

No commits in common. "3321ec122a46bbb306f4f984899472d7996af2bd" and "be0a1be47d45db1430fcc663cf89b3dd1ce0399c" have entirely different histories.

21 changed files with 94 additions and 141 deletions


@ -18,31 +18,26 @@
wrapPkgsSystem = { system }:
import nixpkgs rec {
inherit system;
unstablePkgs = wrapUnstablePkgsSystem { inherit system; };
unstable = wrapUnstablePkgsSystem { inherit system; };
config.allowUnfree = true;
overlays = [
(final: prev: { inherit unstablePkgs; })
(final: prev: { inherit unstable; })
];
};
wrapUnstablePkgsSystem = { system }:
import nixos-unstable {
inherit system;
config.allowUnfree = true;
};
wrapUtils = { pkgs, unstablePkgs, system }:
wrapUtils = { pkgs, unstable, system }:
let
inherit (pkgs.lib) makeScope;
inherit (pkgs) newScope;
in
makeScope newScope (self: rec {
makeScope newScope (self: {
inherit nixpkgs home-manager nixos-unstable;
inherit (self.callPackage ./lib/utils.nix { }) mkSysRole mkHomeRole;
inherit (user) mkUser;
user = self.callPackage ./lib/user.nix { };
host = self.callPackage ./lib/host.nix { };
});
@ -50,15 +45,15 @@
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstablePkgs = unstableLinuxX64; };
utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstable = unstableLinuxX64; };
pkgsLinuxAarch = wrapPkgsSystem { system = sysLinuxAarch; };
unstableLinuxAarch = wrapUnstablePkgsSystem { system = sysLinuxAarch; };
utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstablePkgs = unstableLinuxAarch; };
utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstable = unstableLinuxAarch; };
pkgsDarwin = wrapPkgsSystem { system = sysDarwin; };
unstableDarwin = wrapUnstablePkgsSystem { system = sysDarwin; };
utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstablePkgs = unstableDarwin; };
utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstable = unstableDarwin; };
in
{
nixosConfigurations = {


@ -9,7 +9,7 @@ let
in
{
imports = [
./options.nix
# Include the results of the hardware scan.
./backup.nix
./hardware.nix
./firewall.nix
@ -132,11 +132,6 @@ in
driSupport = true;
};
architect.firewall = {
openTCP = [ 22 ];
openTCPVPN = [ 22 ];
};
services = {
fwupd.enable = true;
das_watchdog.enable = true;


@ -4,15 +4,8 @@ let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
listenPorts = [ 51413 51414 ];
in
{
architect.firewall = {
openTCP = listenPorts;
openUDP = listenPorts;
};
services = {
deluge = {
enable = true;
@ -31,7 +24,7 @@ in
max_connections_global = 1000;
max_active_limit = 100;
max_active_downloading = 100;
listen_ports = listenPorts;
listen_ports = [ 51413 51414 ];
random_port = false;
enabled_plugins = [ "Label" "Extractor" ];
};
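Review bot: `listen_ports = [ 51413 51414 ];` at the end of this hunk is now a literal that has to agree with `torrent_a`/`torrent_b` in firewall.nix, since the shared `listenPorts` binding in the first hunk was dropped; the same split appears in wireguard.nix (`listenPort = 1194;` against `wireguard_udp`) and minecraft.nix (25565 against `minecraft_tcp`). If the service side is changed later and the firewall side is not, the nftables accept rule keeps a WAN port open for whatever binds it next, and nothing in either file flags the mismatch. Keeping a single definition — a constant imported by both files, or firewall.nix reading the ports back from the deluge module's `config` option if this block is declared under it — removes the drift. The `services.deluge` attribute set continues past this hunk.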


@ -6,8 +6,6 @@ let
dnscrypt_listen_port = "5353";
in
{
architect.firewall.openUDPVPN = [ 53 ];
services = {
dnsmasq = {
enable = true;


@ -1,13 +1,54 @@
{ config, lib, ... }:
with import ./network.nix;
with lib;
let
openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
# TCP services
ssh_tcp = 22;
http_tcp = 80;
https_tcp = 443;
synapse_tcp = 8448;
gitea_tcp = 10022;
prosody_tcp = 5222;
minecraft_tcp = 25565;
# UDP services
dns_udp = 53;
wireguard_udp = 1194;
# TCP/UDP services
torrent_a = 51413;
torrent_b = 51414;
# grouping
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp
http_tcp
https_tcp
synapse_tcp
gitea_tcp
torrent_a
torrent_b
minecraft_tcp
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
wireguard_udp
torrent_a
torrent_b
config.services.tailscale.port
];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp
http_tcp
https_tcp
prosody_tcp
minecraft_tcp
];
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
dns_udp
wireguard_udp
];
in
{
networking = {
@ -120,11 +161,10 @@ in
ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${openTCP}} accept
iifname ${wan-if} udp dport {${openUDP}} accept
iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
iifname ${vpn-if} udp dport {${openUDPVPN}} accept
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop
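Review bot: `gitea_tcp = 10022;` pins a value that the removed gitea.nix line read from `config.services.gitea.settings.server.SSH_PORT`, even though `config` is still a parameter of this file and is already consulted for `config.services.tailscale.port` in the UDP list; `gitea_tcp = config.services.gitea.settings.server.SSH_PORT;` keeps the accept rule tied to the actual listener. `synapse_tcp = 8448` and `prosody_tcp = 5222` enter the WAN and VPN lists without a matching service change anywhere in this compare, so it is worth confirming a listener exists for each, because an accept rule for an unbound port is silent today and exposes whatever later binds it. As a point of style, `with lib;` on the context line above is now redundant with the four `lib.concatMapStringsSep` calls, which could share one local `ports = lib.concatMapStringsSep "," toString;`. The `let` block of the first hunk and the `networking` attribute set of the second both extend beyond the shown lines.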


@ -1,12 +1,11 @@
{ config, lib, ... }:
{ lib, ... }:
let
domain = "git.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
services.gitea = {
enable = true;
database.type = "sqlite3";


@ -9,7 +9,7 @@ in
invidious = {
enable = true;
port = 9092;
package = pkgs.unstablePkgs.invidious;
package = pkgs.unstable.invidious;
};
nginx.virtualHosts.${domain} = {


@ -13,7 +13,7 @@ in
jellyfin = {
enable = true;
group = "media";
package = pkgs.unstablePkgs.jellyfin;
package = pkgs.unstable.jellyfin;
};
nginx.virtualHosts.${domain} = {


@ -5,13 +5,11 @@ let
network = import ./network.nix;
in
{
architect.firewall.openTCP = [ 25565 ];
services.minecraft-server = {
enable = true;
eula = true;
declarative = true;
package = pkgs.unstablePkgs.minecraft-server;
package = pkgs.unstable.minecraft-server;
serverProperties = { motd = "Welcome on the RuNas server!"; };
};


@ -9,7 +9,7 @@ in
services = {
mysql = {
enable = true;
package = pkgs.unstablePkgs.mysql80;
package = pkgs.unstable.mysql80;
};
redis = {
@ -24,7 +24,7 @@ in
enable = true;
hostName = domain;
https = true;
package = pkgs.unstablePkgs.nextcloud25;
package = pkgs.unstable.nextcloud25;
datadir = "/services/nextcloud";
caching = {
redis = true;


@ -1,11 +1,6 @@
{ services, pkgs, lib, ... }:
{
architect.firewall = {
openTCP = [ 80 443 ];
openTCPVPN = [ 80 443 ];
};
services.nginx = {
enable = true;
package = pkgs.openresty;


@ -12,7 +12,7 @@ in
server = {
port = 9093;
hostname = domain;
staticDir = "${pkgs.unstablePkgs.nitter}/share/nitter/public";
staticDir = "${pkgs.unstable.nitter}/share/nitter/public";
};
preferences = {
replaceYouTube = "tube.giugl.io";


@ -1,25 +0,0 @@
{ config, lib, ... }:
with lib;
{
options.architect.firewall = {
openTCP = mkOption {
type = types.listOf types.int;
default = [ ];
};
openUDP = mkOption {
type = types.listOf types.int;
default = [ ];
};
openTCPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
openUDPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
};
}


@ -7,7 +7,7 @@ in
{
services.plex = {
enable = true;
package = pkgs.unstablePkgs.plex;
package = pkgs.unstable.plex;
dataDir = "/plex";
};


@ -1,4 +1,4 @@
{ config, lib, ... }:
{ lib, ... }:
let
network = import ./network.nix;
@ -6,8 +6,6 @@ let
ifname = "ts0";
in
{
architect.firewall.openUDP = [ config.services.tailscale.port ];
services = {
tailscale = {
enable = true;


@ -1,14 +1,4 @@
{ config, lib, ... }:
with import ./network.nix;
let
listenPort = 1194;
in
{
architect.firewall = {
openUDP = lib.singleton listenPort;
openUDPVPN = lib.singleton listenPort;
};
with import ./network.nix; {
networking = {
extraHosts = ''
${architect-wg} architect.devs.giugl.io
@ -47,8 +37,7 @@ in
wireguard = {
interfaces.${vpn-if} = {
inherit listenPort;
listenPort = 1194;
ips = [ "10.3.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";


@ -1,26 +1,18 @@
{ pkgs
, nixpkgs
, nixos-unstable
, unstablePkgs
, home-manager
, system
, mkHomeRole
, mkSysRole
, mkUser
, ...
}:
{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, system, ... }:
{
mkHost = { name, users, roles ? [ ], imports ? [ ] }:
let
mkRole = role: pkgs.callPackage (../roles + "/${role}.nix") { };
users_mod = (map
(u:
mkUser {
user.mkUser {
name = u.user;
roles = u.roles;
})
users);
roles_mod = (map (r: mkSysRole r) roles);
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in
nixpkgs.lib.nixosSystem {
@ -28,36 +20,26 @@
modules = [
{
imports = users_mod ++ roles_mod ++ add_imports ++ [
(mkSysRole "common")
(mkSysRole "acme")
];
imports = users_mod ++ roles_mod ++ add_imports;
nixpkgs = { inherit pkgs; };
nix = {
nixPath = [
"nixpkgs=${nixpkgs}"
"unstable=${nixos-unstable}"
];
registry = {
nixpkgs.flake = nixpkgs;
unstable.flake = nixos-unstable;
};
};
nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" ];
nix.registry.nixpkgs.flake = nixpkgs;
nix.registry.unstable.flake = nixos-unstable;
users.users.root = { shell = pkgs.zsh; };
home-manager = {
users.root.imports = pkgs.lib.singleton (mkHomeRole "common");
extraSpecialArgs.unstablePkgs = unstablePkgs;
users.root.imports = [ ../roles/home/common.nix ];
extraSpecialArgs.unstable = unstable;
useGlobalPkgs = true;
};
system.stateVersion = "22.11";
}
home-manager.nixosModules.home-manager
../roles/common.nix
../roles/acme.nix
../hosts/${name}/default.nix
];
};
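Review bot: `mkRole = role: pkgs.callPackage (../roles + "/${role}.nix") { };` calls each role file as a package, so a role written as `{ config, lib, ... }:` (firewall.nix in this compare) receives `pkgs.config` and `pkgs.lib` instead of the NixOS module arguments, and its `config.services.tailscale.port` lookup would fail when the ruleset is evaluated — assuming this line is on the new side, as the hunk counts suggest. Importing the module function and letting the module system call it, `mkRole = role: import (../roles + "/${role}.nix");`, matches what `mkRole` does for home roles in user.nix and what the deleted utils.nix did. `mkHost` runs from the first hunk into the second, and its `let` block ends outside the first.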


@ -1,9 +1,10 @@
{ pkgs, home-manager, mkHomeRole, ... }:
{ pkgs, unstable, home-manager, ... }:
{
mkUser = { name, roles ? [ ] }:
let
roles_mod = (map (r: mkHomeRole r) roles);
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in
{
users.groups.plugdev = { };
@ -20,12 +21,13 @@
extraGroups = [ "wheel" "plugdev" ];
};
home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
home-manager.users.${name}.imports = [ (mkRole "common") ] ++ roles_mod;
};
mkHMUser = { name, roles ? [ ] }:
mkHMUser = { name, roles }:
let
roles_mod = (map (r: mkHomeRole r) roles);
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in
home-manager.lib.homeManagerConfiguration {
inherit pkgs;
@ -37,7 +39,7 @@
if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}";
};
}
(mkHomeRole "common")
(mkRole "common")
] ++ roles_mod;
};
}
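Review bot: `mkHMUser = { name, roles }:` drops the `roles ? [ ]` default that `mkUser` on the context line above still carries, so a caller that used to omit `roles` now fails with a missing-argument error; `mkHMUser = { name, roles ? [ ] }:` keeps the two constructors consistent unless every caller has been checked. The identical `mkRole = role: import (../roles/home + "/${role}.nix");` is now defined in both `let` blocks; hoisting it once above `mkUser` removes the duplication. `unstable` was added to the argument set but nothing in the visible hunks uses it, so either a use lies outside the shown lines or the parameter is dead. `mkHMUser`'s body continues past the second hunk.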


@ -1,6 +0,0 @@
{ ... }:
{
mkSysRole = role: import (../roles/${role}.nix);
mkHomeRole = role: import (../roles/home/${role}.nix);
}


@ -22,7 +22,7 @@
environment.systemPackages = with pkgs; [
gnomeExtensions.appindicator
gnomeExtensions.sound-output-device-chooser
pkgs.unstablePkgs.gnomeExtensions.pop-shell
pkgs.unstable.gnomeExtensions.pop-shell
];
security.pam.services.gdm.enableGnomeKeyring = true;
}


@ -33,7 +33,7 @@
formatter = { command = "nixpkgs-fmt" }
'';
packages = with pkgs.unstablePkgs; [
packages = with pkgs.unstable; [
helix
clang-tools
rust-analyzer