peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:73844fcf66e039ff96b31e3e6b177192bc4880f2
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
..
compare: peperunas:c47d25c94377a4d2a71ab528551df57caebef7ac
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

No commits in common. "73844fcf66e039ff96b31e3e6b177192bc4880f2" and "c47d25c94377a4d2a71ab528551df57caebef7ac" have entirely different histories.
73844fcf66 ... c47d25c943

25 changed files with 459 additions and 685 deletions
Show Stats Expand all files Collapse all files

1
cachix.nix
View File

@ -11,3 +11,4 @@ in {
inherit imports; inherit imports;
nix.binaryCaches = ["https://cache.nixos.org/"]; nix.binaryCaches = ["https://cache.nixos.org/"];
} }

1
cachix/ropfuscator.nix
View File

@ -9,3 +9,4 @@
]; ];
}; };
} }

94
flake.lock generated
View File

@ -1,36 +1,5 @@
{ {
"nodes": { "nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1656928814,
"narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -38,64 +7,48 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1665475263, "lastModified": 1639871969,
"narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=", "narHash": "sha256-6feWUnMygRzA9tzkrfAzpA5/NBYg75bkFxnqb1DtD7E=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3", "rev": "697cc8c68ed6a606296efbbe9614c32537078756",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "rycee", "owner": "rycee",
"ref": "release-22.05", "ref": "release-21.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1665672983, "lastModified": 1639699734,
"narHash": "sha256-V7Va7CRKmQRy95xSdlga5nV7q3/PusZwNAF/leb5PcU=", "narHash": "sha256-tlX6WebGmiHb2Hmniff+ltYp+7dRfdsBxw9YczLsP60=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bb2fb1524795f2d720cd13a2eb4d35d3a7a0d888", "rev": "03ec468b14067729a285c2c7cfa7b9434a04816c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "master", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1665596265, "lastModified": 1639794673,
"narHash": "sha256-H7Ku1SF+7zDEqw8QOyEDA5blMJQW9MvdfgB+K3KJNLw=", "narHash": "sha256-bjauV0+Z4WmxeiHXecyiEOEwo+XysO6kx36beeatbl0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9234f5a17e1a7820b5e91ecd4ff0de449e293383", "rev": "2627c4b795107ba94562626925f5a9a2bc62ebc6",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-22.05", "ref": "nixos-21.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1659190188,
"narHash": "sha256-LudYrDFPFaQMW0l68TYkPWRPKmqpxIFU1nWfylIp9AQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a3fddd46a7f3418d7e3940ded94701aba569161d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -104,28 +57,7 @@
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-unstable": "nixos-unstable", "nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs"
"vim-extra-plugins": "vim-extra-plugins"
}
},
"vim-extra-plugins": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1665671907,
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=",
"owner": "m15a",
"repo": "nixpkgs-vim-extra-plugins",
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38",
"type": "github"
},
"original": {
"owner": "m15a",
"repo": "nixpkgs-vim-extra-plugins",
"type": "github"
} }
} }
}, },

23
flake.nix
View File

@ -1,26 +1,22 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
nixos-unstable.url = "github:NixOS/nixpkgs/master"; nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
home-manager = { home-manager = {
url = "github:rycee/home-manager/release-22.05"; url = "github:rycee/home-manager/release-21.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
vim-extra-plugins.url = "github:m15a/nixpkgs-vim-extra-plugins"; navidrome.url = "github:antifuchs/nixpkgs/fix-151550";
}; };
outputs = outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager, navidrome}:
inputs@{ self, nixpkgs, nixos-unstable, home-manager, vim-extra-plugins }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
overlays = [ overlays = [ (final: prev: { inherit unstable; }) ];
(final: prev: { inherit unstable; })
vim-extra-plugins.overlays.default
];
}; };
unstable = import nixos-unstable { unstable = import nixos-unstable {
@ -42,6 +38,13 @@
user = "giulio"; user = "giulio";
roles = [ ]; roles = [ ];
}]; }];
imports = [
{
disabledModules = [ "services/audio/navidrome.nix" ];
imports =
[ (navidrome + "/nixos/modules/services/audio/navidrome.nix") ];
}
];
}; };
gAluminum = host.mkHost { gAluminum = host.mkHost {
name = "gAluminum"; name = "gAluminum";

6
hosts/architect/backup.nix
View File

@ -7,7 +7,7 @@
passwordFile = "/secrets/restic/data.key"; passwordFile = "/secrets/restic/data.key";
environmentFile = "/secrets/restic/credentials.txt"; environmentFile = "/secrets/restic/credentials.txt";
repository = "b2:architect:/"; repository = "b2:architect:/";
paths = [ "/var/lib" "/secrets" "/services" ]; paths = [ "/var/lib" "/secrets" ];
pruneOpts = [ pruneOpts = [
"--keep-daily 45" "--keep-daily 45"
"--keep-weekly 12" "--keep-weekly 12"
@ -15,8 +15,8 @@
"--keep-yearly 3" "--keep-yearly 3"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "monday 03:00"; OnCalendar = "monday 00:05";
RandomizedDelaySec = "1h"; RandomizedDelaySec = "2h";
}; };
}; };
}; };

35
hosts/architect/calibre.nix
View File

@ -1,35 +0,0 @@
{ lib, ... }:
let
domain = "books.giugl.io";
network = import ./network.nix;
in {
services = {
calibre-web = {
enable = true;
group = "media";
options = {
enableBookConversion = true;
enableBookUploading = true;
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8083";
extraConfig = ''
client_max_body_size 500M;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "calibre-web" ];
}

56
hosts/architect/default.nix
View File

@ -23,29 +23,37 @@ in {
./matrix.nix ./matrix.nix
./fail2ban.nix ./fail2ban.nix
./dns.nix ./dns.nix
# ./minecraft.nix #./minecraft.nix
./prowlarr.nix ./prowlarr.nix
# ./plex.nix ./plex.nix
#./githubrunner.nix ./githubrunner.nix
./libreddit.nix ./libreddit.nix
./invidious.nix ./invidious.nix
./nitter.nix ./nitter.nix
./ccache.nix ./ccache.nix
./lidarr.nix ./lidarr.nix
# ./navidrome.nix ./navidrome.nix
./jellyfin.nix ./jellyfin.nix
./prosody.nix ./prosody.nix
./deluge.nix ./deluge.nix
# ./calibre.nix
../../cachix.nix
./docker.nix
]; ];
nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
system.stateVersion = "21.11"; # Did you read the comment? system.stateVersion = "21.11"; # Did you read the comment?
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
services.fwupd.enable = true;
boot = { boot = {
kernelParams = [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
];
kernel.sysctl= {
"net.ipv4.ip_forward" = 1;
"fs.protected_regular" = 0;
};
initrd = { initrd = {
availableKernelModules = [ "igc" "r8169" ]; availableKernelModules = [ "igc" "r8169" ];
network = { network = {
@ -53,33 +61,22 @@ in {
ssh = { ssh = {
enable = true; enable = true;
port = 22; port = 22;
hostKeys = [ /secrets/ssh_host_rsa_key ]; hostKeys = [ /boot/ssh_host_rsa_key ];
authorizedKeys = pubkeys; authorizedKeys = pubkeys;
}; };
# postCommands = '' postCommands = ''
# zpool import backedpool -f zpool import backedpool
# zpool import zpool -f zpool import zpool
# echo "zfs load-key -ar; killall zfs" >> /root/.profile mkdir /mnt-root
# ''; echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile
'';
}; };
}; };
};
services.fwupd.enable = true;
boot = {
kernelParams = [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
"zfs_arc_max=1073741824"
"memmap=32M$0x4ca6f9478"
];
kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = { loader = {
systemd-boot = { systemd-boot ={
enable = true; enable = true;
memtest86.enable = true; memtest86.enable = true;
}; };
@ -149,10 +146,7 @@ in {
openssh = { openssh = {
enable = true; enable = true;
passwordAuthentication = false; passwordAuthentication = false;
kbdInteractiveAuthentication = false; challengeResponseAuthentication = false;
extraConfig = ''
MaxAuthTries 15
'';
}; };
smartd.enable = true; smartd.enable = true;
}; };

12
hosts/architect/dns.nix
View File

@ -1,16 +1,10 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";
in
{ {
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
# adguard port servers = [ "127.0.0.1#5300" ];
servers = [ "127.0.0.1#${adguard_dns_port}" ];
extraConfig = '' extraConfig = ''
localise-queries localise-queries
min-cache-ttl=120 min-cache-ttl=120
@ -20,13 +14,13 @@ in
adguardhome = { adguardhome = {
enable = true; enable = true;
port = adguard_webui_port; port = 3031;
}; };
dnscrypt-proxy2 = { dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; listen_addresses = [ "127.0.0.1:5353" ];
ipv4_servers = true; ipv4_servers = true;
ipv6_servers = false; ipv6_servers = false;
block_ipv6 = true; block_ipv6 = true;

10
hosts/architect/docker.nix
View File

@ -1,10 +0,0 @@
{
# virtualisation.docker = {
# enable = true;
# extraOptions = ''
# --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
# '';
# enableOnBoot = false;
# };
users.users.giulio.extraGroups = [ "docker" ];
}

56
hosts/architect/firewall.nix
View File

@ -3,48 +3,28 @@
with import ./network.nix; with import ./network.nix;
let let
# TCP services
ssh_tcp = 22;
http_tcp = 80;
https_tcp = 443;
synapse_tcp = 8448;
gitea_tcp = 10022;
prosody_tcp = 5222;
minecraft_tcp = 25565;
# UDP services
dns_udp = 53;
wireguard_udp = 1194;
# TCP/UDP services
torrent_a = 51413;
torrent_b = 51414;
# grouping
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp 22 # ssh
http_tcp 80 # http
https_tcp 443 # https
synapse_tcp 8448 # matrix
gitea_tcp 10022 # gitea
torrent_a 18080 # monero
torrent_b 51413 # transmission
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
wireguard_udp 1194 # wireguard
torrent_a 51413 # transmission
torrent_b
]; ];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp 22
http_tcp 80
https_tcp 443
prosody_tcp 32400 # plex
minecraft_tcp
]; ];
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
dns_udp 53 # dns
wireguard_udp 1194 # vpn
]; ];
in { in {
@ -84,7 +64,6 @@ in {
oifname ${wan-if} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} masquerade }} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
} }
} }
@ -99,7 +78,6 @@ in {
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -161,7 +139,7 @@ in {
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop jump filter_drop
} }
@ -187,8 +165,6 @@ in {
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} accept }} accept
oifname ${wan-if} ip saddr ${docker-net} accept
jump filter_drop jump filter_drop
} }

41
hosts/architect/hardware.nix
View File

@ -6,22 +6,22 @@
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/28ce6650-de21-4c1d-ae42-95d1e3507740"; device = "zpool/nixos/root";
fsType = "ext4"; fsType = "zfs";
}; };
fileSystems."/boot" = { fileSystems."/home" = {
device = "/dev/disk/by-uuid/B790-869D"; device = "zpool/data/home";
fsType = "vfat"; fsType = "zfs";
}; };
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
fileSystems."/media" = { fileSystems."/media" = {
device = "datapool/media"; device = "datapool/media";
fsType = "zfs"; fsType = "zfs";
@ -32,26 +32,19 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/services" = { fileSystems."/var/lib" = {
device = "backedpool/services"; device = "backedpool/services";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AF19-5616";
fsType = "vfat";
};
swapDevices = [{ swapDevices = [{
device = "/swapfile"; device = "/dev/sdc1";
size = 1024 * 64; size = 10000;
}]; }];
boot = {
initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/bdd5f111-ecec-48d8-861f-94083098c724";
preLVM = true;
allowDiscards = true;
fallbackToPassword = true;
};
};
initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ "dm-snapshot" ];
};
} }

50
hosts/architect/hardware.nix.bk
View File

@ -1,50 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "zpool/nixos/root";
fsType = "zfs";
};
fileSystems."/home" = {
device = "zpool/data/home";
fsType = "zfs";
};
fileSystems."/media" = {
device = "datapool/media";
fsType = "zfs";
};
fileSystems."/secrets" = {
device = "backedpool/secrets";
fsType = "zfs";
};
fileSystems."/var/lib" = {
device = "backedpool/services";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AF19-5616";
fsType = "vfat";
};
# swapDevices = [{
# device = "/dev/sdc1";
# size = 10000;
# }];
}

66
hosts/architect/home-assistant.nix
View File

@ -1,66 +0,0 @@
{ lib, config, pkgs, ... }:
let
domain = "home.giugl.io";
network = import ./network.nix;
host = "127.0.0.1";
port = 8123;
in {
services = {
mosquitto = {
enable = true;
listeners = [{
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
}];
};
home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"met"
"radio_browser"
];
config = {
default_config = { };
http = {
server_port = port;
server_host = host;
trusted_proxies = [ host ];
use_x_forwarded_for = true;
};
homeassistant = {
name = "Manduria";
latitude = 40.4;
longitude = 17.63;
unit_system = "metric";
time_zone = "Europe/Rome";
external_url = "http://${domain}";
};
};
};
nginx.virtualHosts.${domain} = {
# forceSSL = true;
# enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

35
hosts/architect/jellyfin.nix
View File

@ -1,8 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
let let
network = import ./network.nix; network = import ./network.nix;
domain = "media.giugl.io"; domain = "jellyfin.giugl.io";
in { in {
disabledModules = [ "services/misc/jellyfin.nix" ]; disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ]; imports = [ ./modules/jellyfin.nix ];
@ -15,32 +15,15 @@ in {
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; # forceSSL = true;
enableACME = true; # enableACME = true;
extraConfig = ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
locations."/" = { locations."/" = {
proxyPass = "http://localhost:8096"; proxyPass = "http://localhost:8096";
# extraConfig = '' extraConfig = ''
# allow 10.0.0.0/24; allow 10.0.0.0/24;
# allow 10.3.0.0/24; allow 10.3.0.0/24;
# deny all; deny all;
# ''; '';
};
locations."/socket" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true;
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
}; };
}; };

152
hosts/architect/matrix.nix
View File

@ -4,52 +4,81 @@ let
domain = "matrix.giugl.io"; domain = "matrix.giugl.io";
webui_domain = "chat.giugl.io"; webui_domain = "chat.giugl.io";
network = import ./network.nix; network = import ./network.nix;
db_name = "matrix-synapse";
in { in {
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
settings = { server_name = "${domain}";
server_name = "${domain}"; database_name = "synapse";
database_name = db_name; public_baseurl = "https://${domain}";
public_baseurl = "https://${domain}"; registration_shared_secret = "runas!";
registration_shared_secret = "runas!"; url_preview_enabled = true;
url_preview_enabled = true; dynamic_thumbnails = true;
dynamic_thumbnails = true; withJemalloc = true;
withJemalloc = true; # enable_registration = true;
# enable_registration = true; app_service_config_files = [
app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml"
"/var/lib/matrix-synapse/discord-registration.yaml" # "/var/lib/matrix-synapse/hookshot-registration.yml"
# "/var/lib/matrix-synapse/hookshot-registration.yml" # "/var/lib/matrix-synapse/telegram-registration.yaml"
# "/var/lib/matrix-synapse/telegram-registration.yaml" ];
]; extraConfig = ''
listeners = [{ auto_join_rooms:
port = 8008; - "#general:matrix.giugl.io"
bind_addresses = [ "::1" ]; max_upload_size: "50M"
type = "http"; '';
tls = false; listeners = [{
x_forwarded = true; port = 8008;
resources = [{ bind_address = "::1";
names = [ "client" "federation" ]; type = "http";
compress = false; tls = false;
}]; x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = false;
}]; }];
}; }];
turn_uris = [
"turns:turn.giugl.io:5349?transport=udp"
"turns:turn.giugl.io:5349?transport=tcp"
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
logConfig = ''
version: 1
#extraConfig = '' # In systemd's journal, loglevel is implicitly stored, so let's omit it
# auto_join_rooms: # from the message text.
# - "#general:matrix.giugl.io" formatters:
# max_upload_size: "50M" journal_fmt:
#''; format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARN
handlers: [journal]
disable_existing_loggers: False
'';
}; };
postgresql = { postgresql = {
enable = true; enable = true;
package = pkgs.postgresql; package = pkgs.postgresql_11;
ensureDatabases = [ db_name ]; ensureDatabases = [ "synapse" ];
ensureUsers = [{ ensureUsers = [{
name = db_name; name = "matrix-synapse";
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; }; ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
}]; }];
}; };
@ -119,8 +148,61 @@ in {
}; };
}; };
}; };
# telegram bridge
# mautrix-telegram = {
# enable = true;
# environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
# settings = {
# homeserver = {
# address = "https://${domain}";
# domain = "${domain}";
# };
# appservice = {
# provisioning.enabled = false;
# id = "telegram";
# };
# bridge = {
# permissions = {
# "@pepe:${domain}" = "admin";
# "${domain}" = "puppeting";
# };
# # Animated stickers conversion requires additional packages in the
# # service's path.
# # If this isn't a fresh installation, clearing the bridge's uploaded
# # file cache might be necessary (make a database backup first!):
# # delete from telegram_file where \
# # mime_type in ('application/gzip', 'application/octet-stream')
# animated_sticker = {
# target = "gif";
# args = {
# width = 256;
# height = 256;
# fps = 30; # only for webm
# background = "020202"; # only for gif, transparency not supported
# };
# };
# encryption = {
# allow = true;
# default = true;
# };
# };
# };
# };
}; };
# systemd.services.mautrix-telegram.path = with pkgs; [
# lottieconverter # for animated stickers conversion, unfree package
# ffmpeg # if converting animated stickers to webm (very slow!)
# ];
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${webui_domain} ${network.architect-lan} ${domain} ${webui_domain}
${network.architect-wg} ${domain} ${webui_domain} ${network.architect-wg} ${domain} ${webui_domain}

8
hosts/architect/modules/jellyfin.nix
View File

@ -50,10 +50,12 @@ in {
serviceConfig = rec { serviceConfig = rec {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
StateDirectory = "/jellyfin"; # # Allows access to drm devices for transcoding with hardware acceleration
CacheDirectory = "/jellyfin/cache"; # SupplementaryGroups = [ "video" ];
StateDirectory = "jellyfin";
CacheDirectory = "jellyfin";
ExecStart = ExecStart =
"${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'"; "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
Restart = "on-failure"; Restart = "on-failure";
# Security options: # Security options:

55
hosts/architect/navidrome.nix
View File

@ -3,15 +3,13 @@
let let
domain = "music.giugl.io"; domain = "music.giugl.io";
network = import ./network.nix; network = import ./network.nix;
library_path = "/media/Music";
beets_config = "/media/beets.conf";
in { in {
services = { services = {
navidrome = { navidrome = {
enable = true; enable = true;
settings = { settings = {
MusicFolder = library_path; MusicFolder = "/media/Music";
LastFM.enable = true; LastFM.enable = true;
LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20";
LastFM.Secret = "d1296896126f4caae47407aecf080b25"; LastFM.Secret = "d1296896126f4caae47407aecf080b25";
@ -36,51 +34,14 @@ in {
}; };
}; };
systemd.services = { systemd.services."beets-rename" = {
"beets-update" = { enable = true;
enable = true; serviceConfig = {
# requires = [ "remove-badmp3.service" "remove-badflac.service" ]; Type = "oneshot";
before = [ "beets-import.service" ]; ExecStart =
serviceConfig = { "${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;";
Type = "oneshot";
ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update";
};
};
"beets-import" = {
enable = true;
path = [ pkgs.imagemagick ];
requires = [ "beets-update.service" ];
after = [ "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart =
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
};
startAt = "daily";
};
"remove-badmp3" = {
enable = true;
before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \;
'';
};
};
"remove-badflac" = {
enable = true;
before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \;
'';
};
}; };
startAt = "daily";
}; };
networking.extraHosts = '' networking.extraHosts = ''

14
hosts/architect/network.nix
View File

@ -3,14 +3,12 @@ rec {
wan-if = "enp5s0"; wan-if = "enp5s0";
vpn-if = "wg0"; vpn-if = "wg0";
proxy-if = "proxy"; proxy-if = "proxy";
docker-if = "docker0";
# nets # nets
lan-net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24"; proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
# ips # ips
dvr-lan = "10.0.0.2"; dvr-lan = "10.0.0.2";
@ -49,19 +47,19 @@ rec {
parina-wg = "10.3.0.31"; parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32"; nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33"; parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34";
eleonora-wg = "10.3.0.100"; eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.203"; angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
wolfsonhouse-wg = "10.3.0.203";
# groups # groups
gdevices-wg = gdevices-wg =
[ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg; [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] ++ gdevices-wg
++ gdevices-wg ++ routers-wg; ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
galuminum-wg galuminum-wg

4
hosts/architect/nextcloud.nix
View File

@ -8,13 +8,13 @@ in {
mysql.enable = true; mysql.enable = true;
mysql.package = pkgs.unstable.mysql80; mysql.package = pkgs.unstable.mysql80;
redis.servers."default".enable = true; redis.enable = true;
nextcloud = { nextcloud = {
enable = true; enable = true;
hostName = "${domain}"; hostName = "${domain}";
https = true; https = true;
package = pkgs.unstable.nextcloud24; package = pkgs.unstable.nextcloud23;
caching.redis = true; caching.redis = true;

43
hosts/architect/nginx.nix
View File

@ -8,26 +8,29 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."architect.devs.giugl.io" = { # virtualHosts."giugl.io" = {
default = true; # default = true;
enableACME = true; # enableACME = true;
addSSL = true; # addSSL = true;
root = "/var/lib/nginx/error_pages"; # root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;"; # extraConfig = "error_page 404 /index.htm;";
#
locations = { # locations = {
"/" = { return = "404"; }; # "/" = {
# return = "404";
"/index.htm" = { }; # };
#
"/style.css" = { }; # "/index.htm" = {
# };
"/wat.jpg" = { }; #
}; # "/style.css" = {
}; # };
appendConfig = '' #
worker_processes 24; # "/wat.jpg" = {
''; # };
# };
# };
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
} }

7
hosts/architect/prosody.nix
View File

@ -35,10 +35,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
''; '';
users.groups = { users.groups.acme.members = [ "prosody" ];
acme.members = [ "prosody" ];
nginx.members = [ "prosody" ];
};
} }

38
hosts/architect/wireguard.nix
View File

@ -28,25 +28,25 @@ with import ./network.nix; {
${mikey-wg} mikey.devs.giugl.io ${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io ${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io ${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io ${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io ${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io ${parina-wg} parina.devs.giugl.io
${parina-ipad-wg} parinaipad.devs.giugl.io ${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io ${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
''; '';
wireguard = { wireguard = {
# interfaces.${proxy-if} = { interfaces.${proxy-if} = {
# ips = [ "10.4.0.2/32" ]; ips = [ "10.4.0.2/32" ];
# privateKeyFile = "/secrets/wireguard/proxy.key"; privateKeyFile = "/secrets/wireguard/proxy.key";
# peers = [{ peers = [{
# publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
# allowedIPs = [ "10.4.0.1/32" ]; allowedIPs = [ "10.4.0.1/32" ];
# endpoint = "giugl.io:1195"; endpoint = "giugl.io:1195";
# persistentKeepalive = 21; persistentKeepalive = 21;
# }]; }];
# }; };
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
listenPort = 1194; listenPort = 1194;
@ -120,6 +120,12 @@ with import ./network.nix; {
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
} }
{
# angellane
allowedIPs = [ angellane-wg ];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
}
{ {
# hotpottino # hotpottino
allowedIPs = [ hotpottino-wg ]; allowedIPs = [ hotpottino-wg ];
@ -193,8 +199,8 @@ with import ./network.nix; {
} }
{ {
# angel-lane # wolfsonhouse
allowedIPs = [ angellane-wg ]; allowedIPs = [ wolfsonhouse-wg ];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
} }
@ -257,12 +263,6 @@ with import ./network.nix; {
allowedIPs = [ parina-ipad-wg ]; allowedIPs = [ parina-ipad-wg ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
} }
{
# kcl vm
allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
]; ];
}; };
}; };

66
lib/host.nix
View File

@ -1,44 +1,44 @@
{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, ... }: { pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, ... }:
{ {
mkHost = { name, users, roles ? [ ], imports ? [ ] }: mkHost = { name, users, roles ? [], imports ? [] }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
mkRole = role: import (../roles + "/${role}.nix"); mkRole = role : import (../roles + "/${role}.nix");
users_mod = (map (u: users_mod= (map (u: user.mkUser {name = u.user; roles = u.roles; }) users);
user.mkUser { roles_mod = (map (r: mkRole r) roles);
name = u.user; add_imports = imports;
roles = u.roles; in nixpkgs.lib.nixosSystem {
}) users); inherit system;
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in nixpkgs.lib.nixosSystem {
inherit system;
modules = [ modules = [
{ {
imports = users_mod ++ roles_mod ++ add_imports; imports = users_mod ++ roles_mod ++ add_imports;
nixpkgs = { inherit pkgs; }; nixpkgs = {
pkgs = pkgs;
};
nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" ]; nix.nixPath = [
nix.registry.nixpkgs.flake = nixpkgs; "nixpkgs=${nixpkgs}"
nix.registry.unstable.flake = nixos-unstable; "unstable=${nixos-unstable}"
];
nix.registry.nixpkgs.flake = nixpkgs;
nix.registry.unstable.flake = nixos-unstable;
users.users.root = { shell = pkgs.zsh; }; users.users.root = {
shell = pkgs.zsh;
};
home-manager = { home-manager.users.root.imports = [ ../roles/home/common.nix ];
users.root.imports = [ ../roles/home/common.nix ]; home-manager.extraSpecialArgs.unstable = unstable;
extraSpecialArgs.unstable = unstable; }
useGlobalPkgs = true;
};
}
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
../roles/common.nix ../roles/common.nix
../roles/acme.nix ../roles/acme.nix
../hosts/${name}/default.nix ../hosts/${name}/default.nix
]; ];
}; };
} }

10
roles/acme.nix
View File

@ -1,8 +1,4 @@
{ { ... }: {
security.acme = { security.acme.acceptTerms = true;
acceptTerms = true; security.acme.email = "sysadmin@giugl.io";
defaults = {
email = "sysadmin@giugl.io";
};
};
} }

261
roles/home/common.nix
View File

@ -1,22 +1,21 @@
{ config, pkgs, ... }: { config, pkgs, unstable, ... }:
{ {
imports = [ ./zsh.nix ./git.nix ]; imports = [ ./zsh.nix ./git.nix ];
home = { home = {
stateVersion = "21.05"; stateVersion = "21.05";
sessionVariables = { sessionVariables = {
EDITOR = "nvim"; EDITOR = "nvim";
VISUAL = "nvim"; VISUAL = "nvim";
}; };
packages = with pkgs; [ rizin sshfs nixfmt victor-mono ]; packages = with pkgs; [ rizin sshfs nixfmt victor-mono ];
}; };
programs.neovim = { programs.neovim = {
enable = true; enable = true;
viAlias = true; package = unstable.neovim-unwrapped;
vimAlias = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
nodePackages.prettier nodePackages.prettier
nodePackages.pyright nodePackages.pyright
@ -26,26 +25,6 @@
clang-tools clang-tools
rustfmt rustfmt
]; ];
plugins = with pkgs.vimPlugins; [
vim-nix
molokai
vim-airline
vim-airline-themes
vim-lsp
vim-indent-guides
vim-signify
vim-fugitive
vimtex
neoformat
nvim-lspconfig
vim-vsnip
nvim-cmp
cmp-nvim-lsp
(nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars))
nvim-treesitter-textobjects
pkgs.vimExtraPlugins.leap-nvim
];
extraConfig = '' extraConfig = ''
" syntax " syntax
syntax enable syntax enable
@ -58,16 +37,38 @@
set wildmode=longest:full,full set wildmode=longest:full,full
" remapping popup menu (command autocompletion) " remapping popup menu (command autocompletion)
cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up> " cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up>
cnoremap <expr> <down> pumvisible() ? "<C-n>" : "<down>" " cnoremap <expr> <down> pumvisible() ? "<C-n>" : "<down>"
cnoremap <expr> <CR> pumvisible() ? "<C-e>":"<CR>" " cnoremap <expr> <CR> pumvisible() ? "<C-e>":"<CR>"
" set line numbers " set line numbers
set number set number
" enable indent guides " enable indent guides
let g:indent_guides_enable_on_vim_startup = 1 let g:indent_guides_enable_on_vim_startup = 1
" Exit Vim if NERDTree is the only window left.
autocmd BufEnter * if tabpagenr('$') == 1 && winnr('$') == 1 && exists('b:NERDTree') && b:NERDTree.isTabTree() |
\ quit | endif
" Start NERDTree. If a file is specified, move the cursor to its window.
autocmd StdinReadPre * let s:std_in=1
autocmd VimEnter * NERDTree | if argc() > 0 || exists("s:std_in") | wincmd p | endif
" Start NERDTree when Vim starts with a directory argument.
autocmd StdinReadPre * let s:std_in=1
autocmd VimEnter * if argc() == 1 && isdirectory(argv()[0]) && !exists('s:std_in') |
\ execute 'NERDTree' argv()[0] | wincmd p | enew | execute 'cd '.argv()[0] | endif
" Exit Vim if NERDTree is the only window left.
autocmd BufEnter * if tabpagenr('$') == 1 && winnr('$') == 1 && exists('b:NERDTree') && b:NERDTree.isTabTree() |
\ quit | endif
" Start interactive EasyAlign in visual mode (e.g. vipga)
xmap ga <Plug>(EasyAlign)
" Start interactive EasyAlign for a motion/text object (e.g. gaip)
nmap ga <Plug>(EasyAlign)
" Highlight row and column " Highlight row and column
set cul set cul
set cuc set cuc
@ -86,105 +87,123 @@
let g:neoformat_basic_format_trim = 1 let g:neoformat_basic_format_trim = 1
lua << EOF lua << EOF
------------------
-- Setup nvim-cmp.
------------------
-- Setup leap-nvim keymappings -- Set completeopt to have a better completion experience
require('leap').add_default_mappings() vim.o.completeopt = 'menuone,noselect'
------------------ local cmp = require'cmp'
-- Setup nvim-cmp.
------------------
-- Set completeopt to have a better completion experience cmp.setup({
vim.o.completeopt = 'menuone,noselect' snippet = {
-- REQUIRED - you must specify a snippet engine
local cmp = require'cmp' expand = function(args)
vim.fn["vsnip#anonymous"](args.body) -- For `vsnip` users.
cmp.setup({ end,
snippet = {
-- REQUIRED - you must specify a snippet engine
expand = function(args)
vim.fn["vsnip#anonymous"](args.body) -- For `vsnip` users.
end,
},
mapping = {
['<C-b>'] = cmp.mapping(cmp.mapping.scroll_docs(-4), { 'i', 'c' }),
['<C-f>'] = cmp.mapping(cmp.mapping.scroll_docs(4), { 'i', 'c' }),
['<C-Space>'] = cmp.mapping(cmp.mapping.complete(), { 'i', 'c' }),
['<C-y>'] = cmp.config.disable, -- Specify `cmp.config.disable` if you want to remove the default `<C-y>` mapping.
['<C-e>'] = cmp.mapping({
i = cmp.mapping.abort(),
c = cmp.mapping.close(),
}),
['<CR>'] = cmp.mapping.confirm({ select = true }), -- Accept currently selected item. Set `select` to `false` to only confirm explicitly selected items.
},
sources = cmp.config.sources({
{ name = 'nvim_lsp' },
{ name = 'vsnip' }, -- For vsnip users.
}, {
{ name = 'buffer' },
})
})
-- Use buffer source for `/` (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline('/', {
sources = {
{ name = 'buffer' }
}
})
-- Use cmdline & path source for ':' (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline(':', {
sources = cmp.config.sources({
{ name = 'path' }
}, {
{ name = 'cmdline' }
})
})
-- Setup lspconfig.
local capabilities = require('cmp_nvim_lsp').update_capabilities(vim.lsp.protocol.make_client_capabilities())
--------------
-- LSP Servers
--------------
require'lspconfig'.pyright.setup{
capabilities = capabilities
}
require'lspconfig'.rust_analyzer.setup{
capabilities = capabilities
}
require'lspconfig'.rnix.setup{
capabilities = capabilities
}
require'lspconfig'.clangd.setup{
capabilities = capabilities,
cmd = {
"clangd",
"--background-index",
"--clang-tidy",
},
}
-------------------
-- TreeSitter setup
-------------------
require'nvim-treesitter.configs'.setup {
highlight = {
enable = true,
custom_captures = {
-- Highlight the @foo.bar capture group with the "Identifier" highlight group.
["foo.bar"] = "Identifier",
}, },
-- Setting this to true will run `:h syntax` and tree-sitter at the same time. mapping = {
-- Set this to `true` if you depend on 'syntax' being enabled (like for indentation). ['<C-b>'] = cmp.mapping(cmp.mapping.scroll_docs(-4), { 'i', 'c' }),
-- Using this option may slow down your editor, and you may see some duplicate highlights. ['<C-f>'] = cmp.mapping(cmp.mapping.scroll_docs(4), { 'i', 'c' }),
-- Instead of true it can also be a list of languages ['<C-Space>'] = cmp.mapping(cmp.mapping.complete(), { 'i', 'c' }),
additional_vim_regex_highlighting = false, ['<C-y>'] = cmp.config.disable, -- Specify `cmp.config.disable` if you want to remove the default `<C-y>` mapping.
}, ['<C-e>'] = cmp.mapping({
} i = cmp.mapping.abort(),
c = cmp.mapping.close(),
}),
['<CR>'] = cmp.mapping.confirm({ select = true }), -- Accept currently selected item. Set `select` to `false` to only confirm explicitly selected items.
},
sources = cmp.config.sources({
{ name = 'nvim_lsp' },
{ name = 'vsnip' }, -- For vsnip users.
}, {
{ name = 'buffer' },
})
})
-- Use buffer source for `/` (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline('/', {
sources = {
{ name = 'buffer' }
}
})
-- Use cmdline & path source for ':' (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline(':', {
sources = cmp.config.sources({
{ name = 'path' }
}, {
{ name = 'cmdline' }
})
})
-- Setup lspconfig.
local capabilities = require('cmp_nvim_lsp').update_capabilities(vim.lsp.protocol.make_client_capabilities())
--------------
-- LSP Servers
--------------
require'lspconfig'.pyright.setup{
capabilities = capabilities
}
require'lspconfig'.rust_analyzer.setup{
capabilities = capabilities
}
require'lspconfig'.rnix.setup{
capabilities = capabilities
}
require'lspconfig'.clangd.setup{
capabilities = capabilities,
cmd = {
"clangd",
"--background-index",
"--clang-tidy",
},
}
-------------------
-- TreeSitter setup
-------------------
require'nvim-treesitter.configs'.setup {
highlight = {
enable = true,
custom_captures = {
-- Highlight the @foo.bar capture group with the "Identifier" highlight group.
["foo.bar"] = "Identifier",
},
-- Setting this to true will run `:h syntax` and tree-sitter at the same time.
-- Set this to `true` if you depend on 'syntax' being enabled (like for indentation).
-- Using this option may slow down your editor, and you may see some duplicate highlights.
-- Instead of true it can also be a list of languages
additional_vim_regex_highlighting = false,
},
}
EOF EOF
''; '';
viAlias = true;
vimAlias = true;
plugins = with unstable.vimPlugins; [
vim-nix
molokai
vim-airline
vim-airline-themes
vim-lsp
vim-indent-guides
vim-signify
nerdtree
vim-easy-align
vim-fugitive
vimtex
neoformat
nvim-lspconfig
vim-vsnip
nvim-cmp
cmp-nvim-lsp
(nvim-treesitter.withPlugins (_: unstable.tree-sitter.allGrammars))
nvim-treesitter-textobjects
];
}; };
} }