From 7fcf26263a920e8af3f4cd718a54448788165f5e Mon Sep 17 00:00:00 2001 From: danny Date: Wed, 22 Oct 2025 16:24:33 +0800 Subject: [PATCH] feat: add outbound firewall to server & add helix and zellij --- .prettierrc | 3 - flake.lock | 6 +- flake.nix | 116 +++---- helper/default.nix | 7 + home/user/nvf/default.nix | 40 ++- home/user/nvf/extra-lsp.nix | 22 ++ home/user/nvf/plugins/lualine/default.nix | 40 ++- home/user/nvf/plugins/snacks-nvim/default.nix | 2 +- home/user/nvf/plugins/snacks-nvim/keymaps.nix | 5 - home/user/shellAlias.nix | 1 + home/user/zellij.nix | 308 +++++++++++++++++- system/dev/dn-pre7780/expr/netbird.nix | 1 - system/dev/dn-pre7780/expr/vm-settings.nix | 1 + system/dev/dn-pre7780/home/default.nix | 1 + system/dev/dn-pre7780/home/expr/default.nix | 7 + system/dev/dn-pre7780/home/expr/helix.nix | 82 +++++ system/dev/dn-server/default.nix | 24 ++ system/dev/dn-server/network/services.nix | 142 +++++--- system/dev/dn-server/options/default.nix | 5 + system/dev/dn-server/options/network.nix | 91 ++++++ system/dev/dn-server/services/mail-server.nix | 2 +- system/modules/stylix.nix | 6 + system/modules/virtualization.nix | 2 + 23 files changed, 769 insertions(+), 145 deletions(-) delete mode 100644 .prettierrc create mode 100644 home/user/nvf/extra-lsp.nix create mode 100644 system/dev/dn-pre7780/home/expr/default.nix create mode 100644 system/dev/dn-pre7780/home/expr/helix.nix create mode 100644 system/dev/dn-server/options/default.nix create mode 100644 system/dev/dn-server/options/network.nix diff --git a/.prettierrc b/.prettierrc deleted file mode 100644 index 36b3563..0000000 --- a/.prettierrc +++ /dev/null @@ -1,3 +0,0 @@ -{ - "trailingComma": "none" -} diff --git a/flake.lock b/flake.lock index b4c3a87..ff07f8a 100644 --- a/flake.lock +++ b/flake.lock @@ -1907,11 +1907,11 @@ "systems": "systems_9" }, "locked": { - "lastModified": 1760153667, - "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", + "lastModified": 1761112426, + "narHash": "sha256-fa3fIyXP3xQhsPaZX4WsFwPM9g64EMOucfDEC4o8Nwc=", "owner": "NotAShelf", "repo": "nvf", - "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", + "rev": "9b3e7bcf68ace2f07eb7478c40e45ce79332482b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7ee3768..29cbc3a 100644 --- a/flake.nix +++ b/flake.nix @@ -166,65 +166,67 @@ in { # ==== NixOS Configuration ==== # - nixosConfigurations = mapAttrs ( - hostname: conf: - let - inherit (conf) path system; - pkgs = import nixpkgs { - inherit system; - }; - pkgs-stable = import nixpkgs-stable { - inherit system; - }; - helper = import ./helper { - inherit - pkgs - ; - lib = pkgs.lib; - }; - in - nixpkgs.lib.nixosSystem { - specialArgs = { - inherit (conf) system; - inherit - helper - inputs - self - pkgs-stable - ; - }; - modules = [ - # ==== Common Configuration ==== # - { - nixpkgs.hostPlatform = system; - nixpkgs.config.allowUnfree = true; - nixpkgs.overlays = [ - inputs.mail-server.overlay - inputs.nix-minecraft.overlay - inputs.nix-tmodloader.overlay - ] - ++ (import ./pkgs/overlays); - } + nixosConfigurations = ( + mapAttrs ( + hostname: conf: + let + inherit (conf) path system; + pkgs = import nixpkgs { + inherit system; + }; + pkgs-stable = import nixpkgs-stable { + inherit system; + }; + helper = import ./helper { + inherit + pkgs + ; + lib = pkgs.lib; + }; + in + nixpkgs.lib.nixosSystem { + specialArgs = { + inherit (conf) system; + inherit + helper + inputs + self + pkgs-stable + ; + }; + modules = [ + # ==== Common Configuration ==== # + { + nixpkgs.hostPlatform = system; + nixpkgs.config.allowUnfree = true; + nixpkgs.overlays = [ + inputs.mail-server.overlay + inputs.nix-minecraft.overlay + inputs.nix-tmodloader.overlay + ] + ++ (import ./pkgs/overlays); + } - # ==== Common Modules ==== # - inputs.home-manager.nixosModules.default - inputs.nix-index-database.nixosModules.nix-index - inputs.disko.nixosModules.disko - inputs.sops-nix.nixosModules.sops - inputs.nix-minecraft.nixosModules.minecraft-servers - inputs.nix-tmodloader.nixosModules.tmodloader - inputs.chaotic.nixosModules.default - inputs.actual-budget-api.nixosModules.default - inputs.stylix.nixosModules.stylix - inputs.attic.nixosModules.atticd - inputs.mail-server.nixosModules.default - ./options + # ==== Common Modules ==== # + inputs.home-manager.nixosModules.default + inputs.nix-index-database.nixosModules.nix-index + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + inputs.nix-minecraft.nixosModules.minecraft-servers + inputs.nix-tmodloader.nixosModules.tmodloader + inputs.chaotic.nixosModules.default + inputs.actual-budget-api.nixosModules.default + inputs.stylix.nixosModules.stylix + inputs.attic.nixosModules.atticd + inputs.mail-server.nixosModules.default + ./options - # ==== Private Configuration ==== # - (import path { inherit hostname; }) - ]; - } - ) hosts; + # ==== Private Configuration ==== # + (import path { inherit hostname; }) + ]; + } + ) hosts + ); # ==== MicroVM Packages ==== # # packages."${system}" = { diff --git a/helper/default.nix b/helper/default.nix index 13e49ac..290079e 100644 --- a/helper/default.nix +++ b/helper/default.nix @@ -9,6 +9,7 @@ let optionalString toUpper substring + concatStringsSep ; inherit (builtins) toJSON; in @@ -98,4 +99,10 @@ in }; capitalize = text: "${toUpper (substring 0 1 text)}${substring 1 (-1) text}"; + + nftables = { + mkElementsStatement = + elements: + optionalString (builtins.length elements > 0) "elements = { ${concatStringsSep "," elements} }"; + }; } diff --git a/home/user/nvf/default.nix b/home/user/nvf/default.nix index 58a70a5..51d8c8d 100644 --- a/home/user/nvf/default.nix +++ b/home/user/nvf/default.nix @@ -1,4 +1,5 @@ { + osConfig, pkgs, lib, inputs, @@ -27,6 +28,7 @@ in imports = [ ./plugins/snacks-nvim ./plugins/lualine + ./extra-lsp.nix ]; programs.nvf = { @@ -35,6 +37,7 @@ in vim = { enableLuaLoader = true; vimAlias = true; + extraPackages = with pkgs; [ nixfmt ]; clipboard = { enable = true; @@ -236,6 +239,7 @@ in nowait = true; desc = "Select terminal"; } + # Send current selection to Term { key = "ts"; @@ -316,9 +320,13 @@ in lsp = { enable = true; formatOnSave = true; - otter-nvim.enable = true; + otter-nvim = { + enable = true; + setupOpts.handle_leading_whitespace = true; + }; nvim-docs-view.enable = true; lspkind.enable = true; + null-ls.enable = false; trouble = { enable = true; mappings = { @@ -334,6 +342,15 @@ in }; }; + formatter = { + conform-nvim = { + enable = true; + setupOpts.formatters_by_ft = { + nix = [ "nixfmt" ]; + }; + }; + }; + diagnostics = { enable = true; config = { @@ -358,6 +375,7 @@ in bash.enable = true; css.enable = true; + yaml.enable = true; rust = { enable = true; lsp = { @@ -379,20 +397,17 @@ in nix = { enable = true; extraDiagnostics.enable = false; - format.type = "nixfmt"; + format.enable = false; # Manually configured in conform-nvim lsp = { - server = "nil"; + server = "nixd"; options = { - nix.flake.autoArchive = true; + nixos.expr = + # nix + ''(builtins.getFlake "/etc/nixos").nixosConfigurations.${osConfig.networking.hostName}.options''; + home_manager.expr = + # nix + ''(builtins.getFlake "/etc/nixos").nixosConfigurations.${osConfig.networking.hostName}.options.home-manager.users.type.getSubOptions []''; }; - # options = { - # nixos.expr = - # # nix - # ''(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.${osConfig.networking.hostName}.options''; - # home_manager.expr = - # # nix - # ''(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.${osConfig.networking.hostName}.options.home-manager.users.type.getSubOptions []''; - # }; }; }; sql.enable = true; @@ -513,6 +528,7 @@ in yazi-nvim = { enable = true; + mappings.openYaziDir = "e"; }; images = { diff --git a/home/user/nvf/extra-lsp.nix b/home/user/nvf/extra-lsp.nix new file mode 100644 index 0000000..792b786 --- /dev/null +++ b/home/user/nvf/extra-lsp.nix @@ -0,0 +1,22 @@ +{ pkgs, ... }: +{ + programs.nvf.settings.vim = { + diagnostics.nvim-lint.linters_by_ft = { + dockerfile = [ "hadolint" ]; + }; + treesitter.grammars = with pkgs.vimPlugins.nvim-treesitter-parsers; [ + dockerfile + ]; + extraPackages = with pkgs; [ + # docker + hadolint + dockerfile-language-server + docker-compose-language-service + ]; + + lsp.servers = { + dockerls = { }; + docker_compose_language_service = { }; + }; + }; +} diff --git a/home/user/nvf/plugins/lualine/default.nix b/home/user/nvf/plugins/lualine/default.nix index 5bdb05c..a920be2 100644 --- a/home/user/nvf/plugins/lualine/default.nix +++ b/home/user/nvf/plugins/lualine/default.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ lib, ... }: { programs.nvf.settings.vim.statusline = { lualine = { @@ -48,22 +48,24 @@ '' ]; c = lib.mkForce [ + # lua '' - { - "diff", - colored = false, - diff_color = { - -- Same color values as the general color option can be used here. - added = 'DiffAdd', -- Changes the diff's added color - modified = 'DiffChange', -- Changes the diff's modified color - removed = 'DiffDelete', -- Changes the diff's removed color you - }, - symbols = {added = '+', modified = '~', removed = '-'}, -- Changes the diff symbols - separator = {right = ''} - } + { + "diff", + colored = false, + diff_color = { + -- Same color values as the general color option can be used here. + added = 'DiffAdd', -- Changes the diff's added color + modified = 'DiffChange', -- Changes the diff's modified color + removed = 'DiffDelete', -- Changes the diff's removed color you + }, + symbols = {added = '+', modified = '~', removed = '-'}, -- Changes the diff symbols + separator = {right = ''} + } '' ]; x = lib.mkForce [ + # lua '' { -- Lsp server name @@ -93,6 +95,18 @@ separator = {left = ''}, } '' + # lua + '' + { + -- Recording Status + function() + local reg = vim.fn.reg_recording() + if reg == "" then return "" end + return "@" .. reg + end, + } + '' + # lua '' { "diagnostics", diff --git a/home/user/nvf/plugins/snacks-nvim/default.nix b/home/user/nvf/plugins/snacks-nvim/default.nix index aa019ac..9c0c098 100644 --- a/home/user/nvf/plugins/snacks-nvim/default.nix +++ b/home/user/nvf/plugins/snacks-nvim/default.nix @@ -70,7 +70,7 @@ in enabled = false; }; explorer = { - enabled = true; + enabled = false; }; indent = { enabled = true; diff --git a/home/user/nvf/plugins/snacks-nvim/keymaps.nix b/home/user/nvf/plugins/snacks-nvim/keymaps.nix index 3176caf..4a3c918 100644 --- a/home/user/nvf/plugins/snacks-nvim/keymaps.nix +++ b/home/user/nvf/plugins/snacks-nvim/keymaps.nix @@ -1,10 +1,5 @@ let keyList = [ - { - key = "e"; - action = "explorer()"; - desc = "Toggle explorer"; - } { key = ""; action = "picker.smart()"; diff --git a/home/user/shellAlias.nix b/home/user/shellAlias.nix index 1a7816c..9e82787 100644 --- a/home/user/shellAlias.nix +++ b/home/user/shellAlias.nix @@ -5,6 +5,7 @@ cat = "bat"; g = "git"; t = "tmux"; + zl = "zellij"; # Nixos rebuild = "sudo nixos-rebuild switch --flake /etc/nixos#${hostname}"; diff --git a/home/user/zellij.nix b/home/user/zellij.nix index 77af09c..a426b5c 100644 --- a/home/user/zellij.nix +++ b/home/user/zellij.nix @@ -1,6 +1,312 @@ -{ ... }: +{ + pkgs, + config, + ... +}: +let + inherit (builtins) fetchurl; + inherit (config.lib.stylix) colors; + + zjstatus = fetchurl { + url = "https://github.com/dj95/zjstatus/releases/download/v0.21.1/zjstatus.wasm"; + sha256 = "sha256:06mfcijmsmvb2gdzsql6w8axpaxizdc190b93s3nczy212i846fw"; + }; +in { programs.zellij = { enable = true; + attachExistingSession = true; + enableFishIntegration = true; + enableBashIntegration = true; + extraConfig = '' + keybinds clear-defaults=true { + normal { + bind "Ctrl n" { SwitchToMode "Resize"; } + bind "Ctrl p" { SwitchToMode "Pane"; } + bind "Ctrl m" { SwitchToMode "Move"; } + bind "Ctrl t" { SwitchToMode "Tab"; } + bind "Alt Shift h" { GoToPreviousTab; } + bind "Alt Shift l" { GoToNextTab; } + bind "Ctrl o" { SwitchToMode "Session"; } + bind "Ctrl /" { ToggleFloatingPanes; SwitchToMode "Normal"; } + bind "Ctrl Shift -" { Run "yazi" { + floating true + close_on_exit true + width "80%" + height "80%" + x "10%" + y "10%" + };} + } + locked { + bind "Ctrl g" { SwitchToMode "Normal"; } + } + resize { + bind "Ctrl n" "Ctrl c" "Esc" { SwitchToMode "Normal"; } + bind "h" "Left" { Resize "Increase Left"; } + bind "j" "Down" { Resize "Increase Down"; } + bind "k" "Up" { Resize "Increase Up"; } + bind "l" "Right" { Resize "Increase Right"; } + bind "H" { Resize "Decrease Left"; } + bind "J" { Resize "Decrease Down"; } + bind "K" { Resize "Decrease Up"; } + bind "L" { Resize "Decrease Right"; } + bind "=" "+" { Resize "Increase"; } + bind "-" { Resize "Decrease"; } + } + pane { + bind "Ctrl p" "Ctrl c" "Esc" { SwitchToMode "Normal"; } + bind "h" "Left" { MoveFocus "Left"; } + bind "l" "Right" { MoveFocus "Right"; } + bind "j" "Down" { MoveFocus "Down"; } + bind "k" "Up" { MoveFocus "Up"; } + bind "p" { SwitchFocus; } + bind "n" { NewPane; SwitchToMode "Normal"; } + bind "d" { NewPane "Down"; SwitchToMode "Normal"; } + bind "r" { NewPane "Right"; SwitchToMode "Normal"; } + bind "s" { NewPane "stacked"; SwitchToMode "Normal"; } + bind "x" { CloseFocus; SwitchToMode "Normal"; } + bind "F" { ToggleFocusFullscreen; SwitchToMode "Normal"; } + bind "f" { ToggleFloatingPanes; SwitchToMode "Normal"; } + bind "e" { TogglePaneEmbedOrFloating; SwitchToMode "Normal"; } + bind "R" { SwitchToMode "RenamePane"; PaneNameInput 0;} + bind "P" { TogglePanePinned; SwitchToMode "Normal"; } + bind "g" { Run "${pkgs.lazygit}/bin/lazygit" { + floating true + close_on_exit true + width "80%" + height "80%" + x "10%" + y "10%" + }; SwitchToMode "Normal"; } + } + move { + bind "Ctrl m" "Ctrl c" "Esc" { SwitchToMode "Normal"; } + bind "n" "Tab" { MovePane; } + bind "p" { MovePaneBackwards; } + bind "h" "Left" { MovePane "Left"; } + bind "j" "Down" { MovePane "Down"; } + bind "k" "Up" { MovePane "Up"; } + bind "l" "Right" { MovePane "Right"; } + } + tab { + bind "Ctrl t" "Ctrl c" "Esc" { SwitchToMode "Normal"; } + bind "r" { SwitchToMode "RenameTab"; TabNameInput 0; } + bind "h" "Left" "Up" "k" { GoToPreviousTab; } + bind "l" "Right" "Down" "j" { GoToNextTab; } + bind "n" { NewTab; SwitchToMode "Normal"; } + bind "x" { CloseTab; SwitchToMode "Normal"; } + bind "s" { ToggleActiveSyncTab; SwitchToMode "Normal"; } + bind "b" { BreakPane; SwitchToMode "Normal"; } + bind "]" { BreakPaneRight; SwitchToMode "Normal"; } + bind "[" { BreakPaneLeft; SwitchToMode "Normal"; } + bind "1" { GoToTab 1; SwitchToMode "Normal"; } + bind "2" { GoToTab 2; SwitchToMode "Normal"; } + bind "3" { GoToTab 3; SwitchToMode "Normal"; } + bind "4" { GoToTab 4; SwitchToMode "Normal"; } + bind "5" { GoToTab 5; SwitchToMode "Normal"; } + bind "6" { GoToTab 6; SwitchToMode "Normal"; } + bind "7" { GoToTab 7; SwitchToMode "Normal"; } + bind "8" { GoToTab 8; SwitchToMode "Normal"; } + bind "9" { GoToTab 9; SwitchToMode "Normal"; } + bind "Tab" { ToggleTab; } + } + scroll { + bind "Ctrl s" { SwitchToMode "Normal"; } + bind "e" { EditScrollback; SwitchToMode "Normal"; } + bind "s" { SwitchToMode "EnterSearch"; SearchInput 0; } + bind "Ctrl c" { ScrollToBottom; SwitchToMode "Normal"; } + bind "j" "Down" { ScrollDown; } + bind "k" "Up" { ScrollUp; } + bind "Ctrl f" "PageDown" "Right" "l" { PageScrollDown; } + bind "Ctrl b" "PageUp" "Left" "h" { PageScrollUp; } + bind "d" { HalfPageScrollDown; } + bind "u" { HalfPageScrollUp; } + } + search { + bind "Ctrl s" { SwitchToMode "Normal"; } + bind "Ctrl c" { ScrollToBottom; SwitchToMode "Normal"; } + bind "j" "Down" { ScrollDown; } + bind "k" "Up" { ScrollUp; } + bind "Ctrl f" "PageDown" "Right" "l" { PageScrollDown; } + bind "Ctrl b" "PageUp" "Left" "h" { PageScrollUp; } + bind "d" { HalfPageScrollDown; } + bind "u" { HalfPageScrollUp; } + bind "n" { Search "down"; } + bind "p" { Search "up"; } + bind "c" { SearchToggleOption "CaseSensitivity"; } + bind "w" { SearchToggleOption "Wrap"; } + bind "o" { SearchToggleOption "WholeWord"; } + } + entersearch { + bind "Ctrl c" "Esc" { SwitchToMode "Scroll"; } + bind "Enter" { SwitchToMode "Search"; } + } + renametab { + bind "Ctrl c" { SwitchToMode "Normal"; } + bind "Esc" { UndoRenameTab; SwitchToMode "Tab"; } + } + renamepane { + bind "Ctrl c" { SwitchToMode "Normal"; } + bind "Esc" { UndoRenamePane; SwitchToMode "Pane"; } + } + session { + bind "Ctrl o" "Ctrl c" { SwitchToMode "Normal"; } + bind "Ctrl s" { SwitchToMode "Scroll"; } + bind "d" { Detach; } + bind "w" { + LaunchOrFocusPlugin "session-manager" { + floating true + move_to_focused_tab true + }; + SwitchToMode "Normal" + } + bind "c" { + LaunchOrFocusPlugin "configuration" { + floating true + move_to_focused_tab true + }; + SwitchToMode "Normal" + } + bind "p" { + LaunchOrFocusPlugin "plugin-manager" { + floating true + move_to_focused_tab true + }; + SwitchToMode "Normal" + } + bind "a" { + LaunchOrFocusPlugin "zellij:about" { + floating true + move_to_focused_tab true + }; + SwitchToMode "Normal" + } + bind "s" { + LaunchOrFocusPlugin "zellij:share" { + floating true + move_to_focused_tab true + }; + SwitchToMode "Normal" + } + } + } + plugins { + tab-bar location="zellij:tab-bar" + status-bar location="zellij:status-bar" + strider location="zellij:strider" + compact-bar location="zellij:compact-bar" + session-manager location="zellij:session-manager" + welcome-screen location="zellij:session-manager" { + welcome_screen true + } + filepicker location="zellij:strider" { + cwd "/" + } + configuration location="zellij:configuration" + plugin-manager location="zellij:plugin-manager" + about location="zellij:about" + } + web_client { + font "monospace" + } + ''; + settings = { + pane_frames = false; + show_startup_tips = false; + default_layout = "compact-top-bar"; + }; + layouts = { + compact-top-bar = { + layout = { + _children = [ + { + swap_floating_layout._children = [ + { + floating_panes = { + _props = { + max_panes = 1; + }; + _children = [ + { + pane = { + x = "10%"; + y = "10%"; + height = "80%"; + width = "80%"; + }; + } + ]; + }; + } + ]; + } + { + default_tab_template._children = [ + { + pane = { + size = 1; + borderless = true; + plugin = { + location = "file:${zjstatus}"; + format_left = "{mode}#[bg=#${colors.base00}] {tabs}"; + format_center = ""; + format_right = "#[bg=#${colors.base00},fg=#${colors.base0D}]#[bg=#${colors.base0D},fg=#${colors.base01},bold] #[bg=#${colors.base02},fg=#${colors.base05},bold] {session} #[bg=#${colors.base03},fg=#${colors.base05},bold]"; + format_space = ""; + format_hide_on_overlength = "true"; + format_precedence = "crl"; + + border_enabled = "false"; + border_char = "─"; + border_format = "#[fg=#6C7086]{char}"; + border_position = "top"; + + mode_normal = "#[bg=#${colors.base0B},fg=#${colors.base02},bold] NORMAL#[bg=#${colors.base03},fg=#${colors.base0B}]█"; + mode_locked = "#[bg=#${colors.base04},fg=#${colors.base02},bold] LOCKED #[bg=#${colors.base03},fg=#${colors.base04}]█"; + mode_resize = "#[bg=#${colors.base08},fg=#${colors.base02},bold] RESIZE#[bg=#${colors.base03},fg=#${colors.base08}]█"; + mode_pane = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] PANE#[bg=#${colors.base03},fg=#${colors.base0D}]█"; + mode_tab = "#[bg=#${colors.base07},fg=#${colors.base02},bold] TAB#[bg=#${colors.base03},fg=#${colors.base07}]█"; + mode_scroll = "#[bg=#${colors.base0A},fg=#${colors.base02},bold] SCROLL#[bg=#${colors.base03},fg=#${colors.base0A}]█"; + mode_enter_search = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] ENT-SEARCH#[bg=#${colors.base03},fg=#${colors.base0D}]█"; + mode_search = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] SEARCHARCH#[bg=#${colors.base03},fg=#${colors.base0D}]█"; + mode_rename_tab = "#[bg=#${colors.base07},fg=#${colors.base02},bold] RENAME-TAB#[bg=#${colors.base03},fg=#${colors.base07}]█"; + mode_rename_pane = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] RENAME-PANE#[bg=#${colors.base03},fg=#${colors.base0D}]█"; + mode_session = "#[bg=#${colors.base0E},fg=#${colors.base02},bold] SESSION#[bg=#${colors.base03},fg=#${colors.base0E}]█"; + mode_move = "#[bg=#${colors.base0F},fg=#${colors.base02},bold] MOVE#[bg=#${colors.base03},fg=#${colors.base0F}]█"; + mode_prompt = "#[bg=#${colors.base0D},fg=#${colors.base02},bold] PROMPT#[bg=#${colors.base03},fg=#${colors.base0D}]█"; + mode_tmux = "#[bg=#${colors.base09},fg=#${colors.base02},bold] TMUX#[bg=#${colors.base03},fg=#${colors.base09}]█"; + + tab_normal = "#[bg=#${colors.base03},fg=#${colors.base0D}]█#[bg=#${colors.base0D},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{floating_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]█"; + tab_normal_fullscreen = "#[bg=#${colors.base03},fg=#${colors.base0D}]█#[bg=#${colors.base0D},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{fullscreen_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]█"; + tab_normal_sync = "#[bg=#${colors.base03},fg=#${colors.base0D}]█#[bg=#${colors.base0D},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{sync_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]█"; + + tab_active = "#[bg=#${colors.base03},fg=#${colors.base09}]█#[bg=#${colors.base09},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{floating_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]█"; + tab_active_fullscreen = "#[bg=#${colors.base03},fg=#${colors.base09}]█#[bg=#${colors.base09},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{fullscreen_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]█"; + tab_active_sync = "#[bg=#${colors.base03},fg=#${colors.base09}]█#[bg=#${colors.base09},fg=#${colors.base02},bold]{index} #[bg=#${colors.base02},fg=#${colors.base05},bold] {name}{sync_indicator}#[bg=#${colors.base03},fg=#${colors.base02},bold]█"; + + tab_separator = "#[bg=#${colors.base00}] "; + + tab_sync_indicator = " "; + tab_fullscreen_indicator = " 󰊓"; + tab_floating_indicator = " 󰹙"; + + command_git_branch_command = "git rev-parse --abbrev-ref HEAD"; + command_git_branch_format = "#[fg=blue] {stdout} "; + command_git_branch_interval = "10"; + command_git_branch_rendermode = "static"; + + datetime = "#[fg=#6C7086,bold] {format} "; + datetime_format = "%A, %d %b %Y %H:%M"; + datetime_timezone = "Taiwan/Taipei"; + }; + }; + } + { "children" = { }; } + ]; + } + ]; + }; + }; + }; }; } diff --git a/system/dev/dn-pre7780/expr/netbird.nix b/system/dev/dn-pre7780/expr/netbird.nix index dc3b40f..cbe0647 100644 --- a/system/dev/dn-pre7780/expr/netbird.nix +++ b/system/dev/dn-pre7780/expr/netbird.nix @@ -9,7 +9,6 @@ let port = 51820; in { - services.netbird = { server = { enable = true; diff --git a/system/dev/dn-pre7780/expr/vm-settings.nix b/system/dev/dn-pre7780/expr/vm-settings.nix index 7898f9c..1314123 100644 --- a/system/dev/dn-pre7780/expr/vm-settings.nix +++ b/system/dev/dn-pre7780/expr/vm-settings.nix @@ -57,6 +57,7 @@ let }; }; }; + # Node vm-2 = { ip = "192.168.0.7"; diff --git a/system/dev/dn-pre7780/home/default.nix b/system/dev/dn-pre7780/home/default.nix index f7e3eef..7edf8df 100644 --- a/system/dev/dn-pre7780/home/default.nix +++ b/system/dev/dn-pre7780/home/default.nix @@ -8,6 +8,7 @@ in home-manager.users."${username}" = { imports = [ ../../../../home/presets/basic.nix + ./expr ./wm # Bitwarden client diff --git a/system/dev/dn-pre7780/home/expr/default.nix b/system/dev/dn-pre7780/home/expr/default.nix new file mode 100644 index 0000000..fe0a2b4 --- /dev/null +++ b/system/dev/dn-pre7780/home/expr/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./helix.nix + ../../../../../home/user/zellij.nix + ]; +} diff --git a/system/dev/dn-pre7780/home/expr/helix.nix b/system/dev/dn-pre7780/home/expr/helix.nix new file mode 100644 index 0000000..3a879cf --- /dev/null +++ b/system/dev/dn-pre7780/home/expr/helix.nix @@ -0,0 +1,82 @@ +{ + osConfig, + lib, + pkgs, + ... +}: +{ + programs.helix = { + enable = true; + extraPackages = with pkgs; [ + nixd + bash-language-server + docker-language-server + fish-lsp + typescript-language-server + superhtml + hyprls + jq-lsp + vscode-json-languageserver + texlab # Latex + lua-language-server + marksman # Markdown + clang-tools # Clangd + intelephense # Php + ruff # Python + rust-analyzer + vscode-css-languageserver + systemd-lsp + taplo + vue-language-server + yaml-language-server + zls + ]; + settings = { + editor.cursor-shape = { + normal = "block"; + insert = "bar"; + select = "underline"; + }; + keys.normal = { + space.space = "file_picker"; + G = "goto_file_end"; + D = "kill_to_line_end"; + V = [ "extend_to_line_bounds" ]; + "$" = "goto_line_end"; + "^" = "goto_line_start"; + x = "delete_selection"; + esc = [ + "collapse_selection" + "keep_primary_selection" + ]; + space.w = ":w"; + space.q = ":q"; + }; + }; + languages.language = [ + { + name = "nix"; + auto-format = true; + } + ]; + languages.language-server = { + nixd = { + command = "nixd"; + args = [ "--semantic-tokens=true" ]; + config.nixd = + let + myFlake = ''(builtins.getFlake "/etc/nixos")''; + nixosOpts = "${myFlake}.nixosConfigurations.${osConfig.networking.hostName}.options"; + in + { + nixpkgs.expr = "import ${myFlake}.inputs.nixpkgs { }"; + formatting.command = [ "${lib.getExe pkgs.nixfmt}" ]; + options = { + nixos.expr = nixosOpts; + home-manager.expr = "${nixosOpts}.home-manager.users.type.getSubOptions []"; + }; + }; + }; + }; + }; +} diff --git a/system/dev/dn-server/default.nix b/system/dev/dn-server/default.nix index 62558c3..e796570 100644 --- a/system/dev/dn-server/default.nix +++ b/system/dev/dn-server/default.nix @@ -15,6 +15,29 @@ in inherit hostname username; domain = "net.dn"; hyprland.enable = false; + security = { + allowedDomains = [ + "github.com" + "cache.nixos.org" + "hyprland.cachix.org" + "maps.rspamd.com" + "cdn-hub.crowdsec.net" + "api.crowdsec.net" + ]; + allowedIPs = [ + "10.0.0.0/24" + "127.0.0.1" + ]; + allowedIPv6 = [ + "ff02::/16" + "fe80::/10" + "::1" + ]; + sourceIPs = [ + "10.0.0.1" + "192.168.100.0/24" + ]; + }; }; imports = [ @@ -25,6 +48,7 @@ in ./security ./services ./sops + ./options ]; environment.systemPackages = with pkgs; [ diff --git a/system/dev/dn-server/network/services.nix b/system/dev/dn-server/network/services.nix index df9c6bd..7e0838d 100644 --- a/system/dev/dn-server/network/services.nix +++ b/system/dev/dn-server/network/services.nix @@ -1,14 +1,17 @@ { config, lib, + helper, ... }: let - inherit (config.systemConf) username; + inherit (config.systemConf) username security; + inherit (lib) concatStringsSep; + inherit (helper.nftables) mkElementsStatement; ethInterface = "enp0s31f6"; sshPorts = [ 30072 ]; - sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts); + sshPortsString = concatStringsSep ", " (map (p: toString p) sshPorts); personal = { inherit (config.networking) domain; @@ -30,7 +33,7 @@ let masterAPIServerPort = 6443; }; - allowedSSHIPs = builtins.concatStringsSep ", " [ + allowedSSHIPs = concatStringsSep ", " [ "122.117.215.55" "192.168.100.1/24" personal.range @@ -189,63 +192,104 @@ in nftables = { enable = true; - ruleset = '' - table inet wg-filter { - chain input { - type filter hook input priority 0; policy drop; + tables = { + filter = { + family = "inet"; + content = '' + set restrict_source_ips { + type ipv4_addr + flags interval + ${mkElementsStatement security.sourceIPs} + } - iif lo accept + set ${security.rules.setName} { + type ipv4_addr + flags interval + ${mkElementsStatement security.allowedIPs} + } - meta nftrace set 1 - meta l4proto { icmp, ipv6-icmp } accept + set ${security.rules.setNameV6} { + type ipv6_addr + flags interval + ${mkElementsStatement security.allowedIPv6} + } - ct state vmap { invalid : drop, established : accept, related : accept } + chain input { + type filter hook input priority 0; policy drop; - udp dport 53 accept - tcp dport 53 accept + iif lo accept - tcp dport { ${sshPortsString} } jump ssh-filter + meta nftrace set 1 + meta l4proto { icmp, ipv6-icmp } accept - iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${builtins.toString personal.port}, ${builtins.toString kube.port} } accept - iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet - iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter + ct state vmap { invalid : drop, established : accept, related : accept } - counter reject - } + udp dport 53 accept + tcp dport 53 accept - chain ssh-filter { - ip saddr { ${allowedSSHIPs} } accept - counter reject - } + tcp dport { ${sshPortsString} } jump ssh-filter - chain forward { - type filter hook forward priority 0; policy drop; + iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${toString personal.port}, ${toString kube.port} } accept + iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet + iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter - meta l4proto { icmp, ipv6-icmp } accept + drop + } - iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet - iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter + chain output { + type filter hook output priority 0; policy drop; - counter - } + iif lo accept - chain kube-filter { - ip saddr ${kube.ip} ip daddr ${kube.ip} accept - counter drop - } + # Allow DNS qeury + udp dport 53 accept + tcp dport 53 accept - chain wg-subnet { - ip saddr ${personal.full} accept - ip saddr ${personal.restrict} ip daddr ${personal.range} accept - counter drop - } + meta skuid ${toString config.users.users.systemd-timesync.uid} accept - chain postrouting { - type nat hook postrouting priority 100; policy accept; - oifname ${ethInterface} masquerade - } - } - ''; + ct state vmap { invalid : drop, established : accept, related : accept } + ip saddr != @restrict_source_ips accept + + ip daddr @${security.rules.setName} accept + ip6 daddr @${security.rules.setNameV6} accept + + counter log prefix "OUTPUT-DROP: " flags all drop + } + + chain ssh-filter { + ip saddr { ${allowedSSHIPs} } accept + counter reject + } + + chain forward { + type filter hook forward priority 0; policy drop; + + meta l4proto { icmp, ipv6-icmp } accept + + iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet + iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter + + counter + } + + chain kube-filter { + ip saddr ${kube.ip} ip daddr ${kube.ip} accept + counter drop + } + + chain wg-subnet { + ip saddr ${personal.full} accept + ip saddr ${personal.restrict} ip daddr ${personal.range} accept + counter drop + } + + chain postrouting { + type nat hook postrouting priority 100; policy accept; + oifname ${ethInterface} masquerade + } + ''; + }; + }; }; wireguard = { @@ -323,7 +367,11 @@ in webserver-port=8081 local-port=5359 dnsupdate=yes + primary=yes + secondary=no allow-dnsupdate-from=10.0.0.0/24 + allow-axfr-ips=10.0.0.0/24 + also-notify=10.0.0.148:53 ''; secretFile = config.sops.secrets.powerdns.path; }; @@ -333,6 +381,7 @@ in forwardZones = { "${config.networking.domain}." = "127.0.0.1:5359"; "pre7780.dn." = "127.0.0.1:5359"; + "test.local." = "127.0.0.1:5359"; }; forwardZonesRecurse = { "." = "8.8.8.8"; @@ -342,9 +391,6 @@ in "127.0.0.0/8" "10.0.0.0/24" "192.168.100.0/24" - "::1/128" - "fc00::/7" - "fe80::/10" ]; yaml-settings = { webservice.webserver = true; diff --git a/system/dev/dn-server/options/default.nix b/system/dev/dn-server/options/default.nix new file mode 100644 index 0000000..fff6d3c --- /dev/null +++ b/system/dev/dn-server/options/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./network.nix + ]; +} diff --git a/system/dev/dn-server/options/network.nix b/system/dev/dn-server/options/network.nix new file mode 100644 index 0000000..af5e1ca --- /dev/null +++ b/system/dev/dn-server/options/network.nix @@ -0,0 +1,91 @@ +{ + lib, + pkgs, + config, + ... +}: +let + inherit (lib) mkOption types concatStringsSep; + cfg = config.systemConf.security; +in +{ + options.systemConf.security = { + allowedDomains = mkOption { + type = with types; listOf str; + description = "Domains that allowed to query dns."; + default = [ ]; + }; + rules = { + setName = mkOption { + type = with types; str; + default = "allowed_output_ips"; + readOnly = true; + }; + setNameV6 = mkOption { + type = with types; str; + default = "allowed_output_ipv6"; + readOnly = true; + }; + }; + dnsIPs = mkOption { + type = with types; listOf str; + description = "External DNS server to use"; + default = [ "8.8.8.8" ]; + }; + allowedIPs = mkOption { + type = with types; listOf str; + description = "IPv4 that allowed to request."; + default = [ ]; + }; + allowedIPv6 = mkOption { + type = with types; listOf str; + description = "IPv6 that allowed to request."; + default = [ ]; + }; + sourceIPs = mkOption { + type = with types; listOf str; + description = "Source IPs to restrict."; + default = [ ]; + }; + }; + + config = { + environment.systemPackages = with pkgs; [ + ipset + ]; + + systemd.timers.fetch-allowed-domains = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = 10; + OnUnitActiveSec = 60; + }; + }; + + systemd.services.fetch-allowed-domains = { + path = with pkgs; [ + nftables + dig.dnsutils + ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = "${pkgs.writeShellScript "fetch-allowed-domains" '' + DOMAINS=(${toString (map (x: ''"${x}"'') cfg.allowedDomains)}) + SETNAME="inet filter ${cfg.rules.setName}" + + nft flush set $SETNAME + nft add element $SETNAME { ${concatStringsSep "," cfg.allowedIPs} } + + for domain in "''${DOMAINS[@]}"; do + ips=$(dig +short A $domain | grep -E '^[0-9.]+$') + for ip in $ips; do + nft add element $SETNAME { $ip } + echo "Added $ip for $domain" + done + done + ''}"; + Type = "oneshot"; + }; + }; + }; +} diff --git a/system/dev/dn-server/services/mail-server.nix b/system/dev/dn-server/services/mail-server.nix index 5957c61..2ef0594 100644 --- a/system/dev/dn-server/services/mail-server.nix +++ b/system/dev/dn-server/services/mail-server.nix @@ -36,7 +36,7 @@ in adminAccountFile = config.sops.secrets."oauth/adminEnv".path; }; ldap = { - filter = "(&(objectClass=inetOrgPerson)(objectClass=mailRoutingObject)(uid=%{user | username}))"; + filter = "(&(objectClass=inetOrgPerson)(objectClass=inetMailRoutingObject)(uid=%{user | username}))"; extraAuthConf = '' auth_username_format = %{user | lower} fields { diff --git a/system/modules/stylix.nix b/system/modules/stylix.nix index 205f60e..fd5d464 100644 --- a/system/modules/stylix.nix +++ b/system/modules/stylix.nix @@ -1,10 +1,12 @@ { pkgs, config, + lib, ... }: let inherit (config.systemConf) username; + inherit (lib) mkForce; caskaydia = { name = "CaskaydiaCove Nerd Font Mono"; @@ -71,6 +73,10 @@ in enable = true; transparentBackground = true; }; + helix = { + enable = true; + transparent = mkForce true; + }; }; }; } diff --git a/system/modules/virtualization.nix b/system/modules/virtualization.nix index b44853c..dccfbcf 100644 --- a/system/modules/virtualization.nix +++ b/system/modules/virtualization.nix @@ -4,6 +4,8 @@ { virtualisation = { docker.enable = true; + docker.daemon.settings = { + }; spiceUSBRedirection.enable = true; }; }