Compare commits


25 Commits

Author SHA1 Message Date
Giulio De Pasquale
73844fcf66 Updated lock 2022-10-13 18:08:15 +02:00
Giulio De Pasquale
bb1bab2f2f Added vimExtraPlugins 2022-10-13 18:08:08 +02:00
Giulio De Pasquale
71f8e1e11e Remove easyalign, nerdtree and other unused plugins. Reordered vim plugins, added leap 2022-10-13 18:07:39 +02:00
Giulio De Pasquale
bb5bf44156 Set meme as default site on nginx 2022-10-13 16:04:56 +02:00
Giulio De Pasquale
efe8e4d575 Update lock 2022-10-11 21:34:54 +02:00
Giulio De Pasquale
b5a0e38e59 Do not use unstable neovim 2022-10-11 21:33:07 +02:00
Giulio De Pasquale
8a00748447 Open additional torrent port 2022-10-11 21:31:55 +02:00
Giulio De Pasquale
8622e9d4f3 Add swapfile 2022-10-11 21:31:16 +02:00
Giulio De Pasquale
54f30c0120 Add prosody to nginx group 2022-10-11 21:30:49 +02:00
Giulio De Pasquale
17168caa41 Calibre open to public, max 500M uploads 2022-10-11 21:29:58 +02:00
Giulio De Pasquale
184e6fafce Backup /services 2022-10-11 21:29:41 +02:00
Giulio De Pasquale
f1f018a1a1 Expose jellyfin to public 2022-10-09 23:24:27 +02:00
Giulio De Pasquale
dfb25e3c72 Better variable names for DNS 2022-10-09 23:23:58 +02:00
Giulio De Pasquale
41d0053278 home assistant 2022-10-09 23:23:44 +02:00
Giulio De Pasquale
f2aefa3fb7 Firewall ports named, removed unused services 2022-08-25 15:09:36 +02:00
Giulio De Pasquale
ad9b9b2e02 Use Nixpkgs default PostgreSQL. Fix permission by escaping name 2022-07-25 21:33:32 +02:00
Giulio De Pasquale
eed29e8d10 Use variable for db_name 2022-07-25 21:29:41 +02:00
Giulio De Pasquale
92ea949c6d Debloat matrix 2022-07-19 00:58:49 +02:00
Giulio De Pasquale
02a81c1dd4 Bump to 22.05 2022-07-17 20:30:45 +02:00
Giulio De Pasquale
7bd60d982b mah boh 2022-07-06 20:34:12 +02:00
Giulio De Pasquale
b640bd32a1 Move proxy directive to main block, allow javascript for casting 2022-04-05 17:07:56 +02:00
Giulio De Pasquale
895d17ab68 Allow docker interface to network on WAN 2022-04-05 17:00:25 +02:00
Giulio De Pasquale
8312f69c98 Enable docker 2022-04-05 14:07:35 +02:00
Giulio De Pasquale
bc637c5710 Modified backup start time 2022-04-05 14:05:08 +02:00
Giulio De Pasquale
c18f4a590e Calibre and cachix 2022-04-05 14:04:53 +02:00
25 changed files with 678 additions and 452 deletions


@ -11,4 +11,3 @@ in {
inherit imports; inherit imports;
nix.binaryCaches = ["https://cache.nixos.org/"]; nix.binaryCaches = ["https://cache.nixos.org/"];
} }


@ -9,4 +9,3 @@
]; ];
}; };
} }

94
flake.lock generated

@ -1,5 +1,36 @@
{ {
"nodes": { "nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1656928814,
"narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -7,48 +38,64 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1639871969, "lastModified": 1665475263,
"narHash": "sha256-6feWUnMygRzA9tzkrfAzpA5/NBYg75bkFxnqb1DtD7E=", "narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "697cc8c68ed6a606296efbbe9614c32537078756", "rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "rycee", "owner": "rycee",
"ref": "release-21.11", "ref": "release-22.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1639699734, "lastModified": 1665672983,
"narHash": "sha256-tlX6WebGmiHb2Hmniff+ltYp+7dRfdsBxw9YczLsP60=", "narHash": "sha256-V7Va7CRKmQRy95xSdlga5nV7q3/PusZwNAF/leb5PcU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "03ec468b14067729a285c2c7cfa7b9434a04816c", "rev": "bb2fb1524795f2d720cd13a2eb4d35d3a7a0d888",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "master",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1639794673, "lastModified": 1665596265,
"narHash": "sha256-bjauV0+Z4WmxeiHXecyiEOEwo+XysO6kx36beeatbl0=", "narHash": "sha256-H7Ku1SF+7zDEqw8QOyEDA5blMJQW9MvdfgB+K3KJNLw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2627c4b795107ba94562626925f5a9a2bc62ebc6", "rev": "9234f5a17e1a7820b5e91ecd4ff0de449e293383",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-21.11", "ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1659190188,
"narHash": "sha256-LudYrDFPFaQMW0l68TYkPWRPKmqpxIFU1nWfylIp9AQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a3fddd46a7f3418d7e3940ded94701aba569161d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -57,7 +104,28 @@
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-unstable": "nixos-unstable", "nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs",
"vim-extra-plugins": "vim-extra-plugins"
}
},
"vim-extra-plugins": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1665671907,
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=",
"owner": "m15a",
"repo": "nixpkgs-vim-extra-plugins",
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38",
"type": "github"
},
"original": {
"owner": "m15a",
"repo": "nixpkgs-vim-extra-plugins",
"type": "github"
} }
} }
}, },


@ -1,22 +1,26 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-unstable.url = "github:NixOS/nixpkgs/master";
home-manager = { home-manager = {
url = "github:rycee/home-manager/release-21.11"; url = "github:rycee/home-manager/release-22.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
navidrome.url = "github:antifuchs/nixpkgs/fix-151550"; vim-extra-plugins.url = "github:m15a/nixpkgs-vim-extra-plugins";
}; };
outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager, navidrome}: outputs =
inputs@{ self, nixpkgs, nixos-unstable, home-manager, vim-extra-plugins }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
overlays = [ (final: prev: { inherit unstable; }) ]; overlays = [
(final: prev: { inherit unstable; })
vim-extra-plugins.overlays.default
];
}; };
unstable = import nixos-unstable { unstable = import nixos-unstable {
@ -38,13 +42,6 @@
user = "giulio"; user = "giulio";
roles = [ ]; roles = [ ];
}]; }];
imports = [
{
disabledModules = [ "services/audio/navidrome.nix" ];
imports =
[ (navidrome + "/nixos/modules/services/audio/navidrome.nix") ];
}
];
}; };
gAluminum = host.mkHost { gAluminum = host.mkHost {
name = "gAluminum"; name = "gAluminum";
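Review bot: The `nixos-unstable` input now resolves to `github:NixOS/nixpkgs/master`, so everything taken from `pkgs.unstable` is built from commits that have not passed the channel's test gate, while the input name still says otherwise; keep `nixos-unstable` as the ref or rename the input. The new `vim-extra-plugins.overlays.default` overlay is third-party code evaluated inside the system package set, and it brings its own nixpkgs (the lock gains `nixpkgs_2`); adding `vim-extra-plugins.inputs.nixpkgs.follows = "nixpkgs";` would keep a single nixpkgs revision in play. Both inputs stay pinned by `rev` and `narHash` in flake.lock, so lock updates are the point at which upstream changes should be reviewed. This reading assumes the second value printed on each changed line is the new side.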


@ -7,7 +7,7 @@
passwordFile = "/secrets/restic/data.key"; passwordFile = "/secrets/restic/data.key";
environmentFile = "/secrets/restic/credentials.txt"; environmentFile = "/secrets/restic/credentials.txt";
repository = "b2:architect:/"; repository = "b2:architect:/";
paths = [ "/var/lib" "/secrets" ]; paths = [ "/var/lib" "/secrets" "/services" ];
pruneOpts = [ pruneOpts = [
"--keep-daily 45" "--keep-daily 45"
"--keep-weekly 12" "--keep-weekly 12"
@ -15,8 +15,8 @@
"--keep-yearly 3" "--keep-yearly 3"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "monday 00:05"; OnCalendar = "monday 03:00";
RandomizedDelaySec = "2h"; RandomizedDelaySec = "1h";
}; };
}; };
}; };


@ -0,0 +1,35 @@
{ lib, ... }:
let
domain = "books.giugl.io";
network = import ./network.nix;
in {
services = {
calibre-web = {
enable = true;
group = "media";
options = {
enableBookConversion = true;
enableBookUploading = true;
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8083";
extraConfig = ''
client_max_body_size 500M;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "calibre-web" ];
}
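Review bot: This vhost publishes calibre-web with `enableBookUploading` and `enableBookConversion` both on and `client_max_body_size 500M;`, and nothing in `locations."/"` limits who can reach it, so the application's own login is the only barrier in front of a converter that parses uploaded files. If public access is intended, confirm the initial admin credentials were changed and that upload rights are granted per user; otherwise add the `allow …; deny all;` pattern used by the Home Assistant vhost in this tree. The 500M body limit applies to every request on the site and could be scoped to the upload path only.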


@ -23,37 +23,29 @@ in {
./matrix.nix ./matrix.nix
./fail2ban.nix ./fail2ban.nix
./dns.nix ./dns.nix
#./minecraft.nix # ./minecraft.nix
./prowlarr.nix ./prowlarr.nix
./plex.nix # ./plex.nix
./githubrunner.nix #./githubrunner.nix
./libreddit.nix ./libreddit.nix
./invidious.nix ./invidious.nix
./nitter.nix ./nitter.nix
./ccache.nix ./ccache.nix
./lidarr.nix ./lidarr.nix
./navidrome.nix # ./navidrome.nix
./jellyfin.nix ./jellyfin.nix
./prosody.nix ./prosody.nix
./deluge.nix ./deluge.nix
# ./calibre.nix
../../cachix.nix
./docker.nix
]; ];
nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
system.stateVersion = "21.11"; # Did you read the comment? system.stateVersion = "21.11"; # Did you read the comment?
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
services.fwupd.enable = true;
boot = { boot = {
kernelParams = [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
];
kernel.sysctl= {
"net.ipv4.ip_forward" = 1;
"fs.protected_regular" = 0;
};
initrd = { initrd = {
availableKernelModules = [ "igc" "r8169" ]; availableKernelModules = [ "igc" "r8169" ];
network = { network = {
@ -61,22 +53,33 @@ in {
ssh = { ssh = {
enable = true; enable = true;
port = 22; port = 22;
hostKeys = [ /boot/ssh_host_rsa_key ]; hostKeys = [ /secrets/ssh_host_rsa_key ];
authorizedKeys = pubkeys; authorizedKeys = pubkeys;
}; };
postCommands = '' # postCommands = ''
zpool import backedpool # zpool import backedpool -f
zpool import zpool # zpool import zpool -f
mkdir /mnt-root # echo "zfs load-key -ar; killall zfs" >> /root/.profile
echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile # '';
'';
}; };
}; };
};
services.fwupd.enable = true;
boot = {
kernelParams = [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
"zfs_arc_max=1073741824"
"memmap=32M$0x4ca6f9478"
];
kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = { loader = {
systemd-boot ={ systemd-boot = {
enable = true; enable = true;
memtest86.enable = true; memtest86.enable = true;
}; };
@ -146,7 +149,10 @@ in {
openssh = { openssh = {
enable = true; enable = true;
passwordAuthentication = false; passwordAuthentication = false;
challengeResponseAuthentication = false; kbdInteractiveAuthentication = false;
extraConfig = ''
MaxAuthTries 15
'';
}; };
smartd.enable = true; smartd.enable = true;
}; };
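Review bot: `hostKeys = [ /secrets/ssh_host_rsa_key ];` uses an unquoted Nix path literal, which (if I read the initrd SSH module correctly) is copied into the world-readable Nix store at evaluation time instead of being injected as an initrd secret; writing it as a string, `hostKeys = [ "/secrets/ssh_host_rsa_key" ];`, avoids that, and the key should be one used only for the initrd. `MaxAuthTries 15` raises the per-connection attempt budget well above the sshd default of 6; with password and keyboard-interactive authentication off it mainly matters for clients that offer many keys, so a comment giving the reason would help. The page prints old and new text side by side, so this assumes the second value on each line is the new one.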


@ -1,10 +1,16 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";
in
{ {
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
servers = [ "127.0.0.1#5300" ]; # adguard port
servers = [ "127.0.0.1#${adguard_dns_port}" ];
extraConfig = '' extraConfig = ''
localise-queries localise-queries
min-cache-ttl=120 min-cache-ttl=120
@ -14,13 +20,13 @@
adguardhome = { adguardhome = {
enable = true; enable = true;
port = 3031; port = adguard_webui_port;
}; };
dnscrypt-proxy2 = { dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = [ "127.0.0.1:5353" ]; listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ];
ipv4_servers = true; ipv4_servers = true;
ipv6_servers = false; ipv6_servers = false;
block_ipv6 = true; block_ipv6 = true;
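Review bot: The three new port bindings mix types: `adguard_webui_port = 3031` is an integer while `adguard_dns_port = "5300"` and `dnscrypt_listen_port = "5353"` are strings. Keeping all three as integers and interpolating with `toString`, as the firewall file does for its port lists, would avoid a type error if one of them is later passed to an option that expects a port number.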


@ -0,0 +1,10 @@
{
# virtualisation.docker = {
# enable = true;
# extraOptions = ''
# --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
# '';
# enableOnBoot = false;
# };
users.users.giulio.extraGroups = [ "docker" ];
}
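Review bot: `users.users.giulio.extraGroups = [ "docker" ];` grants access to the Docker socket, which is equivalent to root on the host, and it is the only live line in the file because the whole `virtualisation.docker` block is commented out. If the daemon is meant to stay disabled, drop the group membership as well; if it is meant to run, enable the block and consider `virtualisation.docker.rootless` or keeping the account out of the group. A one-line comment stating which state is intended would stop the two from drifting apart.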


@ -3,28 +3,48 @@
with import ./network.nix; with import ./network.nix;
let let
# TCP services
ssh_tcp = 22;
http_tcp = 80;
https_tcp = 443;
synapse_tcp = 8448;
gitea_tcp = 10022;
prosody_tcp = 5222;
minecraft_tcp = 25565;
# UDP services
dns_udp = 53;
wireguard_udp = 1194;
# TCP/UDP services
torrent_a = 51413;
torrent_b = 51414;
# grouping
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
22 # ssh ssh_tcp
80 # http http_tcp
443 # https https_tcp
8448 # matrix synapse_tcp
10022 # gitea gitea_tcp
18080 # monero torrent_a
51413 # transmission torrent_b
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard wireguard_udp
51413 # transmission torrent_a
torrent_b
]; ];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
22 ssh_tcp
80 http_tcp
443 https_tcp
32400 # plex prosody_tcp
minecraft_tcp
]; ];
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
53 # dns dns_udp
1194 # vpn wireguard_udp
]; ];
in { in {
@ -64,6 +84,7 @@ in {
oifname ${wan-if} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} masquerade }} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
} }
} }
@ -78,6 +99,7 @@ in {
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -139,7 +161,7 @@ in {
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop jump filter_drop
} }
@ -165,6 +187,8 @@ in {
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} accept }} accept
oifname ${wan-if} ip saddr ${docker-net} accept
jump filter_drop jump filter_drop
} }
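Review bot: The new forward rule `oifname ${wan-if} ip saddr ${docker-net} accept` matches on source address only; adding `iifname ${docker-if}` would make it hold on its own instead of depending on the interface/address binding rules in the earlier chain. `iifname ${docker-if} udp dport 53 accept` lets containers reach the resolver over UDP only, so answers that are retried over TCP will be dropped, and `tcp dport 53` is probably wanted too. The port refactor puts both torrent ports into the WAN TCP and UDP lists while `prosody_tcp` and `minecraft_tcp` are VPN-only; a comment on each list naming the interface it applies to would make that intent reviewable. The chains these rules belong to start and end outside the hunks.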


@ -6,22 +6,22 @@
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "zpool/nixos/root"; device = "/dev/disk/by-uuid/28ce6650-de21-4c1d-ae42-95d1e3507740";
fsType = "zfs"; fsType = "ext4";
}; };
fileSystems."/home" = { fileSystems."/boot" = {
device = "zpool/data/home"; device = "/dev/disk/by-uuid/B790-869D";
fsType = "zfs"; fsType = "vfat";
}; };
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
fileSystems."/media" = { fileSystems."/media" = {
device = "datapool/media"; device = "datapool/media";
fsType = "zfs"; fsType = "zfs";
@ -32,19 +32,26 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib" = { fileSystems."/services" = {
device = "backedpool/services"; device = "backedpool/services";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AF19-5616";
fsType = "vfat";
};
swapDevices = [{ swapDevices = [{
device = "/dev/sdc1"; device = "/swapfile";
size = 10000; size = 1024 * 64;
}]; }];
boot = {
initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/bdd5f111-ecec-48d8-861f-94083098c724";
preLVM = true;
allowDiscards = true;
fallbackToPassword = true;
};
};
initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ "dm-snapshot" ];
};
} }
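Review bot: `allowDiscards = true` on the LUKS root passes TRIM through the encrypted layer, which reveals which blocks are in use to anyone who can image the disk; that is a common trade-off on NVMe, but it deserves a comment recording the decision. `fallbackToPassword = true` only has an effect when a key file is configured, and none is visible in this block, so either drop it or add the key file setting it is meant to back up. The `/swapfile` device sits on the encrypted root, so swap contents remain encrypted at rest.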


@ -0,0 +1,50 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "zpool/nixos/root";
fsType = "zfs";
};
fileSystems."/home" = {
device = "zpool/data/home";
fsType = "zfs";
};
fileSystems."/media" = {
device = "datapool/media";
fsType = "zfs";
};
fileSystems."/secrets" = {
device = "backedpool/secrets";
fsType = "zfs";
};
fileSystems."/var/lib" = {
device = "backedpool/services";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AF19-5616";
fsType = "vfat";
};
# swapDevices = [{
# device = "/dev/sdc1";
# size = 10000;
# }];
}


@ -0,0 +1,66 @@
{ lib, config, pkgs, ... }:
let
domain = "home.giugl.io";
network = import ./network.nix;
host = "127.0.0.1";
port = 8123;
in {
services = {
mosquitto = {
enable = true;
listeners = [{
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
}];
};
home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"met"
"radio_browser"
];
config = {
default_config = { };
http = {
server_port = port;
server_host = host;
trusted_proxies = [ host ];
use_x_forwarded_for = true;
};
homeassistant = {
name = "Manduria";
latitude = 40.4;
longitude = 17.63;
unit_system = "metric";
time_zone = "Europe/Rome";
external_url = "http://${domain}";
};
};
};
nginx.virtualHosts.${domain} = {
# forceSSL = true;
# enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}
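Review bot: The mosquitto listener is configured with `omitPasswordAuth = true`, `settings.allow_anonymous = true` and `acl = [ "pattern readwrite #" ]`, with no `address`, so any host that can reach the MQTT port may publish and subscribe on every topic. Binding it with `address = "127.0.0.1";` (or the LAN address) and defining a user with a `passwordFile` would close that; at minimum, confirm the firewall's open-port lists never include the MQTT port. The nginx vhost has `forceSSL` and `enableACME` commented out and `external_url` is `http://`, so Home Assistant logins are not protected by TLS at the HTTP layer.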


@ -1,8 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
let let
network = import ./network.nix; network = import ./network.nix;
domain = "jellyfin.giugl.io"; domain = "media.giugl.io";
in { in {
disabledModules = [ "services/misc/jellyfin.nix" ]; disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ]; imports = [ ./modules/jellyfin.nix ];
@ -15,15 +15,32 @@ in {
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
# forceSSL = true; forceSSL = true;
# enableACME = true; enableACME = true;
extraConfig = ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
locations."/" = { locations."/" = {
proxyPass = "http://localhost:8096"; proxyPass = "http://localhost:8096";
extraConfig = '' # extraConfig = ''
allow 10.0.0.0/24; # allow 10.0.0.0/24;
allow 10.3.0.0/24; # allow 10.3.0.0/24;
deny all; # deny all;
''; # '';
};
locations."/socket" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true;
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
}; };
}; };
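Review bot: With the `allow 10.0.0.0/24; allow 10.3.0.0/24; deny all;` blocks commented out in both `locations."/"` and `locations."/socket"`, Jellyfin's own login is the only control on a public host, and the Content-Security-Policy `add_header` line arrives already commented out. Delete the dead allow/deny blocks instead of keeping them as comments (the history records them), and either enable the CSP header or remove it. Since `./fail2ban.nix` is imported for this host, a jail for failed Jellyfin logins would be the natural companion to public exposure; whether one exists is not visible here.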


@ -4,81 +4,52 @@ let
domain = "matrix.giugl.io"; domain = "matrix.giugl.io";
webui_domain = "chat.giugl.io"; webui_domain = "chat.giugl.io";
network = import ./network.nix; network = import ./network.nix;
db_name = "matrix-synapse";
in { in {
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
server_name = "${domain}"; settings = {
database_name = "synapse"; server_name = "${domain}";
public_baseurl = "https://${domain}"; database_name = db_name;
registration_shared_secret = "runas!"; public_baseurl = "https://${domain}";
url_preview_enabled = true; registration_shared_secret = "runas!";
dynamic_thumbnails = true; url_preview_enabled = true;
withJemalloc = true; dynamic_thumbnails = true;
# enable_registration = true; withJemalloc = true;
app_service_config_files = [ # enable_registration = true;
"/var/lib/matrix-synapse/discord-registration.yaml" app_service_config_files = [
# "/var/lib/matrix-synapse/hookshot-registration.yml" "/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/telegram-registration.yaml" # "/var/lib/matrix-synapse/hookshot-registration.yml"
]; # "/var/lib/matrix-synapse/telegram-registration.yaml"
extraConfig = '' ];
auto_join_rooms: listeners = [{
- "#general:matrix.giugl.io" port = 8008;
max_upload_size: "50M" bind_addresses = [ "::1" ];
''; type = "http";
listeners = [{ tls = false;
port = 8008; x_forwarded = true;
bind_address = "::1"; resources = [{
type = "http"; names = [ "client" "federation" ];
tls = false; compress = false;
x_forwarded = true; }];
resources = [{
names = [ "client" "federation" ];
compress = false;
}]; }];
}]; };
turn_uris = [
"turns:turn.giugl.io:5349?transport=udp"
"turns:turn.giugl.io:5349?transport=tcp"
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
logConfig = ''
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it #extraConfig = ''
# from the message text. # auto_join_rooms:
formatters: # - "#general:matrix.giugl.io"
journal_fmt: # max_upload_size: "50M"
format: '%(name)s: [%(request)s] %(message)s' #'';
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARN
handlers: [journal]
disable_existing_loggers: False
'';
}; };
postgresql = { postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_11; package = pkgs.postgresql;
ensureDatabases = [ "synapse" ]; ensureDatabases = [ db_name ];
ensureUsers = [{ ensureUsers = [{
name = "matrix-synapse"; name = db_name;
ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; }; ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
}]; }];
}; };
@ -148,61 +119,8 @@ in {
}; };
}; };
}; };
# telegram bridge
# mautrix-telegram = {
# enable = true;
# environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
# settings = {
# homeserver = {
# address = "https://${domain}";
# domain = "${domain}";
# };
# appservice = {
# provisioning.enabled = false;
# id = "telegram";
# };
# bridge = {
# permissions = {
# "@pepe:${domain}" = "admin";
# "${domain}" = "puppeting";
# };
# # Animated stickers conversion requires additional packages in the
# # service's path.
# # If this isn't a fresh installation, clearing the bridge's uploaded
# # file cache might be necessary (make a database backup first!):
# # delete from telegram_file where \
# # mime_type in ('application/gzip', 'application/octet-stream')
# animated_sticker = {
# target = "gif";
# args = {
# width = 256;
# height = 256;
# fps = 30; # only for webm
# background = "020202"; # only for gif, transparency not supported
# };
# };
# encryption = {
# allow = true;
# default = true;
# };
# };
# };
# };
}; };
# systemd.services.mautrix-telegram.path = with pkgs; [
# lottieconverter # for animated stickers conversion, unfree package
# ffmpeg # if converting animated stickers to webm (very slow!)
# ];
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${webui_domain} ${network.architect-lan} ${domain} ${webui_domain}
${network.architect-wg} ${domain} ${webui_domain} ${network.architect-wg} ${domain} ${webui_domain}
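Review bot: `registration_shared_secret = "runas!";` is carried into the new `settings` block as a literal, so it sits in the repository and in the generated configuration in the world-readable Nix store, and that secret authorises account registration on the homeserver regardless of `enable_registration`. Move it to a file under `/secrets` loaded through `services.matrix-synapse.extraConfigFiles`, and treat the current value as exposed and rotate it. `withJemalloc` and `database_name` look like module options, not homeserver.yaml keys, so placing them inside `settings` may have no effect; worth checking against the 22.05 module.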


@ -50,12 +50,10 @@ in {
serviceConfig = rec { serviceConfig = rec {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
# # Allows access to drm devices for transcoding with hardware acceleration StateDirectory = "/jellyfin";
# SupplementaryGroups = [ "video" ]; CacheDirectory = "/jellyfin/cache";
StateDirectory = "jellyfin";
CacheDirectory = "jellyfin";
ExecStart = ExecStart =
"${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; "${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'";
Restart = "on-failure"; Restart = "on-failure";
# Security options: # Security options:
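Review bot: `StateDirectory = "/jellyfin"` and `CacheDirectory = "/jellyfin/cache"` are absolute paths, but systemd expects these directives to be names relative to `/var/lib` and `/var/cache`, so the directories are unlikely to be created or chowned for `cfg.user`. Because `ExecStart` now hard-codes `--datadir '/jellyfin'`, the service depends on that directory existing with the right owner by other means, and any `ProtectSystem`-style hardening under `# Security options:` (outside this hunk) would need an explicit `ReadWritePaths = [ "/jellyfin" ];`. The `rec` on `serviceConfig` is no longer needed once ExecStart stops referencing the two attributes.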


@ -3,13 +3,15 @@
let let
domain = "music.giugl.io"; domain = "music.giugl.io";
network = import ./network.nix; network = import ./network.nix;
library_path = "/media/Music";
beets_config = "/media/beets.conf";
in { in {
services = { services = {
navidrome = { navidrome = {
enable = true; enable = true;
settings = { settings = {
MusicFolder = "/media/Music"; MusicFolder = library_path;
LastFM.enable = true; LastFM.enable = true;
LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20";
LastFM.Secret = "d1296896126f4caae47407aecf080b25"; LastFM.Secret = "d1296896126f4caae47407aecf080b25";
@ -34,14 +36,51 @@ in {
}; };
}; };
systemd.services."beets-rename" = { systemd.services = {
enable = true; "beets-update" = {
serviceConfig = { enable = true;
Type = "oneshot"; # requires = [ "remove-badmp3.service" "remove-badflac.service" ];
ExecStart = before = [ "beets-import.service" ];
"${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;"; serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update";
};
};
"beets-import" = {
enable = true;
path = [ pkgs.imagemagick ];
requires = [ "beets-update.service" ];
after = [ "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart =
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
};
startAt = "daily";
};
"remove-badmp3" = {
enable = true;
before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \;
'';
};
};
"remove-badflac" = {
enable = true;
before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \;
'';
};
}; };
startAt = "daily";
}; };
networking.extraHosts = '' networking.extraHosts = ''
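Review bot: Both cleanup units splice the file name into the shell text (`sh -c '… mp3val "{}" …'`), so a name under `${library_path}` that contains a double quote, a backtick or `$(` is parsed as shell by a unit that goes on to run `rm`. Pass the name as an argument instead, `-exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "$1" | grep -qi error && ${pkgs.busybox}/bin/rm -- "$1"' sh {} \;`, with the same shape for the flac unit (check whether systemd needs `$$1` to leave the dollar sign alone). Neither unit sets `User`, so they appear to run as root over a directory that receives downloaded files. `LastFM.ApiKey` and `LastFM.Secret` in the unchanged context are literals in the repository and belong in a secrets file.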


@ -3,12 +3,14 @@ rec {
wan-if = "enp5s0"; wan-if = "enp5s0";
vpn-if = "wg0"; vpn-if = "wg0";
proxy-if = "proxy"; proxy-if = "proxy";
docker-if = "docker0";
# nets # nets
lan-net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24"; proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
# ips # ips
dvr-lan = "10.0.0.2"; dvr-lan = "10.0.0.2";
@ -47,19 +49,19 @@ rec {
parina-wg = "10.3.0.31"; parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32"; nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33"; parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34";
eleonora-wg = "10.3.0.100"; eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200"; angellane-wg = "10.3.0.203";
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
wolfsonhouse-wg = "10.3.0.203";
# groups # groups
gdevices-wg = gdevices-wg =
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ]; [ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] ++ gdevices-wg towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
++ routers-wg; ++ gdevices-wg ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
galuminum-wg galuminum-wg
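Review bot: `gdevices-wg` now ends in `++ routers-wg`, which adds the three router peers to every consumer of that group (`c2c-wg`, `towan-wg`, and the `allow` list the Home Assistant vhost builds from `network.gdevices-wg`) while `ipad-wg` and `padulino-wg` drop out. If the routers only need WAN egress they are already in `towan-wg` directly, where they now appear twice. `angellane-wg` also takes over 10.3.0.203 from the removed `wolfsonhouse-wg`, so the peer entry and any per-address rule for the old value need to change in the same deploy. The group definitions continue outside the hunk.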


@ -8,13 +8,13 @@ in {
mysql.enable = true; mysql.enable = true;
mysql.package = pkgs.unstable.mysql80; mysql.package = pkgs.unstable.mysql80;
redis.enable = true; redis.servers."default".enable = true;
nextcloud = { nextcloud = {
enable = true; enable = true;
hostName = "${domain}"; hostName = "${domain}";
https = true; https = true;
package = pkgs.unstable.nextcloud23; package = pkgs.unstable.nextcloud24;
caching.redis = true; caching.redis = true;


@ -8,29 +8,26 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
# virtualHosts."giugl.io" = { virtualHosts."architect.devs.giugl.io" = {
# default = true; default = true;
# enableACME = true; enableACME = true;
# addSSL = true; addSSL = true;
# root = "/var/lib/nginx/error_pages"; root = "/var/lib/nginx/error_pages";
# extraConfig = "error_page 404 /index.htm;"; extraConfig = "error_page 404 /index.htm;";
#
# locations = {
# "/" = {
# return = "404";
# };
#
# "/index.htm" = {
# };
#
# "/style.css" = {
# };
#
# "/wat.jpg" = {
# };
# };
# };
};
locations = {
"/" = { return = "404"; };
"/index.htm" = { };
"/style.css" = { };
"/wat.jpg" = { };
};
};
appendConfig = ''
worker_processes 24;
'';
};
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
} }
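Review bot: `enableACME = true` on `architect.devs.giugl.io` needs that name to be reachable for the ACME challenge, yet the other `*.devs.giugl.io` names in this tree are mapped to WireGuard addresses through `extraHosts`; if the name has no public record the certificate request will fail for the default vhost. `addSSL` serves the error page over both HTTP and HTTPS, which suits a catch-all, but a comment saying so would stop it being changed to `forceSSL` later. `worker_processes 24;` hard-codes a core count, whereas `worker_processes auto;` follows the hardware.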


@ -35,7 +35,10 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
''; '';
users.groups.acme.members = [ "prosody" ]; users.groups = {
acme.members = [ "prosody" ];
nginx.members = [ "prosody" ];
};
} }
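Review bot: `nginx.members = [ "prosody" ];` gives the XMPP daemon read access to everything that is group-readable by nginx, and the reason is not stated anywhere in the hunk. If the goal is reading a certificate that ACME issues to the nginx group, setting the group on that certificate (`security.acme.certs.<name>.group`) or using a dedicated shared group keeps the two services separated. A comment next to `nginx.members` should record why the membership is needed.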


@ -28,25 +28,25 @@ with import ./network.nix; {
${mikey-wg} mikey.devs.giugl.io ${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io ${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io ${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io ${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io ${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io ${parina-wg} parina.devs.giugl.io
${parina-ipad-wg} parinaipad.devs.giugl.io ${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io ${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
''; '';
wireguard = { wireguard = {
interfaces.${proxy-if} = { # interfaces.${proxy-if} = {
ips = [ "10.4.0.2/32" ]; # ips = [ "10.4.0.2/32" ];
privateKeyFile = "/secrets/wireguard/proxy.key"; # privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [{ # peers = [{
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; # publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
allowedIPs = [ "10.4.0.1/32" ]; # allowedIPs = [ "10.4.0.1/32" ];
endpoint = "giugl.io:1195"; # endpoint = "giugl.io:1195";
persistentKeepalive = 21; # persistentKeepalive = 21;
}]; # }];
}; # };
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
listenPort = 1194; listenPort = 1194;
@ -120,12 +120,6 @@ with import ./network.nix; {
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
} }
{
# angellane
allowedIPs = [ angellane-wg ];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
}
{ {
# hotpottino # hotpottino
allowedIPs = [ hotpottino-wg ]; allowedIPs = [ hotpottino-wg ];
@ -199,8 +193,8 @@ with import ./network.nix; {
} }
{ {
# wolfsonhouse # angel-lane
allowedIPs = [ wolfsonhouse-wg ]; allowedIPs = [ angellane-wg ];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
} }
@ -263,6 +257,12 @@ with import ./network.nix; {
allowedIPs = [ parina-ipad-wg ]; allowedIPs = [ parina-ipad-wg ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
} }
{
# kcl vm
allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
]; ];
}; };
}; };
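Review bot: In the `@ -199,8 +193,8` hunk the peer whose `publicKey` begins `UJRJcAOc` keeps its key but moves from `wolfsonhouse-wg` to `angellane-wg`, while the peer that previously held `angellane-wg` under a different key is deleted in the `@ -120,12 +120,6` hunk. WireGuard authorises by key, so whichever device holds the former wolfsonhouse key now receives the angellane address and any address-based rules attached to it. If this is the same device renamed, a comment such as `# angel-lane (formerly wolfsonhouse, same key)` would make that explicit; if the device changed, the peer should get a fresh key pair. Separately, the `proxy-if` interface in the first hunk is commented out rather than removed, which leaves an endpoint and a peer key in the file as dead configuration.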


@ -1,44 +1,44 @@
{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, ... }: { pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, ... }:
{ {
mkHost = { name, users, roles ? [], imports ? [] }: mkHost = { name, users, roles ? [ ], imports ? [ ] }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
mkRole = role : import (../roles + "/${role}.nix"); mkRole = role: import (../roles + "/${role}.nix");
users_mod= (map (u: user.mkUser {name = u.user; roles = u.roles; }) users); users_mod = (map (u:
roles_mod = (map (r: mkRole r) roles); user.mkUser {
add_imports = imports; name = u.user;
in nixpkgs.lib.nixosSystem { roles = u.roles;
inherit system; }) users);
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in nixpkgs.lib.nixosSystem {
inherit system;
modules = [ modules = [
{ {
imports = users_mod ++ roles_mod ++ add_imports; imports = users_mod ++ roles_mod ++ add_imports;
nixpkgs = { nixpkgs = { inherit pkgs; };
pkgs = pkgs;
};
nix.nixPath = [ nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" ];
"nixpkgs=${nixpkgs}" nix.registry.nixpkgs.flake = nixpkgs;
"unstable=${nixos-unstable}" nix.registry.unstable.flake = nixos-unstable;
];
nix.registry.nixpkgs.flake = nixpkgs;
nix.registry.unstable.flake = nixos-unstable;
users.users.root = { users.users.root = { shell = pkgs.zsh; };
shell = pkgs.zsh;
};
home-manager.users.root.imports = [ ../roles/home/common.nix ]; home-manager = {
home-manager.extraSpecialArgs.unstable = unstable; users.root.imports = [ ../roles/home/common.nix ];
} extraSpecialArgs.unstable = unstable;
useGlobalPkgs = true;
};
}
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
../roles/common.nix ../roles/common.nix
../roles/acme.nix ../roles/acme.nix
../hosts/${name}/default.nix ../hosts/${name}/default.nix
]; ];
}; };
} }


@ -1,4 +1,8 @@
{ ... }: { {
security.acme.acceptTerms = true; security.acme = {
security.acme.email = "sysadmin@giugl.io"; acceptTerms = true;
defaults = {
email = "sysadmin@giugl.io";
};
};
} }


@ -1,21 +1,22 @@
{ config, pkgs, unstable, ... }: { config, pkgs, ... }:
{ {
imports = [ ./zsh.nix ./git.nix ]; imports = [ ./zsh.nix ./git.nix ];
home = { home = {
stateVersion = "21.05"; stateVersion = "21.05";
sessionVariables = { sessionVariables = {
EDITOR = "nvim"; EDITOR = "nvim";
VISUAL = "nvim"; VISUAL = "nvim";
}; };
packages = with pkgs; [ rizin sshfs nixfmt victor-mono ]; packages = with pkgs; [ rizin sshfs nixfmt victor-mono ];
}; };
programs.neovim = { programs.neovim = {
enable = true; enable = true;
package = unstable.neovim-unwrapped; viAlias = true;
vimAlias = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
nodePackages.prettier nodePackages.prettier
nodePackages.pyright nodePackages.pyright
@ -25,6 +26,26 @@
clang-tools clang-tools
rustfmt rustfmt
]; ];
plugins = with pkgs.vimPlugins; [
vim-nix
molokai
vim-airline
vim-airline-themes
vim-lsp
vim-indent-guides
vim-signify
vim-fugitive
vimtex
neoformat
nvim-lspconfig
vim-vsnip
nvim-cmp
cmp-nvim-lsp
(nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars))
nvim-treesitter-textobjects
pkgs.vimExtraPlugins.leap-nvim
];
extraConfig = '' extraConfig = ''
" syntax " syntax
syntax enable syntax enable
@ -37,38 +58,16 @@
set wildmode=longest:full,full set wildmode=longest:full,full
" remapping popup menu (command autocompletion) " remapping popup menu (command autocompletion)
" cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up> cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up>
" cnoremap <expr> <down> pumvisible() ? "<C-n>" : "<down>" cnoremap <expr> <down> pumvisible() ? "<C-n>" : "<down>"
" cnoremap <expr> <CR> pumvisible() ? "<C-e>":"<CR>" cnoremap <expr> <CR> pumvisible() ? "<C-e>":"<CR>"
" set line numbers " set line numbers
set number set number
" enable indent guides " enable indent guides
let g:indent_guides_enable_on_vim_startup = 1 let g:indent_guides_enable_on_vim_startup = 1
" Exit Vim if NERDTree is the only window left.
autocmd BufEnter * if tabpagenr('$') == 1 && winnr('$') == 1 && exists('b:NERDTree') && b:NERDTree.isTabTree() |
\ quit | endif
" Start NERDTree. If a file is specified, move the cursor to its window.
autocmd StdinReadPre * let s:std_in=1
autocmd VimEnter * NERDTree | if argc() > 0 || exists("s:std_in") | wincmd p | endif
" Start NERDTree when Vim starts with a directory argument.
autocmd StdinReadPre * let s:std_in=1
autocmd VimEnter * if argc() == 1 && isdirectory(argv()[0]) && !exists('s:std_in') |
\ execute 'NERDTree' argv()[0] | wincmd p | enew | execute 'cd '.argv()[0] | endif
" Exit Vim if NERDTree is the only window left.
autocmd BufEnter * if tabpagenr('$') == 1 && winnr('$') == 1 && exists('b:NERDTree') && b:NERDTree.isTabTree() |
\ quit | endif
" Start interactive EasyAlign in visual mode (e.g. vipga)
xmap ga <Plug>(EasyAlign)
" Start interactive EasyAlign for a motion/text object (e.g. gaip)
nmap ga <Plug>(EasyAlign)
" Highlight row and column " Highlight row and column
set cul set cul
set cuc set cuc
@ -87,123 +86,105 @@
let g:neoformat_basic_format_trim = 1 let g:neoformat_basic_format_trim = 1
lua << EOF lua << EOF
------------------
-- Setup nvim-cmp.
------------------
-- Set completeopt to have a better completion experience -- Setup leap-nvim keymappings
vim.o.completeopt = 'menuone,noselect' require('leap').add_default_mappings()
local cmp = require'cmp' ------------------
-- Setup nvim-cmp.
------------------
cmp.setup({ -- Set completeopt to have a better completion experience
snippet = { vim.o.completeopt = 'menuone,noselect'
-- REQUIRED - you must specify a snippet engine
expand = function(args) local cmp = require'cmp'
vim.fn["vsnip#anonymous"](args.body) -- For `vsnip` users.
end, cmp.setup({
}, snippet = {
mapping = { -- REQUIRED - you must specify a snippet engine
['<C-b>'] = cmp.mapping(cmp.mapping.scroll_docs(-4), { 'i', 'c' }), expand = function(args)
['<C-f>'] = cmp.mapping(cmp.mapping.scroll_docs(4), { 'i', 'c' }), vim.fn["vsnip#anonymous"](args.body) -- For `vsnip` users.
['<C-Space>'] = cmp.mapping(cmp.mapping.complete(), { 'i', 'c' }), end,
['<C-y>'] = cmp.config.disable, -- Specify `cmp.config.disable` if you want to remove the default `<C-y>` mapping. },
['<C-e>'] = cmp.mapping({ mapping = {
i = cmp.mapping.abort(), ['<C-b>'] = cmp.mapping(cmp.mapping.scroll_docs(-4), { 'i', 'c' }),
c = cmp.mapping.close(), ['<C-f>'] = cmp.mapping(cmp.mapping.scroll_docs(4), { 'i', 'c' }),
}), ['<C-Space>'] = cmp.mapping(cmp.mapping.complete(), { 'i', 'c' }),
['<CR>'] = cmp.mapping.confirm({ select = true }), -- Accept currently selected item. Set `select` to `false` to only confirm explicitly selected items. ['<C-y>'] = cmp.config.disable, -- Specify `cmp.config.disable` if you want to remove the default `<C-y>` mapping.
}, ['<C-e>'] = cmp.mapping({
sources = cmp.config.sources({ i = cmp.mapping.abort(),
{ name = 'nvim_lsp' }, c = cmp.mapping.close(),
{ name = 'vsnip' }, -- For vsnip users. }),
}, { ['<CR>'] = cmp.mapping.confirm({ select = true }), -- Accept currently selected item. Set `select` to `false` to only confirm explicitly selected items.
{ name = 'buffer' }, },
}) sources = cmp.config.sources({
{ name = 'nvim_lsp' },
{ name = 'vsnip' }, -- For vsnip users.
}, {
{ name = 'buffer' },
}) })
})
-- Use buffer source for `/` (if you enabled `native_menu`, this won't work anymore). -- Use buffer source for `/` (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline('/', { cmp.setup.cmdline('/', {
sources = { sources = {
{ name = 'buffer' } { name = 'buffer' }
} }
})
-- Use cmdline & path source for ':' (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline(':', {
sources = cmp.config.sources({
{ name = 'path' }
}, {
{ name = 'cmdline' }
}) })
})
-- Use cmdline & path source for ':' (if you enabled `native_menu`, this won't work anymore). -- Setup lspconfig.
cmp.setup.cmdline(':', { local capabilities = require('cmp_nvim_lsp').update_capabilities(vim.lsp.protocol.make_client_capabilities())
sources = cmp.config.sources({
{ name = 'path' }
}, {
{ name = 'cmdline' }
})
})
-- Setup lspconfig. --------------
local capabilities = require('cmp_nvim_lsp').update_capabilities(vim.lsp.protocol.make_client_capabilities()) -- LSP Servers
--------------
-------------- require'lspconfig'.pyright.setup{
-- LSP Servers capabilities = capabilities
-------------- }
require'lspconfig'.rust_analyzer.setup{
capabilities = capabilities
}
require'lspconfig'.rnix.setup{
capabilities = capabilities
}
require'lspconfig'.clangd.setup{
capabilities = capabilities,
cmd = {
"clangd",
"--background-index",
"--clang-tidy",
},
}
require'lspconfig'.pyright.setup{ -------------------
capabilities = capabilities -- TreeSitter setup
} -------------------
require'lspconfig'.rust_analyzer.setup{ require'nvim-treesitter.configs'.setup {
capabilities = capabilities highlight = {
} enable = true,
require'lspconfig'.rnix.setup{ custom_captures = {
capabilities = capabilities -- Highlight the @foo.bar capture group with the "Identifier" highlight group.
} ["foo.bar"] = "Identifier",
require'lspconfig'.clangd.setup{
capabilities = capabilities,
cmd = {
"clangd",
"--background-index",
"--clang-tidy",
}, },
} -- Setting this to true will run `:h syntax` and tree-sitter at the same time.
-- Set this to `true` if you depend on 'syntax' being enabled (like for indentation).
------------------- -- Using this option may slow down your editor, and you may see some duplicate highlights.
-- TreeSitter setup -- Instead of true it can also be a list of languages
------------------- additional_vim_regex_highlighting = false,
require'nvim-treesitter.configs'.setup { },
highlight = { }
enable = true,
custom_captures = {
-- Highlight the @foo.bar capture group with the "Identifier" highlight group.
["foo.bar"] = "Identifier",
},
-- Setting this to true will run `:h syntax` and tree-sitter at the same time.
-- Set this to `true` if you depend on 'syntax' being enabled (like for indentation).
-- Using this option may slow down your editor, and you may see some duplicate highlights.
-- Instead of true it can also be a list of languages
additional_vim_regex_highlighting = false,
},
}
EOF EOF
''; '';
viAlias = true;
vimAlias = true;
plugins = with unstable.vimPlugins; [
vim-nix
molokai
vim-airline
vim-airline-themes
vim-lsp
vim-indent-guides
vim-signify
nerdtree
vim-easy-align
vim-fugitive
vimtex
neoformat
nvim-lspconfig
vim-vsnip
nvim-cmp
cmp-nvim-lsp
(nvim-treesitter.withPlugins (_: unstable.tree-sitter.allGrammars))
nvim-treesitter-textobjects
];
}; };
} }
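Review bot: The `<up>` mapping that this change un-comments in `extraConfig` (hunk `@ -37,38 +58,16`) is missing its closing quote as rendered here: `cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up>`. While the line was commented out this was harmless, but as an active `<expr>` mapping the unterminated string should raise an error when the key is pressed on the command line. It should read `cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up>"`, matching the `<down>` line below it. Separately, `pkgs.vimExtraPlugins.leap-nvim` in the plugins list presumably only resolves when an overlay supplies `vimExtraPlugins`, which is not visible in this file; a short comment naming where it comes from would help.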