diff --git a/.sops.yaml b/.sops.yaml index 1ba9252..8e82441 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,20 +5,21 @@ keys: - &skydrive_lap age1ar5h06qv72pduau043r04kschwcq0x0lm33wqvxzdh9grmp3cq3sy0ngnz creation_rules: - - path_regex: system/dev/dn-server/secret.yaml + - path_regex: system/dev/dn-server/sops/secret.yaml key_groups: - age: - *dn_server - *dn_pre7780 - - path_regex: system/dev/dn-pre7780/secret.yaml + - path_regex: system/dev/dn-pre7780/sops/secret.yaml key_groups: - age: - *dn_pre7780 - - path_regex: system/dev/dn-lap/secret.yaml + - path_regex: system/dev/dn-lap/sops/secret.yaml key_groups: - age: + - *dn_server - *dn_lap - - path_regex: system/dev/skydrive-lap/secret.yaml + - path_regex: system/dev/skydrive-lap/sops/secret.yaml key_groups: - age: - *skydrive_lap diff --git a/flake.lock b/flake.lock index 8dd86f9..d866a7f 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1754887838, - "narHash": "sha256-npC+H+Wl60EdrV75sjqm+bbbLbKgCCGn4ALSM0B2OWA=", + "lastModified": 1759033501, + "narHash": "sha256-QhcOFLJYC9CiSVPkci62ghMEAJChzl+L98To1pKvnRQ=", "owner": "KZDKM", "repo": "Hyprspace", - "rev": "2b61fd2115262243b03aa9afe8dfd8a78e71636c", + "rev": "e54884da1d6a1af76af9d053887bf3750dd554fd", "type": "github" }, "original": { @@ -45,7 +45,9 @@ "actual-budget-server": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1759471829, @@ -81,11 +83,11 @@ ] }, "locked": { - "lastModified": 1753216019, - "narHash": "sha256-zik7WISrR1ks2l6T1MZqZHb/OqroHdJnSnAehkE0kCk=", + "lastModified": 1759499898, + "narHash": "sha256-UNzYHLWfkSzLHDep5Ckb5tXc0fdxwPIrT+MY4kpQttM=", "owner": "hyprwm", "repo": "aquamarine", - "rev": "be166e11d86ba4186db93e10c54a141058bdce49", + "rev": "655e067f96fd44b3f5685e17f566b0e4d535d798", "type": "github" }, "original": { 
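Review bot: The dn-lap rule gains `*dn_server` as an age recipient, so everything matching `system/dev/dn-lap/sops/secret.yaml` becomes decryptable by the dn-server host key as well as the laptop's; a server compromise would then expose the laptop's secrets, which is a wider blast radius than the other per-host rules in this file (only dn-server shares with dn_pre7780). If the cross-host access is intentional, record why on the rule, e.g. `# dn_server is a recipient on purpose: <reason> — confirm`, so the extra recipient is not mistaken for a copy-paste of the dn-server rule. Changing creation_rules does not re-encrypt existing files, so the relocated dn-lap secret file still needs `sops updatekeys system/dev/dn-lap/sops/secret.yaml` before dn-server can actually read it, and any stale copy left at the old `secret.yaml` path no longer matches a rule. The remaining hunks are flake.lock input bumps and need no review.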
@@ -101,16 +103,16 @@ "flake-parts": "flake-parts", "nix-github-actions": "nix-github-actions", "nixpkgs": [ - "nixpkgs" + "nixpkgs-stable" ], "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1757683818, - "narHash": "sha256-q7q0pWT+wu5AUU1Qlbwq8Mqb+AzHKhaMCVUq/HNZfo8=", + "lastModified": 1758711588, + "narHash": "sha256-0nZlCCDC5PfndsQJXXtcyrtrfW49I3KadGMDlutzaGU=", "owner": "zhaofengli", "repo": "attic", - "rev": "7c5d79ad62cda340cb8c80c99b921b7b7ffacf69", + "rev": "12cbeca141f46e1ade76728bce8adc447f2166c6", "type": "github" }, "original": { @@ -124,11 +126,11 @@ "fromYaml": "fromYaml" }, "locked": { - "lastModified": 1746562888, - "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", + "lastModified": 1755819240, + "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", "owner": "SenchoPens", "repo": "base16.nix", - "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", + "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", "type": "github" }, "original": { @@ -197,11 +199,11 @@ ] }, "locked": { - "lastModified": 1754708376, - "narHash": "sha256-RtOqlQ8i4EFCtPJYT6hX39EEO7sjGzSbO3tKIto/Yw4=", + "lastModified": 1759542305, + "narHash": "sha256-ODiAXnQWTSSc0j2fkJ0JQBdjQktfcBTX//legwStGns=", "owner": "caelestia-dots", "repo": "cli", - "rev": "9489f0d4f629bfd8751ff55784a9587d54eb40f1", + "rev": "ebbd636b7962fa7fe41d406dcd1088958715161e", "type": "github" }, "original": { @@ -219,11 +221,11 @@ "quickshell": "quickshell" }, "locked": { - "lastModified": 1755178159, - "narHash": "sha256-ZmsQ3ZRa6U/5Axw+foMJwZpmsVdjHhat8wnY85UKQ+g=", + "lastModified": 1759890778, + "narHash": "sha256-DzxhtmepaYmtDNI5LZUI6SroMn5XPV4wv8w83aVyeBo=", "owner": "caelestia-dots", "repo": "shell", - "rev": "fa39593ca497c27ca8631091a75d883e4e3c46f2", + "rev": "7e878fd3731993ef693a163d17f03bf5415639a5", "type": "github" }, "original": { 
@@ -237,15 +239,15 @@ "flake-schemas": "flake-schemas", "home-manager": "home-manager", "jovian": "jovian", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1755119384, - "narHash": "sha256-2wIRUehzcbn3Q3CaXHTfE5bj0fSG6c+RLEeXOmk1Mg4=", + "lastModified": 1760152188, + "narHash": "sha256-k9sqEYgJ2QH257T4p6MeKCHLYi2k9XH7Cjv8LPrtuvY=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "99bb796d77a42ad265f9cebaf489f4e3468f50b8", + "rev": "3f06ccee77dcae294d48cf7741dd3647fc3613a7", "type": "github" }, "original": { @@ -292,11 +294,11 @@ ] }, "locked": { - "lastModified": 1754971456, - "narHash": "sha256-p04ZnIBGzerSyiY2dNGmookCldhldWAu03y0s3P8CB0=", + "lastModified": 1758287904, + "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=", "owner": "nix-community", "repo": "disko", - "rev": "8246829f2e675a46919718f9a64b71afe3bfb22d", + "rev": "67ff9807dd148e704baadbd4fd783b54282ca627", "type": "github" }, "original": { @@ -314,11 +316,11 @@ ] }, "locked": { - "lastModified": 1755083788, - "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=", + "lastModified": 1760181346, + "narHash": "sha256-g9NdxhEDLqFS/OPjlH0wAl7ylb8NzAAMmELeiXrQtA0=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "523078b104590da5850a61dfe291650a6b49809c", + "rev": "ff7a2437e8f455a24f7cccaef742edcd08acd10b", "type": "github" }, "original": { @@ -330,11 +332,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1748383148, - "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", + "lastModified": 1758112371, + "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", + "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", "type": "github" }, "original": { 
@@ -552,11 +554,11 @@ ] }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1759362264, + "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "type": "github" }, "original": { @@ -566,27 +568,6 @@ } }, "flake-parts_4": { - "inputs": { - "nixpkgs-lib": [ - "neovim-nightly-overlay", - "hercules-ci-effects", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751413152, - "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, - "flake-parts_5": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, @@ -604,13 +585,34 @@ "type": "github" } }, - "flake-parts_6": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "nvf", "nixpkgs" ] }, + "locked": { + "lastModified": 1759362264, + "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_6": { + "inputs": { + "nixpkgs-lib": [ + "stylix", + "nixpkgs" + ] + }, "locked": { "lastModified": 1756770412, "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", 
@@ -625,27 +627,6 @@ "type": "github" } }, - "flake-parts_7": { - "inputs": { - "nixpkgs-lib": [ - "stylix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751413152, - "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-root": { "locked": { "lastModified": 1723604017, @@ -785,7 +766,25 @@ }, "flake-utils_7": { "inputs": { - "systems": "systems_13" + "systems": "systems_11" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { + "inputs": { + "systems": "systems_14" }, "locked": { "lastModified": 1731533236, @@ -828,11 +827,11 @@ "zon2nix": "zon2nix" }, "locked": { - "lastModified": 1756057928, - "narHash": "sha256-JHP75eqmFxMWkdiR97qgwsP17kUS7jownP/NMDfIH1Y=", + "lastModified": 1760128918, + "narHash": "sha256-2BAJkbGXebSCxbe4KHdtpH4optMmptw7Ibw1Bs23TPc=", "owner": "ghostty-org", "repo": "ghostty", - "rev": "400576f0b0dcb7743c9a11cc07ba831cc29f057a", + "rev": "c5ad7563f92656ec02bd08856b46431f2e222e69", "type": "github" }, "original": { @@ -851,11 +850,11 @@ ] }, "locked": { - "lastModified": 1754416808, - "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=", + "lastModified": 1759523803, + "narHash": "sha256-PTod9NG+i3XbbnBKMl/e5uHDBYpwIWivQ3gOWSEuIEM=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864", + "rev": "cfc9f7bb163ad8542029d303e599c0f7eee09835", "type": "github" }, "original": { 
@@ -949,18 +948,21 @@ }, "hercules-ci-effects": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": [ + "neovim-nightly-overlay", + "flake-parts" + ], "nixpkgs": [ "neovim-nightly-overlay", "nixpkgs" ] }, "locked": { - "lastModified": 1752595130, - "narHash": "sha256-CNBgr4OZSuklGtNOa9CnTNo9+Xceqn/EDAC1Tc43fH8=", + "lastModified": 1758022363, + "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=", "owner": "hercules-ci", "repo": "hercules-ci-effects", - "rev": "5f2e09654b2e70ba643e41609d9f9b6640f22113", + "rev": "1a3667d33e247ad35ca250698d63f49a5453d824", "type": "github" }, "original": { @@ -977,11 +979,11 @@ ] }, "locked": { - "lastModified": 1754886238, - "narHash": "sha256-LTQomWOwG70lZR+78ZYSZ9sYELWNq3HJ7/tdHzfif/s=", + "lastModified": 1760061988, + "narHash": "sha256-CeuMo7fjWm3XaoK+b1PGyaVIlE1GHudoxk9jrJFvfbY=", "owner": "nix-community", "repo": "home-manager", - "rev": "0d492b89d1993579e63b9dbdaed17fd7824834da", + "rev": "c7f4214faca2f196c551b767c12a70bfa0614510", "type": "github" }, "original": { @@ -997,11 +999,11 @@ ] }, "locked": { - "lastModified": 1755121891, - "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=", + "lastModified": 1760130406, + "narHash": "sha256-GKMwBaFRw/C1p1VtjDz4DyhyzjKUWyi1K50bh8lgA2E=", "owner": "nix-community", "repo": "home-manager", - "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426", + "rev": "d305eece827a3fe317a2d70138f53feccaf890a1", "type": "github" }, "original": { @@ -1055,11 +1057,11 @@ ] }, "locked": { - "lastModified": 1754305013, - "narHash": "sha256-u+M2f0Xf1lVHzIPQ7DsNCDkM1NYxykOSsRr4t3TbSM4=", + "lastModified": 1759490292, + "narHash": "sha256-T6iWzDOXp8Wv0KQOCTHpBcmAOdHJ6zc/l9xaztW6Ivc=", "owner": "hyprwm", "repo": "hyprgraphics", - "rev": "4c1d63a0f22135db123fc789f174b89544c6ec2d", + "rev": "9431db625cd9bb66ac55525479dce694101d6d7a", "type": "github" }, "original": { 
@@ -1084,11 +1086,11 @@ ] }, "locked": { - "lastModified": 1750621377, - "narHash": "sha256-8u6b5oAdX0rCuoR8wFenajBRmI+mzbpNig6hSCuWUzE=", + "lastModified": 1759490292, + "narHash": "sha256-T6iWzDOXp8Wv0KQOCTHpBcmAOdHJ6zc/l9xaztW6Ivc=", "owner": "hyprwm", "repo": "hyprgraphics", - "rev": "b3d628d01693fb9bb0a6690cd4e7b80abda04310", + "rev": "9431db625cd9bb66ac55525479dce694101d6d7a", "type": "github" }, "original": { @@ -1109,11 +1111,11 @@ ] }, "locked": { - "lastModified": 1755092449, - "narHash": "sha256-HVdEAFT1jJ96Gn+bPxq22CQBfUQeq/PYilLKqWcLMhE=", + "lastModified": 1759869223, + "narHash": "sha256-2Y2D2wuNqSldprawq8BSca90gSYSR5ZKL5ZW2YAV2F8=", "owner": "horriblename", "repo": "hyprgrass", - "rev": "2b65ef7878b95e7c5f07e94f2ecf7450830532a2", + "rev": "fdfa60d464a18ae20b7a7bc63c0d2336f37c164b", "type": "github" }, "original": { @@ -1132,17 +1134,17 @@ "hyprlang": "hyprlang", "hyprutils": "hyprutils", "hyprwayland-scanner": "hyprwayland-scanner", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "systems": "systems_6", "xdph": "xdph" }, "locked": { - "lastModified": 1755071134, - "narHash": "sha256-jYxnXkjlVVa1lxg0lyBCvb34MLJham3+FEs3Wuo1TP8=", + "lastModified": 1760143218, + "narHash": "sha256-nHgQ3UTtQXzaOBwGqOFJ/zc69IGaT+U1ddFv4CpSjtU=", "ref": "refs/heads/main", - "rev": "aa6a78f0a4e17c49ed4aff8b58c3f7ec7ef0408f", - "revCount": 6361, + "rev": "d599513d4a72d66ac62ffdedc41d6653fa81b39e", + "revCount": 6493, "submodules": true, "type": "git", "url": "https://github.com/hyprwm/Hyprland" @@ -1170,11 +1172,11 @@ ] }, "locked": { - "lastModified": 1754935480, - "narHash": "sha256-GHN5Yq/zyexUkffW0tUPrGgHljlYfJZgzrxd/3S9ASI=", + "lastModified": 1760143196, + "narHash": "sha256-UPKU7QXmJ8vJO59bGzT0UFhvncWb14odLJXzcvSu73U=", "owner": "hyprwm", "repo": "hyprland-plugins", - "rev": "984669ebb57f0d17f271598e82e1d2ab55296f20", + "rev": "f6dd103dfb12f8939bf8049ee35a2b3eb7564dc3", "type": "github" }, "original": { 
@@ -1263,11 +1265,11 @@ ] }, "locked": { - "lastModified": 1753819801, - "narHash": "sha256-tHe6XeNeVeKapkNM3tcjW4RuD+tB2iwwoogWJOtsqTI=", + "lastModified": 1759080228, + "narHash": "sha256-RgDoAja0T1hnF0pTc56xPfLfFOO8Utol2iITwYbUhTk=", "owner": "hyprwm", "repo": "hyprland-qtutils", - "rev": "b308a818b9dcaa7ab8ccab891c1b84ebde2152bc", + "rev": "629b15c19fa4082e4ce6be09fdb89e8c3312aed7", "type": "github" }, "original": { @@ -1292,11 +1294,11 @@ ] }, "locked": { - "lastModified": 1753622892, - "narHash": "sha256-0K+A+gmOI8IklSg5It1nyRNv0kCNL51duwnhUO/B8JA=", + "lastModified": 1758927902, + "narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=", "owner": "hyprwm", "repo": "hyprlang", - "rev": "23f0debd2003f17bd65f851cd3f930cff8a8c809", + "rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da", "type": "github" }, "original": { @@ -1321,11 +1323,11 @@ ] }, "locked": { - "lastModified": 1750371198, - "narHash": "sha256-/iuJ1paQOBoSLqHflRNNGyroqfF/yvPNurxzcCT0cAE=", + "lastModified": 1758927902, + "narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=", "owner": "hyprwm", "repo": "hyprlang", - "rev": "cee01452bca58d6cadb3224e21e370de8bc20f0b", + "rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da", "type": "github" }, "original": { @@ -1346,11 +1348,11 @@ "systems": "systems_7" }, "locked": { - "lastModified": 1754413248, - "narHash": "sha256-d2C75Ij8JCuNwy6Vgq32Fe1iSrEOOnBnOX4JZJvtAFA=", + "lastModified": 1760023949, + "narHash": "sha256-fu0B4duamVdbkPio/czu1XhsPLRXUJpZLDrSk3nih4U=", "owner": "hyprwm", "repo": "hyprlock", - "rev": "347e05a40ec3bc48b3f21f44dea551d07773e214", + "rev": "36ec73f166d9434a3f27c96c575198906f77644a", "type": "github" }, "original": { 
@@ -1397,11 +1399,11 @@ ] }, "locked": { - "lastModified": 1754481650, - "narHash": "sha256-6u6HdEFJh5gY6VfyMQbhP7zDdVcqOrCDTkbiHJmAtMI=", + "lastModified": 1759619523, + "narHash": "sha256-r1ed7AR2ZEb2U8gy321/Xcp1ho2tzn+gG1te/Wxsj1A=", "owner": "hyprwm", "repo": "hyprutils", - "rev": "df6b8820c4a0835d83d0c7c7be86fbc555f1f7fd", + "rev": "3df7bde01efb3a3e8e678d1155f2aa3f19e177ef", "type": "github" }, "original": { @@ -1422,11 +1424,11 @@ ] }, "locked": { - "lastModified": 1751061882, - "narHash": "sha256-g9n8Vrbx+2JYM170P9BbvGHN39Wlkr4U+V2WLHQsXL8=", + "lastModified": 1759619523, + "narHash": "sha256-r1ed7AR2ZEb2U8gy321/Xcp1ho2tzn+gG1te/Wxsj1A=", "owner": "hyprwm", "repo": "hyprutils", - "rev": "4737241eaf8a1e51671a2a088518071f9a265cf4", + "rev": "3df7bde01efb3a3e8e678d1155f2aa3f19e177ef", "type": "github" }, "original": { @@ -1447,11 +1449,11 @@ ] }, "locked": { - "lastModified": 1751897909, - "narHash": "sha256-FnhBENxihITZldThvbO7883PdXC/2dzW4eiNvtoV5Ao=", + "lastModified": 1755184602, + "narHash": "sha256-RCBQN8xuADB0LEgaKbfRqwm6CdyopE1xIEhNc67FAbw=", "owner": "hyprwm", "repo": "hyprwayland-scanner", - "rev": "fcca0c61f988a9d092cbb33e906775014c61579d", + "rev": "b3b0f1f40ae09d4447c20608e5a4faf8bf3c492d", "type": "github" }, "original": { @@ -1472,11 +1474,11 @@ ] }, "locked": { - "lastModified": 1750371869, - "narHash": "sha256-lGk4gLjgZQ/rndUkzmPYcgbHr8gKU5u71vyrjnwfpB4=", + "lastModified": 1755184602, + "narHash": "sha256-RCBQN8xuADB0LEgaKbfRqwm6CdyopE1xIEhNc67FAbw=", "owner": "hyprwm", "repo": "hyprwayland-scanner", - "rev": "aa38edd6e3e277ae6a97ea83a69261a5c3aab9fd", + "rev": "b3b0f1f40ae09d4447c20608e5a4faf8bf3c492d", "type": "github" }, "original": { 
@@ -1494,11 +1496,11 @@ ] }, "locked": { - "lastModified": 1754639028, - "narHash": "sha256-w1+XzPBAZPbeGLMAgAlOjIquswo6Q42PMep9KSrRzOA=", + "lastModified": 1759815224, + "narHash": "sha256-HbdOyjqHm38j6o5mV24i0bn+r5ykS+VJBnWJuZ0fE+A=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "d49809278138d17be77ab0ef5506b26dc477fa62", + "rev": "ee974f496a080c61b3164992c850f43741edcc52", "type": "github" }, "original": { @@ -1507,18 +1509,6 @@ "type": "github" } }, - "kaiu-font": { - "flake": false, - "locked": { - "narHash": "sha256-qXJTfvW2oBJ5cSFAp6a6uAOTJilxHZ58v2ntn62T7sA=", - "type": "file", - "url": "https://files.net.dn/kaiu.ttf" - }, - "original": { - "type": "file", - "url": "https://files.net.dn/kaiu.ttf" - } - }, "lanzaboote": { "inputs": { "crane": "crane_2", @@ -1564,6 +1554,26 @@ "type": "github" } }, + "mail-server": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760422027, + "narHash": "sha256-UAuVT+mL9Q6hABWWlRhFfJ51DMrG3L/xdJTT3+FgCjM=", + "owner": "dachxy", + "repo": "nix-mail-server", + "rev": "a9df5bb2406f45b1d878f8b5681d8710a5cf40fb", + "type": "github" + }, + "original": { + "owner": "dachxy", + "repo": "nix-mail-server", + "type": "github" + } + }, "marks-nvim": { "flake": false, "locked": { @@ -1589,11 +1599,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1755102374, - "narHash": "sha256-v6xhTSgnGQoF1a51BB6OQWN8HXiYbZtVL+54TRuk9zk=", + "lastModified": 1760115376, + "narHash": "sha256-DCKRMxudVOddhA0AlDmRLeoUmPONkUBYv1MiK7mWbY8=", "owner": "microvm-nix", "repo": "microvm.nix", - "rev": "0a5cda80e48191959cf5a9c0552532599ef2cee4", + "rev": "5103fad040940b6b01891ed44b1d8bebd71249c6", "type": "github" }, "original": { 
@@ -1604,11 +1614,11 @@ }, "mnw": { "locked": { - "lastModified": 1756659871, - "narHash": "sha256-v6Rh4aQ6RKjM2N02kK9Usn0Ix7+OY66vNpeklc1MnGE=", + "lastModified": 1758834834, + "narHash": "sha256-Y7IvY4F8vajZyp3WGf+KaiIVwondEkMFkt92Cr9NZmg=", "owner": "Gerg-L", "repo": "mnw", - "rev": "ed6cc3e48557ba18266e598a5ebb6602499ada16", + "rev": "cfbc7d1cc832e318d0863a5fc91d940a96034001", "type": "github" }, "original": { @@ -1624,15 +1634,15 @@ "git-hooks": "git-hooks", "hercules-ci-effects": "hercules-ci-effects", "neovim-src": "neovim-src", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1755112706, - "narHash": "sha256-8RiIwry9yHcbgRoHCvh7hnB+5bTSKOXXSbla1DUqYSU=", + "lastModified": 1760168241, + "narHash": "sha256-87aML9i/zVm5WSCEx59PUpCrpkLbXEqcLEFPNn5+2iE=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "8b2a6a10e76f6c0c07c27c4abf0259e1a9ec2784", + "rev": "d5ef90cf4577df3e3daef7e070d200cca64c889f", "type": "github" }, "original": { @@ -1644,11 +1654,11 @@ "neovim-src": { "flake": false, "locked": { - "lastModified": 1755040869, - "narHash": "sha256-vEzYYF+uaFAG0c5X18NmGPChYkRTYEI/i+5buZC1PnE=", + "lastModified": 1760105690, + "narHash": "sha256-ZII7EvSnJueiV/a595uOsIdbWcXVWhO5pCvvJp2/mco=", "owner": "neovim", "repo": "neovim", - "rev": "35be59cc7b8d39f91b70aa57eaa09dc9b4636806", + "rev": "fafc329bbd1e15f9ab595568e8cd8b10295113dd", "type": "github" }, "original": { @@ -1708,11 +1718,11 @@ ] }, "locked": { - "lastModified": 1754800038, - "narHash": "sha256-UbLO8/0pVBXLJuyRizYOJigtzQAj8Z2bTnbKSec/wN0=", + "lastModified": 1759637156, + "narHash": "sha256-8NI1SqntLfKl6Q0Luemc3aIboezSJElofUrqipF5g78=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "b65f8d80656f9fcbd1fecc4b7f0730f468333142", + "rev": "0ca69684091aa3a6b1fe994c4afeff305b15e915", "type": "github" }, "original": { 
@@ -1725,14 +1735,16 @@ "inputs": { "flake-compat": "flake-compat_8", "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_6" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1755137329, - "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=", + "lastModified": 1760147325, + "narHash": "sha256-mBHP1GhvuRE/n8ZXh1lfh+Tn+5oOwB2zCuoPs2mM7IQ=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "d9330bc35048238597880e89fb173799de9db5e9", + "rev": "701fd12530b71a059e7a130fb58b28cb15c38bfb", "type": "github" }, "original": { @@ -1741,9 +1753,30 @@ "type": "github" } }, + "nix-search-tv": { + "inputs": { + "flake-utils": "flake-utils_7", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1758135610, + "narHash": "sha256-z7Mt//II4pvOJ4hzbgNRErk/MpXzgkGQm7VimXDG/H8=", + "owner": "3timeslazy", + "repo": "nix-search-tv", + "rev": "5bcc012b9f6ae069c984e994f85eb7976b4d58a3", + "type": "github" + }, + "original": { + "owner": "3timeslazy", + "repo": "nix-search-tv", + "type": "github" + } + }, "nix-tmodloader": { "inputs": { - "nixpkgs": "nixpkgs_7" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1734377184, @@ -1761,7 +1794,7 @@ }, "nixd": { "inputs": { - "flake-parts": "flake-parts_5", + "flake-parts": "flake-parts_4", "flake-root": "flake-root", "nixpkgs": [ "nixpkgs" @@ -1769,11 +1802,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1756563652, - "narHash": "sha256-0MvTa6l071JAbePgP3qTkNXr1CbeGDmqyDyvVHxetqg=", + "lastModified": 1759830669, + "narHash": "sha256-MvFhaBavW6beDnhDBiEBfWFDE1pat5kOgGeOPYE9zyk=", "owner": "nix-community", "repo": "nixd", - "rev": "15a3376f65de9e7984429b975777f3569430b8a6", + "rev": "62c94242843cbed00ee4c5b2cd6e781b4a9b7854", "type": "github" }, "original": { 
@@ -1784,16 +1817,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759417375, - "narHash": "sha256-O7eHcgkQXJNygY6AypkF9tFhsoDQjpNEojw3eFs73Ow=", - "owner": "nixos", + "lastModified": 1760038930, + "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc704e6102e76aad573f63b74c742cd96f8f1e6c", + "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -1857,90 +1890,42 @@ "type": "github" } }, - "nixpkgs_10": { + "nixpkgs-stable_3": { "locked": { - "lastModified": 1753934836, - "narHash": "sha256-G06FmIBj0I5bMW1Q8hAEIl5N7IHMK7+Ta4KA+BmneDA=", + "lastModified": 1760139962, + "narHash": "sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8679b16e11becd487b45d568358ddf9d5640d860", + "rev": "7e297ddff44a3cc93673bb38d0374df8d0ad73e4", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_11": { - "locked": { - "lastModified": 1752596105, - "narHash": "sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "dab3a6e781554f965bde3def0aa2fda4eb8f1708", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_12": { - "locked": { - "lastModified": 1727348695, - "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1755027561, - "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", - "type": "github" + "lastModified": 1758360447, + "narHash": "sha256-XDY3A83bclygHDtesRoaRTafUd80Q30D/Daf9KSG6bs=", + "rev": "8eaee110344796db060382e15d3af0a9fc396e0e", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre864002.8eaee1103447/nixexprs.tar.xz" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": 
"https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" } }, "nixpkgs_3": { "locked": { - "lastModified": 1755972213, - "narHash": "sha256-VYK7aDAv8H1enXn1ECRHmGbeY6RqLnNwUJkOwloIsko=", - "rev": "73e96df7cff5783f45e21342a75a1540c4eddce4", - "type": "tarball", - "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre850642.73e96df7cff5/nixexprs.tar.xz" - }, - "original": { - "type": "tarball", - "url": "https://channels.nixos.org/nixos-unstable-small/nixexprs.tar.xz" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1754725699, - "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", + "lastModified": 1759381078, + "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054", + "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "type": "github" }, "original": { @@ -1950,13 +1935,29 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1759977445, + "narHash": "sha256-LYr4IDfuihCkFAkSYz5//gT2r1ewcWBYgd5AxPzPLIo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2dad7af78a183b6c486702c18af8a9544f298377", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_5": { "locked": { - "lastModified": 1754990257, - "narHash": "sha256-eEq2wlYNF2t89PsNyEv5Sz4lSxdukZCj4SdhZBVAGpI=", + "lastModified": 1757584362, + "narHash": "sha256-XeTX/w16rUNUNBsfaOVCDoMMa7Xu7KvIMT7tn1zIEcg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "372d9eeeafa5b15913201e2b92e8e539ac7c64d1", + "rev": "d33e926c80e6521a55da380a4c4c44a7462af405", "type": "github" }, "original": { 
@@ -1968,64 +1969,64 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1748929857, - "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "lastModified": 1760103332, + "narHash": "sha256-BMsGVfKl4Q80Pr9T1AkCRljO1bpwCmY8rTBVj8XGuhA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "rev": "870493f9a8cb0b074ae5b411b2f232015db19a65", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_7": { "locked": { - "lastModified": 1755027561, - "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", - "owner": "nixos", + "lastModified": 1759570798, + "narHash": "sha256-kbkzsUKYzKhuvMOuxt/aTwWU2mnrwoY964yN3Y4dE98=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", + "rev": "0d4f673a88f8405ae14484e6a1ea870e0ba4ca26", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_8": { "locked": { - "lastModified": 1755027561, - "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", - "owner": "nixos", + "lastModified": 1756288264, + "narHash": "sha256-Om8adB1lfkU7D33VpR+/haZ2gI5r3Q+ZbIPzE5sYnwE=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", + "rev": "ddd1826f294a0ee5fdc198ab72c8306a0ea73aa9", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_9": { "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", - "owner": "NixOS", + "lastModified": 1727348695, + "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + 
"rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", + "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -2042,11 +2043,11 @@ ] }, "locked": { - "lastModified": 1751906969, - "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", + "lastModified": 1758998580, + "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", "owner": "nix-community", "repo": "NUR", - "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", + "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", "type": "github" }, "original": { @@ -2058,19 +2059,19 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_9", - "flake-parts": "flake-parts_6", + "flake-parts": "flake-parts_5", "mnw": "mnw", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_11" + "systems": "systems_12" }, "locked": { - "lastModified": 1756870502, - "narHash": "sha256-0diPvHFwQbKvKkz0bmEVEoFIzL4rdD80CaApHaj6hzs=", + "lastModified": 1760153667, + "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", "owner": "NotAShelf", "repo": "nvf", - "rev": "7b009c945d2f0213409aa0bae07c79d28b92d625", + "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", "type": "github" }, "original": { @@ -2089,11 +2090,11 @@ ] }, "locked": { - "lastModified": 1754416808, - "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=", + "lastModified": 1758108966, + "narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864", + "rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b", "type": "github" }, "original": { 
@@ -2137,11 +2138,11 @@ ] }, "locked": { - "lastModified": 1753595452, - "narHash": "sha256-vqkSDvh7hWhPvNjMjEDV4KbSCv2jyl2Arh73ZXe274k=", + "lastModified": 1759610621, + "narHash": "sha256-P3UPFd95mS/3aNgy40nCXAmyfR2bEEBd+tX6xfkYFb0=", "ref": "refs/heads/master", - "rev": "a5431dd02dc23d9ef1680e67777fed00fe5f7cda", - "revCount": 665, + "rev": "c5c438f1cd1a76660a8658ef929a3d19e968e2ce", + "revCount": 689, "type": "git", "url": "https://git.outfoxxed.me/outfoxxed/quickshell" }, @@ -2167,16 +2168,18 @@ "hyprland-plugins": "hyprland-plugins", "hyprlock": "hyprlock", "hyprtasking": "hyprtasking", - "kaiu-font": "kaiu-font", "lanzaboote": "lanzaboote", + "mail-server": "mail-server", "marks-nvim": "marks-nvim", "microvm": "microvm", "neovim-nightly-overlay": "neovim-nightly-overlay", "nix-index-database": "nix-index-database", "nix-minecraft": "nix-minecraft", + "nix-search-tv": "nix-search-tv", "nix-tmodloader": "nix-tmodloader", "nixd": "nixd", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_6", + "nixpkgs-stable": "nixpkgs-stable_3", "nvf": "nvf", "sops-nix": "sops-nix", "stylix": "stylix", @@ -2193,11 +2196,11 @@ ] }, "locked": { - "lastModified": 1754880555, - "narHash": "sha256-tG6l0wiX8V8IvG4HFYY8IYN5vpNAxQ+UWunjjpE6SqU=", + "lastModified": 1760063676, + "narHash": "sha256-s5Fjh43skH2L+avOGioLmEHoYZffDbg3abV5h0gjeew=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "17c591a44e4eb77f05f27cd37e1cfc3f219c7fc4", + "rev": "897deed0923cc5a1d560c5176abe0d172ec9716d", "type": "github" }, "original": { @@ -2235,11 +2238,11 @@ ] }, "locked": { - "lastModified": 1753930086, - "narHash": "sha256-Os6Ta5zamfAllmQNlvkbGZLHn06zJy3hVXRk+Dy2yMo=", + "lastModified": 1759199574, + "narHash": "sha256-w24RYly3VSVKp98rVfCI1nFYfQ0VoWmShtKPCbXgK6A=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "17b672c10c1798696a516cb879edbc2ebd0f58a4", + "rev": "381776b12d0d125edd7c1930c2041a1471e586c0", "type": "github" }, "original": { 
@@ -2256,11 +2259,11 @@ ] }, "locked": { - "lastModified": 1752633862, - "narHash": "sha256-Bj7ozT1+5P7NmvDcuAXJvj56txcXuAhk3Vd9FdWFQzk=", + "lastModified": 1756348497, + "narHash": "sha256-xJp3VnoYh4kpsaKFO/7SsGbwOz7pI1ZmjbqpXEuR2cw=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "8668ca94858206ac3db0860a9dec471de0d995f8", + "rev": "0adf92c70d23fb4f703aea5d3ebb51ac65994f7f", "type": "github" }, "original": { @@ -2271,14 +2274,14 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_7" }, "locked": { - "lastModified": 1754988908, - "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", + "lastModified": 1759635238, + "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", + "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133", "type": "github" }, "original": { @@ -2290,11 +2293,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1754675037, - "narHash": "sha256-afS08F7lfMUBR4qrBxinN1kuxu+DoHQ5TPNVp9VS/OA=", + "lastModified": 1759482047, + "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", "ref": "refs/heads/main", - "rev": "586577f3015397afacd83bc185454f4cc3c8028f", - "revCount": 955, + "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", + "revCount": 996, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, @@ -2310,13 +2313,13 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_7", + "flake-parts": "flake-parts_6", "gnome-shell": "gnome-shell", "nixpkgs": [ "nixpkgs" ], "nur": "nur", - "systems": "systems_12", + "systems": "systems_13", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", 
@@ -2324,11 +2327,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1755546184, - "narHash": "sha256-KxRj/8SydDk3gzamS0VEewo5pu8JAYhSZ5GPcImPGNQ=", + "lastModified": 1759690047, + "narHash": "sha256-Vlpa0d1xOgPO9waHwxJNi6LcD2PYqB3EjwLRtSxXlHc=", "owner": "nix-community", "repo": "stylix", - "rev": "9810b32b9b7520e3b37358ff8e793fb5034c3299", + "rev": "09022804b2bcd217f3a41a644d26b23d30375d12", "type": "github" }, "original": { @@ -2340,15 +2343,17 @@ "swww": { "inputs": { "flake-compat": "flake-compat_10", - "nixpkgs": "nixpkgs_10", + "nixpkgs": [ + "nixpkgs" + ], "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1754041947, - "narHash": "sha256-KzuedC2yJU56sRBeMlndPuXK6UWHxSUtgAmJ/+Gww6I=", + "lastModified": 1759428786, + "narHash": "sha256-vn3/hpRTI330+yJOoow7wBWMUk2LbnYgyR0v4/LX08o=", "owner": "LGFae", "repo": "swww", - "rev": "63d71f2b8c6d1533b5fef748dfc490dd461e343c", + "rev": "b9aaba38c79e9915c62328861def7353f53dcdbd", "type": "github" }, "original": { @@ -2432,6 +2437,21 @@ "type": "github" } }, + "systems_14": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "systems_2": { "locked": { "lastModified": 1681028828, @@ -2588,11 +2608,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1750770351, - "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=", + "lastModified": 1757716333, + "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", "owner": "tinted-theming", "repo": "schemes", - "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a", + "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", "type": "github" }, "original": { 
@@ -2604,11 +2624,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1751159871, - "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=", + "lastModified": 1757811970, + "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c", + "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", "type": "github" }, "original": { @@ -2620,11 +2640,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1751158968, - "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=", + "lastModified": 1757811247, + "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "86a470d94204f7652b906ab0d378e4231a5b3384", + "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", "type": "github" }, "original": { @@ -2641,11 +2661,11 @@ ] }, "locked": { - "lastModified": 1754847726, - "narHash": "sha256-2vX8QjO5lRsDbNYvN9hVHXLU6oMl+V/PsmIiJREG4rE=", + "lastModified": 1760120816, + "narHash": "sha256-gq9rdocpmRZCwLS5vsHozwB6b5nrOBDNc2kkEaTXHfg=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "7d81f6fb2e19bf84f1c65135d1060d829fae2408", + "rev": "761ae7aff00907b607125b2f57338b74177697ed", "type": "github" }, "original": { @@ -2703,11 +2723,11 @@ ] }, "locked": { - "lastModified": 1753633878, - "narHash": "sha256-js2sLRtsOUA/aT10OCDaTjO80yplqwOIaLUqEe0nMx0=", + "lastModified": 1755354946, + "narHash": "sha256-zdov5f/GcoLQc9qYIS1dUTqtJMeDqmBmo59PAxze6e4=", "owner": "hyprwm", "repo": "xdg-desktop-portal-hyprland", - "rev": "371b96bd11ad2006ed4f21229dbd1be69bed3e8a", + "rev": "a10726d6a8d0ef1a0c645378f983b6278c42eaa0", "type": "github" }, "original": { 
@@ -2718,16 +2738,16 @@ }, "yazi": { "inputs": { - "flake-utils": "flake-utils_7", - "nixpkgs": "nixpkgs_11", + "flake-utils": "flake-utils_8", + "nixpkgs": "nixpkgs_8", "rust-overlay": "rust-overlay_4" }, "locked": { - "lastModified": 1755419104, - "narHash": "sha256-X/MltojjlzWUPXk1OT8qDotuV9s8jL+Dp4wx56NUzT4=", + "lastModified": 1759765472, + "narHash": "sha256-YYfXBsw57fH6s/hXR24rv8/nr35oQl1CBH7p4WcK8RA=", "owner": "sxyazi", "repo": "yazi", - "rev": "9810196565513aca32bac41471ff4979a2a381ef", + "rev": "554cb52cc581df9a41e0778ebd448925cd3aca55", "type": "github" }, "original": { @@ -2738,14 +2758,14 @@ }, "zen-browser": { "inputs": { - "nixpkgs": "nixpkgs_12" + "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1756537342, - "narHash": "sha256-2WMNWyuGE6RCjHFg0KD4lQV9eRpJkgyQBuZR3Nih2rk=", + "lastModified": 1759642033, + "narHash": "sha256-irUhy22si6jwWSj2AYkOOuf949P4PFMihVUvU1qt1Jo=", "owner": "dachxy", "repo": "zen-browser-flake", - "rev": "7a385cf911db37e18b337d488bba7e10084cd8d5", + "rev": "7978da3c80968b1b61c97a3f3858640a8583bfb9", "type": "github" }, "original": { @@ -2770,11 +2790,11 @@ ] }, "locked": { - "lastModified": 1748261582, - "narHash": "sha256-3i0IL3s18hdDlbsf0/E+5kyPRkZwGPbSFngq5eToiAA=", + "lastModified": 1759192380, + "narHash": "sha256-0BWJgt4OSzxCESij5oo8WLWrPZ+1qLp8KUQe32QeV4Q=", "owner": "mitchellh", "repo": "zig-overlay", - "rev": "aafb1b093fb838f7a02613b719e85ec912914221", + "rev": "0bcd1401ed43d10f10cbded49624206553e92f57", "type": "github" }, "original": { 
@@ -2785,24 +2805,20 @@ }, "zon2nix": { "inputs": { - "flake-utils": [ - "ghostty", - "flake-utils" - ], - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1756000480, - "narHash": "sha256-fR5pdcjO0II5MNdCzqvyokyuFkmff7/FyBAjUS6sMfA=", + "lastModified": 1758405547, + "narHash": "sha256-WgaDgvIZMPvlZcZrpPMjkaalTBnGF2lTG+62znXctWM=", "owner": "jcollie", "repo": "zon2nix", - "rev": "d9dc9ef1ab9ae45b5c9d80c6a747cc9968ee0c60", + "rev": "bf983aa90ff169372b9fa8c02e57ea75e0b42245", "type": "github" }, "original": { "owner": "jcollie", "repo": "zon2nix", - "rev": "d9dc9ef1ab9ae45b5c9d80c6a747cc9968ee0c60", + "rev": "bf983aa90ff169372b9fa8c02e57ea75e0b42245", "type": "github" } } diff --git a/flake.nix b/flake.nix index 00420d2..c224a70 100644 --- a/flake.nix +++ b/flake.nix @@ -1,9 +1,13 @@ { - description = "DACHXY NixOS with hyprland"; + description = "DACHXY's NixOS with hyprland"; inputs = { + nixpkgs-stable = { + url = "github:nixos/nixpkgs/nixos-25.05"; + }; + nixpkgs = { - url = "github:nixos/nixpkgs/nixos-unstable"; + url = "github:nixos/nixpkgs/nixpkgs-unstable"; }; firefox = { @@ -68,10 +72,12 @@ nix-minecraft = { url = "github:Infinidoge/nix-minecraft"; + inputs.nixpkgs.follows = "nixpkgs"; }; nix-tmodloader = { url = "github:andOrlando/nix-tmodloader"; + inputs.nixpkgs.follows = "nixpkgs"; }; sops-nix = { @@ -85,6 +91,7 @@ swww = { url = "github:LGFae/swww"; + inputs.nixpkgs.follows = "nixpkgs"; }; zen-browser = { 
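Review bot: The `nixpkgs` input moves from `nixos-unstable` to `nixpkgs-unstable` while every `nixosSystem` in this flake is built from it; `nixos-unstable` is the branch that only advances once the NixOS test suite passes, whereas `nixpkgs-unstable` is gated on a smaller set of package builds, so the hosts lose that integration check. If the switch is intentional (newer packages sooner), a comment on the input would keep the trade-off visible, e.g. `# nixpkgs-unstable advances without the NixOS test gate; hosts needing the tested channel should use nixos-unstable or nixpkgs-stable`. The new `nixpkgs-stable` input likewise says nothing about what it is for; a one-line comment naming the consumers meant to follow it (attic does so in a later hunk) would help the next reader.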
@@ -132,416 +139,117 @@ attic = { url = "github:zhaofengli/attic"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - kaiu-font = { - url = "https://files.net.dn/kaiu.ttf"; - flake = false; + inputs.nixpkgs.follows = "nixpkgs-stable"; }; actual-budget-server = { url = "github:dachxy/actual-budget-flake"; + inputs.nixpkgs.follows = "nixpkgs"; }; + + mail-server = { + url = "github:dachxy/nix-mail-server"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nix-search-tv.url = "github:3timeslazy/nix-search-tv"; }; outputs = { self, nixpkgs, - nix-index-database, - lanzaboote, - home-manager, + nixpkgs-stable, ... }@inputs: let - system = "x86_64-linux"; - nix-version = "25.05"; + inherit (builtins) mapAttrs; - pkgs = import nixpkgs { - inherit system; - }; - - inherit (pkgs) lib; - - helper = import ./helper { inherit pkgs lib; }; - - # Declare COMMON modules here - common-settings = { - modules = [ - home-manager.nixosModules.default - nix-index-database.nixosModules.nix-index - inputs.sops-nix.nixosModules.sops - inputs.chaotic.nixosModules.default - inputs.actual-budget-api.nixosModules.default - inputs.stylix.nixosModules.stylix - inputs.attic.nixosModules.atticd - ]; - args = { - inherit - helper - inputs - system - nix-version - self - ; - }; - }; - - # Declaring All Devices - devices = { - # Home Computer + hosts = { dn-pre7780 = { - hostname = "dn-pre7780"; - domain = "net.dn"; - username = "danny"; - extra-modules = [ - lanzaboote.nixosModules.lanzaboote - ./system/dev/dn-pre7780 - - # VM - inputs.microvm.nixosModules.host - { - networking.useNetworkd = true; - systemd.network.enable = true; - systemd.network.networks."10-lan" = { - matchConfig.Name = [ - "enp0s31f6" - "vm-*" - ]; - networkConfig = { - Bridge = "br0"; - }; - }; - - systemd.network.netdevs."br0" = { - netdevConfig = { - Name = "br0"; - Kind = "bridge"; - }; - }; - - systemd.network.networks."10-lan-bridge" = { - matchConfig.Name = "br0"; - networkConfig = { - Address = [ "192.168.0.5/24" ]; - Gateway 
= "192.168.0.1"; - DNS = [ "192.168.0.1" ]; - }; - - linkConfig.RequiredForOnline = "routable"; - }; - - microvm.vms = { - vm-1 = { - flake = self; - updateFlake = "git+file:///etc/nixos"; - autostart = false; - }; - vm-2 = { - flake = self; - updateFlake = "git+file:///etc/nixos"; - autostart = false; - }; - }; - } - ]; - overlays = [ ]; + system = "x86_64-linux"; + path = ./system/dev/dn-pre7780; }; - - # Laptop - dn-lap = { - hostname = "dn-lap"; - username = "danny"; - domain = "net.dn"; - extra-modules = [ - lanzaboote.nixosModules.lanzaboote - ./system/dev/dn-lap - ]; - overlays = [ - ]; - }; - - # Server dn-server = { - hostname = "dn-server"; - username = "danny"; - domain = "net.dn"; - extra-modules = [ - inputs.nix-minecraft.nixosModules.minecraft-servers - inputs.nix-tmodloader.nixosModules.tmodloader - ./system/dev/dn-server - ./pkgs/options/dovecot.nix - ]; - overlays = [ - inputs.nix-minecraft.overlay - inputs.nix-tmodloader.overlay - (import ./pkgs/overlays/dovecot.nix) - ]; + system = "x86_64-linux"; + path = ./system/dev/dn-server; + }; + dn-lap = { + system = "x86_64-linux"; + path = ./system/dev/dn-lap; }; - - # Skydrive skydrive-lap = { - hostname = "skydrive-lap"; - username = "skydrive"; - domain = "sky.dn"; - extra-modules = [ - inputs.nix-minecraft.nixosModules.minecraft-servers - inputs.nix-tmodloader.nixosModules.tmodloader - inputs.disko.nixosModules.disko - ./system/dev/skydrive-lap - ]; - overlays = [ - inputs.nix-minecraft.overlay - inputs.nix-tmodloader.overlay - ]; + system = "x86_64-linux"; + path = ./system/dev/skydrive-lap; }; }; in { - nixosConfigurations = - (builtins.mapAttrs ( - dev: conf: - let - domain = if conf.domain != null then conf.domain else "local"; - inherit (conf) username hostname; - in - nixpkgs.lib.nixosSystem { - modules = [ - { - environment.systemPackages = [ - inputs.attic.packages.${system}.attic - ]; - system.stateVersion = nix-version; - home-manager = { - backupFileExtension = "backup-hm"; - 
useUserPackages = true; - useGlobalPkgs = true; - extraSpecialArgs = { - inherit - helper - inputs - system - nix-version - devices - username - ; - }; - users."${username}" = lib.mkIf (!((conf ? isVM) && (conf.isVM))) { - imports = [ - inputs.hyprland.homeManagerModules.default - inputs.caelestia-shell.homeManagerModules.default - inputs.zen-browser.homeManagerModules.${system}.default - inputs.nvf.homeManagerModules.default - { - home = { - homeDirectory = "/home/${username}"; - stateVersion = nix-version; - }; - # Let Home Manager install and manage itself. - programs.home-manager.enable = true; - } - ]; - }; - }; - networking = { - inherit domain; - hostName = hostname; - }; - nixpkgs.hostPlatform = system; - nixpkgs.config.allowUnfree = true; - nixpkgs.overlays = (import ./pkgs/overlays) ++ conf.overlays; - } - ] - ++ common-settings.modules - ++ conf.extra-modules; - specialArgs = { - inherit username; - } - // common-settings.args; - } - ) devices) - // - # VM For k8s - ( - let - vmList = - let - kubeMasterIP = "192.168.0.6"; - kubeMasterHostname = "api.kube"; - kubeMasterAPIServerPort = 6443; - kubeApi = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}"; - in - { - # master - vm-1 = { - ip = "192.168.0.6"; - mac = "02:00:00:00:00:01"; - extraConfig = { - networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}"; - environment.systemPackages = with pkgs; [ - kompose - kubectl - kubernetes - ]; - - services.kubernetes = { - roles = [ - "master" - "node" - ]; - - masterAddress = kubeMasterHostname; - apiserverAddress = kubeApi; - easyCerts = true; - apiserver = { - securePort = kubeMasterAPIServerPort; - advertiseAddress = kubeMasterIP; - }; - - addons.dns.enable = true; - }; - - systemd.services.link-kube-config = { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.writeShellScript "link-kube-config.sh" '' - target="/etc/kubernetes/cluster-admin.kubeconfig" - if [ -e "$target" ]; then - 
[ ! -d "/root/.kube" ] && mkdir -p "/root/.kube" - ln -sf $target /root/.kube/config - fi - ''}"; - }; - }; - }; - }; - # Node - vm-2 = { - ip = "192.168.0.7"; - mac = "02:00:00:00:00:02"; - extraConfig = { - networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}"; - - environment.systemPackages = with pkgs; [ - kompose - kubectl - kubernetes - ]; - - services.kubernetes = { - roles = [ "node" ]; - masterAddress = kubeMasterHostname; - easyCerts = true; - - kubelet.kubeconfig.server = kubeApi; - apiserverAddress = kubeApi; - addons.dns.enable = true; - }; - }; - }; - }; - - mkMicrovm = name: value: { - hypervisor = "qemu"; - vcpu = 4; - mem = 8192; - interfaces = [ - { - type = "tap"; - id = "${name}"; - mac = value.mac; - } - ]; - shares = [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - }; - in - lib.mapAttrs' ( - name: value: - lib.nameValuePair name ( - nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - inputs.microvm.nixosModules.microvm - value.extraConfig - { - microvm = mkMicrovm name value; - system.stateVersion = lib.trivial.release; - networking.hostName = name; - networking.domain = "kube"; - networking.firewall.enable = false; - users.users.root.password = ""; - services.getty.autologinUser = "root"; - - programs.fish.enable = true; - programs.bash = { - shellInit = '' - if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]] - then - shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION="" - exec ${pkgs.fish}/bin/fish $LOGIN_OPTION - fi - ''; - }; - - systemd.network.enable = true; - systemd.network.networks."20-lan" = { - matchConfig.Type = "ether"; - networkConfig = { - Address = [ "${value.ip}/24" ]; - Gateway = "192.168.0.1"; - DNS = [ "192.168.0.1" ]; - DHCP = "no"; - }; - }; - - systemd.services.br-netfilter = { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = 
"/run/current-system/sw/bin/modprobe br_netfilter"; - }; - }; - - environment.systemPackages = with pkgs; [ - dig.dnsutils - openssl - - fishPlugins.done - fishPlugins.fzf-fish - fishPlugins.forgit - fishPlugins.hydro - fzf - fishPlugins.grc - grc - git - ]; - } - ]; - } - ) - ) vmList - ) - // { - vps = nixpkgs.lib.nixosSystem { + # ==== NixOS Configuration ==== # + nixosConfigurations = mapAttrs ( + hostname: conf: + let + inherit (conf) path system; + pkgs = import nixpkgs { inherit system; - specialArgs = common-settings.args; - modules = [ - inputs.disko.nixosModules.disko - ./system/dev/generic - ]; }; - }; + pkgs-stable = import nixpkgs-stable { + inherit system; + }; + helper = import ./helper { + inherit + pkgs + ; + lib = pkgs.lib; + }; + in + nixpkgs.lib.nixosSystem { + specialArgs = { + inherit (conf) system; + inherit + helper + inputs + self + pkgs-stable + ; + }; + modules = [ + # ==== Common Configuration ==== # + { + nixpkgs.hostPlatform = system; + nixpkgs.config.allowUnfree = true; + nixpkgs.overlays = [ + inputs.mail-server.overlay + inputs.nix-minecraft.overlay + inputs.nix-tmodloader.overlay + ] + ++ (import ./pkgs/overlays); + } - packages."${system}" = { - vm-1 = self.nixosConfigurations.vm-1.config.microvm.declaredRunner; - vm-2 = self.nixosConfigurations.vm-2.config.microvm.declaredRunner; - }; + # ==== Common Modules ==== # + inputs.home-manager.nixosModules.default + inputs.nix-index-database.nixosModules.nix-index + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + inputs.nix-minecraft.nixosModules.minecraft-servers + inputs.nix-tmodloader.nixosModules.tmodloader + inputs.chaotic.nixosModules.default + inputs.actual-budget-api.nixosModules.default + inputs.stylix.nixosModules.stylix + inputs.attic.nixosModules.atticd + inputs.mail-server.nixosModules.default + ./options + + # ==== Private Configuration ==== # + (import path { inherit hostname; }) + ]; + } + ) hosts; + + # ==== MicroVM Packages ==== # + # 
packages."${system}" = { + # vm-1 = self.nixosConfigurations.vm-1.config.microvm.declaredRunner; + # vm-2 = self.nixosConfigurations.vm-2.config.microvm.declaredRunner; + # }; }; } diff --git a/helper/default.nix b/helper/default.nix index 566bf8c..391a156 100644 --- a/helper/default.nix +++ b/helper/default.nix @@ -34,7 +34,7 @@ in systemctl --user start "$SERVICE_NAME" notify-send ${ optionalString (notify-icon != "") "-i ${notify-icon}" - }"${icon} ''\${SERVICE_NAME^}" "starting" + } "${icon} ''\${SERVICE_NAME^}" "starting" fi esac @@ -48,4 +48,47 @@ in jq -nc --argjson a "$json1" --argjson b "$EXTRA_JSON" '$a + $b' ''; + + grafana = { + mkDashboard = + { + name, + src, + templateList, + conf ? { }, + }: + let + template = toJSON templateList; + in + pkgs.stdenvNoCC.mkDerivation ( + { + inherit src; + pname = "${name}-grafana-dashboard-srouce"; + version = "1.0"; + dontBuild = true; + nativeBuildInputs = with pkgs; [ jq ]; + + installPhase = '' + PROM_TEMPLATE='${template}' + OUTPUT_PATH="$out" + + mkdir -p $out + + if [ -f "$src" ]; then + echo "adding template filename: $(basename $src)" + jq --argjson TEMPLATE "$PROM_TEMPLATE" '.templating.list += $TEMPLATE' \ + "$src" > "$OUTPUT_PATH/$(basename $src)" + else + find . -name "*.json" | while read DASHBOARD_FILE; do + echo "adding template filename: $DASHBOARD_FILE" + jq --argjson TEMPLATE "$PROM_TEMPLATE" ' + .templating.list += $TEMPLATE + ' "$DASHBOARD_FILE" > "$OUTPUT_PATH/$DASHBOARD_FILE" + done + fi + ''; + } + // conf + ); + }; } diff --git a/home/user/hypr/bind.nix b/home/user/hypr/bind.nix index 1bf4664..aba71dd 100644 --- a/home/user/hypr/bind.nix +++ b/home/user/hypr/bind.nix 
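Review bot: In the new `nixosConfigurations` the `pkgs` handed to `./helper` is a fresh `import nixpkgs { inherit system; }`, so it carries neither the overlays nor `allowUnfree` that the common module sets through `nixpkgs.overlays`/`nixpkgs.config` for the same host, and anything the helper builds from `pkgs` evaluates against a second, differently configured nixpkgs (the same holds for `pkgs-stable`). Providing the helper from a module that receives the module-system `pkgs`, e.g. `{ pkgs, ... }: { _module.args.helper = import ./helper { inherit pkgs; lib = pkgs.lib; }; }`, keeps one instantiation per host. The common module also no longer sets `system.stateVersion` or `networking.hostName`/`domain`; if the per-host `import path { inherit hostname; }` does not set them (not visible here), NixOS warns and falls back to the current release for `stateVersion`, which silently changes defaults of stateful services between rebuilds. `nix-search-tv` is the only input added in this commit without `inputs.nixpkgs.follows = "nixpkgs"`; if it exposes a nixpkgs input, `nix-search-tv = { url = "github:3timeslazy/nix-search-tv"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps the lock from pulling yet another nixpkgs.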
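Review bot: `mkDashboard` interpolates `toJSON templateList` straight into a single-quoted shell assignment, `PROM_TEMPLATE='${template}'`, so any `'` inside a template value (a label description or a query) terminates the quoting and the rest of the installPhase is parsed as shell; passing the JSON through the store instead removes the quoting problem, e.g. `jq --slurpfile TEMPLATE ${pkgs.writeText "${name}-template.json" template} '.templating.list += $TEMPLATE[0]'`. In the directory branch `find . -name "*.json"` yields paths like `./dir/x.json` but only `$out` itself is created, so the redirect to `"$OUTPUT_PATH/$DASHBOARD_FILE"` fails for nested dashboards; `mkdir -p "$OUTPUT_PATH/$(dirname "$DASHBOARD_FILE")"` before the `jq` call fixes it, and `read -r` keeps backslashes in names intact. `pname` carries a typo, `srouce`. I believe the default unpackPhase refuses a plain `.json` `src` ("do not know how to unpack source archive"), so the `[ -f "$src" ]` branch is only reachable when `dontUnpack = true` arrives via `conf` — worth confirming and documenting on the function.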
@@ -1,14 +1,15 @@ +{ mainMod }: { - mainMod, + osConfig, config, - nvidia-offload-enabled, lib, pkgs, - monitors ? [ ], + ... }: with builtins; let - inherit (lib) optionalString; + inherit (osConfig.systemConf.hyprland) monitors; + nvidia-offload-enabled = osConfig.hardware.nvidia.prime.offload.enableOffloadCmd; notransTag = "notrans"; 
@@ -41,85 +42,87 @@ let in toString (if (monitorsNum == 0) then 1 else monitorsNum); in -[ - ''${mainMod}, F, exec, ${browser}'' - ''${mainMod}, RETURN, exec, ${terminal}'' - ''CTRL ALT, T, exec, ${terminal}'' - ''${mainMod}, Q, killactive, '' +{ + wayland.windowManager.hyprland.settings.bind = [ + ''${mainMod}, F, exec, ${browser}'' + ''${mainMod}, RETURN, exec, ${terminal}'' + ''CTRL ALT, T, exec, ${terminal}'' + ''${mainMod}, Q, killactive, '' - ''${mainMod}, M, exec, ${toggleWlogout}'' - ''${mainMod}, E, exec, ${filemanager}'' - ''${mainMod}, V, togglefloating, '' - ''ALT, SPACE, exec, rofi -config ~/.config/rofi/apps.rasi -show drun'' - ''${mainMod}, W, exec, ${rofiWall}'' - ''${mainMod}, P, pseudo, # dwindle'' - ''${mainMod}, S, togglesplit, # dwindle'' - ''CTRL ${mainMod} SHIFT, L, exec, hyprlock'' + ''${mainMod}, M, exec, ${toggleWlogout}'' + ''${mainMod}, E, exec, ${filemanager}'' + ''${mainMod}, V, togglefloating, '' + ''ALT, SPACE, exec, rofi -config ~/.config/rofi/apps.rasi -show drun'' + ''${mainMod}, W, exec, ${rofiWall}'' + ''${mainMod}, P, pseudo, # dwindle'' + ''${mainMod}, S, togglesplit, # dwindle'' + ''CTRL ${mainMod} SHIFT, L, exec, hyprlock'' - # Toggle transparent - ''${mainMod}, n, tagwindow, ${notransTag}'' + # Toggle transparent + ''${mainMod}, n, tagwindow, ${notransTag}'' - # Bitwarden Selector - ''CTRL ${mainMod}, P, exec, ${rbwSelector}'' + # Bitwarden Selector + ''CTRL ${mainMod}, P, exec, ${rbwSelector}'' - # Screenshot - ''${mainMod} SHIFT, s, exec, hyprshot -m region ${clipboardOnly}'' - ''CTRL SHIFT, s, exec, hyprshot -m window ${clipboardOnly}'' - ''CTRL SHIFT ${mainMod}, s, exec, hyprshot -m output ${clipboardOnly}'' - ''CTRL ALT, s, exec, hyprshot -m active -m window ${clipboardOnly}'' + # Screenshot + ''${mainMod} SHIFT, s, exec, hyprshot -m region ${clipboardOnly}'' + ''CTRL SHIFT, s, exec, hyprshot -m window ${clipboardOnly}'' + ''CTRL SHIFT ${mainMod}, s, exec, hyprshot -m output ${clipboardOnly}'' + ''CTRL ALT, s, exec, 
hyprshot -m active -m window ${clipboardOnly}'' - ''${mainMod}, PERIOD, exec, rofi -modi emoji -show emoji'' - ''CTRL ${mainMod}, c, exec, rofi -show calc -modi calc -no-show-match -no-sort'' - ''${mainMod}, X, exec, sleep 0.1 && swaync-client -t -sw'' - ''${mainMod} SHIFT, C, centerwindow'' - '',F11, fullscreen'' - ''${mainMod}, C, exec, code'' + ''${mainMod}, PERIOD, exec, rofi -modi emoji -show emoji'' + ''CTRL ${mainMod}, c, exec, rofi -show calc -modi calc -no-show-match -no-sort'' + ''${mainMod}, X, exec, sleep 0.1 && swaync-client -t -sw'' + ''${mainMod} SHIFT, C, centerwindow'' + '',F11, fullscreen'' + ''${mainMod}, C, exec, code'' - # Color Picker - ''${mainMod} SHIFT, P, exec, hyprpicker -f hex -a -z'' + # Color Picker + ''${mainMod} SHIFT, P, exec, hyprpicker -f hex -a -z'' - # Cycle windows - ''ALT, TAB, cyclenext'' - ''ALT, TAB, bringactivetotop'' + # Cycle windows + ''ALT, TAB, cyclenext'' + ''ALT, TAB, bringactivetotop'' - ''${mainMod}, h, movefocus, l'' - ''${mainMod}, l, movefocus, r'' - ''${mainMod}, k, movefocus, u'' - ''${mainMod}, j, movefocus, d'' + ''${mainMod}, h, movefocus, l'' + ''${mainMod}, l, movefocus, r'' + ''${mainMod}, k, movefocus, u'' + ''${mainMod}, j, movefocus, d'' - ''${mainMod}, mouse_down, workspace, e-${scrollStep}'' - ''${mainMod}, mouse_up, workspace, e+${scrollStep}'' + ''${mainMod}, mouse_down, workspace, e-${scrollStep}'' + ''${mainMod}, mouse_up, workspace, e+${scrollStep}'' - ''${mainMod} SHIFT, l, movewindow, r'' - ''${mainMod} SHIFT, h, movewindow, l'' - ''${mainMod} SHIFT, k, movewindow, u'' - ''${mainMod} SHIFT, j, movewindow, d'' + ''${mainMod} SHIFT, l, movewindow, r'' + ''${mainMod} SHIFT, h, movewindow, l'' + ''${mainMod} SHIFT, k, movewindow, u'' + ''${mainMod} SHIFT, j, movewindow, d'' - # Media - '',XF86AudioPrev, exec, playerctl previous'' - '',XF86AudioNext, exec, playerctl next'' - ''${mainMod} CTRL, COMMA, exec, playerctl previous'' - ''${mainMod} CTRL, PERIOD, exec, playerctl next'' - 
'',XF86AudioPlay, exec, playerctl play-pause'' - '',XF86AudioStop, exec, playerctl stop'' - '',XF86AudioMute, exec, wpctl set-mute @DEFAULT_SINK@ toggle'' + # Media + '',XF86AudioPrev, exec, playerctl previous'' + '',XF86AudioNext, exec, playerctl next'' + ''${mainMod} CTRL, COMMA, exec, playerctl previous'' + ''${mainMod} CTRL, PERIOD, exec, playerctl next'' + '',XF86AudioPlay, exec, playerctl play-pause'' + '',XF86AudioStop, exec, playerctl stop'' + '',XF86AudioMute, exec, wpctl set-mute @DEFAULT_SINK@ toggle'' - ''${mainMod}, G, workspace, ${toString gamingWorkspace}'' - ''${mainMod} SHIFT, G, movetoworkspace, ${toString gamingWorkspace}'' -] -++ ( - # workspaces - # binds $mainMod + [shift +] {1..9} to [move to] workspace {1..9} - builtins.concatLists ( - builtins.genList ( - i: - let - ws = i + 1; - in - [ - "${mainMod}, code:1${toString i}, workspace, ${toString ws}" - "${mainMod} SHIFT, code:1${toString i}, movetoworkspace, ${toString ws}" - ] - ) 9 - ) -) + ''${mainMod}, G, workspace, ${toString gamingWorkspace}'' + ''${mainMod} SHIFT, G, movetoworkspace, ${toString gamingWorkspace}'' + ] + ++ ( + # workspaces + # binds $mainMod + [shift +] {1..9} to [move to] workspace {1..9} + builtins.concatLists ( + builtins.genList ( + i: + let + ws = i + 1; + in + [ + "${mainMod}, code:1${toString i}, workspace, ${toString ws}" + "${mainMod} SHIFT, code:1${toString i}, movetoworkspace, ${toString ws}" + ] + ) 9 + ) + ); +} diff --git a/home/user/hypr/input.nix b/home/user/hypr/input.nix index ded6a42..c828657 100644 --- a/home/user/hypr/input.nix +++ b/home/user/hypr/input.nix 
@@ -1,35 +1,37 @@ +{ ... }: { - input = { - kb_layout = "us"; + wayland.windowManager.hyprland.settings = { + input = { + kb_layout = "us"; - kb_variant = ""; - kb_model = ""; - kb_rules = ""; + kb_variant = ""; + kb_model = ""; + kb_rules = ""; - repeat_delay = 250; - repeat_rate = 35; + repeat_delay = 250; + repeat_rate = 35; - follow_mouse = 1; - accel_profile = "flat"; + follow_mouse = 1; + accel_profile = "flat"; - kb_options = [ "caps:escape" ]; + kb_options = [ "caps:escape" ]; - touchpad = { - natural_scroll = true; + touchpad = { + natural_scroll = true; + }; + + sensitivity = -0.1; # -1.0 - 1.0, 0 means no modification. + }; + binds = { + scroll_event_delay = 0; }; - sensitivity = -0.1; # -1.0 - 1.0, 0 means no modification. - }; - binds = { - scroll_event_delay = 0; - }; + cursor = { + no_hardware_cursors = true; + }; - cursor = { - no_hardware_cursors = true; - }; - - gestures = { - workspace_swipe = true; - workspace_swipe_fingers = 3; + gesture = [ + "3, horizontal, workspace" + ]; }; } diff --git a/home/user/hypr/window.nix b/home/user/hypr/window.nix index cb5c6c3..00c43ea 100644 --- a/home/user/hypr/window.nix +++ b/home/user/hypr/window.nix 
@@ -1,77 +1,74 @@ -{ lib }: +{ lib, ... }: { - xwayland = { - force_zero_scaling = true; - }; - - general = { - gaps_in = 5; - gaps_out = 10; - border_size = 2; - "col.active_border" = lib.mkForce "rgb(EBDBB2) rgb(24273A) rgb(24273A) rgb(EBDBB2) 45deg"; - "col.inactive_border" = lib.mkForce "rgb(24273A) rgb(24273A) rgb(24273A) rgb(24273A) 45deg"; - layout = "dwindle"; - }; - - decoration = { - rounding = 10; - blur = { - enabled = true; - size = 5; - passes = 3; - new_optimizations = true; - ignore_opacity = "on"; - xray = false; + wayland.windowManager.hyprland.settings = { + xwayland = { + force_zero_scaling = true; }; - active_opacity = 0.8; - inactive_opacity = 0.8; - fullscreen_opacity = 1.0; - }; - animations = { - enabled = true; - bezier = [ - "linear, 0, 0, 1, 1" - "md3_standard, 0.2, 0, 0, 1" - "md3_decel, 0.05, 0.7, 0.1, 1" - "md3_accel, 0.3, 0, 0.8, 0.15" - "overshot, 0.05, 0.9, 0.1, 1.1" - "crazyshot, 0.1, 1.5, 0.76, 0.92" - "hyprnostretch, 0.05, 0.9, 0.1, 1.0" - "menu_decel, 0.1, 1, 0, 1" - "menu_accel, 0.38, 0.04, 1, 0.07" - "easeInOutCirc, 0.85, 0, 0.15, 1" - "easeOutCirc, 0, 0.55, 0.45, 1" - "easeOutExpo, 0.16, 1, 0.3, 1" - "softAcDecel, 0.26, 0.26, 0.15, 1" - "md2, 0.4, 0, 0.2, 1" - ]; - animation = [ - "windows, 1, 3, md3_decel, popin 60%" - "windowsIn, 1, 3, md3_decel, popin 60%" - "windowsOut, 1, 3, md3_accel, popin 60%" - "border, 1, 10, default" - "fade, 1, 3, md3_decel" - "workspaces, 1, 7, menu_decel, slide" - "specialWorkspace, 1, 3, md3_decel, slidevert" - ]; - }; + general = { + gaps_in = 5; + gaps_out = 10; + border_size = 2; + "col.active_border" = lib.mkForce "rgb(EBDBB2) rgb(24273A) rgb(24273A) rgb(EBDBB2) 45deg"; + "col.inactive_border" = lib.mkForce "rgb(24273A) rgb(24273A) rgb(24273A) rgb(24273A) 45deg"; + layout = "dwindle"; + }; - dwindle = { - pseudotile = true; - preserve_split = true; - }; + decoration = { + rounding = 10; + blur = { + enabled = true; + size = 5; + passes = 3; + new_optimizations = true; + ignore_opacity = 
"on"; + xray = false; + }; + active_opacity = 0.8; + inactive_opacity = 0.8; + fullscreen_opacity = 1.0; + }; - master = { - new_on_top = true; - }; + animations = { + enabled = true; + bezier = [ + "linear, 0, 0, 1, 1" + "md3_standard, 0.2, 0, 0, 1" + "md3_decel, 0.05, 0.7, 0.1, 1" + "md3_accel, 0.3, 0, 0.8, 0.15" + "overshot, 0.05, 0.9, 0.1, 1.1" + "crazyshot, 0.1, 1.5, 0.76, 0.92" + "hyprnostretch, 0.05, 0.9, 0.1, 1.0" + "menu_decel, 0.1, 1, 0, 1" + "menu_accel, 0.38, 0.04, 1, 0.07" + "easeInOutCirc, 0.85, 0, 0.15, 1" + "easeOutCirc, 0, 0.55, 0.45, 1" + "easeOutExpo, 0.16, 1, 0.3, 1" + "softAcDecel, 0.26, 0.26, 0.15, 1" + "md2, 0.4, 0, 0.2, 1" + ]; + animation = [ + "windows, 1, 3, md3_decel, popin 60%" + "windowsIn, 1, 3, md3_decel, popin 60%" + "windowsOut, 1, 3, md3_accel, popin 60%" + "border, 1, 10, default" + "fade, 1, 3, md3_decel" + "workspaces, 1, 7, menu_decel, slide" + "specialWorkspace, 1, 3, md3_decel, slidevert" + ]; + }; - gestures = { - workspace_swipe = true; - workspace_swipe_cancel_ratio = 0.15; - }; + dwindle = { + pseudotile = true; + preserve_split = true; + }; - misc = { - force_default_wallpaper = 0; + master = { + new_on_top = true; + }; + + misc = { + force_default_wallpaper = 0; + }; }; } diff --git a/home/user/hypr/windowrule.nix b/home/user/hypr/windowrule.nix index ce0efd7..8396cdb 100644 --- a/home/user/hypr/windowrule.nix +++ b/home/user/hypr/windowrule.nix 
@@ -1,125 +1,123 @@ +{ ... }: let - inherit (builtins) map concatLists; top = "60"; right = "100%-w-10"; notransTag = "notrans"; in { - windowrule = [ - "pseudo, class:(org.fcitx.)" - "float, class:file_progress" - "float, class:confirm" - "float, class:dialog" - "float, class:download" - "float, class:notification" - "float, class:error" - "float, class:splash" - "float, class:confirmreset" - "float, title:Open File" - "float, title:branchdialog" - "float, class:pavucontrol-qt" - "float, class:pavucontrol" - "float, class:file-roller" - "fullscreen, title:wlogout" - "float, title:wlogout" - "fullscreen, title:wlogout" + wayland.windowManager.hyprland.settings = { + windowrule = [ + "pseudo, class:(org.fcitx.)" + "float, class:file_progress" + "float, class:confirm" + "float, class:dialog" + "float, class:download" + "float, class:notification" + "float, class:error" + "float, class:splash" + "float, class:confirmreset" + "float, title:Open File" + "float, title:branchdialog" + "float, class:pavucontrol-qt" + "float, class:pavucontrol" + "float, class:file-roller" + "fullscreen, title:wlogout" + "float, title:wlogout" + "fullscreen, title:wlogout" - "float, title:^(Media viewer)$" - "float, title:^(File Operation Progress)$" - "float, class:^(it.mijorus.smile)" - "float, class:^(xdg-desktop-portal-gtk)$" - "float, title:^(Steam Settings)$" + "float, title:^(Media viewer)$" + "float, title:^(File Operation Progress)$" + "float, class:^(it.mijorus.smile)" + "float, class:^(xdg-desktop-portal-gtk)$" + "float, title:^(Steam Settings)$" - "fullscreen, initialClass:^(cs2)$" + "fullscreen, initialClass:^(cs2)$" - # Zen browser - "opacity 0.9999 override, initialClass:^(zen)(.*)" + # Zen browser + "opacity 0.9999 override, initialClass:^(zen)(.*)" - # Ghostty - "opacity 0.9999 override, initialClass:^(com.mitchellh.ghostty)$" + # Ghostty + "opacity 0.9999 override, initialClass:^(com.mitchellh.ghostty)$" - # Picture in picture windows - "float, 
title:^(Picture-in-Picture)$" - "pin, title:^(Picture-in-Picture)$" - "float, class:^(vesktop)$,title:^(Discord Popout)$" - "pin, class:^(vesktop)$,title:^(Discord Popout)$" - "float, class:^(steam)$,title:^(Friends List)$" + # Picture in picture windows + "float, title:^(Picture-in-Picture)$" + "pin, title:^(Picture-in-Picture)$" + "float, class:^(vesktop)$,title:^(Discord Popout)$" + "pin, class:^(vesktop)$,title:^(Discord Popout)$" + "float, class:^(steam)$,title:^(Friends List)$" - # Meidia control - "move ${right} ${top}, class: ^(org.pulseaudio.pavucontrol)$" - "size 30% 33%, class: ^(org.pulseaudio.pavucontrol)$" + # Meidia control + "move ${right} ${top}, class: ^(org.pulseaudio.pavucontrol)$" + "size 30% 33%, class: ^(org.pulseaudio.pavucontrol)$" - # Local Send (File Sharing) - "move ${right} 8%, class: ^(localsend_app)$" - "size 20% 80%, class: ^(localsend_app)$" + # Local Send (File Sharing) + "move ${right} 8%, class: ^(localsend_app)$" + "size 20% 80%, class: ^(localsend_app)$" - # Bluetooth - "move ${right} ${top}, class: ^(blueberry.py)$" - "size 25% 45%, class: ^(blueberry.py)$" + # Bluetooth + "move ${right} ${top}, class: ^(blueberry.py)$" + "size 25% 45%, class: ^(blueberry.py)$" - # Media Control - "float, class: ^(org.pulseaudio.pavucontrol)$" - "pin, class: ^(org.pulseaudio.pavucontrol)$" - "animation slide top 20%, class: ^(org.pulseaudio.pavucontrol)$" + # Media Control + "float, class: ^(org.pulseaudio.pavucontrol)$" + "pin, class: ^(org.pulseaudio.pavucontrol)$" + "animation slide top 20%, class: ^(org.pulseaudio.pavucontrol)$" - # Local Send (File Sharing) - "float, class: ^(localsend_app)$" - "pin, class: ^(localsend_app)$" - "animation slide right 20%, class: ^(localsend_app)$" + # Local Send (File Sharing) + "float, class: ^(localsend_app)$" + "pin, class: ^(localsend_app)$" + "animation slide right 20%, class: ^(localsend_app)$" - # Airplay - "move ${right} 10%, class: ^(GStreamer)$" - "size 21% 80%, class: ^(GStreamer)$" - "pin, 
class: ^(GStreamer)$" - "float, class: ^(GStreamer)$" - "opacity 1.0 override 1.0 override, class: ^(GStreamer)$" - "noblur, class: ^(GStreamer)$" - "animation slide right 20%, class: ^(GStreamer)$" - "keepaspectratio, class: ^(GStreamer)$" + # Airplay + "move ${right} 10%, class: ^(GStreamer)$" + "size 21% 80%, class: ^(GStreamer)$" + "pin, class: ^(GStreamer)$" + "float, class: ^(GStreamer)$" + "opacity 1.0 override 1.0 override, class: ^(GStreamer)$" + "noblur, class: ^(GStreamer)$" + "animation slide right 20%, class: ^(GStreamer)$" + "keepaspectratio, class: ^(GStreamer)$" - # Bluetooth - "float, class: ^(blueberry.py)$" - "pin, class: ^(blueberry.py)$" - "animation slide top 20%, class: ^(blueberry.py)$" + # Bluetooth + "float, class: ^(blueberry.py)$" + "pin, class: ^(blueberry.py)$" + "animation slide top 20%, class: ^(blueberry.py)$" - # Steam - "workspace: 7 silent, class: ^(steam)$" - "workspace: unset, class: ^(steam)$, floating: 1" + # Steam + "workspace 7 silent, class: ^(steam)$" + "workspace unset, class: ^(steam)$, floating: 1" - # steam game - "workspace: 7 silent, class: ^(steam_app_)(.*)" + # steam game + "workspace 7 silent, class: ^(steam_app_)(.*)" - # Line - "workspace: 2, initialTitle: ^(LINE)$" - "float, initialTitle: ^(LINE)$" + # VLC + "workspace 3, initialClass: ^(vlc), floating: 0" - # VLC - "workspace: 3, initialClass: ^(vlc), floating: 0" + # discord + "workspace 4 silent, initialClass: ^(discord), floating: 0" - # discord - "workspace: 4 silent, initialClass: ^(discord), floating: 0" + # Davinci resolve + "center 1, initialClass: ^(resolve), floating: 1" - # Davinci resolve - "center 1, initialClass: ^(resolve), floating: 1" + # Disable Tansparent + "opacity 1.0 override 1.0 override, tag:${notransTag}" + "noblur, tag: ^(${notransTag})$" + ]; - # Disable Tansparent - "opacity 1.0 override 1.0 override, tag:${notransTag}" - "noblur, tag: ^(${notransTag})$" - ]; - - layerrule = [ - "blur, waybar" - "blur, logout_dialog" - "unset, 
rofi" - "blur, rofi" - "ignorezero, rofi" - "unset, swaync-control-center" - "unset, swaync-notification-window" - "blur, swaync-control-center" - "blur, swaync-notification-window" - "ignorezero, swaync-control-center" - "ignorezero, swaync-notification-window" - "ignorealpha 0.1, swaync-control-center" - "ignorealpha 0.1, swaync-notification-window" - ]; + layerrule = [ + "blur, waybar" + "blur, logout_dialog" + "unset, rofi" + "blur, rofi" + "ignorezero, rofi" + "unset, swaync-control-center" + "unset, swaync-notification-window" + "blur, swaync-control-center" + "blur, swaync-notification-window" + "ignorezero, swaync-control-center" + "ignorezero, swaync-notification-window" + "ignorealpha 0.1, swaync-control-center" + "ignorealpha 0.1, swaync-notification-window" + ]; + }; } diff --git a/home/user/hypr/workspace.nix b/home/user/hypr/workspace.nix index 728ca67..43d091f 100644 --- a/home/user/hypr/workspace.nix +++ b/home/user/hypr/workspace.nix @@ -1,5 +1,6 @@ -{ monitors }: +{ osConfig, ... }: let + inherit (osConfig.systemConf.hyprland) monitors; inherit (builtins) length genList @@ -14,7 +15,9 @@ let currentNum = index - (monitorNum * (index / monitorNum)); default = if index < monitorNum then "true" else "false"; in - "${toString (index + 1)}, monitor:${elemAt monitors currentNum}, default:${default}" + "${toString (index + 1)}, monitor:desc:${(elemAt monitors currentNum).desc}, default:${default}" ) workspaceNum; in -if (monitorNum > 0) then workspaceList else [ ] +{ + wayland.windowManager.hyprland.settings.workspace = if (monitorNum > 0) then workspaceList else [ ]; +} diff --git a/home/user/hyprland.nix b/home/user/hyprland.nix index e680b86..5e5abd6 100644 --- a/home/user/hyprland.nix +++ b/home/user/hyprland.nix @@ -1,16 +1,13 @@ -{ - monitors ? [ ], -}: { pkgs, lib, - config, inputs, system, osConfig, ... }: let + inherit (osConfig.systemConf.hyprland) monitors; terminal = "ghostty"; execOnceScript = pkgs.writeShellScript "hyprlandExecOnce" '' 
@@ -40,6 +37,14 @@ in sunsetr ]; + imports = [ + (import ./hypr/bind.nix { inherit mainMod; }) + ./hypr/workspace.nix + ./hypr/window.nix + ./hypr/windowrule.nix + ./hypr/input.nix + ]; + wayland.windowManager.hyprland = { enable = true; xwayland.enable = true; @@ -60,22 +65,12 @@ in settings = { "$mainMod" = mainMod; + debug = { disable_logs = true; }; - bind = ( - import ./hypr/bind.nix { - inherit - mainMod - pkgs - monitors - config - lib - ; - nvidia-offload-enabled = osConfig.hardware.nvidia.prime.offload.enableOffloadCmd; - } - ); + ecosystem.no_update_news = true; bindm = [ # Move/resize windows with mainMod + LMB/RMB and dragging @@ -102,7 +97,8 @@ in monitor = [ ", prefered, 0x0, 1" - ]; + ] + ++ (map (x: "desc:${x.desc},${x.props}") osConfig.systemConf.hyprland.monitors); plugin = { hyprwinrap = { @@ -128,16 +124,12 @@ in ''GDK_PIXBUF_MODULE_FILE, ${pkgs.librsvg}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache'' ]; - workspace = (import ./hypr/workspace.nix { inherit monitors; }); misc = { disable_hyprland_logo = true; force_default_wallpaper = 0; disable_splash_rendering = true; }; - } - // (import ./hypr/window.nix { inherit lib; }) - // (import ./hypr/windowrule.nix) - // (import ./hypr/input.nix); + }; }; # === Swww === # @@ -161,7 +153,8 @@ in let font = "CaskaydiaCove Nerd Font"; font2 = "SF Pro Display Bold"; - mainMonitor = if ((builtins.length monitors) > 0) then builtins.elemAt monitors 0 else ""; + mainMonitor = + if ((builtins.length monitors) > 0) then "desc:${(builtins.elemAt monitors 0).desc}" else ""; in { background = { @@ -270,7 +263,6 @@ in valign = "center"; } ]; - }; }; @@ -546,10 +538,10 @@ in # === rofi === # programs.rofi = { enable = true; - package = pkgs.rofi-wayland; + package = pkgs.rofi; plugins = with pkgs; [ - rofi-emoji-wayland - (rofi-calc.override { rofi-unwrapped = rofi-wayland-unwrapped; }) + rofi-emoji + rofi-calc ]; }; diff --git a/options/default.nix b/options/default.nix new file mode 100644 index 0000000..de7b84b 
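Review bot: `(import ./hypr/bind.nix { inherit mainMod; })` passes only `mainMod`, whereas the removed `bind = import ./hypr/bind.nix { … }` call (in the `@@ -60,22 +65,12 @@` hunk) also supplied `pkgs`, `monitors`, `config`, `lib` and `nvidia-offload-enabled = osConfig.hardware.nvidia.prime.offload.enableOffloadCmd`, and `bind.nix` itself is not part of this diff. If it still declares those parameters without a trailing `...` the evaluation fails loudly, which is fine; the case worth checking is a `bind.nix` that now computes the offload prefix some other way, since a key binding that silently stops wrapping launches in the NVIDIA offload command is easy to miss. A short comment at the import, e.g. `# bind.nix takes pkgs/lib/osConfig from module args; only mainMod is passed explicitly`, would record the new contract.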
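Review bot: `debug = { disable_logs = true; };` turns off Hyprland's log output, which is presumably the first artefact one reaches for after a compositor crash or when checking what an `exec`/`exec-once` entry actually launched, and the new line carries no reason for doing so. On a personal machine that is a defensible trade-off, but it deserves a why-comment such as `# logs disabled: <reason>`; alternatively keep logging and rely on the runtime directory being cleared at logout, which already bounds retention. `ecosystem.no_update_news = true;` is harmless but the same one-line note would spare a later reader wondering why update notices never appear.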
--- /dev/null +++ b/options/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./systemconf.nix + ]; +} diff --git a/options/systemconf.nix b/options/systemconf.nix new file mode 100644 index 0000000..9a58703 --- /dev/null +++ b/options/systemconf.nix 
@@ -0,0 +1,129 @@ +{ + inputs, + system, + config, + helper, + lib, + ... +}: +let + inherit (lib) + mkOption + mkEnableOption + types + mkIf + optionals + ; + + stateVersion = "25.05"; + + cfg = config.systemConf; + monitorType = + with types; + submodule { + options = { + desc = mkOption { + type = str; + description = "Hyprland monitor description"; + example = "ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271"; + }; + output = mkOption { + type = str; + description = "Hyprland monitor output"; + example = "DP-6"; + }; + props = mkOption { + type = str; + description = "Hyprland monitor properties"; + default = "prefered, 0x0, 1"; + example = "2560x1440@180, -1440x-600, 1, transform, 1"; + }; + }; + }; +in +{ + options.systemConf = { + hostname = mkOption { + type = types.str; + description = "Hostname for system"; + }; + + domain = mkOption { + type = types.str; + default = "local"; + description = ''Domain for system''; + }; + + username = mkOption { + type = types.str; + description = "Main username"; + }; + + hyprland = { + enable = (mkEnableOption "Enable hyprland") // { + default = false; + }; + monitors = mkOption { + type = with types; listOf monitorType; + default = [ ]; + example = [ + { + desc = "ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271"; + output = "DP-6"; + props = "2560x1440@165, 0x0, 1"; + } + ]; + description = "Monitors used for hyprland and waybar"; + }; + }; + + enableHomeManager = (mkEnableOption "Home manager") // { + default = true; + }; + + nvidia = { + enable = true; + }; + }; + + config = { + # ==== System ==== # + networking = { + inherit (cfg) domain; + hostName = cfg.hostname; + }; + environment.systemPackages = [ + inputs.attic.packages.${system}.attic + ]; + system.stateVersion = stateVersion; + + # ==== Home Manager ==== # + home-manager = mkIf cfg.enableHomeManager { + backupFileExtension = "backup-hm"; + useUserPackages = true; + useGlobalPkgs = true; + extraSpecialArgs = { + inherit helper inputs system; + inherit (cfg) 
username; + }; + users."${cfg.username}" = { + imports = [ + inputs.hyprland.homeManagerModules.default + inputs.caelestia-shell.homeManagerModules.default + inputs.zen-browser.homeManagerModules.${system}.default + inputs.nvf.homeManagerModules.default + { + home = { + homeDirectory = "/home/${cfg.username}"; + stateVersion = stateVersion; + }; + programs.home-manager.enable = true; + } + ] + ++ (optionals cfg.hyprland.enable [ + ../home/user/hyprland.nix + ]); + }; + }; + }; +} diff --git a/pkgs/options/dovecot.nix b/pkgs/options/dovecot.nix deleted file mode 100644 index 6c55db8..0000000 --- a/pkgs/options/dovecot.nix +++ /dev/null 
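Review bot: `nvidia = { enable = true; };` sits inside `options.systemConf` but is a plain attribute set rather than an option declaration, so the module system will reject it (a bare `true` where an `mkOption` result is expected) and nothing under `config` can consume it; declare it as `nvidia.enable = mkEnableOption "nvidia";` and set the value per host. Centralising `stateVersion = "25.05"` for both `system.stateVersion` and every user's `home.stateVersion` warrants a caveat comment: the value is meant to be frozen per installation, and bumping this one constant later silently changes stateful defaults (service data layouts, database formats) on every host at once. Minor: `(mkEnableOption "Enable hyprland") // { default = false; }` already defaults to false and renders as "Whether to enable Enable hyprland", so `mkEnableOption "hyprland"` is equivalent and cleaner, and `homeDirectory = "/home/${cfg.username}"` could read `config.users.users.${cfg.username}.home` so the two cannot drift.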
@@ -1,868 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: - -let - inherit (lib) - attrValues - concatMapStringsSep - concatStrings - concatStringsSep - flatten - imap1 - literalExpression - mapAttrsToList - mkEnableOption - mkIf - mkOption - optional - optionalAttrs - optionalString - singleton - types - nameValuePair - mapAttrs' - listToAttrs - filter - ; - inherit (lib.strings) match hasPrefix; - - cfg = config.services.dovecot; - dovecotPkg = pkgs.dovecot; - - pversion = dovecotPkg.version; - isVersion24 = hasPrefix "2.4" pversion; - - baseDir = "/run/dovecot"; - stateDir = "/var/lib/dovecot"; - - sieveScriptSettings = mapAttrs' ( - to: _: nameValuePair "sieve_${to}" "${stateDir}/sieve/${to}" - ) cfg.sieve.scripts; - imapSieveMailboxSettings = listToAttrs ( - flatten ( - imap1 ( - idx: el: - singleton { - name = "imapsieve_mailbox${toString idx}_name"; - value = el.name; - } - ++ optional (el.from != null) { - name = "imapsieve_mailbox${toString idx}_from"; - value = el.from; - } - ++ optional (el.causes != [ ]) { - name = "imapsieve_mailbox${toString idx}_causes"; - value = concatStringsSep "," el.causes; - } - ++ optional (el.before != null) { - name = "imapsieve_mailbox${toString idx}_before"; - value = "file:${stateDir}/imapsieve/before/${baseNameOf el.before}"; - } - ++ optional (el.after != null) { - name = "imapsieve_mailbox${toString idx}_after"; - value = "file:${stateDir}/imapsieve/after/${baseNameOf el.after}"; - } - ) cfg.imapsieve.mailbox - ) - ); - - mkExtraConfigCollisionWarning = term: '' - You referred to ${term} in `services.dovecot.extraConfig`. - - Due to gradual transition to structured configuration for plugin configuration, it is possible - this will cause your plugin configuration to be ignored. - - Consider setting `services.dovecot.pluginSettings.${term}` instead. - ''; - - # Those settings are automatically set based on other parts - # of this module. 
- automaticallySetPluginSettings = [ - "sieve_plugins" - "sieve_extensions" - "sieve_global_extensions" - "sieve_pipe_bin_dir" - ] - ++ (builtins.attrNames sieveScriptSettings) - ++ (builtins.attrNames imapSieveMailboxSettings); - - # The idea is to match everything that looks like `$term =` - # but not `# $term something something` - # or `# $term = some value` because those are comments. - configContainsSetting = lines: term: (match "[[:blank:]]*${term}[[:blank:]]*=.*" lines) != null; - - warnAboutExtraConfigCollisions = map mkExtraConfigCollisionWarning ( - filter (configContainsSetting cfg.extraConfig) automaticallySetPluginSettings - ); - - sievePipeBinScriptDirectory = pkgs.linkFarm "sieve-pipe-bins" ( - map (el: { - name = builtins.unsafeDiscardStringContext (baseNameOf el); - path = el; - }) cfg.sieve.pipeBins - ); - - dovecotConf = concatStrings [ - (optionalString isVersion24 '' - dovecot_config_version = ${pversion} - dovecot_storage_version = ${pversion} - '') - - '' - base_dir = ${baseDir} - protocols = ${(concatStringsSep " " cfg.protocols)} - sendmail_path = /run/wrappers/bin/sendmail - mail_plugin_dir = /run/current-system/sw/lib/dovecot/modules - # defining mail_plugins must be done before the first protocol {} filter because of https://doc.dovecot.org/configuration_manual/config_file/config_file_syntax/#variable-expansion - mail_plugins = ${concatStringsSep " " cfg.mailPlugins.globally.enable} - '' - - (concatStringsSep "\n" ( - mapAttrsToList (protocol: plugins: '' - protocol ${protocol} { - mail_plugins = $mail_plugins ${concatStringsSep " " plugins.enable} - } - '') cfg.mailPlugins.perProtocol - )) - - ( - if cfg.sslServerCert == null then - '' - ssl = no - auth_allow_cleartext = yes - '' - else - '' - ssl_server_cert_file = ${cfg.sslServerCert} - ssl_server_key_file = ${cfg.sslServerKey} - ${optionalString (cfg.sslCACert != null) ("ssl_server_ca_file = " + cfg.sslCACert)} - ${optionalString cfg.enableDHE ''ssl_server_dh_file = 
${config.security.dhparams.params.dovecot.path}''} - auth_allow_cleartext = no - '' - ) - - '' - default_internal_user = ${cfg.user} - default_internal_group = ${cfg.group} - ${optionalString (cfg.mailUser != null) "mail_uid = ${cfg.mailUser}"} - ${optionalString (cfg.mailGroup != null) "mail_gid = ${cfg.mailGroup}"} - - - mail_driver = maildir - mail_path = ${cfg.mailLocation} - mail_inbox_path = ${cfg.mailLocation}/.INBOX - - maildir_copy_with_hardlinks = yes - ${ - if isVersion24 then - '' - pop3_uidl_format = %{uidvalidity | hex(8)}%{user | hex(8)} - '' - else - '' - pop3_uidl_format = %08Xv%08Xu - '' - } - - auth_mechanisms = plain login - - service auth { - user = root - } - '' - - (optionalString cfg.enablePAM '' - userdb passwd { - } - - passdb pam { - session = yes - service_name = dovecot - ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} - } - '') - - (optionalString (cfg.mailboxes != { }) '' - namespace inbox { - inbox=yes - ${concatStringsSep "\n" (map mailboxConfig (attrValues cfg.mailboxes))} - } - '') - - (optionalString cfg.enableQuota '' - service quota-status { - executable = ${dovecotPkg}/libexec/dovecot/quota-status -p postfix - inet_listener quota { - port ${cfg.quotaPort} - } - client_limit = 1 - } - - quota "User quota" { - driver = count - - storage = { - size = ${cfg.quotaGlobalPerUser} - grace = 10M - } - - status { - success = DUNNO - nouser = DUNNO - overquota = "552 5.2.2 Mailbox is full" - } - } - '') - - # General plugin settings: - # - sieve is mostly generated here, refer to `pluginSettings` to follow - # the control flow. 
- '' - ${concatStringsSep "\n" ( - mapAttrsToList ( - key: value: - if (key == "sieve_extensions") then - '' - ${key} { - ${value} - } - '' - else - "${key} = ${value}" - ) cfg.pluginSettings - )} - '' - - (optionalString cfg.enableHealthCheck ( - let - healthCheckWrapper = pkgs.writeShellScript "health-check-wrapper.sh" '' - export PATH="${pkgs.coreutils}/bin:${pkgs.gnused}/bin:$PATH" - ${pkgs.dovecot}/libexec/dovecot/health-check.sh - ''; - in - '' - service health-check { - executable = script -p ${healthCheckWrapper} - inet_listener health-check { - port = ${toString cfg.healthCheckPort} - } - } - '' - )) - - cfg.extraConfig - ]; - - mailboxConfig = - mailbox: - '' - mailbox "${mailbox.name}" { - auto = ${toString mailbox.auto} - '' - + optionalString (mailbox.autoexpunge != null) '' - autoexpunge = ${mailbox.autoexpunge} - '' - + optionalString (mailbox.specialUse != null) '' - special_use = \${toString mailbox.specialUse} - '' - + "}"; - - mailboxes = - { name, ... }: - { - options = { - name = mkOption { - type = types.strMatching ''[^"]+''; - example = "Spam"; - default = name; - readOnly = true; - description = "The name of the mailbox."; - }; - auto = mkOption { - type = types.enum [ - "no" - "create" - "subscribe" - ]; - default = "no"; - example = "subscribe"; - description = "Whether to automatically create or create and subscribe to the mailbox or not."; - }; - specialUse = mkOption { - type = types.nullOr ( - types.enum [ - "All" - "Archive" - "Drafts" - "Flagged" - "Junk" - "Sent" - "Trash" - ] - ); - default = null; - example = "Junk"; - description = "Null if no special use flag is set. Other than that every use flag mentioned in the RFC is valid."; - }; - autoexpunge = mkOption { - type = types.nullOr types.str; - default = null; - example = "60d"; - description = '' - To automatically remove all email from the mailbox which is older than the - specified time. 
- ''; - }; - }; - }; -in -{ - options.services.dovecot = { - enable = mkEnableOption "the dovecot POP3/IMAP server"; - - enablePop3 = mkEnableOption "starting the POP3 listener (when Dovecot is enabled)"; - - enableImap = mkEnableOption "starting the IMAP listener (when Dovecot is enabled)" // { - default = true; - }; - - enableLmtp = mkEnableOption "starting the LMTP listener (when Dovecot is enabled)"; - - enableHealthCheck = mkEnableOption "starting the HealthCheck listener (when Dovecot is enabled)"; - - healthCheckPort = mkOption { - type = types.int; - default = 5001; - description = "Listen port for health check service"; - }; - - protocols = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "Additional listeners to start when Dovecot is enabled."; - }; - - user = mkOption { - type = types.str; - default = "dovecot"; - description = "Dovecot user name."; - }; - - group = mkOption { - type = types.str; - default = "dovecot"; - description = "Dovecot group name."; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - example = "mail_debug = yes"; - description = "Additional entries to put verbatim into Dovecot's config file."; - }; - - mailPlugins = - let - plugins = - hint: - types.submodule { - options = { - enable = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "mail plugins to enable as a list of strings to append to the ${hint} `$mail_plugins` configuration variable"; - }; - }; - }; - in - mkOption { - type = - with types; - submodule { - options = { - globally = mkOption { - description = "Additional entries to add to the mail_plugins variable for all protocols"; - type = plugins "top-level"; - example = { - enable = [ "virtual" ]; - }; - default = { - enable = [ ]; - }; - }; - perProtocol = mkOption { - description = "Additional entries to add to the mail_plugins variable, per protocol"; - type = attrsOf (plugins "corresponding per-protocol"); - default = { }; - example = { - 
imap = [ "imap_acl" ]; - }; - }; - }; - }; - description = "Additional entries to add to the mail_plugins variable, globally and per protocol"; - example = { - globally.enable = [ "acl" ]; - perProtocol.imap.enable = [ "imap_acl" ]; - }; - default = { - globally.enable = [ ]; - perProtocol = { }; - }; - }; - - configFile = mkOption { - type = types.nullOr types.path; - default = null; - description = "Config file used for the whole dovecot configuration."; - apply = v: if v != null then v else pkgs.writeText "dovecot.conf" dovecotConf; - }; - - mailLocation = mkOption { - type = types.str; - default = "/var/spool/mail/%{user}"; # Same as inbox, as postfix - example = "~/mail"; - description = '' - Location that dovecot will use for mail folders. Dovecot mail_location option. - ''; - }; - - mailUser = mkOption { - type = types.nullOr types.str; - default = null; - description = "Default user to store mail for virtual users."; - }; - - mailGroup = mkOption { - type = types.nullOr types.str; - default = null; - description = "Default group to store mail for virtual users."; - }; - - createMailUser = - mkEnableOption '' - automatically creating the user - given in {option}`services.dovecot.user` and the group - given in {option}`services.dovecot.group`'' - // { - default = true; - }; - - sslCACert = mkOption { - type = types.nullOr types.str; - default = null; - description = "Path to the server's CA certificate key."; - }; - - sslServerCert = mkOption { - type = types.nullOr types.str; - default = null; - description = "Path to the server's public key."; - }; - - sslServerKey = mkOption { - type = types.nullOr types.str; - default = null; - description = "Path to the server's private key."; - }; - - enablePAM = mkEnableOption "creating a own Dovecot PAM service and configure PAM user logins" // { - default = true; - }; - - enableDHE = mkEnableOption "ssl_dh and generation of primes for the key exchange" // { - default = true; - }; - - showPAMFailure = mkEnableOption 
"showing the PAM failure message on authentication error (useful for OTPW)"; - - mailboxes = mkOption { - type = - with types; - coercedTo (listOf unspecified) ( - list: - listToAttrs ( - map (entry: { - name = entry.name; - value = removeAttrs entry [ "name" ]; - }) list - ) - ) (attrsOf (submodule mailboxes)); - default = { }; - example = literalExpression '' - { - Spam = { specialUse = "Junk"; auto = "create"; }; - } - ''; - description = "Configure mailboxes and auto create or subscribe them."; - }; - - enableQuota = mkEnableOption "the dovecot quota service"; - - quotaPort = mkOption { - type = types.str; - default = "12340"; - description = '' - The Port the dovecot quota service binds to. - If using postfix, add check_policy_service inet:localhost:12340 to your smtpd_recipient_restrictions in your postfix config. - ''; - }; - quotaGlobalPerUser = mkOption { - type = types.str; - default = "100G"; - example = "10G"; - description = "Quota limit for the user in bytes. Supports suffixes b, k, M, G, T and %."; - }; - - pluginSettings = mkOption { - # types.str does not coerce from packages, like `sievePipeBinScriptDirectory`. - type = types.attrsOf ( - types.oneOf [ - types.str - types.package - ] - ); - default = { }; - example = literalExpression '' - { - sieve = "file:~/sieve;active=~/.dovecot.sieve"; - } - ''; - description = '' - Plugin settings for dovecot in general, e.g. `sieve`, `sieve_default`, etc. - - Some of the other knobs of this module will influence by default the plugin settings, but you - can still override any plugin settings. - - If you override a plugin setting, its value is cleared and you have to copy over the defaults. - ''; - }; - - imapsieve.mailbox = mkOption { - default = [ ]; - description = "Configure Sieve filtering rules on IMAP actions"; - type = types.listOf ( - types.submodule ( - { config, ... 
}: - { - options = { - name = mkOption { - description = '' - This setting configures the name of a mailbox for which administrator scripts are configured. - - The settings defined hereafter with matching sequence numbers apply to the mailbox named by this setting. - - This setting supports wildcards with a syntax compatible with the IMAP LIST command, meaning that this setting can apply to multiple or even all ("*") mailboxes. - ''; - example = "Junk"; - type = types.str; - }; - - from = mkOption { - default = null; - description = '' - Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot.imapsieve.mailbox..name when the message originates from the indicated mailbox. - - This setting supports wildcards with a syntax compatible with the IMAP LIST command, meaning that this setting can apply to multiple or even all ("*") mailboxes. - ''; - example = "*"; - type = types.nullOr types.str; - }; - - causes = mkOption { - default = [ ]; - description = '' - Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot.imapsieve.mailbox..name when one of the listed IMAPSIEVE causes apply. - - This has no effect on the user script, which is always executed no matter the cause. - ''; - example = [ - "COPY" - "APPEND" - ]; - type = types.listOf ( - types.enum [ - "APPEND" - "COPY" - "FLAG" - ] - ); - }; - - before = mkOption { - default = null; - description = '' - When an IMAP event of interest occurs, this sieve script is executed before any user script respectively. - - This setting each specify the location of a single sieve script. The semantics of this setting is similar to sieve_before: the specified scripts form a sequence together with the user script in which the next script is only executed when an (implicit) keep action is executed. 
- ''; - example = literalExpression "./report-spam.sieve"; - type = types.nullOr types.path; - }; - - after = mkOption { - default = null; - description = '' - When an IMAP event of interest occurs, this sieve script is executed after any user script respectively. - - This setting each specify the location of a single sieve script. The semantics of this setting is similar to sieve_after: the specified scripts form a sequence together with the user script in which the next script is only executed when an (implicit) keep action is executed. - ''; - example = literalExpression "./report-spam.sieve"; - type = types.nullOr types.path; - }; - }; - } - ) - ); - }; - - sieve = { - plugins = mkOption { - default = [ ]; - example = [ "sieve_extprograms" ]; - description = "Sieve plugins to load"; - type = types.listOf types.str; - }; - - extensions = mkOption { - default = [ ]; - description = "Sieve extensions for use in user scripts"; - example = [ - "notify" - "imapflags" - "vnd.dovecot.filter" - ]; - type = types.listOf types.str; - }; - - globalExtensions = mkOption { - default = [ ]; - example = [ "vnd.dovecot.environment" ]; - description = "Sieve extensions for use in global scripts"; - type = types.listOf types.str; - }; - - scripts = mkOption { - type = types.attrsOf types.path; - default = { }; - description = "Sieve scripts to be executed. Key is a sequence, e.g. 
'before2', 'after' etc."; - }; - - pipeBins = mkOption { - default = [ ]; - example = literalExpression '' - map lib.getExe [ - (pkgs.writeShellScriptBin "learn-ham.sh" "exec ''${pkgs.rspamd}/bin/rspamc learn_ham") - (pkgs.writeShellScriptBin "learn-spam.sh" "exec ''${pkgs.rspamd}/bin/rspamc learn_spam") - ] - ''; - description = "Programs available for use by the vnd.dovecot.pipe extension"; - type = types.listOf types.path; - }; - }; - }; - - config = mkIf cfg.enable { - security.pam.services.dovecot = mkIf cfg.enablePAM { }; - - security.dhparams = mkIf (cfg.sslServerCert != null && cfg.enableDHE) { - enable = true; - params.dovecot = { }; - }; - - services.dovecot = { - protocols = - optional cfg.enableImap "imap" ++ optional cfg.enablePop3 "pop3" ++ optional cfg.enableLmtp "lmtp"; - - mailPlugins = mkIf cfg.enableQuota { - globally.enable = [ "quota" ]; - perProtocol.imap.enable = [ "imap_quota" ]; - }; - - sieve.plugins = - optional (cfg.imapsieve.mailbox != [ ]) "sieve_imapsieve" - ++ optional (cfg.sieve.pipeBins != [ ]) "sieve_extprograms"; - - sieve.globalExtensions = optional (cfg.sieve.pipeBins != [ ]) "vnd.dovecot.pipe"; - - pluginSettings = lib.mapAttrs (n: lib.mkDefault) ( - { - # sieve_plugins = concatStringsSep " " cfg.sieve.plugins; - # sieve_extensions = concatMapStrings (p: p + " = yes\n") cfg.sieve.extensions; - # sieve_global_extensions = concatStringsSep " " (map (el: "+${el}") cfg.sieve.globalExtensions); - # sieve_pipe_bin_dir = sievePipeBinScriptDirectory; - } - // sieveScriptSettings - // imapSieveMailboxSettings - ); - }; - - users.users = { - dovenull = { - uid = config.ids.uids.dovenull2; - description = "Dovecot user for untrusted logins"; - group = "dovenull"; - }; - } - // optionalAttrs (cfg.user == "dovecot") { - dovecot = { - uid = config.ids.uids.dovecot; - description = "Dovecot user"; - group = cfg.group; - }; - } - // optionalAttrs (cfg.createMailUser && cfg.mailUser != null) { - ${cfg.mailUser} = { - description = "Virtual 
Mail User"; - isSystemUser = true; - } - // optionalAttrs (cfg.mailGroup != null) { group = cfg.mailGroup; }; - }; - - users.groups = { - dovenull.gid = config.ids.gids.dovenull2; - } - // optionalAttrs (cfg.group == "dovecot") { - dovecot.gid = config.ids.gids.dovecot; - } - // optionalAttrs (cfg.createMailUser && cfg.mailGroup != null) { - ${cfg.mailGroup} = { }; - }; - - environment.etc."dovecot/dovecot.conf".source = cfg.configFile; - - systemd.services.dovecot = { - description = "Dovecot IMAP/POP3 server"; - documentation = [ - "man:dovecot(1)" - "https://doc.dovecot.org" - ]; - - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ cfg.configFile ]; - - startLimitIntervalSec = 60; # 1 min - serviceConfig = { - Type = "notify"; - ExecStart = "${dovecotPkg}/sbin/dovecot -F"; - ExecReload = "${dovecotPkg}/sbin/doveadm reload"; - - CapabilityBoundingSet = [ - "CAP_CHOWN" - "CAP_DAC_OVERRIDE" - "CAP_FOWNER" - "CAP_KILL" # Required for child process management - "CAP_NET_BIND_SERVICE" - "CAP_SETGID" - "CAP_SETUID" - "CAP_SYS_CHROOT" - "CAP_SYS_RESOURCE" - ]; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = false; # e.g for sendmail - OOMPolicy = "continue"; - PrivateTmp = true; - ProcSubset = "pid"; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = lib.mkDefault false; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "full"; - PrivateDevices = true; - Restart = "on-failure"; - RestartSec = "1s"; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" # e.g. 
getifaddrs in sieve handling - "AF_UNIX" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = false; # sets sgid on maildirs - RuntimeDirectory = [ "dovecot" ]; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service @resources" - "~@privileged" - "@chown @setuid capset chroot" - ]; - }; - - # When copying sieve scripts preserve the original time stamp - # (should be 0) so that the compiled sieve script is newer than - # the source file and Dovecot won't try to compile it. - preStart = '' - rm -rf ${stateDir}/sieve ${stateDir}/imapsieve - '' - + optionalString (cfg.sieve.scripts != { }) '' - mkdir -p ${stateDir}/sieve - ${concatStringsSep "\n" ( - mapAttrsToList (to: from: '' - if [ -d '${from}' ]; then - mkdir '${stateDir}/sieve/${to}' - cp -p "${from}/"*.sieve '${stateDir}/sieve/${to}' - else - cp -p '${from}' '${stateDir}/sieve/${to}' - fi - ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}' - '') cfg.sieve.scripts - )} - chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve' - '' - + optionalString (cfg.imapsieve.mailbox != [ ]) '' - mkdir -p ${stateDir}/imapsieve/{before,after} - - ${concatMapStringsSep "\n" ( - el: - optionalString (el.before != null) '' - cp -p ${el.before} ${stateDir}/imapsieve/before/${baseNameOf el.before} - ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/imapsieve/before/${baseNameOf el.before}' - '' - + optionalString (el.after != null) '' - cp -p ${el.after} ${stateDir}/imapsieve/after/${baseNameOf el.after} - ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/imapsieve/after/${baseNameOf el.after}' - '' - ) cfg.imapsieve.mailbox} - - ${optionalString ( - cfg.mailUser != null && cfg.mailGroup != null - ) "chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/imapsieve'"} - ''; - }; - - environment.systemPackages = [ dovecotPkg ]; - - warnings = warnAboutExtraConfigCollisions; - - assertions = [ - { - assertion = - (cfg.sslServerCert == null) == 
(cfg.sslServerKey == null) - && (cfg.sslCACert != null -> !(cfg.sslServerCert == null || cfg.sslServerKey == null)); - message = "dovecot needs both sslServerCert and sslServerKey defined for working crypto"; - } - { - assertion = cfg.showPAMFailure -> cfg.enablePAM; - message = "dovecot is configured with showPAMFailure while enablePAM is disabled"; - } - { - assertion = cfg.sieve.scripts != { } -> (cfg.mailUser != null && cfg.mailGroup != null); - message = "dovecot requires mailUser and mailGroup to be set when `sieve.scripts` is set"; - } - ]; - - }; - - meta.maintainers = [ lib.maintainers.dblsaiko ]; -} diff --git a/pkgs/overlays/dovecot.nix b/pkgs/overlays/dovecot.nix deleted file mode 100644 index 06abfa3..0000000 --- a/pkgs/overlays/dovecot.nix +++ /dev/null @@ -1,34 +0,0 @@ -final: prev: { - dovecot = prev.dovecot.overrideAttrs (oldAttrs: rec { - version = "2.4.0"; - - src = prev.fetchurl { - url = "https://dovecot.org/releases/${prev.lib.versions.majorMinor version}/${oldAttrs.pname}-${version}.tar.gz"; - hash = "sha256-6Q5J+MMbCaUIJJpP7oYF+qZf4yCBm/ytryUkEmJT1a4="; - }; - - # Dovecot 2.4 Not need this patch anymore - patches = builtins.filter ( - patch: (!(prev.lib.hasInfix "Support-openssl-3.0.patch" (toString patch))) - ) oldAttrs.patches; - - # Dovecot 2.4 Not need this patch anymore - postPatch = - prev.lib.replaceStrings - [ - # bash - '' - # DES-encrypted passwords are not supported by NixPkgs anymore - sed '/test_password_scheme("CRYPT"/d' -i src/auth/test-libpassword.c - '' - ] - [ - # bash - '' - # DES-encrypted passwords are not supported by NixPkgs anymore - sed '/test_password_scheme("CRYPT"/d' -i src/lib-auth/test-password-scheme.c - '' - ] - oldAttrs.postPatch; - }); -} diff --git a/system/dev/ahlap/default.nix b/system/dev/ahlap/default.nix deleted file mode 100644 index f41f46b..0000000 --- a/system/dev/ahlap/default.nix +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - username, - config, - lib, - pkgs, - ... -}: -let - faceIcon = pkgs.fetchurl { - url = "https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRwExkFtlGxRWflUTcPCfneHSC8E0WuIWNbvkQ4-5_R8x4BXCYx"; - hash = "sha256-OXP3iv7JOz/uhw4P90m54yY5j79gDBBVdoySFZmYAZY="; - }; - - monitors = [ - ]; -in -{ - imports = [ - ./hardware-configuration.nix - ../../modules/presets/basic.nix - - # Nvidia GPU Driver - (import ../../modules/nvidia.nix { - nvidia-mode = "offload"; - intel-bus-id = "PCI:0:2:0"; - nvidia-bus-id = "PCI:59:0:0"; - }) - - ./boot.nix # Extra Boot Options - ../../modules/gaming.nix - ../../modules/wine.nix - ../../modules/localsend.nix - (import ../../modules/airplay.nix { hostname = config.networking.hostName; }) - # (import ../../modules/virtualization.nix { inherit username; }) - # ../../modules/wireguard.nix - ]; - - home-manager = { - users."${username}" = { - imports = [ - ../../../home/presets/basic.nix - - { - home.file.".face" = { - source = lib.mkForce faceIcon; - }; - } - - # Hyprland - (import ../../../home/user/hyprland.nix { inherit monitors; }) - { - wayland.windowManager.hyprland = { - settings = { - input = { - kb_options = lib.mkForce [ ]; - }; - }; - }; - } - - (import ../../../home/user/waybar.nix { - settings = [ - # monitor 1 - { - output = "eDP-1"; - modules-left = [ - "custom/os" - "hyprland/workspaces" - "clock" - "custom/cava" - "mpris" - ]; - modules-right = ( - [ - "wlr/taskbar" - ] - ++ ( - if config.programs.gamemode.enable then - [ - "custom/gamemode" - ] - else - [ ] - ) - ++ [ - # "custom/bitwarden" - "custom/airplay" - "custom/wallRand" - "custom/recording" - "idle_inhibitor" - "network" - "cpu" - "memory" - "pulseaudio" - "custom/swaync" - ] - ); - } - ]; - }) - - # Git - (import ../../../home/user/git.nix { - inherit username; - email = "skyblocksians@gmail.com"; - }) - ]; - }; - }; - - users.users."${username}".openssh.authorizedKeys.keys = [ - ]; -} 
diff --git a/system/dev/dn-lap/boot.nix b/system/dev/dn-lap/common/boot.nix similarity index 100% rename from system/dev/dn-lap/boot.nix rename to system/dev/dn-lap/common/boot.nix diff --git a/system/dev/dn-lap/common/default.nix b/system/dev/dn-lap/common/default.nix new file mode 100644 index 0000000..801a109 --- /dev/null +++ b/system/dev/dn-lap/common/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./boot.nix + ./hardware-configuration.nix + ]; +} diff --git a/system/dev/dn-lap/hardware-configuration.nix b/system/dev/dn-lap/common/hardware-configuration.nix similarity index 100% rename from system/dev/dn-lap/hardware-configuration.nix rename to system/dev/dn-lap/common/hardware-configuration.nix diff --git a/system/dev/dn-lap/default.nix b/system/dev/dn-lap/default.nix index 1ae7d00..6fa9b2b 100644 --- a/system/dev/dn-lap/default.nix +++ b/system/dev/dn-lap/default.nix 
@@ -1,87 +1,39 @@ +{ hostname }: { - username, config, ... }: let - monitors = [ - ''desc:LG Display 0x0665'' - ]; + username = "danny"; in { - imports = [ - ./hardware-configuration.nix - ./boot.nix - ./sops-conf.nix - ../../modules/printer.nix - ../../modules/presets/basic.nix - ../../modules/gaming.nix - ../../modules/virtualization.nix - ../../modules/wine.nix - ../../modules/wireguard.nix - (import ../../modules/airplay.nix { }) - # ../../modules/battery-life.nix - ]; - - home-manager = { - users."${username}" = { - imports = [ - ../../../home/presets/basic.nix - (import ../../../home/user/bitwarden.nix { - email = "danny@dn-server.net.dn"; - baseUrl = "https://bitwarden.net.dn"; - }) - - # Hyprland - (import ../../../home/user/hyprland.nix { inherit monitors; }) + systemConf = { + inherit hostname username; + domain = "net.dn"; + hyprland = { + enable = true; + monitors = [ { - wayland.windowManager.hyprland = { - settings = { - monitor = [ - ''desc:LG Display 0x0665, preferred, 0x0, 1.25'' - ]; - }; - }; - + desc = "LG Display 0x0665"; + output = "eDP-1"; + props = "preferred, 0x0, 1.25"; } - - # waybar - (import ../../../home/user/waybar.nix { - settings = [ - { - output = "eDP-1"; - height = 46; - modules-left = [ - "custom/os" - "hyprland/workspaces" - "clock" - "mpris" - ]; - modules-right = [ - "wlr/taskbar" - "temperature" - "custom/wallRand" - "custom/wireguard" - "custom/recording" - "idle_inhibitor" - "network" - "pulseaudio" - "battery" - "custom/swaync" - ]; - } - ]; - }) - - # Git - (import ../../../home/user/git.nix { - inherit username; - email = "danny10132024@gmail.com"; - }) ]; }; }; + imports = [ + ../../modules/presets/basic.nix + ./common + ./games + ./home + ./office + ./services + ./sops + ./utility + ./virtualisation + ]; + users.users."${username}".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn" "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn" diff --git a/system/dev/dn-lap/games/default.nix b/system/dev/dn-lap/games/default.nix new file mode 100644 index 0000000..7bf3a6e --- /dev/null +++ b/system/dev/dn-lap/games/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ../../../modules/gaming.nix + ]; +} diff --git a/system/dev/dn-lap/home/default.nix b/system/dev/dn-lap/home/default.nix new file mode 100644 index 0000000..725eda1 --- /dev/null +++ b/system/dev/dn-lap/home/default.nix @@ -0,0 +1,51 @@ +{ config, ... }: +let + inherit (config.systemConf) username; +in +{ + home-manager = { + users."${username}" = { + imports = [ + ../../../../home/presets/basic.nix + (import ../../../../home/user/bitwarden.nix { + email = "danny@dn-server.net.dn"; + baseUrl = "https://bitwarden.net.dn"; + }) + + # waybar + (import ../../../../home/user/waybar.nix { + settings = [ + { + output = "eDP-1"; + height = 46; + modules-left = [ + "custom/os" + "hyprland/workspaces" + "clock" + "mpris" + ]; + modules-right = [ + "wlr/taskbar" + "temperature" + "custom/wallRand" + "custom/wireguard" + "custom/recording" + "idle_inhibitor" + "network" + "pulseaudio" + "battery" + "custom/swaync" + ]; + } + ]; + }) + + # Git + (import ../../../../home/user/git.nix { + inherit username; + email = "danny10132024@gmail.com"; + }) + ]; + }; + }; +} diff --git a/system/dev/dn-lap/office/default.nix b/system/dev/dn-lap/office/default.nix new file mode 100644 index 0000000..e9f294a --- /dev/null +++ b/system/dev/dn-lap/office/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ../../../modules/printer.nix + ]; +} diff --git a/system/dev/dn-lap/services/default.nix b/system/dev/dn-lap/services/default.nix new file mode 100644 index 0000000..b2e5388 --- /dev/null +++ b/system/dev/dn-lap/services/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ../../../modules/wireguard.nix + ]; +} 
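Review bot: `config` is kept in the module header (`{ hostname }: { config, ... }:`) but no use of it survives in the new body, and the same header pattern in `system/dev/dn-pre7780/default.nix` later in this diff adds `self`, `inputs`, `pkgs` and `lib` with no visible use in its hunks either; drop the unused arguments or leave a comment saying why they stay. `username = "danny"` is now a hardcoded `let` binding repeated per host while `hostname` is injected, so a one-line comment such as `# username is fixed per host; hostname is passed in by the flake's host list` would make the split deliberate. The attribute set continues past the end of this hunk.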
diff --git a/system/dev/dn-lap/sops/default.nix b/system/dev/dn-lap/sops/default.nix
new file mode 100644
index 0000000..08b0fca
--- /dev/null
+++ b/system/dev/dn-lap/sops/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./sops-conf.nix
+ ];
+}
diff --git a/system/dev/dn-lap/secret.yaml b/system/dev/dn-lap/sops/secret.yaml
similarity index 52%
rename from system/dev/dn-lap/secret.yaml
rename to system/dev/dn-lap/sops/secret.yaml
index dbcddce..4767e71 100644
--- a/system/dev/dn-lap/secret.yaml
+++ b/system/dev/dn-lap/sops/secret.yaml
@@ -1,22 +1,26 @@ wireguard: conf: ENC[AES256_GCM,data:GKUlc2K+pJCZHrasZtC/ql8ojYOyIqquOa6gTD3BycvCIU62OO0X0Zi1XW858AzQokHNd3vE+m18XPk1/am5I9FBc0+vGlVctNZgcPLKYObsxF40aZU+NU+Ip1wjNP/V6t0zyt6ur7R7Si9HePhZZqDEpdyBzR2Jjl8DrfC9NiRTVQaHw1D72yjwOGZCkeY7n8PRW9wW9UkzuJNmFHDxF4nUaeP3k3fpfLFEOVyyjvy8Ba995tVWOfJgkMng57VgIr36jzMXWlkpSTB06wWEIfgVpbQpzkFyxWwA4sxhMJfp4JvO3IvzUvkGn3W14Z/SVcg5km7q5aXff9m1/Srn,iv:Oxa377J9Wufm036iFcm+RvitNiWWNPXmUrm9BwrUfBo=,tag:kM4PR/u+j1RkET2Z7FTIPA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: + - recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkczZGckdvWVdlaFFxQmox + eWM5eGtoOHIvbTlEc0RnSVN1REVMSTBXZURrCktDeUxMZUY1cHRtKzRLTDNDUU9E + aldkcFZ2a0ZzUXdOSjZWeHVPZ1FJY1UKLS0tIGZZTlk4OWtZcERXME5YNk96cmc5 + M3RPbkRxSFRXeEU5MFZxLzl4clpabDAKiCaiEKZwaCUGi6DRtzb786c8qB+EiiCn + YHrCvm5F72vAmDAozqtTjZM1Dt4yQDxPNMWKFyUzxY0TDpboGrgBHA== + -----END AGE ENCRYPTED FILE----- - recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ankwMFc5R3lRK2svRzBL - VVRUMjNRYisyRTNxM1hHeDNsbGVGT2hFUkEwCkpoVWR4MXVuWlJpZEt3eGJiYm5t - SUZubUJqSUEwNnk1K1RsWFVucmFoVEkKLS0tIFd1TitJMHNxc2xwWCtwWnJSWWhN - SnFxQ2Z0MVZ6Nm5oRy96TjFKR0Y3dEkKsT9FjBvrjUZCAx0XKb5Vj5I7VsJixdtf - LTNIAxt20mkyuddr6AaFFN8xsjz0TlwEQRgSGAmm3As2KGKohduMsQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SzNGcVFkSS93VnQyUlZw + YkM0U1BUTTF4ajY5VU5LOHpYbTBaYnBsUFZnCmx2a0R1VCtkcTUrT2VNMGRRc29H + R1hVSHNDSjlwdk1RUXZYdkpFeUFkY1EKLS0tIDdVdU92STZIN0JmK0ZPeldsYlRG + eWFnVWcrUVpRVDQveTloWk9LVm4yd28KppalVePvXwPks+2TKHqG8a+uZjpgQo3I + edhrdNan56Ly5mLFyXmGlww88nqQMTZq4DODtyfF4+rRlyv0i4AEEg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-04-22T05:44:47Z" mac: 
ENC[AES256_GCM,data:DODaAnKe5ExNhXxfOq874bXGy44A3aw+KWnpeDr3OAbocVMvM0uE55r0x9JEbMakVWiDZq0SCP2K6XiTT74hX90tmwvl8jr9HYqAqscOZ75mRfc2NmZJRWuxJj6nA0U+4/A6dm2ftSXP09rH/WjKGpLObLbpOKQledM+U5Ggzjo=,iv:WEhgMOX+L471+ZrBicoBsJAlTxLl9Nc608SPJ3p6XpY=,tag:e/eKKmy4Z8+mC9Ixg0X6+A==,type:str] - pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/system/dev/dn-lap/sops-conf.nix b/system/dev/dn-lap/sops/sops-conf.nix similarity index 100% rename from system/dev/dn-lap/sops-conf.nix rename to system/dev/dn-lap/sops/sops-conf.nix diff --git a/system/dev/dn-lap/utility/default.nix b/system/dev/dn-lap/utility/default.nix new file mode 100644 index 0000000..0b0e277 --- /dev/null +++ b/system/dev/dn-lap/utility/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + (import ../../../modules/airplay.nix { }) + ]; +} diff --git a/system/dev/dn-lap/virtualisation/default.nix b/system/dev/dn-lap/virtualisation/default.nix new file mode 100644 index 0000000..42d2c81 --- /dev/null +++ b/system/dev/dn-lap/virtualisation/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ../../../modules/virtualization.nix + ../../../modules/wine.nix + ]; +} diff --git a/system/dev/dn-pre7780/boot.nix b/system/dev/dn-pre7780/common/boot.nix similarity index 100% rename from system/dev/dn-pre7780/boot.nix rename to system/dev/dn-pre7780/common/boot.nix diff --git a/system/dev/dn-pre7780/common/default.nix b/system/dev/dn-pre7780/common/default.nix new file mode 100644 index 0000000..e7dc4f0 --- /dev/null +++ b/system/dev/dn-pre7780/common/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./boot.nix + ./nvidia.nix + ./hardware-configuration.nix + ]; +} diff --git a/system/dev/dn-pre7780/hardware-configuration.nix b/system/dev/dn-pre7780/common/hardware-configuration.nix similarity index 100% rename from system/dev/dn-pre7780/hardware-configuration.nix rename to system/dev/dn-pre7780/common/hardware-configuration.nix 
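Review bot: A second age recipient (`age1z6f643a6…`) is added to this file's key wrap, so dn-lap's `wireguard.conf` secret becomes decryptable by whichever host holds that key — presumably the `dn_server` anchor added to the dn-lap key group in `.sops.yaml` earlier in this diff. The encrypted payload and the `mac` line are unchanged context, i.e. the data key was re-wrapped (as `sops updatekeys` does) rather than rotated; that is fine when adding a recipient, but a later removal of that recipient must be paired with a rotation or the removed key can still open this version. Record why cross-host access is needed next to the key group in `.sops.yaml`, e.g. `# dn_server decrypts dn-lap's wireguard conf for <reason>` (placeholder), so the widened decryption set stays auditable.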
diff --git a/system/dev/dn-pre7780/common/nvidia.nix b/system/dev/dn-pre7780/common/nvidia.nix new file mode 100644 index 0000000..7bd12e1 --- /dev/null +++ b/system/dev/dn-pre7780/common/nvidia.nix @@ -0,0 +1,16 @@ +{ lib, config, ... }: +let + inherit (lib) mkForce; +in +{ + imports = [ + (import ../../../modules/nvidia.nix { + nvidia-mode = "offload"; + intel-bus-id = "PCI:0:2:0"; + nvidia-bus-id = "PCI:1:0:0"; + }) + ]; + + hardware.nvidia.package = mkForce config.boot.kernelPackages.nvidiaPackages.latest; + hardware.nvidia.open = mkForce true; +} diff --git a/system/dev/dn-pre7780/default.nix b/system/dev/dn-pre7780/default.nix index 6f6842f..c187b0c 100644 --- a/system/dev/dn-pre7780/default.nix +++ b/system/dev/dn-pre7780/default.nix @@ -1,19 +1,37 @@ +{ hostname }: { + self, + inputs, pkgs, - username, config, lib, ... }: let - inherit (lib) optionalString; - protonGEVersion = "10-15"; - monitors = [ - "desc:ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271" - "desc:Acer Technologies XV272U V3 1322131231233" - ]; + username = "danny"; in { + systemConf = { + inherit hostname username; + domain = "net.dn"; + enableHomeManager = true; + hyprland = { + enable = true; + monitors = [ + { + desc = "ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271"; + output = "DP-6"; + props = "2560x1440@165, 0x0, 1"; + } + { + desc = "Acer Technologies XV272U V3 1322131231233"; + output = "DP-5"; + props = "2560x1440@180, -1440x-600, 1, transform, 1"; + } + ]; + }; + }; + networking.firewall.allowedTCPPortRanges = [ { from = 8000; 
@@ -25,57 +43,15 @@ in } ]; - hardware.nvidia.package = lib.mkForce config.boot.kernelPackages.nvidiaPackages.latest; - hardware.nvidia.open = lib.mkForce true; - imports = [ - ./boot.nix # Extra Boot Options - ./sops-conf.nix # Secret - ./nginx.nix - ./mail.nix - # (import ./netbird.nix { - # domain = "pre7780.dn"; - # coturnPassFile = config.sops.secrets."netbird/coturn/password".path; - # idpSecret = config.sops.secrets."netbird/oidc/secret".path; - # dataStoreEncryptionKey = config.sops.secrets."netbird/dataStoreKey".path; - # }) - ./hardware-configuration.nix - ../../modules/presets/basic.nix - ../../modules/sunshine.nix - - # Nvidia GPU Driver - (import ../../modules/nvidia.nix { - nvidia-mode = "offload"; - intel-bus-id = "PCI:0:2:0"; - nvidia-bus-id = "PCI:1:0:0"; - }) - - ../../modules/gaming.nix - # ../../modules/secure-boot.nix - ../../modules/virtualization.nix - ../../modules/wine.nix - ../../modules/wireguard.nix - ../../modules/localsend.nix - (import ../../modules/airplay.nix { hostname = "pre7780"; }) - (import ../../modules/rustdesk-server.nix { - relayHosts = [ - "10.0.0.0/24" - "192.168.0.0/24" - ]; - }) - - (import ../../modules/nextcloud.nix { - hostname = "nextcloud.pre7780.dn"; - configureACME = true; - https = true; - adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; - trusted = [ "nextcloud.daccc.info" ]; - }) - - ../../modules/davinci-resolve.nix - ../../modules/webcam.nix - ../../modules/postgresql.nix + ./common + ./games + ./home + ./services + ./sops + ./utility + ./virtualisation ]; # Live Sync D 
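Review bot: The import list drops `nextcloud.nix`, `rustdesk-server.nix`, `sunshine.nix`, `localsend.nix`, `airplay.nix`, `davinci-resolve.nix` and `webcam.nix`, while the new `./services/default.nix` later in this diff brings back only postgresql, mail, nginx and wireguard; unless `./utility` (not shown for this host) re-adds them, those services silently disappear, and the `networking.firewall.allowedTCPPortRanges` entry starting at 8000 in the previous hunk may now be an open range with nothing listening behind it. If the retirement is intended, say so in the file, e.g. `# nextcloud/rustdesk/sunshine retired in the restructure; firewall ranges reviewed`, and prune the ranges to match. The surrounding attribute set continues beyond this hunk.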
@@ -84,151 +60,9 @@ in ensureDatabases = [ "livesyncd" ]; }; - # Power Management - services.tlp = { - enable = true; - settings = { - INTEL_GPU_MIN_FREQ_ON_AC = 500; - }; - }; - - environment.systemPackages = with pkgs; [ - rustdesk - ((blender.override { cudaSupport = true; }).overrideAttrs (prev: { - postInstall = '' - sed -i 's|Exec=blender %f|Exec=/run/current-system/sw/bin/nvidia-offload blender %f|' $out/share/applications/blender.desktop - ''; - })) + users.users.${username}.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMj/LeB3i/vca3YwGNpAjf922FgiY2svro48fUSQAjOv Shortcuts on :D" ]; - - services.openssh = { - settings = { - UseDns = false; - }; - }; - - users.users = { - ${username} = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMj/LeB3i/vca3YwGNpAjf922FgiY2svro48fUSQAjOv Shortcuts on :D" - ]; - }; - }; - - home-manager = { - users."${username}" = { - imports = [ - ../../../home/presets/basic.nix - - # Bitwarden client - (import ../../../home/user/bitwarden.nix { - email = "danny@net.dn"; - baseUrl = "https://bitwarden.net.dn"; - }) - - # waybar - (import ../../../home/user/waybar.nix { - settings = [ - # monitor 1 - { - output = "DP-6"; - height = 48; - modules-left = [ - "custom/os" - "hyprland/workspaces" - "clock" - "custom/cava" - "mpris" - ]; - modules-right = [ - "wlr/taskbar" - (optionalString config.programs.gamemode.enable "custom/gamemode") - "custom/bitwarden" - "custom/airplay" - "custom/wallRand" - "custom/wireguard" - "custom/recording" - "idle_inhibitor" - "network" - "cpu" - "memory" - 
"pulseaudio" - "custom/swaync" - ]; - } - # monitor 2 - { - output = "DP-5"; - height = 54; - modules-left = [ - "clock" - "mpris" - ]; - modules-right = [ - "wlr/taskbar" - "temperature" - "cpu" - "memory" - "pulseaudio" - ]; - } - ]; - }) - - # Hyprland - (import ../../../home/user/hyprland.nix { inherit monitors; }) - ./hyprland.nix - - # Git - (import ../../../home/user/git.nix { - inherit username; - email = "danny10132024@gmail.com"; - }) - - # (import ../../../home/user/wallpaper-engine.nix { - # monitorIdPairs = [ - # { - # monitor = "DP-6"; - # id = "3050040845"; - # } - # { - # monitor = "DP-5"; - # id = "2665674743"; - # } - # ]; - # }) - ]; - - home.file = { - # CS go - ".steam/steam/steamapps/common/Counter-Strike Global Offensive/game/csgo/cfg/autoexec.cfg".text = '' - fps_max "250" - - # Wheel Jump - bind "mwheeldown" "+jump" - bind "mwheelup" "+jump" - bind "space" "+jump" - - echo "AUTOEXEC LOADED SUCCESSFULLY!" - host_writeconfig - ''; - - # Proton GE - ".steam/root/compatibilitytools.d/GE-Proton${protonGEVersion}" = { - source = fetchTarball { - url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${protonGEVersion}/GE-Proton${protonGEVersion}.tar.gz"; - sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm"; - }; - }; - ".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = { - source = fetchTarball { - url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz"; - sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz"; - }; - }; - }; - }; - }; } diff --git a/system/dev/dn-pre7780/expr/default.nix b/system/dev/dn-pre7780/expr/default.nix new file mode 100644 index 0000000..7a7d90a --- /dev/null +++ b/system/dev/dn-pre7780/expr/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./netbird.nix + ]; +} 
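Review bot: The third authorized key is labelled only `Shortcuts on :D`, which unlike `danny@lap.dn` and `danny@phone.dn` does not identify a device or owner; the key comment is the only inventory an operator has when revoking, so name the automation it belongs to (placeholder: `danny@<device>.dn`). The removed `services.openssh.settings.UseDns = false` does not reappear on the new side anywhere visible; if you now rely on the NixOS default for it, a short comment saying so prevents a future blind re-add. The home-manager block and the Proton tarball pins move to `home/default.nix` and `games/game.nix` later in this diff.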
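Review bot: `./netbird.nix` is listed in `imports` here, but the same file is consumed in `services/netbird.nix` (later in this diff) as a function taking `domain`, `coturnPassFile`, `idpSecret` and `dataStoreEncryptionKey`; importing it directly as a module would make the module system call it with module arguments and fail on the missing parameters unless its header (outside the visible hunks) accepts them as optional. Nothing visible imports `expr/default.nix` itself, so this may be dead, but if `expr/` is meant to hold parameterised expressions rather than modules, this `default.nix` is probably unwanted — or should carry a comment such as `# expr/ holds parameterised expressions; import them via services/*.nix wrappers`.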
diff --git a/system/dev/dn-pre7780/netbird.nix b/system/dev/dn-pre7780/expr/netbird.nix similarity index 99% rename from system/dev/dn-pre7780/netbird.nix rename to system/dev/dn-pre7780/expr/netbird.nix index cbe0647..dc3b40f 100644 --- a/system/dev/dn-pre7780/netbird.nix +++ b/system/dev/dn-pre7780/expr/netbird.nix @@ -9,6 +9,7 @@ let port = 51820; in { + services.netbird = { server = { enable = true; diff --git a/system/dev/dn-pre7780/expr/vm-settings.nix b/system/dev/dn-pre7780/expr/vm-settings.nix new file mode 100644 index 0000000..7898f9c --- /dev/null +++ b/system/dev/dn-pre7780/expr/vm-settings.nix 
@@ -0,0 +1,169 @@ +{ + pkgs, + lib, + inputs, + system, +}: +let + vmList = + let + kubeMasterIP = "192.168.0.6"; + kubeMasterHostname = "api.kube"; + kubeMasterAPIServerPort = 6443; + kubeApi = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}"; + in + { + # master + vm-1 = { + ip = "192.168.0.6"; + mac = "02:00:00:00:00:01"; + extraConfig = { + networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}"; + environment.systemPackages = with pkgs; [ + kompose + kubectl + kubernetes + ]; + + services.kubernetes = { + roles = [ + "master" + "node" + ]; + + masterAddress = kubeMasterHostname; + apiserverAddress = kubeApi; + easyCerts = true; + apiserver = { + securePort = kubeMasterAPIServerPort; + advertiseAddress = kubeMasterIP; + }; + + addons.dns.enable = true; + }; + + systemd.services.link-kube-config = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.writeShellScript "link-kube-config.sh" '' + target="/etc/kubernetes/cluster-admin.kubeconfig" + if [ -e "$target" ]; then + [ ! 
-d "/root/.kube" ] && mkdir -p "/root/.kube" + ln -sf $target /root/.kube/config + fi + ''}"; + }; + }; + }; + }; + # Node + vm-2 = { + ip = "192.168.0.7"; + mac = "02:00:00:00:00:02"; + extraConfig = { + networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}"; + + environment.systemPackages = with pkgs; [ + kompose + kubectl + kubernetes + ]; + + services.kubernetes = { + roles = [ "node" ]; + masterAddress = kubeMasterHostname; + easyCerts = true; + + kubelet.kubeconfig.server = kubeApi; + apiserverAddress = kubeApi; + addons.dns.enable = true; + }; + }; + }; + }; + + mkMicrovm = name: value: { + hypervisor = "qemu"; + vcpu = 4; + mem = 8192; + interfaces = [ + { + type = "tap"; + id = "${name}"; + mac = value.mac; + } + ]; + shares = [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ]; + }; +in +lib.mapAttrs' ( + name: value: + lib.nameValuePair name ( + lib.nixosSystem { + inherit system; + modules = [ + inputs.microvm.nixosModules.microvm + value.extraConfig + { + microvm = mkMicrovm name value; + system.stateVersion = lib.trivial.release; + networking.hostName = name; + networking.domain = "kube"; + networking.firewall.enable = false; + users.users.root.password = ""; + services.getty.autologinUser = "root"; + + programs.fish.enable = true; + programs.bash = { + shellInit = '' + if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]] + then + shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION="" + exec ${pkgs.fish}/bin/fish $LOGIN_OPTION + fi + ''; + }; + + systemd.network.enable = true; + systemd.network.networks."20-lan" = { + matchConfig.Type = "ether"; + networkConfig = { + Address = [ "${value.ip}/24" ]; + Gateway = "192.168.0.1"; + DNS = [ "192.168.0.1" ]; + DHCP = "no"; + }; + }; + + systemd.services.br-netfilter = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "/run/current-system/sw/bin/modprobe 
br_netfilter"; + }; + }; + + environment.systemPackages = with pkgs; [ + dig.dnsutils + openssl + + fishPlugins.done + fishPlugins.fzf-fish + fishPlugins.forgit + fishPlugins.hydro + fzf + fishPlugins.grc + grc + git + ]; + } + ]; + } + ) +) vmList diff --git a/system/dev/dn-pre7780/expr/vm.nix b/system/dev/dn-pre7780/expr/vm.nix new file mode 100644 index 0000000..fdd9646 --- /dev/null +++ b/system/dev/dn-pre7780/expr/vm.nix @@ -0,0 +1,44 @@ +self: { + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.networks."10-lan" = { + matchConfig.Name = [ + "enp0s31f6" + "vm-*" + ]; + networkConfig = { + Bridge = "br0"; + }; + }; + + systemd.network.netdevs."br0" = { + netdevConfig = { + Name = "br0"; + Kind = "bridge"; + }; + }; + + systemd.network.networks."10-lan-bridge" = { + matchConfig.Name = "br0"; + networkConfig = { + Address = [ "192.168.0.5/24" ]; + Gateway = "192.168.0.1"; + DNS = [ "192.168.0.1" ]; + }; + + linkConfig.RequiredForOnline = "routable"; + }; + + microvm.vms = { + vm-1 = { + flake = self; + updateFlake = "git+file:///etc/nixos"; + autostart = false; + }; + vm-2 = { + flake = self; + updateFlake = "git+file:///etc/nixos"; + autostart = false; + }; + }; +} diff --git a/system/dev/dn-pre7780/games/default.nix b/system/dev/dn-pre7780/games/default.nix new file mode 100644 index 0000000..30e6300 --- /dev/null +++ b/system/dev/dn-pre7780/games/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ../../../modules/gaming.nix + ./game.nix + ]; +} diff --git a/system/dev/dn-pre7780/games/game.nix b/system/dev/dn-pre7780/games/game.nix new file mode 100644 index 0000000..372be48 --- /dev/null +++ b/system/dev/dn-pre7780/games/game.nix 
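Review bot: Every generated VM gets `users.users.root.password = ""`, `services.getty.autologinUser = "root"` and `networking.firewall.enable = false`, while its tap interface is bridged onto the LAN (`Address = [ "${value.ip}/24" ]`, gateway 192.168.0.1) and the API server advertises `192.168.0.6:6443`, so every listener inside the VM — including the kube API with `easyCerts` — is reachable from the whole subnet with no host-level filtering, and any remote login path a shared module enables would be passwordless root. Keep the firewall on and open only what the cluster needs (the `let` constants are not in scope at that point, so either hoist `kubeMasterAPIServerPort` or inline it), and prefer `users.users.root.hashedPassword` or key-based login over an empty password. If this is an isolated lab, at minimum say so where the password is set: `# lab-only: console autologin as root, firewall off; never expose these VMs beyond the home LAN`.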
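Review bot: `microvm.vms.vm-1` and `microvm.vms.vm-2` are identical attribute sets and the names must also match both the `vmList` keys in `vm-settings.nix` and the `matchConfig.Name = [ "vm-*" ]` pattern above (the tap id comes from `interfaces.id = "${name}"` in `mkMicrovm`), so a renamed VM would silently fall out of the bridge. Generating the set from one list keeps the coupling in one place: `microvm.vms = lib.genAttrs [ "vm-1" "vm-2" ] (_: { flake = self; updateFlake = "git+file:///etc/nixos"; autostart = false; });` (this file would need to take `{ lib, ... }` after `self:`). A comment like `# VM names must stay vm-* so 10-lan matches their tap interfaces` would help either way.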
@@ -0,0 +1,59 @@ +{ + pkgs, + pkgs-stable, + config, + inputs, + ... +}: +let + protonGEVersion = "10-15"; + # ==== Needed for special import ==== # + shadps4-7 = pkgs.shadps4.overrideAttrs (_: rec { + version = "0.7.0"; + src = pkgs.fetchFromGitHub { + owner = "shadps4-emu"; + repo = "shadPS4"; + rev = "v.${version}"; + hash = "sha256-g55Ob74Yhnnrsv9+fNA1+uTJ0H2nyH5UT4ITHnrGKDo="; + fetchSubmodules = true; + }; + }); +in +{ + environment.systemPackages = [ + pkgs-stable.shadps4 + ]; + + home-manager = { + users."${config.systemConf.username}" = { + home.file = { + # CS go + ".steam/steam/steamapps/common/Counter-Strike Global Offensive/game/csgo/cfg/autoexec.cfg".text = '' + fps_max "250" + + # Wheel Jump + bind "mwheeldown" "+jump" + bind "mwheelup" "+jump" + bind "space" "+jump" + + echo "AUTOEXEC LOADED SUCCESSFULLY!" + host_writeconfig + ''; + + # Proton GE + ".steam/root/compatibilitytools.d/GE-Proton${protonGEVersion}" = { + source = fetchTarball { + url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${protonGEVersion}/GE-Proton${protonGEVersion}.tar.gz"; + sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm"; + }; + }; + ".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = { + source = fetchTarball { + url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz"; + sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz"; + }; + }; + }; + }; + }; +} diff --git a/system/dev/dn-pre7780/home/default.nix b/system/dev/dn-pre7780/home/default.nix new file mode 100644 index 0000000..03e3ce9 --- /dev/null +++ b/system/dev/dn-pre7780/home/default.nix 
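Review bot: `shadps4-7` is bound in the `let` with its own `fetchFromGitHub` pin but never referenced — `environment.systemPackages` installs `pkgs-stable.shadps4` instead — and `inputs` is taken as an argument without use; a dead pin misleads about which build is actually installed, so either install `shadps4-7` or delete the binding together with the `# ==== Needed for special import ==== #` comment. The `fetchTarball` sources are fixed-output (`sha256` given), which keeps the Proton downloads reproducible; a note next to `protonGEVersion` such as `# bump the sha256 below together with this version` would save the next bump from a hash mismatch.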
@@ -0,0 +1,74 @@ +{ config, lib, ... }: +let + inherit (lib) optionalString; + inherit (config.systemConf) username; +in +{ + home-manager.users."${username}" = { + imports = [ + ../../../../home/presets/basic.nix + ./wm + + # Bitwarden client + (import ../../../../home/user/bitwarden.nix { + email = "danny@net.dn"; + baseUrl = "https://bitwarden.net.dn"; + }) + + # waybar + (import ../../../../home/user/waybar.nix { + settings = [ + # monitor 1 + { + output = "DP-6"; + height = 48; + modules-left = [ + "custom/os" + "hyprland/workspaces" + "clock" + "custom/cava" + "mpris" + ]; + modules-right = [ + "wlr/taskbar" + (optionalString config.programs.gamemode.enable "custom/gamemode") + "custom/bitwarden" + "custom/airplay" + "custom/wallRand" + "custom/wireguard" + "custom/recording" + "idle_inhibitor" + "network" + "cpu" + "memory" + "pulseaudio" + "custom/swaync" + ]; + } + # monitor 2 + { + output = "DP-5"; + height = 54; + modules-left = [ + "clock" + "mpris" + ]; + modules-right = [ + "wlr/taskbar" + "temperature" + "cpu" + "memory" + "pulseaudio" + ]; + } + ]; + }) + + # Git + (import ../../../../home/user/git.nix { + inherit username; + email = "danny10132024@gmail.com"; + }) + ]; + }; +} diff --git a/system/dev/dn-pre7780/home/wm/default.nix b/system/dev/dn-pre7780/home/wm/default.nix new file mode 100644 index 0000000..96e5300 --- /dev/null +++ b/system/dev/dn-pre7780/home/wm/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./hyprland.nix + ]; +} diff --git a/system/dev/dn-pre7780/hyprland.nix b/system/dev/dn-pre7780/home/wm/hyprland.nix similarity index 54% rename from system/dev/dn-pre7780/hyprland.nix rename to system/dev/dn-pre7780/home/wm/hyprland.nix index 42ac30d..b1c5198 100644 --- a/system/dev/dn-pre7780/hyprland.nix +++ b/system/dev/dn-pre7780/home/wm/hyprland.nix 
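Review bot: `(optionalString config.programs.gamemode.enable "custom/gamemode")` inside `modules-right` evaluates to an empty string when gamemode is disabled, so waybar receives a `""` module entry rather than no entry; `[ "wlr/taskbar" ] ++ lib.optional config.programs.gamemode.enable "custom/gamemode" ++ [ … ]` drops it cleanly, as the if/else list form in the deleted `system/dev/ahlap/default.nix` earlier in this diff did. The bitwarden `email` here is `danny@net.dn` while dn-lap's `home/default.nix` uses `danny@dn-server.net.dn` for the same `baseUrl`; if both point at one account, one of them is presumably stale.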
@@ -1,6 +1,6 @@ { pkgs, ... }: let - memeSelector = pkgs.callPackage ../../../home/scripts/memeSelector.nix { + memeSelector = pkgs.callPackage ../../../../../home/scripts/memeSelector.nix { url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/"; }; in @@ -11,10 +11,6 @@ in wayland.windowManager.hyprland = { settings = { - monitor = [ - ''desc:ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271, 2560x1440@165, 0x0, 1'' - ''desc:Acer Technologies XV272U V3 1322131231233, 2560x1440@180, -1440x-600, 1, transform, 1'' - ]; misc = { vrr = 0; }; diff --git a/system/dev/dn-pre7780/services/default.nix b/system/dev/dn-pre7780/services/default.nix new file mode 100644 index 0000000..bc1d694 --- /dev/null +++ b/system/dev/dn-pre7780/services/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + ../../../modules/postgresql.nix + ./mail.nix + ./nginx.nix + ./wireguard.nix + # ./netbird.nix + ]; +} diff --git a/system/dev/dn-pre7780/mail.nix b/system/dev/dn-pre7780/services/mail.nix similarity index 72% rename from system/dev/dn-pre7780/mail.nix rename to system/dev/dn-pre7780/services/mail.nix index 8715c15..9ed5358 100644 --- a/system/dev/dn-pre7780/mail.nix +++ b/system/dev/dn-pre7780/services/mail.nix @@ -1,4 +1,7 @@ -{ config, ... }: +{ + config, + ... +}: let domain = "daccc.info"; fqdn = "mx1.daccc.info"; @@ -6,7 +9,7 @@ in { networking.firewall.allowedTCPPorts = [ 8080 ]; imports = [ - (import ../../modules/stalwart.nix { + (import ../../../modules/stalwart.nix { inherit domain; enableNginx = false; @@ -30,9 +33,10 @@ in }; ldapConf = { type = "ldap"; - url = "ldap://10.0.0.1:389"; + url = "ldaps://ldap.net.dn"; + tls.enable = true; timeout = "30s"; - base-dn = "dc=net,dc=dn"; + base-dn = "ou=people,dc=net,dc=dn"; attributes = { name = "uid"; email = "mail"; 
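Review bot: The directory URL becomes `ldaps://ldap.net.dn` and `tls.enable = true` is set alongside it; as far as I recall Stalwart's `tls.enable` requests STARTTLS on the connection, which with an `ldaps://` URL is redundant at best, so confirm which setting the deployed Stalwart honours and keep only that one. The certificates on `ldap.net.dn` presumably come from the internal CA (`https://ca.net.dn/acme/acme/directory` in the nginx hunk), so make sure the host trust store carries that CA rather than reaching for `tls.allow-invalid-certs` later. Moving off the raw `ldap://10.0.0.1:389` is the right direction; a comment such as `# LDAPS: the admin bind secret and user lookups must not cross the LAN in clear` records the intent.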
@@ -44,28 +48,18 @@ in class = "objectClass"; }; filter = { - name = "(&(objectClass=inetOrgPerson)(uid=?))"; + name = "(&(objectClass=inetOrgPerson)(|(uid=?)(mail=?)))"; email = "(&(objectClass=inetOrgPerson)(mail=?))"; }; bind = { dn = "cn=admin,dc=net,dc=dn"; secret = "%{file:${config.sops.secrets."stalwart/ldap".path}}%"; auth = { - method = "lookup"; + method = "default"; }; }; }; - oidcConf = { - type = "oidc"; - timeout = "1s"; - endpoint.url = "https://keycloak.net.dn/realms/master/protocol/openid-connect/userinfo"; - endpoint.method = "userinfo"; - fields = { - email = "email"; - username = "preferred_username"; - full-name = "name"; - }; - }; }) ]; + } diff --git a/system/dev/dn-pre7780/services/netbird.nix b/system/dev/dn-pre7780/services/netbird.nix new file mode 100644 index 0000000..589b265 --- /dev/null +++ b/system/dev/dn-pre7780/services/netbird.nix @@ -0,0 +1,11 @@ +{ config, ... }: +{ + imports = [ + (import ../expr/netbird.nix { + domain = "pre7780.dn"; + coturnPassFile = config.sops.secrets."netbird/coturn/password".path; + idpSecret = config.sops.secrets."netbird/oidc/secret".path; + dataStoreEncryptionKey = config.sops.secrets."netbird/dataStoreKey".path; + }) + ]; +} diff --git a/system/dev/dn-pre7780/nginx.nix b/system/dev/dn-pre7780/services/nginx.nix similarity index 87% rename from system/dev/dn-pre7780/nginx.nix rename to system/dev/dn-pre7780/services/nginx.nix index 2144d9e..3ec86d5 100644 --- a/system/dev/dn-pre7780/nginx.nix +++ b/system/dev/dn-pre7780/services/nginx.nix @@ -9,9 +9,11 @@ acceptTerms = true; defaults = { validMinDays = 2; + webroot = null; server = "https://ca.net.dn/acme/acme/directory"; renewInterval = "daily"; - email = "danny@net.dn"; + email = "danny@pre7780.dn"; + dnsResolver = "10.0.0.1:53"; dnsProvider = "pdns"; dnsPropagationCheck = false; environmentFile = config.sops.secrets."acme/pdns".path; 
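Review bot: `method = "default"` replacing `lookup` changes how passwords are checked, and the commit does not say why; as I read Stalwart's LDAP docs, `lookup` binds as the user after resolving the DN, while `default` verifies the password Stalwart-side against the secret attribute fetched through the `cn=admin` bind, which means that service account must be allowed to read password hashes and Stalwart must understand the hash scheme stored in the directory. If the switch is tied to the widened name filter `(|(uid=?)(mail=?))`, a comment such as `method = "default"; # not "lookup": <reason>` would save the next reader the same guess. The enclosing `ldapConf` attrset starts before this hunk.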
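Review bot: `netbird.nix` is added, but `services/default.nix` in this same diff keeps it commented out (`# ./netbird.nix`), so nothing evaluates the file while the three `netbird/*` sops secrets it references stay declared on the host. Either import it or leave a line next to the commented entry saying why it is parked, e.g. `# ./netbird.nix  # disabled: <reason>`, so the dormant secret paths are not mistaken for a live service.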
diff --git a/system/dev/dn-pre7780/services/wireguard.nix b/system/dev/dn-pre7780/services/wireguard.nix
new file mode 100644
index 0000000..b2e5388
--- /dev/null
+++ b/system/dev/dn-pre7780/services/wireguard.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ../../../modules/wireguard.nix
+ ];
+}
diff --git a/system/dev/dn-pre7780/sops/default.nix b/system/dev/dn-pre7780/sops/default.nix
new file mode 100644
index 0000000..08b0fca
--- /dev/null
+++ b/system/dev/dn-pre7780/sops/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./sops-conf.nix
+ ];
+}
diff --git a/system/dev/dn-pre7780/secret.yaml b/system/dev/dn-pre7780/sops/secret.yaml
similarity index 77%
rename from system/dev/dn-pre7780/secret.yaml
rename to system/dev/dn-pre7780/sops/secret.yaml
index 50fd679..4d93c3b 100644
--- a/system/dev/dn-pre7780/secret.yaml
+++ b/system/dev/dn-pre7780/sops/secret.yaml
@@ -15,13 +15,17 @@ stalwart: dkimKey: ENC[AES256_GCM,data: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,iv:Q5g9kxJKEKLHge2mcgk/UnTNMDFjzeLFLNjlY8KWe60=,tag:yL03NWRK2whOxNjcR3cPyA==,type:str] ldap: ENC[AES256_GCM,data:ygOPMCNIxvWxE9dPBeKGbA==,iv:t+p1/vjEZNDTw7LcaitzYv2xCPtlf/mmQhqXT1OFKXs=,tag:uPYp259FHZu5fut+Bc9eSA==,type:str] acme: - pdns: ENC[AES256_GCM,data:+InGSnaGIFVtDRlVltzWbZfquzodHUQrPeMRBnVNB9mrajlKr5dFK6DD8dXAvN7UjZFBfrgZefOPkmLR2ncLXGOV2Kl7jorVw50Y0f0iKl7mqwHaZKaQdk7cpGDkCrt/LvfbP9x7gVrs6pQpsU+c/P5rbBLRyejchh/WtiyzgowYIJxYohggeG09+l7YI3FR6U5wiymIRISpNBGEhwG0q17qdAhdtc49qP/K,iv:JcSlxAwHwU528S7iSpAnSbUZw7iO+LMjR3qGwRHp+Zk=,tag:twf2WOQb/yZ3GtN/hlikMA==,type:str] + pdns: ENC[AES256_GCM,data:eKnahc8HWboYCUpBuEUrdCMhN8A2N2VN0wrmzcyU2OfMeQaswIYSWV4sBzUbj/pono8PaVxK1FBKsn+Ycd4Y6tcxsAkbPfnPkOsbe0FJpz4t9RFLJBLw3U0YTE/TaURiDYipHnvPGYgyq3AziH/xa4WXZxLHGI0x+a/y3PpWy37rT87DWUT2kktPshdO7Mbwn7nSC78WByXmyaUMkT74Sc0FNmCgfijrHk/ATXGb,iv:y3eRZXFbqqf4VuuqHHYdIoiEa1zqRU1XIlEqooJ28lU=,tag:2bIALJFGZyIZT7fyo/y5Nw==,type:str] cloudflare: secret: ENC[AES256_GCM,data:tritGdt3bWm/YtfdF2kO8qIBisa2rGF9/Dpl8R79e6REe//YKZFqFg==,iv:UG53JZ55+gDCPJzKjbVaWnpgOdvqcRoDUg8ef9xOV9A=,tag:JD3s28dsA9G2fqtz4soATA==,type:str] netbird: oidc: secret: ENC[AES256_GCM,data:hSVMUEBL0kCvRLD3zd57SLhNIAFOR4eaJPcIIIIUJng=,iv:VhfseftQNlXSDCWuaYQUIklMUCkUbChyWbJl3qgD75M=,tag:vbqov0VgA0XNZfzcr3FZgA==,type:str] dataStoreKey: ENC[AES256_GCM,data:vV2wgo5qFS+DC1NmOjVddZW9HAsRMpUFH+t/70iQ3A5YXkhbWoCeSxZDyAg=,iv:tKqh28qj8gqHfcb44Ej731w6NKi29X4iEwIOQ4ZcCzA=,tag:ObAxVrUctm6pbmXSQw7j5w==,type:str] +crowdsec: + lapi.yaml: ENC[AES256_GCM,data:BpDlz/liFYVZTA66TMWDifGfT4R9l0W9/LOU33rrPVC4YKeFbB1gIxqkUOEDl8fxsou5Jx/MQivyz90lE8yxbcGV/Zzx4ZJaHN+jz6mfM6mADEWp/nUcfO9tECijOhPPYt/8aE3py38NlFZuafZ2CwdL7RmDX7YCjpiIYxXaIjSv61WPD1SLkOkusnoA7bJZ2xmJ/dfEMXEA4LCCOfGQ,iv:922rrz94pD3/R1kGlQyIFkoq/fRSyxaIQ5qllldQMCY=,tag:AAPlwiQP4KMzHZmcMH76AQ==,type:str] + capi.yaml: 
ENC[AES256_GCM,data:UuBESeHfKEPSIzP7RPNES0BVWwJsmPqLP3QJbAeAcm6eQ3sRzUSrVxY8A2yoiLD2lnuJPy2BbYHJpBR7VSfs7oUCc7LljgAp1uB2GH1y8YE46xJLo0TDp873bZJdcsO00ozsbtmWlGWJm7HLrzIUEe0mAjBzZeXe1WDJByGeVqupNLwpXSMaos2ktHjXA6hTGAdE5iIxBAXI6qjldWjRnlqE,iv:hZ2nUaOipU7Top0vsn23yU0XWP9SKcoj85xFo5hD/mU=,tag:32E2o+FOJXM9aMnLQA6KYA==,type:str] + consoleToken: ENC[AES256_GCM,data:Q6QWWwcvLd8+ddwPMBzyB+X4gh8I53qSLA==,iv:JD48L59nQYttglAfuKL/lNBzWgBfj01rkIeP8pqmo70=,tag:6cxsQViDGuzjScKkBuO4Bw==,type:str] sops: age: - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv @@ -33,7 +37,7 @@ sops: MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-01T05:31:13Z" - mac: ENC[AES256_GCM,data:a3CkOEZUYSeRa6Zj+2EQnusgkOu2xHvGXhW9Pr5ny9sEiUF+S9jLQeS9vZpDNnQc5F/BRf/r0K7BTSwyoaAGZn3vsm3ruTGpajqV43Ji8PzG8BEApV0USwAn+gM8K4mMAEU9AjiqQ6k4Zf/dbYzv/rDtxVTdSbwcpM8KjIBv//Q=,iv:aCk+M3wigrbhCEHtf1K9vwByIYnTxBi7VD1XEIYgiL8=,tag:PtJN8KlPZbed0bgEcgSY0w==,type:str] + lastmodified: "2025-10-13T06:51:06Z" + mac: ENC[AES256_GCM,data:1+X8f7lPwN+ELJ4DmkTN71Kzvvh4V3yiMilOOnz4NCqLRPdtpiQQz8W4VXkOkBONV5816IOCU2Br4kiQnPAkPEiwpJZzWQItqomZTp4gErSGmmMpVf2lbCRfsU2Eg1tgAaS1ZRQx8/o1vSIJtoPVKiqYdYSsNDx2zbafWqn9+Rk=,iv:uZ4BWoJB6LazGy+RAzdhB8uUCSa109R4TdE6PguryR8=,tag:5G0GRihPQKl9n/fJjZr/Jw==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/system/dev/dn-pre7780/sops-conf.nix b/system/dev/dn-pre7780/sops/sops-conf.nix similarity index 77% rename from system/dev/dn-pre7780/sops-conf.nix rename to system/dev/dn-pre7780/sops/sops-conf.nix index 7d7867d..0d654eb 100644 --- a/system/dev/dn-pre7780/sops-conf.nix +++ b/system/dev/dn-pre7780/sops/sops-conf.nix 
@@ -10,17 +10,8 @@ in owner = "nextcloud"; group = "nextcloud"; }; - "openldap/adminPassword" = mkIf config.services.openldap.enable { - owner = config.users.users.openldap.name; - group = config.users.users.openldap.group; - mode = "0660"; - }; + "lam/env" = { }; - "dovecot/openldap" = mkIf (config.services.postfix.enable && config.services.openldap.enable) { - owner = config.services.dovecot2.user; - group = config.services.dovecot2.group; - mode = "0660"; - }; "netbird/oidc/secret" = mkIf config.services.netbird.server.dashboard.enable { owner = "netbird"; @@ -36,6 +27,18 @@ in "acme/pdns" = mkIf (hasAttr "acme" config.users.users) { owner = "acme"; }; + "crowdsec/lapi.yaml" = mkIf config.services.crowdsec.enable { + owner = "crowdsec"; + mode = "0600"; + }; + "crowdsec/capi.yaml" = mkIf config.services.crowdsec.enable { + owner = "crowdsec"; + mode = "0600"; + }; + "crowdsec/consoleToken" = mkIf config.services.crowdsec.enable { + owner = "crowdsec"; + mode = "0600"; + }; } // (optionalAttrs config.services.stalwart-mail.enable ( let diff --git a/system/dev/dn-pre7780/utility/airplay.nix b/system/dev/dn-pre7780/utility/airplay.nix new file mode 100644 index 0000000..685d42e --- /dev/null +++ b/system/dev/dn-pre7780/utility/airplay.nix @@ -0,0 +1,5 @@ +{ + imports = [ + (import ../../../modules/airplay.nix { hostname = "pre7780"; }) + ]; +} diff --git a/system/dev/dn-pre7780/utility/blender.nix b/system/dev/dn-pre7780/utility/blender.nix new file mode 100644 index 0000000..f5c80c3 --- /dev/null +++ b/system/dev/dn-pre7780/utility/blender.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + rustdesk + ((blender.override { cudaSupport = true; }).overrideAttrs (prev: { + postInstall = '' + sed -i 's|Exec=blender %f|Exec=/run/current-system/sw/bin/nvidia-offload blender %f|' $out/share/applications/blender.desktop + ''; + })) + ]; +} 
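Review bot: `"lam/env" = { };` takes sops-nix's defaults (root-owned, mode 0400), which is the safe direction, but the consumer of that env file is not in this diff; if it is a non-root service the secret will simply be unreadable at runtime. The visible `sops/secret.yaml` hunk for this host adds only the `crowdsec` keys, so unless `lam.env` is already present elsewhere in that file, activation will fail when sops-nix cannot find the key — worth a decrypt check before merge. The three `crowdsec/*` entries with `owner = "crowdsec"` and `mode = "0600"` are sound; they are gated on `config.services.crowdsec.enable`, and I don't see crowdsec enabled for dn-pre7780 in this chunk, so they may be inert here. The enclosing `sops.secrets` attrset begins before the first hunk.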
diff --git a/system/dev/dn-pre7780/utility/davinci-resolve.nix b/system/dev/dn-pre7780/utility/davinci-resolve.nix
new file mode 100644
index 0000000..6b95868
--- /dev/null
+++ b/system/dev/dn-pre7780/utility/davinci-resolve.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ../../../modules/davinci-resolve.nix
+ ];
+}
diff --git a/system/dev/dn-pre7780/utility/default.nix b/system/dev/dn-pre7780/utility/default.nix
new file mode 100644
index 0000000..b3b91ba
--- /dev/null
+++ b/system/dev/dn-pre7780/utility/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ../../../modules/localsend.nix
+ ./airplay.nix
+ ./davinci-resolve.nix
+ ./blender.nix
+ ];
+}
diff --git a/system/dev/dn-pre7780/virtualisation/default.nix b/system/dev/dn-pre7780/virtualisation/default.nix
new file mode 100644
index 0000000..42d2c81
--- /dev/null
+++ b/system/dev/dn-pre7780/virtualisation/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ../../../modules/virtualization.nix
+ ../../../modules/wine.nix
+ ];
+}
diff --git a/system/dev/dn-server/backup.nix b/system/dev/dn-server/common/backup.nix
similarity index 100%
rename from system/dev/dn-server/backup.nix
rename to system/dev/dn-server/common/backup.nix
diff --git a/system/dev/dn-server/boot.nix b/system/dev/dn-server/common/boot.nix
similarity index 100%
rename from system/dev/dn-server/boot.nix
rename to system/dev/dn-server/common/boot.nix
diff --git a/system/dev/dn-server/common/default.nix b/system/dev/dn-server/common/default.nix
new file mode 100644
index 0000000..8096874
--- /dev/null
+++ b/system/dev/dn-server/common/default.nix
@@ -0,0 +1,14 @@
+{
+ imports = [
+ ../../../modules/presets/minimal.nix
+ ../../../modules/bluetooth.nix
+ ../../../modules/gc.nix
+ ../../../modules/stylix.nix
+ ../../../modules/postgresql.nix
+ ./backup.nix
+ ./boot.nix
+ ./hardware-configuration.nix
+ ./networking.nix
+ ./nvidia.nix
+ ];
+}
diff --git a/system/dev/dn-server/hardware-configuration.nix b/system/dev/dn-server/common/hardware-configuration.nix similarity index 99% rename from system/dev/dn-server/hardware-configuration.nix rename to system/dev/dn-server/common/hardware-configuration.nix index 64a8c38..26f5e11 100644 --- a/system/dev/dn-server/hardware-configuration.nix +++ b/system/dev/dn-server/common/hardware-configuration.nix @@ -4,7 +4,6 @@ { config, lib, - pkgs, modulesPath, ... }: diff --git a/system/dev/dn-server/networking.nix b/system/dev/dn-server/common/networking.nix similarity index 58% rename from system/dev/dn-server/networking.nix rename to system/dev/dn-server/common/networking.nix index 1888e05..0071bab 100644 --- a/system/dev/dn-server/networking.nix +++ b/system/dev/dn-server/common/networking.nix @@ -2,18 +2,11 @@ with lib; { networking = { - domain = "net.dn"; networkmanager = { enable = true; insertNameservers = mkForce [ "127.0.0.1" ]; }; enableIPv6 = true; - firewall = { - enable = true; - allowedTCPPorts = [ - 443 - 80 - ]; - }; + firewall.enable = true; }; } diff --git a/system/dev/dn-server/common/nvidia.nix b/system/dev/dn-server/common/nvidia.nix new file mode 100644 index 0000000..02f6199 --- /dev/null +++ b/system/dev/dn-server/common/nvidia.nix @@ -0,0 +1,9 @@ +{ + imports = [ + (import ../../../modules/nvidia.nix { + nvidia-mode = "offload"; + intel-bus-id = "PCI:0:2:0"; + nvidia-bus-id = "PCI:1:0:0"; + }) + ]; +} diff --git a/system/dev/dn-server/default.nix b/system/dev/dn-server/default.nix index 8a24e1b..62558c3 100644 --- a/system/dev/dn-server/default.nix +++ b/system/dev/dn-server/default.nix 
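Review bot: Replacing `allowedTCPPorts = [ 443 80 ]` with a bare `firewall.enable = true` is only correct if something else now opens those ports; as far as I know NixOS's `services.nginx` does not open the firewall on its own, so the nginx-fronted sites now depend on another module — the mail-server's `openFirewall = true` later in this diff is the obvious candidate. If that is the intent, `firewall.enable = true; # 80/443 are opened by the mail-server/nginx modules` documents it; if not, the sites go dark in a fail-closed way rather than exposing anything. `domain = "net.dn"` reappears as `systemConf.domain` in `default.nix`; I'm assuming that option feeds `networking.domain` somewhere outside this chunk.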
@@ -1,157 +1,33 @@ +{ hostname }: { pkgs, lib, inputs, system, - username, config, ... }: let - inherit (lib) optionalAttrs; - inherit (builtins) toString; + username = "danny"; in { + systemConf = { + inherit hostname username; + domain = "net.dn"; + hyprland.enable = false; + }; + imports = [ - (import ../../modules/nvidia.nix { - nvidia-mode = "offload"; - intel-bus-id = "PCI:0:2:0"; - nvidia-bus-id = "PCI:1:0:0"; - }) - ./backup.nix - ./security.nix - ./sops-conf.nix - ./boot.nix - ./hardware-configuration.nix - ./networking.nix - ./services.nix - ./nginx.nix - ./step-ca.nix - ./atticd.nix - ../../modules/presets/minimal.nix - ../../modules/bluetooth.nix - ../../modules/gc.nix - ../../modules/mail-server - ../../modules/stylix.nix - (import ../../modules/paperless-ngx.nix { - domain = "paperless.net.dn"; - passwordFile = config.sops.secrets."paperless/adminPassword".path; - }) - (import ../../modules/prometheus.nix { - fqdn = "metrics.net.dn"; - selfMonitor = true; - configureNginx = true; - scrapes = [ - (optionalAttrs config.services.pdns-recursor.enable { - job_name = "powerdns_recursor"; - static_configs = [ - { - targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ]; - } - ]; - }) - ]; - }) - (import ../../modules/actual { - fqdn = "actual.net.dn"; - }) - (import ../../modules/nextcloud.nix { - hostname = "nextcloud.net.dn"; - adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; - trusted = [ "nextcloud.daccc.info" ]; - }) - (import ../../modules/vaultwarden.nix { - domain = "bitwarden.net.dn"; - }) - (import ../../modules/grafana.nix { - domain = "grafana.net.dn"; - passFile = config.sops.secrets."grafana/password".path; - smtpHost = config.mail-server.domain; - smtpDomain = config.mail-server.domain; - extraSettings = { - "auth.generic_oauth" = - let - OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect"; - in - { - enabled = true; - allow_sign_up = true; - client_id = "grafana"; - 
client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}''; - scopes = "openid email profile offline_access roles"; - email_attribute_path = "email"; - login_attribute_path = "username"; - name_attribute_path = "full_name"; - auth_url = "${OIDCBaseUrl}/auth"; - token_url = "${OIDCBaseUrl}/token"; - api_url = "${OIDCBaseUrl}/userinfo"; - role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"; - }; - }; - }) - ../../modules/postgresql.nix + ./common + ./home + ./network + ./nix + ./security + ./services + ./sops ]; environment.systemPackages = with pkgs; [ openssl ]; - - mail-server = { - enable = true; - configureACME = true; - mailDir = "~/Maildir"; - caFile = "" + ../../extra/ca.crt; - virtualMailDir = "/var/mail/vhosts"; - domain = "net.dn"; - rootAlias = "${username}"; - networks = [ - "127.0.0.0/8" - "10.0.0.0/24" - ]; - virtual = '' - admin@net.dn ${username}@net.dn - postmaster@net.dn ${username}@net.dn - ''; - openFirewall = true; - oauth = { - passwordFile = config.sops.secrets."oauth/password".path; - }; - ldap = { - passwordFile = config.sops.secrets."ldap/password".path; - webEnv = config.sops.secrets."ldap/env".path; - }; - rspamd = { - trainerSecret = config.sops.secrets."rspamd-trainer".path; - }; - }; - - home-manager = { - users."${username}" = { - imports = [ - ../../../home/user/config.nix - ../../../home/user/direnv.nix - ../../../home/user/environment.nix - ../../../home/user/nvf - ../../../home/user/shell.nix - ../../../home/user/tmux.nix - ../../../home/user/yazi.nix - { - home.packages = with pkgs; [ - inputs.ghostty.packages.${system}.default - (python3.withPackages ( - p: with p; [ - pip - ] - )) - ]; - } - - # Git - (import ../../../home/user/git.nix { - inherit username; - email = "danny10132024@gmail.com"; - }) - ]; - }; - }; } 
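Review bot: The rewritten signature still binds `lib`, `inputs`, `system` and `config`, yet after this change only `pkgs` is used (for `environment.systemPackages`); `optionalAttrs`, the home-manager block and the parameterised imports that needed the others have all moved to the new subdirectories. Nix does not warn about unused pattern bindings, so trim it to `{ pkgs, ... }:` to keep the contract honest. The new outer `{ hostname }:` makes the file a function returning a module, so the caller in the flake (outside this chunk) has to be updated in step, and `username = "danny"` now hard-codes what was previously injected as a module argument.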
diff --git a/system/dev/dn-server/home/default.nix b/system/dev/dn-server/home/default.nix new file mode 100644 index 0000000..4f17989 --- /dev/null +++ b/system/dev/dn-server/home/default.nix @@ -0,0 +1,34 @@ +{ + inputs, + config, + pkgs, + ... +}: +let + inherit (config.systemConf) username; +in +{ + home-manager = { + users."${username}" = { + imports = [ + ../../../../home/user/config.nix + ../../../../home/user/direnv.nix + ../../../../home/user/environment.nix + ../../../../home/user/nvf + ../../../../home/user/shell.nix + ../../../../home/user/yazi.nix + { + home.packages = with pkgs; [ + inputs.ghostty.packages.${system}.default + ]; + } + + # Git + (import ../../../../home/user/git.nix { + inherit username; + email = "danny10132024@gmail.com"; + }) + ]; + }; + }; +} diff --git a/system/dev/dn-server/network/default.nix b/system/dev/dn-server/network/default.nix new file mode 100644 index 0000000..d94f68f --- /dev/null +++ b/system/dev/dn-server/network/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./nginx.nix + ./services.nix + ./step-ca.nix + ]; +} diff --git a/system/dev/dn-server/nginx.nix b/system/dev/dn-server/network/nginx.nix similarity index 100% rename from system/dev/dn-server/nginx.nix rename to system/dev/dn-server/network/nginx.nix diff --git a/system/dev/dn-server/services.nix b/system/dev/dn-server/network/services.nix similarity index 97% rename from system/dev/dn-server/services.nix rename to system/dev/dn-server/network/services.nix index 99ec1ed..df9c6bd 100644 --- a/system/dev/dn-server/services.nix +++ b/system/dev/dn-server/network/services.nix @@ -1,11 +1,10 @@ { config, lib, - username, ... }: let - inherit username; + inherit (config.systemConf) username; ethInterface = "enp0s31f6"; sshPorts = [ 30072 ]; @@ -319,6 +318,7 @@ in gpgsql-host=/var/run/postgresql gpgsql-dbname=pdns gpgsql-user=pdns + gpgsql-dnssec=yes webserver=yes webserver-port=8081 local-port=5359 
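Review bot: `inputs.ghostty.packages.${system}.default` uses `system`, which is no longer a function argument here (`{ inputs, config, pkgs, ... }`); it only resolves because the list sits under `with pkgs;` and nixpkgs exposes a `system` attribute, which a later refactor can silently break. Name it explicitly: `inputs.ghostty.packages.${pkgs.stdenv.hostPlatform.system}.default`. Compared with the block removed from `default.nix`, `tmux.nix` and the `python3.withPackages` entry are gone; if that is intended it is fine, but the commit does not mention it.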
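Review bot: `gpgsql-dnssec=yes` on its own only switches the gpgsql backend to the DNSSEC-aware schema and queries; zones are not signed until they are secured and rectified with `pdnsutil`, and for a private TLD a validating recursor also needs a trust anchor before it treats the zone as secure. If zones have already been signed out of band, a comment on the line saying which ones (and where the keys live) would help; if not, the flag is inert until that is done. The surrounding `pdns` settings block starts before this hunk.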
@@ -372,6 +372,9 @@ in }; }; + systemd.services.pdns-recursor.before = [ "acme-setup.service" ]; + systemd.services.pdns.before = [ "acme-setup.service" ]; + users.users = { root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn" @@ -386,7 +389,7 @@ in virtualisation = { oci-containers = { - backend = "podman"; + backend = "docker"; containers = { uptime-kuma = { extraOptions = [ "--network=host" ]; diff --git a/system/dev/dn-server/step-ca.nix b/system/dev/dn-server/network/step-ca.nix similarity index 100% rename from system/dev/dn-server/step-ca.nix rename to system/dev/dn-server/network/step-ca.nix diff --git a/system/dev/dn-server/atticd.nix b/system/dev/dn-server/nix/atticd.nix similarity index 100% rename from system/dev/dn-server/atticd.nix rename to system/dev/dn-server/nix/atticd.nix diff --git a/system/dev/dn-server/nix/default.nix b/system/dev/dn-server/nix/default.nix new file mode 100644 index 0000000..d02a15c --- /dev/null +++ b/system/dev/dn-server/nix/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./atticd.nix + ]; +} diff --git a/system/dev/dn-server/secret.yaml b/system/dev/dn-server/secret.yaml deleted file mode 100644 index e5eec72..0000000 --- a/system/dev/dn-server/secret.yaml +++ /dev/null 
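Review bot: `backend = "docker"` switches every `oci-containers` entry, including the `uptime-kuma` container that runs with `--network=host`, from podman to the docker daemon, and nothing in the diff says why; add `backend = "docker"; # <reason>` or keep podman. The two `before = [ "acme-setup.service" ]` lines are start-ordering only — whether acme-setup then finds a resolver that already answers depends on the pdns units' `Type`, so if the ACME DNS-01 flow still races at boot, readiness (`Type=notify`, or `wants` plus `after` on the acme side) is the fix rather than more `before` entries. The enclosing attrset begins before the first hunk.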
@@ -1,56 +0,0 @@ -wireguard: - privateKey: ENC[AES256_GCM,data:0lryTtUwLxr7d+EKdu618HwVAl9kSDkDfkpTrX5cMGJATXMmEnaMEVGPYnY=,iv:XG107Tnt/Md56q9vK/Eh5uyzvFT+JrcD0UAUdqky+EA=,tag:RAQIkl6zRQzFuzorg2aeew==,type:str] -nextcloud: - adminPassword: ENC[AES256_GCM,data:O2rK18+riVrvloqqLsMUXw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:yh1ccDmthARLND0NwpLTCA==,type:str] -step_ca: - password: ENC[AES256_GCM,data:3EWxpk/ktZHJreqnR9ln5pfdPjgigoCC4lyoRWugHas=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:UHZagnLvorZUrPq43YU+Gw==,type:str] -vaultwarden: ENC[AES256_GCM,data:TDKzc3xPGUiopJ6aXV5a9k8mFN/4NQpfp69vWqQRjpAzWnIM290s4FTnsxJAX0NFfjiuQODhhxTuSmFOXR3+Ti9djSrqJ/ZjrVAMvV4NlpBg6klrCgcDtIfbZ0GqZjdoQYHcCz7V33fQGyTmqehjuVxdlatuLGoekSnuGbfBwY8FQgB+JECy8Y16r+ejplopw60+d43rvYXX4g8v0r4Gey567HVVB/zVizNDocentMaf99UiO/GBSOgbuKlU7+TfC0xhVcekEfZusZd7+LHZshfAjg==,iv:JcExp8YkGwV2nMbCK+n0KSL3+SryJZ0iKtVcU/Q+Cgs=,tag:dnDNa5faICuPUWy4nT49rg==,type:str] -ldap: - password: ENC[AES256_GCM,data:pqPj3Ar6xBLhHl4Q363sHw==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:OaYsvds1tiw/x19UTAyizw==,type:str] - env: ENC[AES256_GCM,data:LwrcgbeJf4Sb0Bx+OZ/qCf811bDpDcloltUZIzpQYz0zc1gnRExFxLStLDYeq3vv6DEjgfRdoB61Y1fb,iv:1jK/J2qfKODrbrNpSHl110jPvbNLl0zI//laowerJOc=,tag:TWa//iCY+SuAgp/PSfPkEg==,type:str] -oauth: - password: ENC[AES256_GCM,data:0iW80Iz4whkuyl8qvHN96Q==,iv:BI1n7Jjklye6WM2ss7jpaGgokrJpAG2Ipil7VrY30XM=,tag:zu//brQdDL7mZEkPOKUqPw==,type:str] -powerdns-admin: - secret: ENC[AES256_GCM,data:PH5KE++Oo13xo/DcnI9U6+Ht9oIi4T3n5L7c09eDxf6zZesbg4lFLsq0/hrVFiElErXpC5W2k7NOjqGA385UPQ==,iv:xaSgzhqMU9+ud1xfXLVkg3v2xcmIo35BOhml5VfHKBI=,tag:blQXoyYWzfiF5RGO7ynz9g==,type:str] - salt: ENC[AES256_GCM,data:GITNFfimGPdPzOi2XD0ri2GMax30i+RwzNQrKL8nCOE=,iv:/lRVfNOpERS963+9JNf8wATIY9FcicT8xQ9Cbw2by/s=,tag:6193YZCQABce52qX6ISvzQ==,type:str] -powerdns: 
ENC[AES256_GCM,data:humQiv+ilGAjU0qMsv0zoKlI20PKxA0VS75ivjkPb/bfzkbvEtH+3u/T8r4OogIhOJtl50+iRZl1imcrXf7drH0A69zUIhBS0xCagmj7,iv:orfh5F4uCYq2IplG0Y7Q/RcSqIm5Xyzn3ejzPsm+/0k=,tag:XeSBbIyYmWSWlyu2gypDzQ==,type:str] -rspamd-trainer: ENC[AES256_GCM,data:XTKk0cBe+qIeTsTxlhPTPEbZS0cCoWH+,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:LZUEvgTC1GPxS7iD9jVy/w==,type:str] -acme: - env: ENC[AES256_GCM,data:TWCrj3ZaUHfegDuJJtHQgt516auYu/3qpe35lfha6c3RLHABXtRArD8P6RPZE3HVdpFM0mvxkyme5MW8IMv2yhN9JPz5HLWZv0rjzkbhVyWem0X47c49jF20SnoMZ4yo+X4PZZ9GJKR4fu+0YrQkQXPJB773Yj2scQKx3Glh+iJoRLR8zLcM6JqbaJ4xHH+du6bs1PNyviB5NrGKnxYqzuVmBVLk,iv:ftoFg7i5KyYzdYaYCA8IPBsjHO1Ne/k361XPZ7HYqLo=,tag:v+X6fx/1dU0yoa0bHBLkDw==,type:str] -postsrsd: - secret: ENC[AES256_GCM,data:9BZPa+A/vE4PLapUdaZIQ7QJ3W0x6DrFTnTPrFUJPc2LC9q2RO2gHXIV2bc=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:XxAJripX3eNM4jGFoZZ1+g==,type:str] -grafana: - password: ENC[AES256_GCM,data:3g7PymgXA27VxsLJA7U=,iv:09F8yEGw4j1Jd0HXDQyHbFxsr3Vg23mvWF5eZkU2KU8=,tag:y9AwmYwQjE1JB56sI8r8mA==,type:str] - client_secret: ENC[AES256_GCM,data:znYMvBZH6eFeUZ7Mit0JEhm8hH97M+TKmCcesC/IS9Y=,iv:qywQIHIpgaS2pUcW1Uau//JU6UdMY52EVYCjhmnWJt4=,tag:Xo1h7ODXOkAnETfSYo4rfw==,type:str] -prometheus: - powerdns: - password: ENC[AES256_GCM,data:pvb/aAvB/F1r0PW4mGJKQEExP88PapnViYpniOedJSf5e89/LwSeqYMd4x36zcGSlCV6myC+Xl/H+QBCw0ezcw==,iv:UI7UuJYJizYCO0ReC4SEPgmdPJNUnNuxgvkrhB1o/EQ=,tag:nUjTP7IQNx1ei8COQCTj+g==,type:str] - nginxAuth: ENC[AES256_GCM,data:rYwuXHboAe3rf5e3kcJliKKXZ/Kcg60vnPGP+wukpaDdN8yJ00kk9cCNCjcvIyINEtL7TpEDjBX9oRsZT/E/FfWI6s133tDY,iv:Z/IiEi6oZm1Hv3m8c522GK6eYFf0syFn3A0o4S58DUI=,tag:y4n0Fm+l0OgGVHG+yttHfg==,type:str] -paperless: - adminPassword: ENC[AES256_GCM,data:4qeisBDEa4omAk6TrxmZfA==,iv:Mn6GJWzkd72xsvqlG0bD/3pp9YICqov356ZmlTda2eA=,tag:yLp5JE3nZ715QjIYrv5OeA==,type:str] -atticd: - secret: 
ENC[AES256_GCM,data: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,iv:WVSTjMjzmtQTs7s9RUO4q3QY0ECP3yhNrWIu+fOb8jQ=,tag:qetrngB95vK+J2ARZvC+bg==,type:str] -sops: - age: - - recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYWpiZ0h3VURrcW0rV0Vj - SFJwMlRUMHUyS1FGTEo3cHZJc1Z6a3FWbmtRCkdoZXhwOGJQNlV2dU8wRFRMUHVv - QzhxU3RiVHl5UVpUNk10S2VRVy95OHMKLS0tIE9zbUNUU3ZINU1JNGtmd2trS2tI - d3YxREtHcTBJYU1sNU9vMGZTUGh6NXMKtGKMnnamCAeftkQ0+Ygb/yg1NdyKDz1W - UjYvW2PYKzkx8IWmIgzdAI3fWDOiE7tmBTMlX9C3/2PKR6dCc/a+SQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxc3pna3R3aG85bmt2WERa - aG9TaDBKTlNMTUVwaFlIdkV0UmFJQStYSHdvCmNuYWJpN2M3QjRkV2s0MHJ4TzZP - ZkhKc0xPUFBrblVFR1U4SUdjYzQ2cm8KLS0tIDVuNW9tRGoxanVKOUJYa2QwNFNz - OTRiU0cxeXp5K1FjaWRGTnBHcnpUYmcKVVlueEj/DELe9Xi9iaBddpPPRmoUmD48 - wyjtlvKzS20zishE/D7GkHZ2ZdNsLD3AOnYZ6r6ATAndssC2YT/SXA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-09-22T15:01:33Z" - mac: ENC[AES256_GCM,data:miZfJnqlk3SGTmf1c2n6r40eU/sBAgjVV0nusZGry22YEd5eKNEsWISg6mKTVvx7g8Xcp53sjz7kDJKbLdJed3WvMveho+8bpuNkbG0vaoZKISr0bcyiQ3x/wRcW/zdm3an/obtytY8abP18yBMEeBClax8wEvmE+xgCzU32WxQ=,iv:394nUuehcLr1QaLJTsYixe21LwpU5hzcDpq99eE9KQs=,tag:/v2fMvNGqtbYF87RFparYg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/system/dev/dn-server/security/crowdsec.nix b/system/dev/dn-server/security/crowdsec.nix new file mode 100644 index 0000000..1f1e70d --- /dev/null +++ b/system/dev/dn-server/security/crowdsec.nix 
@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+ imports = [
+ (import ../../../modules/crowdsec.nix {
+ lapiCred = config.sops.secrets."crowdsec/lapi.yaml".path;
+ capiCred = config.sops.secrets."crowdsec/capi.yaml".path;
+ consoleToken = config.sops.secrets."crowdsec/consoleToken".path;
+ enableServer = true;
+ enablePrometheus = true;
+ })
+ ];
+}
diff --git a/system/dev/dn-server/security/default.nix b/system/dev/dn-server/security/default.nix
new file mode 100644
index 0000000..0f85ea8
--- /dev/null
+++ b/system/dev/dn-server/security/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./fail2ban.nix
+ ./crowdsec.nix
+ ];
+}
diff --git a/system/dev/dn-server/security.nix b/system/dev/dn-server/security/fail2ban.nix
similarity index 68%
rename from system/dev/dn-server/security.nix
rename to system/dev/dn-server/security/fail2ban.nix
index 6de9d48..cdb8340 100644
--- a/system/dev/dn-server/security.nix
+++ b/system/dev/dn-server/security/fail2ban.nix
@@ -1,9 +1,6 @@
-{
- ...
-}:
 {
 imports = [
- (import ../../modules/fail2ban.nix {
+ (import ../../../modules/fail2ban.nix {
 extraAllowList = [
 "10.0.0.0/24"
 "122.117.215.55"
diff --git a/system/dev/dn-server/services/actual-budget.nix b/system/dev/dn-server/services/actual-budget.nix
new file mode 100644
index 0000000..1bf255f
--- /dev/null
+++ b/system/dev/dn-server/services/actual-budget.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ (import ../../../modules/actual {
+ fqdn = "actual.net.dn";
+ })
+ ];
+}
diff --git a/system/dev/dn-server/services/bitwarden.nix b/system/dev/dn-server/services/bitwarden.nix
new file mode 100644
index 0000000..6710ae0
--- /dev/null
+++ b/system/dev/dn-server/services/bitwarden.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ (import ../../../modules/vaultwarden.nix {
+ domain = "bitwarden.net.dn";
+ })
+ ];
+}
diff --git a/system/dev/dn-server/services/default.nix b/system/dev/dn-server/services/default.nix
new file mode 100644
index 0000000..7cec603
--- /dev/null
+++ b/system/dev/dn-server/services/default.nix
@@ -0,0 +1,11 @@
+{
+ imports = [
+ ./actual-budget.nix
+ ./bitwarden.nix
+ ./docmost.nix
+ ./mail-server.nix
+ ./nextcloud.nix
+ ./paperless-ngx.nix
+ ./metrics.nix
+ ];
+}
diff --git a/system/dev/dn-server/services/docmost.nix b/system/dev/dn-server/services/docmost.nix
new file mode 100644
index 0000000..900693f
--- /dev/null
+++ b/system/dev/dn-server/services/docmost.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+ imports = [
+ (import ../../../modules/docmost.nix {
+ fqdn = "docmost.net.dn";
+ extraConf = {
+ MAIL_DRIVER = "smtp";
+ };
+ envFile = config.sops.secrets."docmost".path;
+ })
+ ];
+}
diff --git a/system/dev/dn-server/services/mail-server.nix b/system/dev/dn-server/services/mail-server.nix
new file mode 100644
index 0000000..5957c61
--- /dev/null
+++ b/system/dev/dn-server/services/mail-server.nix
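Review bot: `envFile = config.sops.secrets."docmost".path` references a sops secret that neither the deleted `system/dev/dn-server/secret.yaml` nor the deleted `sops-conf.nix` contained; the same applies to `oauth/adminEnv` and `rspamd` in `mail-server.nix` and to the `crowdsec/*` trio in `security/crowdsec.nix`. The replacement `sops/sops-conf.nix` and the new encrypted file are outside this chunk, so I can't confirm they declare them — a missing `sops.secrets` entry fails at build time, but a key missing from the encrypted file only fails at activation. `MAIL_DRIVER = "smtp"` suggests the SMTP credentials live in that env file, so the path's ownership (set by the module, not visible here) should match the docmost service user rather than rely on root-only defaults.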
@@ -0,0 +1,58 @@ +{ config, ... }: +let + inherit (config.systemConf) username; +in +{ + mail-server = + let + domain = "net.dn"; + in + { + inherit domain; + + enable = true; + openFirewall = true; + configureNginx = true; + hostname = "mx1"; + extraDomains = [ + "mail.${domain}" + ]; + caFile = "" + ../../../extra/ca.crt; + rootAlias = "${username}"; + networks = [ + "127.0.0.0/8" + "10.0.0.0/24" + ]; + virtual = '' + admin@${domain} ${username}@${domain} + postmaster@${domain} ${username}@${domain} + ''; + webmail = { + enable = true; + hostname = "mail.${domain}"; + }; + keycloak = { + dbSecretFile = config.sops.secrets."oauth/password".path; + adminAccountFile = config.sops.secrets."oauth/adminEnv".path; + }; + ldap = { + filter = "(&(objectClass=inetOrgPerson)(objectClass=mailRoutingObject)(uid=%{user | username}))"; + extraAuthConf = '' + auth_username_format = %{user | lower} + fields { + user = %{ldap:mail} + password = %{ldap:userPassword} + } + ''; + secretFile = config.sops.secrets."ldap/password".path; + webSecretFile = config.sops.secrets."ldap/env".path; + }; + rspamd = { + secretFile = config.sops.secrets."rspamd".path; + trainerSecretFile = config.sops.secrets."rspamd-trainer".path; + }; + dovecot.oauth = { + enable = true; + }; + }; +} diff --git a/system/dev/dn-server/services/metrics.nix b/system/dev/dn-server/services/metrics.nix new file mode 100644 index 0000000..0cd62c6 --- /dev/null +++ b/system/dev/dn-server/services/metrics.nix 
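Review bot: `password = %{ldap:userPassword}` in `extraAuthConf` makes Dovecot fetch each user's stored hash through the service bind and verify it locally, so the bind account needs read access to `userPassword` across the tree and the directory's hash scheme must be one Dovecot can check; the narrower arrangement is to let Dovecot bind as the user (`auth_bind = yes`) so the service account never sees hashes. If this is deliberate — for example because the keycloak/OAuth path needs the same account — a comment on the `ldap` block saying so would help. The `%{user | username}` / `%{user | lower}` syntax and the `fields { ... }` block are Dovecot 2.4 forms that 2.3 will not parse, so confirm the pinned dovecot version. `networks = [ "127.0.0.0/8" "10.0.0.0/24" ]` still makes the whole LAN a trusted relay source, unchanged from the old block.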
@@ -0,0 +1,157 @@ +{ + config, + lib, + helper, + pkgs, + ... +}: +let + inherit (helper.grafana) mkDashboard; + inherit (lib) optionalAttrs; + inherit (config.networking) hostName; + + datasourceTemplate = [ + { + current = { + text = "Prometheus"; + value = "prometheus-dn-server"; + }; + label = "DS_PROMETHEUS"; + name = "DS_PROMETHEUS"; + options = [ ]; + query = "prometheus"; + refresh = 1; + regex = ""; + type = "datasource"; + } + ]; + + crowdsecSrc = fetchTarball { + url = "https://github.com/crowdsecurity/grafana-dashboards/archive/c89d8476b32ea76e924c488db7d0afd0306fc609.tar.gz"; + sha256 = "sha256:1s7v03hzss22dkl3hw9qf0qc86qn98wx8x13rvy73wc5mgxv9wnk"; + }; + + crowdsecDashboard = mkDashboard { + name = "crowdsec"; + src = "${crowdsecSrc}/dashboards_v5"; + templateList = datasourceTemplate; + }; + + pdnsRecursorSrc = pkgs.fetchurl { + name = "pdns-recursor-grafana-dashboard.json"; + url = "https://grafana.com/api/dashboards/20448/revisions/3/download"; + sha256 = "sha256-8lgo+A3dnFLanhGJWCKAo/iPYSMiove17xvMolgq9nI="; + }; + + pdnsRecursorDashboard = mkDashboard { + name = "pdns-recursor"; + src = "${pdnsRecursorSrc}"; + templateList = datasourceTemplate; + conf = { + dontUnpack = true; + }; + }; +in +{ + imports = [ + (import ../../../modules/prometheus.nix { + fqdn = "metrics.net.dn"; + selfMonitor = true; + configureNginx = true; + scrapes = [ + (optionalAttrs config.services.pdns-recursor.enable { + job_name = "powerdns_recursor"; + static_configs = [ + { + targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ]; + labels = { + machine = "${hostName}"; + }; + } + ]; + relabel_configs = [ + { + source_labels = [ "__address__" ]; + target_label = "instance"; + regex = "(.*):[0-9]+"; + replacement = "PDNS Recursor - \${1}"; + } + ]; + }) + (optionalAttrs config.services.crowdsec.settings.general.prometheus.enabled { + job_name = "crowdsec"; + static_configs = [ + { + targets = [ + "localhost:${toString 
config.services.crowdsec.settings.general.prometheus.listen_port}" + ]; + labels = { + machine = "${hostName}"; + }; + } + ]; + relabel_configs = [ + { + source_labels = [ "__address__" ]; + target_label = "instance"; + regex = "(.*):[0-9]+"; + replacement = "CrowdSec - \${1}"; + } + ]; + }) + ]; + }) + + (import ../../../modules/grafana.nix { + domain = "grafana.net.dn"; + passFile = config.sops.secrets."grafana/password".path; + smtpHost = "${config.mail-server.hostname}.${config.mail-server.domain}:465"; + smtpDomain = config.mail-server.domain; + extraSettings = { + "auth.generic_oauth" = + let + OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect"; + in + { + enabled = true; + allow_sign_up = true; + client_id = "grafana"; + client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}''; + scopes = "openid email profile offline_access roles"; + email_attribute_path = "email"; + login_attribute_path = "username"; + name_attribute_path = "username"; + auth_url = "${OIDCBaseUrl}/auth"; + token_url = "${OIDCBaseUrl}/token"; + api_url = "${OIDCBaseUrl}/userinfo"; + role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"; + }; + }; + extraConf = { + provision.datasources.settings = { + prune = true; + datasources = [ + { + uid = "prometheus-dn-server"; + name = "Prometheus"; + url = "https://metrics.net.dn"; + type = "prometheus"; + } + ]; + }; + provision.dashboards.settings.providers = [ + { + name = "CrowdSec"; + type = "file"; + options.path = "${crowdsecDashboard}"; + } + { + name = "PDNSRecursor"; + type = "file"; + options.path = "${pdnsRecursorDashboard}"; + } + ]; + }; + }) + ]; +} diff --git a/system/dev/dn-server/services/nextcloud.nix b/system/dev/dn-server/services/nextcloud.nix new file mode 100644 index 0000000..f03c459 --- /dev/null +++ b/system/dev/dn-server/services/nextcloud.nix 
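Review bot: Both scrape entries are wrapped in `optionalAttrs cond { ... }`, so when a condition is false the `scrapes` list still carries an empty attrset; unless `../../../modules/prometheus.nix` filters those out, that either fails evaluation (no `job_name`) or emits an invalid scrape config. `lib.optional cond { ... }` joined with `++` removes the element instead: `scrapes = optional config.services.pdns-recursor.enable { ... } ++ optional config.services.crowdsec.settings.general.prometheus.enabled { ... };` (with `optional` added to the `inherit (lib)` line). The dashboards are pulled with fixed hashes (`fetchTarball ... sha256`, `pkgs.fetchurl ... sha256`), which is the right way to bring third-party JSON into the store, and `$__file{...}` keeps the client secret out of `grafana.ini`. `allow_sign_up = true` means any account the keycloak realm authenticates becomes a Grafana user (Viewer unless the `roles` claim says otherwise), which is fine for an internal realm but worth stating as intended.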
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ imports = [
+ (import ../../../modules/nextcloud.nix {
+ hostname = "nextcloud.net.dn";
+ adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+ trusted-domains = [ "nextcloud.daccc.info" ];
+ trusted-proxies = [ "10.0.0.0/24" ];
+ })
+ ];
+}
diff --git a/system/dev/dn-server/services/paperless-ngx.nix b/system/dev/dn-server/services/paperless-ngx.nix
new file mode 100644
index 0000000..f47aae3
--- /dev/null
+++ b/system/dev/dn-server/services/paperless-ngx.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+{
+ imports = [
+ (import ../../../modules/paperless-ngx.nix {
+ domain = "paperless.net.dn";
+ passwordFile = config.sops.secrets."paperless/adminPassword".path;
+ })
+ ];
+}
diff --git a/system/dev/dn-server/sops-conf.nix b/system/dev/dn-server/sops-conf.nix
deleted file mode 100644
index 98e3cf8..0000000
--- a/system/dev/dn-server/sops-conf.nix
+++ /dev/null
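Review bot: `trusted-proxies = [ "10.0.0.0/24" ]` in the new nextcloud.nix presumably feeds Nextcloud's `trusted_proxies`, which makes it honour forwarded client-address headers from every host on that subnet, so any machine there can present an arbitrary client IP to Nextcloud's logging and brute-force throttling. Unless the reverse proxy really moves around the subnet, narrow it to the proxy's own address, e.g. `trusted-proxies = [ "<PROXY_IP>" ];` (placeholder). The paperless-ngx.nix hunk on the same line is a plain import and needs nothing.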
@@ -1,69 +0,0 @@ -{ config, lib, ... }: -let - inherit (lib) mkIf; -in -{ - sops = { - secrets = { - "wireguard/privateKey" = { }; - "nextcloud/adminPassword" = { }; - "step_ca/password" = { }; - vaultwarden = { }; - "oauth/password" = { }; - "ldap/password" = lib.mkIf config.mail-server.enable { - mode = "0660"; - owner = config.services.openldap.user; - group = config.services.openldap.group; - }; - "ldap/env" = lib.mkIf config.mail-server.enable { - mode = "0660"; - group = config.users.groups.docker.name; - }; - "powerdns-admin/secret" = { - mode = "0660"; - owner = "powerdnsadmin"; - group = "powerdnsadmin"; - }; - "powerdns-admin/salt" = { - mode = "0660"; - owner = "powerdnsadmin"; - group = "powerdnsadmin"; - }; - powerdns = { - mode = "0660"; - owner = "pdns"; - group = "pdns"; - }; - rspamd-trainer = { }; - "acme/env" = mkIf config.security.acme.acceptTerms { - mode = "0660"; - owner = "acme"; - group = "acme"; - }; - "postsrsd/secret" = mkIf config.services.postsrsd.enable { - mode = "0660"; - owner = config.services.postsrsd.user; - group = config.services.postsrsd.group; - }; - "grafana/password" = mkIf config.services.grafana.enable { - mode = "0660"; - owner = "grafana"; - group = "grafana"; - }; - "grafana/client_secret" = mkIf config.services.grafana.enable { - mode = "0660"; - owner = "grafana"; - group = "grafana"; - }; - "prometheus/powerdns/password" = mkIf config.services.prometheus.enable { - mode = "0660"; - owner = "prometheus"; - group = config.users.users.prometheus.group; - }; - "paperless/adminPassword" = mkIf config.services.paperless.enable { - owner = config.services.paperless.user; - }; - "atticd/secret" = mkIf config.services.atticd.enable { }; - }; - }; -} diff --git a/system/dev/dn-server/sops/default.nix b/system/dev/dn-server/sops/default.nix new file mode 100644 index 0000000..08b0fca --- /dev/null +++ b/system/dev/dn-server/sops/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./sops-conf.nix + ]; +} 
diff --git a/system/dev/dn-server/sops/secret.yaml b/system/dev/dn-server/sops/secret.yaml new file mode 100644 index 0000000..d6cb307 --- /dev/null +++ b/system/dev/dn-server/sops/secret.yaml 
@@ -0,0 +1,63 @@ +wireguard: + privateKey: ENC[AES256_GCM,data:TzZLi58XfkhHAN0LcWNSlGJ7KSspCVaCKvLl1Y3MhxEKyERStCR8MEJ629U=,iv:XG107Tnt/Md56q9vK/Eh5uyzvFT+JrcD0UAUdqky+EA=,tag:dHgl7IwqEWC+MgHPH9wyIw==,type:str] +nextcloud: + adminPassword: ENC[AES256_GCM,data:ev4Ua8JX0l0KK50SGm6xCw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:rIr+4x/p8u94e2Ip03iX0Q==,type:str] +step_ca: + password: ENC[AES256_GCM,data:3NtUAl344gHiXLlMl88X17Vsm/4OKFM0W8bntzbXC0U=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:ibumK7ebPKNO/CXAS0eeRA==,type:str] +vaultwarden: ENC[AES256_GCM,data:5gn2+IYznojrYbmzCJx17qAlBvJBv3CnMEZensyep9JpKEHVz29teOYDh5Zetv0mSrgmrUxCTdNsm0OZCX9EswhslNl5ay6zkhoL+64JIyUcNFWcvu7oD2w1qynWgz41GS2yzuw91LntN4mcpODKhHNN8XFCU9d71Z9zTSIdWn2PoG8wME2hVBJ2YxLpqzDyJYlkWYf4VYUnn9vXZatZqQd0n7bjx3dgX3ogFG/UNfMAs2oLCfuYLkxBqpR2cGNktIxWctCEAWwG68Pfk7X66KMi5w==,iv:JcExp8YkGwV2nMbCK+n0KSL3+SryJZ0iKtVcU/Q+Cgs=,tag:Ut6ahXVAuOKlcwk6DE56Ig==,type:str] +ldap: + password: ENC[AES256_GCM,data:gz5WBopSffGyvJxKDPekPQ==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:YoTe6NPAJgp/0nvhHC9Y5A==,type:str] + env: ENC[AES256_GCM,data:XmIz9JEswvK1jVmTsTgdDZJXeK7j8E/b6nF+uuZpvpoe5/IogjMrzcWi3EB1i44z1Dxgoim8QM8ZtczY,iv:1jK/J2qfKODrbrNpSHl110jPvbNLl0zI//laowerJOc=,tag:tkBVxDC8Ebn3Aac+LATQFA==,type:str] +oauth: + password: ENC[AES256_GCM,data:lzS/OtqHb/24IJnOKxMBQA==,iv:BI1n7Jjklye6WM2ss7jpaGgokrJpAG2Ipil7VrY30XM=,tag:i3OByJ6LDwvAsS5CTrEQig==,type:str] + adminEnv: ENC[AES256_GCM,data:LECZ1/KtaEB7kUN6zNDUr08g2SVtGhWEvy2QA9jzU3vJ1U8NDnPXjfDkkH1bIw==,iv:pPz7J+DdF7zkqzFlevoeYQGZnA2PQDoRYcpOaOeHN3A=,tag:e0iVPSZQ1V3aWYtKpGnBGg==,type:str] +powerdns-admin: + secret: ENC[AES256_GCM,data:M5hD8B7kikseQJZCWUIlc7OJcQn0nwnx0QOSQe+Mf8TaztvyFfSfxv0vowNsx0MyGef4teuK+DW9/UTbRFEHeg==,iv:xaSgzhqMU9+ud1xfXLVkg3v2xcmIo35BOhml5VfHKBI=,tag:L1v95+HsIqNjVA1LGNbEJQ==,type:str] + salt: 
ENC[AES256_GCM,data:Vtn3/gJlElrFkPwoa05wlxVL/Sk4lNLghp1gi6o4V5A=,iv:/lRVfNOpERS963+9JNf8wATIY9FcicT8xQ9Cbw2by/s=,tag:x5WiNa56l7y3CKwbaamLLA==,type:str] +powerdns: ENC[AES256_GCM,data:d4qzUAjyHUxLynvP6vSxCzrihfb/X3KYHeRA/w+CButld7ulxL9W6PerhvNcJytgfJDQINvcgnMKjijJ/vC7VeO9p7ZyArh4/PWZwgiJ,iv:orfh5F4uCYq2IplG0Y7Q/RcSqIm5Xyzn3ejzPsm+/0k=,tag:YqfvBlJRpkmMy29z3wyJ1g==,type:str] +rspamd-trainer: ENC[AES256_GCM,data:EqWVADi7zr6AUZL5mlN1/xbpjuRIS3Zn,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:4lH3hhMxWIzEUExJOt/41Q==,type:str] +rspamd: ENC[AES256_GCM,data:qEXHXdcvk24pAHEl6MI=,iv:L5tmoTu5Qk5sxDj3EmWfc39AHwRTT4T4gB1O2EsTQkY=,tag:vIhAOnEpWxtP0eU4stkQww==,type:str] +acme: + env: ENC[AES256_GCM,data:gHoAyc6+LK7jrTfrIlPJx+RNe90xTpVVykDEfor3+ifRDRCPfxLmfj1nWylRp7r3N/Ha8AlElvNPmn4mVMsM2OsXmZoYoO+YOVq1zShXHI3A2dHgzJGxaCu/zuf2AWefEsBDWhjbGxWUpjjcEh6mOgvuh0HHGdW0uq6EL5LqDZiPMGdYNdJLEuy6s9pdQt69mVWAwGVA9eTvbnG0W91/35SUeOSs+la+YRCSPQ==,iv:QebJyJ1+6dYQulVkDdkFx34KkiH9xzsX+C3TYDdIMkw=,tag:h7Oxt04PqkFDdb7ZuyVnlQ==,type:str] +postsrsd: + secret: ENC[AES256_GCM,data:JZNwSymEjIFb8h3gnvFajxSaNYRxjA/NUruA4WX+uSqX0ufVcbVWgxQTr7U=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:M3RGI6LgU5n2e6ZiXxTFfQ==,type:str] +grafana: + password: ENC[AES256_GCM,data:tySP1+vHkd+meSunzjE=,iv:09F8yEGw4j1Jd0HXDQyHbFxsr3Vg23mvWF5eZkU2KU8=,tag:6fmS38VUgNBNbo2BzxBuGA==,type:str] + client_secret: ENC[AES256_GCM,data:abk55RRC57xGiEpaBby0Drk4XS1+7INVie8wrpEg0XE=,iv:qywQIHIpgaS2pUcW1Uau//JU6UdMY52EVYCjhmnWJt4=,tag:fI01k/1nIqEXuPi90A00jQ==,type:str] +prometheus: + powerdns: + password: ENC[AES256_GCM,data:eliVy2619cZ/w/QOnayBt04ilCkXAXzck/RYr/c9oJEgirnqH1kATWJix3VzYng0/9yhGloOUHCm+jF3xOP6Uw==,iv:UI7UuJYJizYCO0ReC4SEPgmdPJNUnNuxgvkrhB1o/EQ=,tag:hEpJ64NcyaWl/e7KalOfGg==,type:str] + nginxAuth: ENC[AES256_GCM,data:+xcdBPwrpAXIXPFJCrmSsDacWlKzZbE0Mtt97ixxYcDMJT4PdATkboaECDJoyhqUc9ThwOCJ7t8/IHHNOh5r7hkk9aWzh8FY,iv:Z/IiEi6oZm1Hv3m8c522GK6eYFf0syFn3A0o4S58DUI=,tag:ASZqiiBOitfFGdYFP+i0jQ==,type:str] +paperless: + 
adminPassword: ENC[AES256_GCM,data:6SFObuK96Vc+PBUv/wRNCA==,iv:Mn6GJWzkd72xsvqlG0bD/3pp9YICqov356ZmlTda2eA=,tag:P3BJ1I+3XFD3HVkJccKyTg==,type:str] +atticd: + secret: ENC[AES256_GCM,data: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,iv:WVSTjMjzmtQTs7s9RUO4q3QY0ECP3yhNrWIu+fOb8jQ=,tag:QmHqdcd9uMo2DSTVooJtVA==,type:str] +docmost: ENC[AES256_GCM,data:OZWvmW+jipEGILOoXs7fIj0QwYxPO8zJwXR16yTIaf6V6ifY9jNZQnQHLnDP7Ke2e7XuF5yb3FztY0cCLfpDH0wVNCc+CuZhF76ouRZEteGf6TX0Lk9VmZNR0+bhca0ooJW4gXQDdI14gP+tnEd5sImW7PzyMRazkFmnVhzahCIF7eCjCTsEJAlTuSvQI/KYGFdHuCl94YP7U4o+hMHiicmCeTj4iewSS0FDOA6+rPKym6T5FReNtET/kUCVqxh9l2dUWpO+RSPQWfijlIOSt3Fmc18BdYOZ5QiHN9vpt7FUEJqye81ahlvGwNVefjlArGQlA1IoSxuWdSrPgSmEUGGTCEohKQ==,iv:179dvF/fGbqQIkMIHxTc2d2Qzcv6sjcvEsD2mnqYGuk=,tag:u7xRz9eNH7uFNuKZiX27+g==,type:str] +crowdsec: + lapi.yaml: ENC[AES256_GCM,data:1n3jB1QP1U3rO8quVvYe6tHrcf+WomMM2HBmll+kGSYwr6ZEyn70CPuPU5nhkJz4srqkqu0meJsq5AqnbPOsP/p+Zt2RASoG9ndGwFZPXRPD/jEgpJeMhsSxqleTjD/32mUlJvhdYssw2iTSIbhIPNQPAAAUKnGhN7GqQ0vJ7gIPSZrmBKqLN3W9LLTquwGruGPl1EpTDQAMgh+8Vnh8,iv:iZvebbCtFRKwV0SwLswQNuhY8grmWO486mfnk80M470=,tag:hTDdPb1yZpDDlQ2hq5oT5w==,type:str] + capi.yaml: ENC[AES256_GCM,data:+13mu3XXst8J5okb+jQ/IPOd5TfdcDgLuTP8L46U53GTgTJChQoT4Ttw6xKQhp6L7vNoArQBQL66leRt3DEXATUjxl/Zoi2eymxqLn6/NUpPkv0g7hszJGVbMZEUGjo3IAk5ZRQWaNXHA9mRq/OkHzpMMM6ZpCd0KpY92QbLSHxJ6yUMazL1Wh4hwvyWyN6lLxujrgnZWOQDPZYQmIi+c/Af,iv:OO+Ujqq89SbWcRoqhwiJX2jtIJIUrtgG9xll7WuDhzw=,tag:R+Mx2UAkwA238quvMKCBLQ==,type:str] + consoleToken: ENC[AES256_GCM,data:G/UfbMqHW0lecT7vKmZsusvXzgxz6apdRQ==,iv:JJTN1RPhFNMd2gqE3Vw2FvC+bA/vgOiYNfBhr96veIw=,tag:HKbhtwCWkLte8e8uGDt2Gw==,type:str] +sops: + age: + - recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVjFkd0l5dm5KL2hScUZ0 + OW1TRFU5SHYrTE9veUpnUG5heHAxNHR4T3dNCmNpdURkdWFZZDhZVE9oMENGcS9x + c0ltTUZMWWJUZUY5bktDM08xQXEzcTAKLS0tIDh2aHl1S2M5cDhteE9SODNKOFZm + 
L1JRZHJ2c2NqUTRwdU1xeWdDTVZIeFUKD1vnEBiQdlfYbUYVW29ByHoJ4kEmTOMp + laW74YK6yFNSMCWXkBZU1QmS/LxhHSZnse42WCcI8OFbNR+nud29jA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiVG5IZkZZVXBWZVhRbHdV + OUM5MFBac3hGcU5BS2N6bUg2Q1QyL1V2MW5rCjhrd2hrZm5CWVBtaWh6aHM4WUp6 + ZmxZZWhoYXVCRW1oWTdyOTFJNDh6VUkKLS0tIFdOZms1ZVNUYlI3bk1LZDVtWjRj + Rmpmb2JKUWNXY1Rob1UyOHJxOUdLSE0K+YBX6p44Pkn8aLt/03N8cpkHKzitCC7q + vWmNOpXPWw5ojj/6poED2fe14rNr/bs/UA8qiTo2LB9pOtgFugzaPw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-13T13:08:24Z" + mac: ENC[AES256_GCM,data:P2L3vQEvwub49QLvSgYYW5AwskaLuXdIRfCd8AhnBnDtHuDjNh/AVVLS3OOeDwyw/cNrd/IN8WC1NGZEUJmgOAcJJnfpg1i3gHd7lCA2hDUQyDU04BEfKHroqfZJaxbCoBeqWjPoWtWsIjsxjtedw3VwJ+U0jadrvcRimKEAbKM=,iv:bgVNmdGeVwfzXgrcEySrPOqgAnuSY1ceCkzDjurnkgE=,tag:nkYig1dXgG6mrXlLwJ/gkQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/system/dev/dn-server/sops/sops-conf.nix b/system/dev/dn-server/sops/sops-conf.nix new file mode 100644 index 0000000..3db0243 --- /dev/null +++ b/system/dev/dn-server/sops/sops-conf.nix 
@@ -0,0 +1,85 @@ +{ config, lib, ... }: +let + inherit (lib) mkIf; +in +{ + sops.secrets = { + "wireguard/privateKey" = { }; + "nextcloud/adminPassword" = { }; + "step_ca/password" = { }; + vaultwarden = { }; + "oauth/password" = { }; + "oauth/adminEnv" = { }; + "ldap/password" = lib.mkIf config.mail-server.enable { + mode = "0660"; + owner = config.services.openldap.user; + group = config.services.openldap.group; + }; + "ldap/env" = lib.mkIf config.mail-server.enable { + mode = "0660"; + group = config.users.groups.docker.name; + }; + "powerdns-admin/secret" = { + mode = "0660"; + owner = "powerdnsadmin"; + group = "powerdnsadmin"; + }; + "powerdns-admin/salt" = { + mode = "0660"; + owner = "powerdnsadmin"; + group = "powerdnsadmin"; + }; + powerdns = { + mode = "0660"; + owner = "pdns"; + group = "pdns"; + }; + rspamd-trainer = { + }; + rspamd = mkIf config.services.rspamd.enable { + owner = config.services.rspamd.user; + }; + "acme/env" = mkIf config.security.acme.acceptTerms { + mode = "0660"; + owner = "acme"; + group = "acme"; + }; + "postsrsd/secret" = mkIf config.services.postsrsd.enable { + mode = "0660"; + owner = config.services.postsrsd.user; + group = config.services.postsrsd.group; + }; + "grafana/password" = mkIf config.services.grafana.enable { + mode = "0660"; + owner = "grafana"; + group = "grafana"; + }; + "grafana/client_secret" = mkIf config.services.grafana.enable { + mode = "0660"; + owner = "grafana"; + group = "grafana"; + }; + "prometheus/powerdns/password" = mkIf config.services.prometheus.enable { + mode = "0660"; + owner = "prometheus"; + group = config.users.users.prometheus.group; + }; + "paperless/adminPassword" = mkIf config.services.paperless.enable { + owner = config.services.paperless.user; + }; + "atticd/secret" = mkIf config.services.atticd.enable { }; + "docmost" = { }; + "crowdsec/lapi.yaml" = mkIf config.services.crowdsec.enable { + owner = "crowdsec"; + mode = "0600"; + }; + "crowdsec/capi.yaml" = mkIf 
config.services.crowdsec.enable { + owner = "crowdsec"; + mode = "0600"; + }; + "crowdsec/consoleToken" = mkIf config.services.crowdsec.enable { + owner = "crowdsec"; + mode = "0600"; + }; + }; +} diff --git a/system/dev/skydrive-lap/boot.nix b/system/dev/skydrive-lap/common/boot.nix similarity index 100% rename from system/dev/skydrive-lap/boot.nix rename to system/dev/skydrive-lap/common/boot.nix diff --git a/system/dev/skydrive-lap/common/default.nix b/system/dev/skydrive-lap/common/default.nix new file mode 100644 index 0000000..0e32e5b --- /dev/null +++ b/system/dev/skydrive-lap/common/default.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./boot.nix + ./disk.nix + ./nvidia.nix + ./hardware-configuration.nix + ]; +} diff --git a/system/dev/skydrive-lap/disk.nix b/system/dev/skydrive-lap/common/disk.nix similarity index 100% rename from system/dev/skydrive-lap/disk.nix rename to system/dev/skydrive-lap/common/disk.nix diff --git a/system/dev/skydrive-lap/hardware-configuration.nix b/system/dev/skydrive-lap/common/hardware-configuration.nix similarity index 100% rename from system/dev/skydrive-lap/hardware-configuration.nix rename to system/dev/skydrive-lap/common/hardware-configuration.nix diff --git a/system/dev/skydrive-lap/common/nvidia.nix b/system/dev/skydrive-lap/common/nvidia.nix new file mode 100644 index 0000000..419dde3 --- /dev/null +++ b/system/dev/skydrive-lap/common/nvidia.nix @@ -0,0 +1,10 @@ +{ + imports = [ + # Nvidia GPU Driver + (import ../../../modules/nvidia.nix { + nvidia-mode = "offload"; + intel-bus-id = "PCI:0:2:0"; + nvidia-bus-id = "PCI:1:0:0"; + }) + ]; +} diff --git a/system/dev/skydrive-lap/default.nix b/system/dev/skydrive-lap/default.nix index 6390665..5c91475 100644 --- a/system/dev/skydrive-lap/default.nix +++ b/system/dev/skydrive-lap/default.nix 
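Review bot: In the new sops-conf.nix, `"ldap/password"` and `"ldap/env"` use `lib.mkIf` while `mkIf` is already inherited at the top and used for every other conditional entry; write `"ldap/password" = lib.mkIf config.mail-server.enable {` as `"ldap/password" = mkIf config.mail-server.enable {` (and likewise for `"ldap/env"`) so the file reads uniformly. Those two guards, and the `config.mail-server.hostname`/`domain` references in the dn-server Grafana file above, depend on an `options.mail-server` definition, but this same commit deletes `system/modules/mail-server/default.nix`, which declared it; that is fine only if the option set has moved to a module outside this view, otherwise evaluation fails on an undefined attribute. Also, the host's `secret.yaml` gains a `prometheus/nginxAuth` entry that no `sops.secrets` declaration here references, so it is never materialised by this file — worth a comment or a declaration if some module expects it. The `"crowdsec/capi.yaml"` entry is split across two physical lines here only by the page layout.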
@@ -1,151 +1,41 @@ +{ hostname }: { - username, config, lib, pkgs, ... }: let - inherit (lib) optionalString; - geVersion = "10-15"; - faceIcon = pkgs.fetchurl { - url = "https://files.net.dn/skydrive.jpg"; - hash = "sha256-aMjl6VL1Zy+r3ElfFyhFOlJKWn42JOnAFfBXF+GPB/Q="; - curlOpts = "-k"; - }; - - memeSelector = pkgs.callPackage ../../../home/scripts/memeSelector.nix { - url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/"; - }; - - monitors = [ - "desc:AU Optronics 0x82ED" - "desc:AOC 24B30HM2 27ZQ4HA00101" - ]; + username = "skydrive"; in { - imports = [ - ./hardware-configuration.nix - ../../modules/presets/basic.nix - - # Nvidia GPU Driver - (import ../../modules/nvidia.nix { - nvidia-mode = "offload"; - intel-bus-id = "PCI:0:2:0"; - nvidia-bus-id = "PCI:1:0:0"; - }) - - ./boot.nix # Extra Boot Options - ./disk.nix - ./sops-conf.nix - ../../modules/printer.nix - ../../modules/gaming.nix - ../../modules/wine.nix - ../../modules/localsend.nix - (import ../../modules/airplay.nix { hostname = config.networking.hostName; }) - # (import ../../modules/virtualization.nix { inherit username; }) - ../../modules/wireguard.nix - ]; - - home-manager = { - users."${username}" = { - imports = [ - ../../../home/presets/basic.nix - + systemConf = { + inherit hostname username; + domain = "net.dn"; + hyprland = { + enable = true; + monitors = [ { - home.file.".face" = { - source = lib.mkForce faceIcon; - }; + desc = "AU Optronics 0x82ED"; + props = "prefered, 0x0, 1"; + output = "eDP-1"; } - - # Hyprland - (import ../../../home/user/hyprland.nix { inherit monitors; }) { - wayland.windowManager.hyprland = { - settings = { - input = { - kb_options = lib.mkForce [ ]; - }; - - monitor = [ - ''desc:AU Optronics 0x82ED, prefered, 0x0, 1'' - ''desc:AOC 24B30HM2 27ZQ4HA00101, prefered, 1920x540, 1'' - ]; - - bind = [ - "$mainMod ctrl, M, exec, ${memeSelector}/bin/memeSelector" - ]; - }; - }; + desc = "AOC 24B30HM2 27ZQ4HA00101"; + props = "prefered, 1920x540, 1"; + 
output = "HDMI-A-2"; } - - (import ../../../home/user/waybar.nix { - settings = [ - # monitor 1 - { - output = "eDP-1"; - modules-left = [ - "custom/os" - "hyprland/workspaces" - "clock" - "custom/cava" - "mpris" - ]; - modules-right = [ - "wlr/taskbar" - (optionalString config.programs.gamemode.enable "custom/gamemode") - "custom/airplay" - "custom/wallRand" - "custom/wireguard" - "custom/recording" - "idle_inhibitor" - "network" - "cpu" - "memory" - "pulseaudio" - "custom/swaync" - ]; - } - { - output = "HDMI-A-2"; - modules-left = [ - "clock" - "mpris" - ]; - modules-right = [ - "wlr/taskbar" - "temperature" - "cpu" - "memory" - "pulseaudio" - ]; - } - ]; - }) ]; - - home.file = { - # Proton GE - ".steam/root/compatibilitytools.d/GE-Proton${geVersion}" = { - source = fetchTarball { - url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${geVersion}/GE-Proton${geVersion}.tar.gz"; - sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm"; - }; - }; - ".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = { - source = fetchTarball { - url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz"; - sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz"; - }; - }; - }; }; }; - environment.systemPackages = map lib.lowPrio [ - pkgs.curl - pkgs.gitMinimal - memeSelector + imports = [ + ../../modules/presets/basic.nix + ./common + ./games + ./services + ./sops + ./utility ]; users.users.root.openssh.authorizedKeys.keys = [ diff --git a/system/dev/skydrive-lap/games/default.nix b/system/dev/skydrive-lap/games/default.nix new file mode 100644 index 0000000..bb2b2d3 --- /dev/null +++ b/system/dev/skydrive-lap/games/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ../../../modules/gaming.nix + ../../../modules/wine.nix + ]; +} 
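Review bot: The rewritten `imports` list in skydrive-lap/default.nix pulls in `./common`, `./games`, `./services`, `./sops` and `./utility` but not `./home`, although this commit creates `system/dev/skydrive-lap/home/default.nix` to carry the home-manager, waybar, Proton and memeSelector configuration removed from this file. Unless `../../modules/presets/basic.nix` or code below the hunk imports it, that configuration is silently dropped; add `./home` to the list. The remainder of the file after `users.users.root.openssh.authorizedKeys.keys = [` is outside the hunk.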
diff --git a/system/dev/skydrive-lap/home/default.nix b/system/dev/skydrive-lap/home/default.nix new file mode 100644 index 0000000..086ea3e --- /dev/null +++ b/system/dev/skydrive-lap/home/default.nix 
@@ -0,0 +1,118 @@ +{ + config, + lib, + pkgs, + ... +}: +let + inherit (config.systemConf) username; + inherit (lib) mkForce optionalString; + + geVersion = "10-15"; + + memeSelector = pkgs.callPackage ../../../../home/scripts/memeSelector.nix { + url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/"; + }; + + faceIcon = pkgs.fetchurl { + url = "https://files.net.dn/skydrive.jpg"; + hash = "sha256-aMjl6VL1Zy+r3ElfFyhFOlJKWn42JOnAFfBXF+GPB/Q="; + curlOpts = "-k"; + }; +in +{ + + environment.systemPackages = map lib.lowPrio [ + pkgs.curl + pkgs.gitMinimal + memeSelector + ]; + + home-manager = { + users."${username}" = { + imports = [ + ../../../../home/presets/basic.nix + + { + home.file.".face" = { + source = mkForce faceIcon; + }; + } + + { + wayland.windowManager.hyprland = { + settings = { + input = { + kb_options = lib.mkForce [ ]; + }; + + bind = [ + "$mainMod ctrl, M, exec, ${memeSelector}/bin/memeSelector" + ]; + }; + }; + } + + (import ../../../../home/user/waybar.nix { + settings = [ + # monitor 1 + { + output = "eDP-1"; + modules-left = [ + "custom/os" + "hyprland/workspaces" + "clock" + "custom/cava" + "mpris" + ]; + modules-right = [ + "wlr/taskbar" + (optionalString config.programs.gamemode.enable "custom/gamemode") + "custom/airplay" + "custom/wallRand" + "custom/wireguard" + "custom/recording" + "idle_inhibitor" + "network" + "cpu" + "memory" + "pulseaudio" + "custom/swaync" + ]; + } + { + output = "HDMI-A-2"; + modules-left = [ + "clock" + "mpris" + ]; + modules-right = [ + "wlr/taskbar" + "temperature" + "cpu" + "memory" + "pulseaudio" + ]; + } + ]; + }) + ]; + + home.file = { + # Proton GE + ".steam/root/compatibilitytools.d/GE-Proton${geVersion}" = { + source = fetchTarball { + url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${geVersion}/GE-Proton${geVersion}.tar.gz"; + sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm"; + }; + }; + 
".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = { + source = fetchTarball { + url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz"; + sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz"; + }; + }; + }; + }; + }; +} diff --git a/system/dev/skydrive-lap/services/default.nix b/system/dev/skydrive-lap/services/default.nix new file mode 100644 index 0000000..e02134a --- /dev/null +++ b/system/dev/skydrive-lap/services/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./wireguard.nix + ]; +} diff --git a/system/dev/skydrive-lap/services/wireguard.nix b/system/dev/skydrive-lap/services/wireguard.nix new file mode 100644 index 0000000..b2e5388 --- /dev/null +++ b/system/dev/skydrive-lap/services/wireguard.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ../../../modules/wireguard.nix + ]; +} diff --git a/system/dev/skydrive-lap/sops/default.nix b/system/dev/skydrive-lap/sops/default.nix new file mode 100644 index 0000000..08b0fca --- /dev/null +++ b/system/dev/skydrive-lap/sops/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./sops-conf.nix + ]; +} diff --git a/system/dev/skydrive-lap/secret.yaml b/system/dev/skydrive-lap/sops/secret.yaml similarity index 100% rename from system/dev/skydrive-lap/secret.yaml rename to system/dev/skydrive-lap/sops/secret.yaml diff --git a/system/dev/skydrive-lap/sops-conf.nix b/system/dev/skydrive-lap/sops/sops-conf.nix similarity index 100% rename from system/dev/skydrive-lap/sops-conf.nix rename to system/dev/skydrive-lap/sops/sops-conf.nix diff --git a/system/dev/skydrive-lap/utility/default.nix b/system/dev/skydrive-lap/utility/default.nix new file mode 100644 index 0000000..698d02b --- /dev/null +++ b/system/dev/skydrive-lap/utility/default.nix 
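Review bot: In home/default.nix `kb_options = lib.mkForce [ ];` uses the qualified name while `mkForce` is inherited from `lib` at the top and used for `.face` a few lines earlier; make it `kb_options = mkForce [ ];` so the file is consistent with itself. The `faceIcon` fetch keeps `curlOpts = "-k"`, which disables certificate verification for `files.net.dn`; the fixed `hash` still guarantees the content, but the reason deserves a line such as `# files.net.dn is signed by an internal CA; integrity is pinned by the hash below` so the next reader does not remove or copy it blindly. The services/, sops/ and rename entries that share this line are trivial.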
@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+ imports = [
+ ../../../modules/printer.nix
+ ../../../modules/localsend.nix
+ (import ../../../modules/airplay.nix { hostname = config.networking.hostName; })
+ ];
+}
diff --git a/system/modules/crowdsec.nix b/system/modules/crowdsec.nix
new file mode 100644
index 0000000..a64c04d
--- /dev/null
+++ b/system/modules/crowdsec.nix
@@ -0,0 +1,99 @@ +{ + lapiCred, + capiCred, + consoleToken, + trusted_ips ? [ ], + extraAcq ? [ ], + extraJournal ? [ ], + enableServer ? false, + enablePrometheus ? true, +}: +{ + config, + lib, + pkgs, + ... +}: +let + inherit (lib) mkDefault mkIf; + mkJournalFilter = service: { + journalctl_filter = [ + "_SYSTEMD_UNIT=${service}" + ]; + labels = { + type = "syslog"; + }; + source = "journalctl"; + }; + + # ==== Default Services ==== # + services = map (x: mkJournalFilter x) [ + "sshd.service" + ]; + + extraServices = map (x: mkJournalFilter x) extraJournal; +in +{ + services.postgresql = { + enable = mkDefault true; + ensureDatabases = [ config.services.crowdsec.user ]; + ensureUsers = [ + { + name = config.services.crowdsec.user; + ensureDBOwnership = true; + } + ]; + }; + + services.crowdsec = { + enable = true; + settings.general = { + prometheus = { + enabled = enablePrometheus; + }; + db_config = { + type = "postgresql"; + db_name = config.services.crowdsec.user; + db_path = "/var/run/postgresql"; + user = config.services.crowdsec.user; + sslmode = "disable"; + flush.max_items = 5000; + flush.max_age = "7d"; + }; + api.client = { + insecure_skip_verify = false; + }; + api.server = mkIf enableServer { + enable = true; + listen_uri = "127.0.0.1:31005"; + trusted_ips = [ + "127.0.0.1" + "10.0.0.0/24" + "::1" + ] + ++ trusted_ips; + }; + }; + settings = { + lapi.credentialsFile = lapiCred; + capi.credentialsFile = capiCred; + console.tokenFile = consoleToken; + }; + localConfig = { + acquisitions = services ++ extraServices ++ extraAcq; + }; + hub = { + scenarios = [ + "crowdsecurity/ssh-bf" + "crowdsecurity/ssh-generic-test" + "crowdsecurity/http-generic-test" + ]; + postOverflows = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ]; + parsers = [ "crowdsecurity/sshd-logs" ]; + collections = [ "crowdsecurity/linux" ]; + appSecRules = [ "crowdsecurity/base-config" ]; + appSecConfigs = [ "crowdsecurity/appsec-default" ]; + }; + autoUpdateService = true; + 
}; +} diff --git a/system/modules/davinci-resolve.nix b/system/modules/davinci-resolve.nix index 2d7f618..a3cb5bd 100644 --- a/system/modules/davinci-resolve.nix +++ b/system/modules/davinci-resolve.nix @@ -1,6 +1,6 @@ { pkgs, - username, + config, ... }: let @@ -13,7 +13,7 @@ in scriptBin ]; - home-manager.users."${username}" = { + home-manager.users."${config.systemConf.username}" = { xdg.desktopEntries."davindi-resolve" = { name = "Davinci Resolve"; genericName = "Video Editor"; diff --git a/system/modules/docmost.nix b/system/modules/docmost.nix new file mode 100644 index 0000000..488b750 --- /dev/null +++ b/system/modules/docmost.nix 
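Review bot: `api.server.trusted_ips` in crowdsec.nix hard-codes `"10.0.0.0/24"` next to the `trusted_ips` parameter, so every host importing this module trusts that site-specific range even though the parameter exists to supply it; drop the literal and let the importing host pass its CIDR (with `listen_uri = "127.0.0.1:31005"` the range only matters through whatever fronts the LAPI, which makes the default even less obviously right). Separately, `db_config` pairs `type = "postgresql"` with `db_path = "/var/run/postgresql"`; if I read CrowdSec's database settings correctly, `db_path` is the SQLite file location and the PostgreSQL backend reads `host`/`port`, so the socket directory may be ignored and the client fall back to the driver default — confirm on a running instance and, if so, use `host = "/var/run/postgresql";`. Minor style: `map (x: mkJournalFilter x)` can be `map mkJournalFilter` in both places.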
@@ -0,0 +1,86 @@ +{ + fqdn ? null, + port ? 32000, + https ? true, + openFirewall ? false, + extraConf ? { }, + envFile ? null, +}: +{ + lib, + config, + ... +}: +let + inherit (lib) optionalString mkIf; +in +{ + networking.firewall.allowedTCPPorts = mkIf openFirewall [ + port + ]; + + services.redis.servers."docmost" = { + enable = true; + port = 32001; + }; + + services.postgresql = { + ensureDatabases = [ "docmost" ]; + ensureUsers = [ + { + name = "docmost"; + ensureDBOwnership = true; + } + ]; + }; + + virtualisation.oci-containers = { + backend = lib.mkDefault "docker"; + containers = { + docmost = { + image = "docmost/docmost:latest"; + environment = ( + { + PORT = "${toString port}"; + APP_URL = "${ + if (fqdn != null) then + "${if https then "https" else "http"}://${fqdn}" + else + "http://localhost:${toString port}" + }"; + DATABASE_URL = "postgresql://docmost@docmost?schema=public&host=/var/run/postgresql"; + REDIS_URL = "redis://localhost:${toString config.services.redis.servers.docmost.port}"; + } + // extraConf + ); + extraOptions = [ + "--network=host" + "${optionalString (envFile != null) "--env-file=${envFile}"}" + ]; + volumes = [ + "/var/run/postgresql:/var/run/postgresql" + "docmost:/app/data/storage" + ]; + }; + }; + }; + + services.nginx = { + enable = lib.mkDefault true; + enableReload = lib.mkDefault true; + recommendedGzipSettings = lib.mkDefault true; + recommendedOptimisation = lib.mkDefault true; + recommendedTlsSettings = lib.mkDefault true; + recommendedProxySettings = lib.mkDefault true; + virtualHosts = lib.mkIf (fqdn != null) { + "${fqdn}" = { + enableACME = lib.mkIf https true; + forceSSL = lib.mkIf https true; + locations."/" = { + proxyPass = "http://localhost:${toString port}"; + proxyWebsockets = true; + }; + }; + }; + }; +} diff --git a/system/modules/grafana.nix b/system/modules/grafana.nix index 4448b09..b1a247d 100644 --- a/system/modules/grafana.nix +++ b/system/modules/grafana.nix 
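Review bot: In docmost.nix `extraOptions` always has a second element, `"${optionalString (envFile != null) "--env-file=${envFile}"}"`, which becomes an empty string when `envFile` is null, so docker is handed `""` as a positional argument instead of nothing; build the list conditionally, `extraOptions = [ "--network=host" ] ++ lib.optional (envFile != null) "--env-file=${envFile}";`. The image is pinned only to `docmost/docmost:latest`, so a pull can silently change the software that runs with `--network=host` on this machine; pin a version tag or an `@sha256:` digest (value to be taken from the registry) so upgrades are deliberate. `DATABASE_URL` carries no password and so presumably relies on Unix-socket peer authentication, which only succeeds if the uid the container runs as resolves to an OS user named `docmost` on the host — worth a comment once that has been verified.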
@@ -4,12 +4,23 @@ smtpDomain, domain, extraSettings ? { }, + extraConf ? { }, }: { config, ... }: let email = "grafana@${smtpDomain}"; in { + services.postgresql = { + ensureDatabases = [ "grafana" ]; + ensureUsers = [ + { + name = "grafana"; + ensureDBOwnership = true; + } + ]; + }; + services.grafana = { enable = true; settings = ( @@ -31,11 +42,20 @@ in security = { admin_email = email; admin_password = "$__file{${passFile}}"; + secret_key = "$__file{${passFile}}"; + }; + database = { + type = "postgres"; + user = "grafana"; + name = "grafana"; + host = "/var/run/postgresql"; }; } // extraSettings ); - }; + + } + // extraConf; services.nginx.virtualHosts."${domain}" = { enableACME = true; diff --git a/system/modules/hyprland.nix b/system/modules/hyprland.nix index 4cc8266..018fac1 100644 --- a/system/modules/hyprland.nix +++ b/system/modules/hyprland.nix @@ -1,17 +1,24 @@ { pkgs, + config, inputs, + lib, ... }: +let + inherit (lib) mkIf; + + hyprlandEnabled = config.programs.hyprland.enable; +in { programs.hyprland = { - enable = true; + enable = config.systemConf.hyprland.enable; withUWSM = false; package = inputs.hyprland.packages."${pkgs.system}".hyprland; portalPackage = inputs.hyprland.packages.${pkgs.system}.xdg-desktop-portal-hyprland; }; - xdg.portal = { + xdg.portal = mkIf hyprlandEnabled { enable = true; xdgOpenUsePortal = true; extraPortals = [ 
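Review bot: The second grafana.nix hunk sets `secret_key = "$__file{${passFile}}"`, reusing the admin password file as Grafana's `secret_key`; that key encrypts stored data source secrets, so the two purposes now share one value and rotating the admin password would leave those secrets undecryptable (and vice versa). Give it its own sops-managed file, e.g. a `secretKeyFile` parameter and `secret_key = "$__file{${secretKeyFile}}";`. Note also that `// extraConf` merges shallowly at the top level of `services.grafana`, so a caller passing `extraConf.settings` replaces the whole `settings` attribute rather than extending it — fine if intended, but it deserves a comment on the `extraConf ? { }` parameter.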
@@ -19,29 +26,32 @@ ]; }; - environment.sessionVariables = { + environment.sessionVariables = mkIf hyprlandEnabled { NIXOS_OZONE_WL = "1"; WLR_NO_HARDWARE_CURSORS = "1"; }; - environment.systemPackages = with pkgs; [ - pyprland - hyprsunset - hyprpicker - hyprshot - kitty + environment.systemPackages = mkIf hyprlandEnabled ( + with pkgs; + [ + pyprland + hyprsunset + hyprpicker + hyprshot + kitty - qt5.qtwayland - qt6.qtwayland - wlogout - wl-clipboard + # qt5.qtwayland + # qt6.qtwayland + wlogout + wl-clipboard - # Util - grim - slurp - ]; + # Util + grim + slurp + ] + ); - nix = { + nix = mkIf hyprlandEnabled { settings = { substituters = [ "https://hyprland.cachix.org" ]; trusted-public-keys = [ diff --git a/system/modules/mail-server/default.nix b/system/modules/mail-server/default.nix deleted file mode 100644 index d0f2aff..0000000 --- a/system/modules/mail-server/default.nix +++ /dev/null 
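Review bot: The rewritten `environment.systemPackages` in hyprland.nix parks `# qt5.qtwayland` and `# qt6.qtwayland` as commented-out entries with no explanation; either delete them or say why, e.g. `# qt5/qt6 qtwayland dropped: <reason>` (reason to be supplied). The `mkIf hyprlandEnabled` gating is applied consistently across the attribute sets in both hyprland.nix hunks, including the cachix substituter and its trusted public key.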
@@ -1,163 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; -{ - options.mail-server = { - enable = mkEnableOption "mail-server"; - - configureACME = mkEnableOption "Enable auto configuration of ACME" // { - default = false; - }; - - caFile = mkOption { - type = types.path; - default = config.security.pki.caBundle; - description = '' - Extra CA certification to trust; - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - This option results in following configuration: - - networking.firewall.allowedTCPPorts = [ - 25 # SMTP - 465 # SMTPS - 587 # STARTTLS - 143 # IMAP STARTTLS - 993 # IMAPS - 110 # POP3 STARTTLS - 995 # POP3S - ]; - ''; - }; - - rootAlias = mkOption { - type = with types; uniq str; - default = ""; - description = "Root alias"; - example = '' - - ''; - }; - - virtual = mkOption { - type = lib.types.lines; - default = ""; - description = '' - Entries for the virtual alias map, cf. man-page {manpage}`virtual(5)`. - ''; - }; - - extraAliases = mkOption { - type = with types; str; - default = ""; - description = "Extra aliases"; - example = '' - something: root - gender: root - ''; - }; - - mailDir = mkOption { - type = with types; uniq str; - description = "Path to store local mails"; - default = "~/Maildir"; - example = "~/Maildir"; - }; - - virtualMailDir = mkOption { - type = with types; path; - description = "Path to store virtual mails"; - default = "/var/mail/vhosts"; - example = "/var/mail/vmails"; - }; - - uid = mkOption { - type = with types; int; - default = 5000; - description = "UID for \"vmail\""; - }; - - gid = mkOption { - type = with types; int; - default = 5000; - description = "GID for \"vmail\""; - }; - - domain = mkOption { - type = with types; uniq str; - default = config.networking.fqdn; - description = "Domain name used for mail server"; - }; - - origin = mkOption { - type = with types; uniq str; - default = ""; - description = "Origin to use in outgoing e-mail. 
Leave blank to use hostname."; - }; - - destination = mkOption { - type = with types; listOf str; - default = [ ]; - description = "Postfix destination"; - }; - - networks = mkOption { - type = with types; listOf str; - default = [ ]; - description = "Postfix networks"; - }; - - oauth = { - username = mkOption { - type = with types; uniq str; - default = "keycloak"; - description = "Keycloak username"; - }; - - passwordFile = mkOption { - type = with types; path; - description = "Path to the keycloak password file"; - example = "/run/secrets/keycloak/password"; - }; - }; - - ldap = { - passwordFile = mkOption { - type = with types; path; - description = "Path to the openldap password file"; - example = "/run/secrets/ldap/password"; - }; - - webEnv = mkOption { - type = with types; path; - description = "Path to phpLDAPadmin env file"; - example = "/run/secrets/ldap/env"; - }; - }; - - rspamd = { - trainerSecret = mkOption { - type = with types; path; - description = "Path to rspamd trainer secret"; - example = "/run/secrets/rspamd-trainer/secret"; - }; - port = mkOption { - type = with types; int; - default = 11334; - description = "Port for rspamd webUI"; - }; - }; - }; - - imports = [ - ./server.nix - ]; -} diff --git a/system/modules/mail-server/server.nix b/system/modules/mail-server/server.nix deleted file mode 100644 index c09ae3c..0000000 --- a/system/modules/mail-server/server.nix +++ /dev/null 
@@ -1,616 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-with lib;
-let
- cfg = config.mail-server;
- dcList = strings.splitString "." cfg.domain;
- ldapDomain = strings.concatStringsSep "," (lists.forEach dcList (dc: "dc=" + dc));
-
- dovecotSecretPath = "/run/dovecot-secret";
- authBaseConf = pkgs.writeText "dovecot-auth.conf.ext" ''
- passdb ldap {
- auth_username_format = %{user | lower}
- ldap_bind = no
- ldap_filter = (&(objectClass=inetOrgPerson)(uid=%{user | username}))
- use_worker = no
-
- fields {
- user = %{ldap:mail}
- password = %{ldap:userPassword}
- }
- }
- ldap_auth_dn = cn=admin,${ldapDomain}
- ldap_auth_dn_password = $LDAP_PASSWORD
- ldap_uris = ldap://localhost
- ldap_base = ${ldapDomain}
- '';
- authConf = "${dovecotSecretPath}/dovecot-auth.conf.ext";
-
- dovecotDomain = config.services.postfix.settings.main.myhostname;
-in
-{
- config = mkIf cfg.enable {
- security.acme.certs = mkIf cfg.configureACME {
- "${config.services.postfix.settings.main.myhostname}" = {
- dnsProvider = null;
- webroot = "/var/lib/acme/acme-challenge";
- postRun = ''
- systemctl restart postfix.service
- systemctl restart dovecot.service
- '';
- };
- "${cfg.domain}" = {
- dnsProvider = null;
- webroot = "/var/lib/acme/acme-challenge";
- };
- };
-
- # ===== opendkim ===== #
- services.opendkim = {
- enable = true;
- domains = "csl:${cfg.domain}";
- selector = "mail";
- };
-
- # ===== Postfix ===== #
- environment.sessionVariables = {
- MAILDIR = cfg.mailDir;
- };
-
- systemd.services.postfix = {
- requires = [
- "acme-finished-${config.services.postfix.settings.main.myhostname}.target"
- ];
- serviceConfig.LoadCredential =
- let
- certDir =
- config.security.acme.certs."${config.services.postfix.settings.main.myhostname}".directory;
- in
- [
- "cert.pem:${certDir}/cert.pem"
- "key.pem:${certDir}/key.pem"
- ];
- };
-
- services.postfix = {
- enable = true;
- virtual = cfg.virtual;
- enableSubmissions = true;
-
- settings.main =
- let
- credsDir = "/run/credentials/postfix.service";
- certDir = "${credsDir}/cert.pem";
- keyDir = "${credsDir}/key.pem";
- in
- {
- myhostname = "mail.${cfg.domain}";
- mynetworks = cfg.networks;
- mydestination = cfg.destination;
- myorigin = if cfg.origin == "" then cfg.domain else cfg.origin;
- relayhost = [ "0.0.0.0:465" ];
- smtpd_tls_security_level = "encrypt";
- smtpd_client_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject";
- smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
- milter_macro_daemon_name = "ORIGINATING";
-
- virtual_uid_maps = [
- "static:${toString cfg.uid}"
- ];
- virtual_gid_maps = [
- "static:${toString cfg.gid}"
- ];
-
- virtual_mailbox_domains = [ cfg.domain ];
- virtual_transport = "lmtp:unix:private/dovecot-lmtp";
- smtpd_sasl_type = "dovecot";
- smtpd_sasl_path = "private/auth";
- smtpd_sasl_auth_enable = "yes";
- tls_random_source = "dev:/dev/urandom";
-
- smtp_tls_security_level = "may";
- smtp_tls_chain_files = [
- keyDir
- certDir
- ];
-
- smtpd_tls_chain_files = [
- keyDir
- certDir
- ];
-
- home_mailbox = cfg.mailDir;
- }
- // optionalAttrs config.services.opendkim.enable (
- let
- opendkimSocket = strings.removePrefix "local:" config.services.opendkim.socket;
- in
- {
- smtpd_milters = [ "unix:${opendkimSocket}" ];
- non_smtpd_milters = [ "unix:${opendkimSocket}" ];
- milter_default_action = "accept";
- }
- );
-
- rootAlias = cfg.rootAlias;
- postmasterAlias = "root";
- extraAliases = ''
- mailer-daemon: postmaster
- nobody: root
- hostmaster: root
- usenet: root
- news: root
- webmaster: root
- www: root
- ftp: root
- abuse: root
- noc: root
- security: root
- ''
- + cfg.extraAliases;
- };
-
- services.rspamd = {
- enable = true;
- postfix.enable = true;
- workers = {
- normal = {
- includes = [ "$CONFDIR/worker-normal.inc" ];
- bindSockets = [
- {
- socket = "/run/rspamd/rspamd.sock";
- mode = "0660";
- owner = "${config.services.rspamd.user}";
- group = "${config.services.rspamd.group}";
- }
- ];
- };
- controller = {
- includes = [ "$CONFDIR/worker-controller.inc" ];
- bindSockets = [ "127.0.0.1:${toString cfg.rspamd.port}" ];
- extraConfig = ''
- password=$2$w3asngzxwp3hoa67gimtrgmdxzmpq1n1$knfe5cyb1f769zro4rsi3j8ipc1p7ewh3u4cz63ngidmpjs8955y
- '';
- };
- };
- };
-
- # ===== rspamd trainer ===== #
- services.rspamd-trainer = {
- enable = true;
- settings = {
- HOST = dovecotDomain;
- USERNAME = "spam@${cfg.domain}";
- INBOXPREFIX = "INBOX.";
- };
- secrets = [
- cfg.rspamd.trainerSecret
- ];
- };
-
- systemd.services.rspamd-trainer = lib.mkIf config.services.rspamd-trainer.enable {
- after = [
- "postfix.service"
- "dovecot.service"
- "rspamd-trainer-pre.service"
- ];
- requires = [ "rspamd-trainer-pre.service" ];
- };
-
- # ===== Create Mailbox for rspamd trainer ===== #
- systemd.services.rspamd-trainer-pre = lib.mkIf config.services.rspamd-trainer.enable {
- serviceConfig = {
- ExecStart =
- let
- script = pkgs.writeShellScript "rspamd-trainer-pre.sh" ''
- set -euo pipefail
-
- username=${config.services.rspamd-trainer.settings.USERNAME}
- domain="${cfg.domain}"
- mailbox_list=("report_spam" "report_ham" "report_spam_reply")
- for mailbox in ''\${mailbox_list[@]}; do
- echo "Creating $mailbox..."
- ${pkgs.dovecot}/bin/doveadm mailbox create -u "$username@$domain" "INBOX.$mailbox" 2>/dev/null || true
- done
- '';
- in
- "${pkgs.bash}/bin/bash ${script}";
- Type = "oneshot";
- };
- };
-
- # ===== Dovecot ===== #
- systemd.services.dovecot = {
- requires = [ "acme-finished-${dovecotDomain}.target" ];
- serviceConfig = {
- RuntimeDirectory = [ "dovecot-secret" ];
- RuntimeDirectoryMode = "0640";
- ExecStartPre = [
- ''${pkgs.busybox.out}/bin/mkdir -p ${cfg.virtualMailDir}''
- ''${pkgs.busybox.out}/bin/chown -R vmail:vmail ${cfg.virtualMailDir}''
- ''${pkgs.busybox.out}/bin/chmod 770 ${cfg.virtualMailDir}''
- ''${pkgs.bash}/bin/bash -c "LDAP_PASSWORD=$(cat ${cfg.ldap.passwordFile}) ${pkgs.gettext.out}/bin/envsubst < ${authBaseConf} > ${authConf}"''
- ''${pkgs.busybox.out}/bin/chown ${config.services.dovecot.user}:${config.services.dovecot.group} ${authConf}''
- ''${pkgs.busybox.out}/bin/chmod 660 ${authConf}''
- ];
-
- LoadCredential =
- let
- certDir = config.security.acme.certs."${dovecotDomain}".directory;
- in
- [
- "cert.pem:${certDir}/cert.pem"
- "key.pem:${certDir}/key.pem"
- ];
- };
- };
-
- services.dovecot =
- let
- credsDir = "/run/credentials/dovecot.service";
- certDir = "${credsDir}/cert.pem";
- keyDir = "${credsDir}/key.pem";
- in
- {
- enable = true;
- enablePAM = false;
- enableImap = true;
- enablePop3 = true;
- enableLmtp = true;
- enableHealthCheck = true;
- mailLocation = lib.mkDefault "${cfg.mailDir}";
- mailUser = "vmail";
- mailGroup = "vmail";
- sslServerKey = keyDir;
- sslServerCert = certDir;
-
- mailboxes = {
- Junk = {
- specialUse = "Junk";
- auto = "subscribe";
- };
- Drafts = {
- specialUse = "Drafts";
- auto = "subscribe";
- };
- Archive = {
- specialUse = "Archive";
- auto = "subscribe";
- };
- Sent = {
- specialUse = "Sent";
- auto = "subscribe";
- };
- };
-
- extraConfig = ''
- # authentication debug logging
- log_path = /dev/stderr
- log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)
-
- auth_mechanisms = plain login
- ssl = required
-
- service auth {
- unix_listener ${config.services.postfix.settings.main.queue_directory}/private/auth {
- mode = 0660
- user = ${config.services.postfix.user}
- group = ${config.services.postfix.group}
- type = postfix
- }
- }
-
- service lmtp {
- unix_listener ${config.services.postfix.settings.main.queue_directory}/private/dovecot-lmtp {
- mode = 0660
- user = ${config.services.postfix.user}
- group = ${config.services.postfix.group}
- type = postfix
- }
- }
-
- userdb static {
- fields {
- uid = ${toString cfg.uid}
- gid = ${toString cfg.gid}
- home = ${cfg.virtualMailDir}/%{user | domain}/%{user | username}
- }
- }
-
- lda_mailbox_autosubscribe = yes
- lda_mailbox_autocreate = yes
-
- !include ${authConf}
- '';
- };
-
- systemd.services.dovecot-healthcheck = mkIf config.services.dovecot.enableHealthCheck (
- let
- pythonServer =
- pkgs.writeScript "dovecot-healthcheck"
- # python
- ''
- #!${pkgs.python3}/bin/python3
- import socket
- from http.server import BaseHTTPRequestHandler, HTTPServer
-
- DOVECOT_HOST = '127.0.0.1'
- DOVECOT_PORT = ${toString config.services.dovecot.healthCheckPort}
-
- class HealthCheckHandler(BaseHTTPRequestHandler):
- def do_GET(self):
- if self.path != '/ping':
- self.send_response(404)
- self.end_headers()
- return
- try:
- with socket.create_connection((DOVECOT_HOST, DOVECOT_PORT), timeout=5) as sock:
- sock.sendall(b"PING\n")
- data = sock.recv(1024).strip()
- except Exception as e:
- self.send_response(500)
- self.end_headers()
- self.wfile.write(b"Error connecting to healthcheck service")
- return
-
- if data == b"PONG":
- self.send_response(200)
- self.send_header("Content-Type", "text/plain")
- self.end_headers()
- self.wfile.write(b"PONG")
- else:
- self.send_response(500)
- self.end_headers()
- self.wfile.write(b"Unexpected response")
-
- if __name__ == '__main__':
- server = HTTPServer(('0.0.0.0', 5002), HealthCheckHandler)
- print("HTTP healthcheck proxy running on port 5002")
- server.serve_forever()
- '';
- in
- {
- requires = [ "dovecot.service" ];
- wantedBy = [ "multi-user.target" ];
- after = [ "dovecot.service" ];
- serviceConfig = {
- Type = "simple";
- ExecStart = pythonServer;
- };
- }
- );
-
- # ===== Firewall ===== #
- networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
- 80 # HTTP
- 443 # HTTPS
- 25 # SMTP
- 465 # SMTPS
- 587 # STARTTLS
- 143 # IMAP STARTTLS
- 993 # IMAPS
- 110 # POP3 STARTTLS
- 995 # POP3S
- 389 # LDAP
- ];
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "keycloak" ];
- ensureUsers = [
- {
- name = "keycloak";
- ensureDBOwnership = true;
- }
- ];
- };
-
- # ===== OAuth keycloak ===== #
- services.keycloak = {
- enable = true;
-
- database = {
- type = "postgresql";
- host = "localhost";
- name = "keycloak";
- createLocally = false;
- passwordFile = cfg.oauth.passwordFile;
- };
-
- settings = {
- hostname = "keycloak.${cfg.domain}";
- proxy-headers = "xforwarded";
- http-port = 38080;
- http-enabled = true;
- health-enabled = true;
- http-management-port = 38081;
- truststore-paths = cfg.caFile;
- };
- };
-
- # ==== LDAP ===== #
- services.openldap = {
- enable = true;
-
- urlList = [ "ldap:///" ];
- settings = {
- attrs = {
- olcLogLevel = "conns config";
- };
-
- children = {
- "cn=schema".includes = [
- "${pkgs.openldap}/etc/schema/core.ldif"
- "${pkgs.openldap}/etc/schema/cosine.ldif"
- "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
- ];
-
- "olcDatabase={1}mdb" = {
- attrs = {
- objectClass = [
- "olcDatabaseConfig"
- "olcMdbConfig"
- ];
-
- olcDatabase = "{1}mdb";
- olcDbDirectory = "/var/lib/openldap/data";
-
- olcSuffix = ldapDomain;
-
- olcRootDN = "cn=admin,${ldapDomain}";
- olcRootPW.path = cfg.ldap.passwordFile;
-
- olcAccess = [
- ''
- {0}to attrs=userPassword
- by dn.exact="cn=admin,${ldapDomain}" read
- by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
- by self write
- by anonymous auth
- by * none
- ''
- ''
- {1}to *
- by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
- by * read
- ''
- ];
- };
-
- children = {
- "olcOverlay={2}ppolicy".attrs = {
- objectClass = [
- "olcOverlayConfig"
- "olcPPolicyConfig"
- "top"
- ];
- olcOverlay = "{2}ppolicy";
- olcPPolicyHashCleartext = "TRUE";
- };
-
- "olcOverlay={3}memberof".attrs = {
- objectClass = [
- "olcOverlayConfig"
- "olcMemberOf"
- "top"
- ];
- olcOverlay = "{3}memberof";
- olcMemberOfRefInt = "TRUE";
- olcMemberOfDangling = "ignore";
- olcMemberOfGroupOC = "groupOfNames";
- olcMemberOfMemberAD = "member";
- olcMemberOfMemberOfAD = "memberOf";
- };
-
- "olcOverlay={4}refint".attrs = {
- objectClass = [
- "olcOverlayConfig"
- "olcRefintConfig"
- "top"
- ];
- olcOverlay = "{4}refint";
- olcRefintAttribute = "memberof member manager owner";
- };
- };
- };
- };
- };
- };
-
- # ==== postsrsd ==== #
- services.postsrsd = {
- enable = true;
- configurePostfix = true;
- secretsFile = config.sops.secrets."postsrsd/secret".path;
- settings = {
- srs-domain = cfg.domain;
- domains = [ cfg.domain ];
- };
- };
-
- virtualisation = {
- docker = {
- enable = true;
- rootless = {
- enable = true;
- setSocketVariable = true;
- };
- };
- oci-containers = {
- backend = "podman";
- containers = {
- phpLDAPadmin = {
- extraOptions = [ "--network=host" ];
- image = "phpldapadmin/phpldapadmin";
- volumes = [
- "/var/lib/pla/logs:/app/storage/logs"
- "/var/lib/pla/sessions:/app/storage/framework/sessions"
- ];
- environment = {
- APP_URL = "https://ldap.${cfg.domain}";
- ASSET_URL = "https://ldap.${cfg.domain}";
- APP_TIMEZONE = "Asia/Taipei";
- LDAP_HOST = "127.0.0.1";
- SERVER_NAME = ":8080";
- LDAP_LOGIN_OBJECTCLASS = "inetOrgPerson";
- LDAP_BASE_DN = "${ldapDomain}";
- LDAP_LOGIN_ATTR = "dn";
- LDAP_LOGIN_ATTR_DESC = "Username";
- };
- environmentFiles = [
- cfg.ldap.webEnv
- ];
- };
- };
- };
- };
-
- # ===== Virtual Mail User ===== #
- users.groups.vmail = {
- gid = cfg.gid;
- };
-
- users.users.vmail = {
- uid = cfg.uid;
- group = "vmail";
- };
-
- services.nginx = {
- enable = mkDefault true;
- recommendedGzipSettings = mkDefault true;
- recommendedOptimisation = mkDefault true;
- recommendedTlsSettings = mkDefault true;
- recommendedProxySettings = mkDefault true;
-
- virtualHosts = {
- "${config.services.postfix.settings.main.myhostname}" = {
- enableACME = true;
- forceSSL = true;
- locations."/dovecot/ping".proxyPass = "http://localhost:${toString 5002}/ping";
- };
- "ldap.${cfg.domain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:${toString 8080}/";
- };
- "rspamd.${cfg.domain}" = mkIf config.services.rspamd.enable {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:${toString cfg.rspamd.port}/";
- };
- "${config.services.keycloak.settings.hostname}" = mkIf config.services.keycloak.enable {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass =
- "http://localhost:${toString config.services.keycloak.settings.http-port}";
- locations."/health".proxyPass =
- "http://localhost:${toString config.services.keycloak.settings.http-management-port}/health";
- };
- };
- };
- };
-}
diff --git a/system/modules/nextcloud.nix b/system/modules/nextcloud.nix
index 271a33b..2fa2968 100644
--- a/system/modules/nextcloud.nix
+++ b/system/modules/nextcloud.nix
@@ -2,11 +2,10 @@
 hostname,
 adminpassFile,
 datadir ? null,
- dataBackupPath ? null,
- dbBackupPath ? null,
 https ? true,
 configureACME ? true,
- trusted ? [ ],
+ trusted-domains ? [ ],
+ trusted-proxies ? [ ],
 }:
 {
 config,
@@ -17,9 +16,7 @@
 let
 inherit (lib) mkIf;
- enableBackup = dataBackupPath != null || dbBackupPath != null;
-
- nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec {
+ nextcloudPkg = pkgs.nextcloud32.overrideAttrs (oldAttr: rec {
 caBundle = config.security.pki.caBundle;
 postPatch = ''
 cp ${caBundle} resources/config/ca-bundle.crt
@@ -30,8 +27,8 @@ in
 imports = [
 "${
 fetchTarball {
- url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
- sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
+ url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/c3fdbf165814d403a8f8e81ff8e15adcbe7eadd0.tar.gz";
+ sha256 = "sha256:19w6m1k4a0f48k1mnvdjkvcc8cnrlqg65kvyqzhxpkp5dbph9nzg";
 }
 }/nextcloud-extras.nix"
 ];
@@ -54,7 +51,7 @@ in
 package = nextcloudPkg;
 configureRedis = true;
 hostName = hostname;
- https = if https then true else false;
+ https = https;
 datadir = lib.mkIf (datadir != null) datadir;
 phpExtraExtensions = all: with all; [
@@ -65,19 +62,13 @@ in
 inherit (config.services.nextcloud.package.packages.apps)
 contacts
 calendar
- tasks
 whiteboard
+ user_oidc
 ;
 camerarawpreviews = pkgs.fetchNextcloudApp {
- url = "https://github.com/ariselseng/camerarawpreviews/releases/download/v0.8.7/camerarawpreviews_nextcloud.tar.gz";
- sha256 = "sha256-aiMUSJQVbr3xlJkqOaE3cNhdZu3CnPEIWTNVOoG4HSo=";
- license = "agpl3Plus";
- };
-
- user_oidc = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v7.2.0/user_oidc-v7.2.0.tar.gz";
- sha256 = "sha256-nXDWfRP9n9eH+JGg1a++kD5uLMsXh5BHAaTAOgLI9W4=";
+ url = "https://github.com/ariselseng/camerarawpreviews/releases/download/v0.8.8/camerarawpreviews_nextcloud.tar.gz";
+ sha256 = "sha256-Pnjm38hn90oV3l4cPAnQ+oeO6x57iyqkm80jZGqDo1I=";
 license = "agpl3Plus";
 };
 };
@@ -92,8 +83,8 @@ in
 settings = {
 allow_local_remote_servers = true;
 log_type = "syslog";
- trusted_proxies = trusted;
- trusted_domains = trusted;
+ trusted_proxies = trusted-proxies;
+ trusted_domains = trusted-domains;
 enabledPreviewProviders = [
 "OC\\Preview\\BMP"
 "OC\\Preview\\GIF"
@@ -120,5 +111,4 @@ in
 environment.systemPackages = with pkgs; [
 exiftool
 ];
-
 }
diff --git a/system/modules/packages.nix b/system/modules/packages.nix
index a3599a8..77f3abf 100644
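Review bot: `trusted-proxies` and `trusted-domains` are consumed here without any note on how they differ, and since the old single `trusted` list fed both settings, a caller porting over is likely to pass the same list to both again. The proxies list is the security-sensitive one: Nextcloud believes forwarded client-address headers only from those addresses, so a host-name list or an over-broad range there lets a client choose the address Nextcloud records for it. A comment at the parameter block in the `@@ -2,11 +2,10 @@` hunk would settle it, e.g. `# trusted-domains: host names this instance may be reached as; trusted-proxies: IPs/CIDRs of the reverse proxies whose X-Forwarded-For is believed`.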
--- a/system/modules/packages.nix
+++ b/system/modules/packages.nix
@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ inputs,
+ system,
+ ...
+}:
+{
 environment.systemPackages = with pkgs; [
 file
@@ -46,5 +52,8 @@
 # Media
 vlc
+
+ # Search nixpkgs util
+ inputs.nix-search-tv.packages.${system}.default
 ];
 }
diff --git a/system/modules/presets/basic.nix b/system/modules/presets/basic.nix
index c3824e4..49e6c9d 100644
--- a/system/modules/presets/basic.nix
+++ b/system/modules/presets/basic.nix
@@ -7,11 +7,11 @@
 ../bluetooth.nix
 ../display-manager.nix
 ../flatpak.nix
- ../hyprland.nix
 ../obs-studio.nix
 ../plymouth.nix
 ../polkit.nix
 ../security.nix
+ ../hyprland.nix
 ];
 programs.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
diff --git a/system/modules/programs.nix b/system/modules/programs.nix
index a7087af..6dc1eba 100644
--- a/system/modules/programs.nix
+++ b/system/modules/programs.nix
@@ -36,7 +36,12 @@
 dconf.enable = true;
 zsh.enable = true;
 mtr.enable = true;
- fish.enable = true;
+ fish = {
+ enable = true;
+ shellAliases = {
+ "ns" = "nix-search-tv print | fzf --preview 'nix-search-tv preview {}' --scheme history";
+ };
+ };
 # Set fish as default shell but not login shell
 bash = {
diff --git a/system/modules/services.nix b/system/modules/services.nix
index 4b8f6ca..e23eae3 100644
--- a/system/modules/services.nix
+++ b/system/modules/services.nix
@@ -1,10 +1,12 @@
 {
 lib,
 pkgs,
- username,
+ config,
 ...
 }:
-
+let
+ inherit (config.systemConf) username;
+in
 {
 networking = {
 firewall = {
diff --git a/system/modules/sops-nix.nix b/system/modules/sops-nix.nix
index 4497d69..4b9c0f7 100644
--- a/system/modules/sops-nix.nix
+++ b/system/modules/sops-nix.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/secret.yaml";
+ defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/sops/secret.yaml";
 ageKeyFile = "/var/lib/sops-nix/key.txt";
 in
 {
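Review bot: Moving `../hyprland.nix` from its alphabetical slot to the end of `imports` changes nothing at evaluation time, because the NixOS module system merges imported modules independently of their position in the list, so if the move is meant to express an ordering dependency it does not achieve that. Either keep it in alphabetical order or add a comment saying why it sits last, e.g. `../hyprland.nix # kept last: <reason>`.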
diff --git a/system/modules/stalwart.nix b/system/modules/stalwart.nix
index 24274fc..d773177 100644
--- a/system/modules/stalwart.nix
+++ b/system/modules/stalwart.nix
@@ -3,7 +3,6 @@
 dbPassFile,
 dkimKey,
 ldapConf,
- oidcConf,
 domain ? null,
 acmeConf ? null,
 enableNginx ? true,
@@ -102,17 +101,6 @@ in
 };
 acme."letsencrypt" = mkIf (acmeConf != null) acmeConf;
- session.auth = {
- mechanisms = "[plain login oauthbearer]";
- directory = mkCondition "listener != 'smtp'" "'ldap'" false;
- require = mkCondition "listener != 'smtp'" true false;
- };
-
- session.rcpt = {
- relay = mkCondition "!is_empty(authenticated_as)" true false;
- directory = "'*'";
- };
-
 directory = {
 "in-memory" = {
 type = "memory";
@@ -129,7 +117,6 @@ in
 imap.lookup.domains = [ domain ];
- "oidc" = oidcConf;
 };
 authentication.fallback-admin = {
 user = "admin";
diff --git a/system/modules/stylix.nix b/system/modules/stylix.nix
index a4de9a8..205f60e 100644
--- a/system/modules/stylix.nix
+++ b/system/modules/stylix.nix
@@ -1,18 +1,17 @@
 {
 pkgs,
 config,
- username,
- inputs,
 ...
 }:
 let
+ inherit (config.systemConf) username;
+
 caskaydia = {
 name = "CaskaydiaCove Nerd Font Mono";
 package = pkgs.nerd-fonts.caskaydia-cove;
 };
 sf-pro-display-bold = pkgs.callPackage ../../pkgs/fonts/sf-pro-display-bold { };
- # dfkai-sb = pkgs.callPackage ../../pkgs/fonts/dfkai-sb { src = inputs.kaiu-font; };
 in
 {
 stylix = {
diff --git a/system/modules/users.nix b/system/modules/users.nix
index a84e211..5a4b119 100644
--- a/system/modules/users.nix
+++ b/system/modules/users.nix
@@ -1,10 +1,11 @@
 {
 pkgs,
 config,
- username,
 ...
 }:
-
+let
+ inherit (config.systemConf) username;
+in
 {
 users.users.${username} = {
 isNormalUser = true;
diff --git a/system/modules/virtualization.nix b/system/modules/virtualization.nix
index 88a2523..b44853c 100644
--- a/system/modules/virtualization.nix
+++ b/system/modules/virtualization.nix
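Review bot: Removing the `session.auth` and `session.rcpt` blocks drops the explicit rules that required authentication on non-SMTP listeners and allowed relaying only when `authenticated_as` is set, so both now depend on whatever the deployed Stalwart version's defaults are, and nothing in the diff records that those defaults were checked. If relying on defaults is the intent, a comment in place of the removed block such as `# session.auth/session.rcpt: intentionally left at Stalwart defaults; verified on <stalwart version> that submission requires auth and unauthenticated relay is refused` would make that explicit, and a post-deploy check of those two properties would confirm it. The `oidcConf` parameter removal in the `@@ -3,7 +3,6 @@` hunk and the `"oidc"` directory removal in the `@@ -129,7 +117,6 @@` hunk likewise go unmentioned; if the parameter set takes no `...`, callers still passing `oidcConf` fail at evaluation, which is the right failure but worth a line in the commit message. `mkCondition` and the enclosing attribute set are defined outside the hunk.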
@@ -4,13 +4,6 @@
 {
 virtualisation = {
 docker.enable = true;
-
- # Run container as systemd service
- oci-containers = {
- backend = "podman";
- containers = { };
- };
-
 spiceUSBRedirection.enable = true;
 };
 }