b45ea 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -4,7 +4,8 @@ let domain = "cloud.giugl.io"; network = import ./network.nix; redis_port = 6379; -in { +in +{ services = { mysql = { enable = true; diff --git a/hosts/architect/nitter.nix b/hosts/architect/nitter.nix index 4a856a1..3921a15 100644 --- a/hosts/architect/nitter.nix +++ b/hosts/architect/nitter.nix @@ -3,7 +3,8 @@ let domain = "tweet.giugl.io"; network = import ./network.nix; -in { +in +{ services = { nitter = { enable = true; diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix index 136fcaf..07fedfe 100644 --- a/hosts/architect/nzbget.nix +++ b/hosts/architect/nzbget.nix @@ -4,7 +4,8 @@ let domain = "htnzb.giugl.io"; network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; -in { +in +{ services = { nzbget = { enable = true; diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix index 6aaef44..cd2fd31 100644 --- a/hosts/architect/openid.nix +++ b/hosts/architect/openid.nix @@ -2,7 +2,7 @@ { openresty_oidc_block = - { access_role ? "", whitelisted_ips ? [] }: '' + { access_role ? "", whitelisted_ips ? [ ] }: '' access_by_lua_block { local opts = { discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index 7053044..891f85f 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix @@ -3,7 +3,8 @@ let domain = "media.giugl.io"; network = import ./network.nix; -in { +in +{ services.plex = { enable = true; package = pkgs.unstable.plex; 
diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix index 67542cc..1413ed4 100644 --- a/hosts/architect/prosody.nix +++ b/hosts/architect/prosody.nix @@ -5,7 +5,8 @@ let conference_domain = "conference.${domain}"; upload_domain = "uploads.${domain}"; network = import ./network.nix; -in { +in +{ services = { prosody = { enable = true; diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index ac52d62..17fdeba 100644 --- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix @@ -3,7 +3,8 @@ let domain = "htpro.giugl.io"; network = import ./network.nix; -in { +in +{ services = { prowlarr.enable = true; diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index 637126c..0d042d0 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix @@ -4,7 +4,8 @@ let domain = "htrad.giugl.io"; network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; -in { +in +{ services = { radarr = { enable = true; diff --git a/hosts/architect/runas.nix b/hosts/architect/runas.nix index 09662ae..99eb081 100644 --- a/hosts/architect/runas.nix +++ b/hosts/architect/runas.nix @@ -16,7 +16,7 @@ in forceSSL = true; locations."/".root = runas_root; - + locations."/.git" = { return = "404"; }; }; diff --git a/hosts/architect/searx.nix b/hosts/architect/searx.nix index 4e87a91..6f726f6 100644 --- a/hosts/architect/searx.nix +++ b/hosts/architect/searx.nix 
@@ -10,7 +10,7 @@ in searx = { enable = true; package = pkgs.searxng; -# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206"; + # package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206"; environmentFile = /secrets/searx/env; settings = { diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix index d18f290..93c5aa1 100644 --- a/hosts/architect/sonarr.nix +++ b/hosts/architect/sonarr.nix @@ -4,7 +4,8 @@ let domain = "htson.giugl.io"; network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; -in { +in +{ services = { sonarr = { enable = true; diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index 596c896..49fd1ad 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -2,9 +2,10 @@ let network = import ./network.nix; - + ifname = "ts0"; -in { +in +{ services = { tailscale = { enable = true; @@ -18,4 +19,4 @@ in { ${network.dodino-ts} dodino.devs.giugl.io ${network.giuliophone-ts} chuck.devs.giugl.io ''; -} \ No newline at end of file +} diff --git a/hosts/architect/transmission.nix b/hosts/architect/transmission.nix index d2615c2..a6fe466 100644 --- a/hosts/architect/transmission.nix +++ b/hosts/architect/transmission.nix @@ -3,7 +3,8 @@ let domain = "httra.giugl.io"; network = import ./network.nix; -in { +in +{ services = { transmission = { enable = true; diff --git a/hosts/gAluminum/default.nix b/hosts/gAluminum/default.nix index 3dddb54..f687240 100644 --- a/hosts/gAluminum/default.nix +++ b/hosts/gAluminum/default.nix 
@@ -9,7 +9,8 @@ let export __VK_LAYER_NV_optimus=NVIDIA_only exec -a "$0" "$@" ''; -in { +in +{ imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ]; boot = { @@ -70,5 +71,5 @@ in { programs.steam.enable = true; environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ]; -# system.stateVersion = "21.05"; # Did you read the comment? + # system.stateVersion = "21.05"; # Did you read the comment? } diff --git a/lib/host.nix b/lib/host.nix index 68b34d2..03e0a3c 100644 --- a/lib/host.nix +++ b/lib/host.nix @@ -5,14 +5,17 @@ let mkRole = role: import (../roles + "/${role}.nix"); - users_mod = (map (u: - user.mkUser { - name = u.user; - roles = u.roles; - }) users); + users_mod = (map + (u: + user.mkUser { + name = u.user; + roles = u.roles; + }) + users); roles_mod = (map (r: mkRole r) roles); add_imports = imports; - in nixpkgs.lib.nixosSystem { + in + nixpkgs.lib.nixosSystem { inherit system; modules = [ diff --git a/lib/user.nix b/lib/user.nix index e5296b9..16d4852 100644 --- a/lib/user.nix +++ b/lib/user.nix @@ -5,7 +5,8 @@ let mkRole = role: import (../roles/home + "/${role}.nix"); roles_mod = (map (r: mkRole r) roles); - in { + in + { users.groups.plugdev = { }; fileSystems."/home/${name}/Downloads" = { @@ -27,7 +28,8 @@ let mkRole = role: import (../roles/home + "/${role}.nix"); roles_mod = (map (r: mkRole r) roles); - in home-manager.lib.homeManagerConfiguration { + in + home-manager.lib.homeManagerConfiguration { inherit pkgs; modules = [ { diff --git a/roles/acme.nix b/roles/acme.nix index 1a620f0..de54f19 100644 --- a/roles/acme.nix +++ b/roles/acme.nix @@ -1,4 +1,4 @@ -{ +{ security.acme = { acceptTerms = true; defaults = { diff --git a/roles/home/desktop.nix b/roles/home/desktop.nix index d9a8752..df38fe0 100644 --- a/roles/home/desktop.nix +++ b/roles/home/desktop.nix @@ -9,7 +9,8 @@ let name = "guake"; package = pkgs.guake; }); -in { +in +{ imports = [ ./gnome.nix ]; nixpkgs.config.allowUnfree = true; 
diff --git a/roles/home/ssh.nix b/roles/home/ssh.nix index fa39b09..39159f0 100644 --- a/roles/home/ssh.nix +++ b/roles/home/ssh.nix @@ -10,12 +10,12 @@ user = "root"; identityFile = "~/.ssh/architectproxy"; }; - + "192.35.222.32" = { user = "giulio"; identityFile = "~/.ssh/gitlab-ucsb"; }; - + "tommy.devs.giugl.io" = { user = "giulio"; identityFile = "~/.ssh/tommypc";