voronind/nix
0
0
Fork 0
Code Issues 39 Pull requests Packages Projects Releases Wiki Activity

Rewrite modules to options.

Browse source
This commit is contained in:
Dmitry Voronin 2024-06-25 04:04:39 +03:00 committed by Dmitry Voronin
parent fa4b3c31b7
commit 8c7578075f
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
158 changed files with 3802 additions and 3011 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Readme.md
View file

@ -20,7 +20,7 @@
<a href="https://i.imgur.com/H943DFl.jpeg">Wallpaper link</a>
</details>
[My current wallpaper](https://git.voronind.com/voronind/nixos/src/branch/main/part/Wallpaper.nix#L2)
[My current wallpaper](https://git.voronind.com/voronind/nixos/src/branch/main/module/common/Wallpaper.nix#L2)
Color theming based on wallpaper thanks to [Stylix](https://github.com/danth/stylix).

6
android/Termux.nix
View file

@ -1,11 +1,11 @@
{ pkgs, style, util, ... }: {
{ pkgs, config, util, ... }: {
font = pkgs.runCommandNoCC "font" {} ''
cp ${pkgs.nerdfonts.override { fonts = [ "Terminus" ]; }}/share/fonts/truetype/NerdFonts/TerminessNerdFontMono-Regular.ttf $out
'';
colors = util.trimTabs ''
background=#${style.color.bg.dark}
foreground=#${style.color.fg.light}
background=#${config.module.style.color.bg.dark}
foreground=#${config.module.style.color.fg.light}
'';
initScript = util.trimTabs ''

0
part/style/Gruvbox.nix → android/style/Gruvbox.nix
View file

58
container/Change.nix
View file

@ -1,24 +1,48 @@
{ container, ... } @args: let
cfg = container.config.change;
{ container, lib, config, ... } @args: with lib; let
cfg = config.container.module.change;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.change = container.mkContainer cfg {
bindMounts = {
"/var/lib/changedetection-io" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.change = {
enable = mkEnableOption "Change detection service";
address = mkOption {
default = "10.1.0.41";
type = types.str;
};
port = mkOption {
default = 5000;
type = types.int;
};
domain = mkOption {
default = "change.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/change";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.changedetection-io = {
enable = true;
baseURL = cfg.domain;
behindProxy = true;
listenAddress = cfg.address;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.change = container.mkContainer cfg {
bindMounts = {
"/var/lib/changedetection-io" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
config = { ... }: container.mkContainerConfig cfg {
services.changedetection-io = {
enable = true;
baseURL = cfg.domain;
behindProxy = true;
listenAddress = cfg.address;
};
};
};
};

99
container/Cloud.nix
View file

@ -1,45 +1,72 @@
{ container, pkgs, ... } @args: let
cfg = container.config.cloud;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
{ container, pkgs, lib, config, ... } @args: with lib; let
cfg = config.container.module.cloud;
containers.cloud = container.mkContainer cfg {
bindMounts = {
"/var/lib/nextcloud" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
postgres = config.container.module.postgres;
proxy = config.container.module.proxy;
in {
options = {
container.module.cloud = {
enable = mkEnableOption "File cloud service";
address = mkOption {
default = "10.1.0.13";
type = types.str;
};
port = mkOption {
default = 80;
type = types.int;
};
domain = mkOption {
default = "cloud.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/cloud";
type = types.str;
};
};
};
config = { config, ... }: container.mkContainerConfig cfg {
environment.systemPackages = [ pkgs.postgresql ];
services.nextcloud = {
enable = true;
# package = pkgs.nextcloud29;
hostName = cfg.domain;
# phpOptions = {
# memory_limit = lib.mkForce "20G";
# };
config = {
adminuser = "root";
adminpassFile = "${pkgs.writeText "NextcloudPassword" "root"}";
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
dbhost = container.config.postgres.address;
dbname = "nextcloud";
dbpassFile = "${pkgs.writeText "NextcloudDbPassword" "nextcloud"}";
dbtype = "pgsql";
dbuser = "nextcloud";
containers.cloud = container.mkContainer cfg {
bindMounts = {
"/var/lib/nextcloud" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar onlyoffice;
};
extraAppsEnable = true;
settings = {
trusted_domains = [ cfg.address cfg.domain ];
trusted_proxies = [ container.config.proxy.address ];
allow_local_remote_servers = true;
};
config = { config, ... }: container.mkContainerConfig cfg {
environment.systemPackages = [ pkgs.postgresql ];
services.nextcloud = {
enable = true;
# package = pkgs.nextcloud29;
hostName = cfg.domain;
# phpOptions = {
# memory_limit = lib.mkForce "20G";
# };
config = {
adminuser = "root";
adminpassFile = "${pkgs.writeText "NextcloudPassword" "root"}";
dbhost = postgres.address;
dbname = "nextcloud";
dbpassFile = "${pkgs.writeText "NextcloudDbPassword" "nextcloud"}";
dbtype = "pgsql";
dbuser = "nextcloud";
};
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar onlyoffice;
};
extraAppsEnable = true;
settings = {
trusted_domains = [ cfg.address cfg.domain ];
trusted_proxies = [ proxy.address ];
allow_local_remote_servers = true;
};
};
};
};

74
container/Ddns.nix
View file

@ -1,35 +1,53 @@
{ container, domain, ... } @args: let
cfg = container.config.ddns;
{ container, lib, config, ... } @args: with lib; let
cfg = config.container.module.ddns;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.ddns = container.mkContainer cfg {
bindMounts = {
"/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = true;
options = {
container.module.ddns = {
enable = mkEnableOption "Dynamic dns client.";
address = mkOption {
default = "10.1.0.31";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/ddns";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.cloudflare-dyndns = {
enable = true;
apiTokenFile = "/data/token";
deleteMissing = true;
ipv4 = true;
ipv6 = false;
proxied = false;
domains = [ domain ] ++ map (sub: "${sub}.${domain}") [
"cloud"
"git"
"mail"
"office"
"paste"
"play"
"vpn"
];
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.ddns = container.mkContainer cfg {
bindMounts = {
"/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = true;
};
};
config = { ... }: container.mkContainerConfig cfg {
services.cloudflare-dyndns = {
enable = true;
apiTokenFile = "/data/token";
deleteMissing = true;
ipv4 = true;
ipv6 = false;
proxied = false;
domains = let
domain = config.container.domain;
in [ domain ] ++ map (sub: "${sub}.${domain}") [
"cloud"
"git"
"mail"
"office"
"paste"
"play"
"vpn"
];
};
};
};
};

213
container/Dns.nix
View file

@ -1,112 +1,129 @@
{ container, pkgs, ... } @args: let
cfg = container.config.dns;
{ container, pkgs, lib, config, ... } @args: with lib; let
cfg = config.container.module.dns;
in {
containers.dns = container.mkContainer cfg {
forwardPorts = [
{
containerPort = 53;
hostPort = 53;
protocol = "udp";
} {
containerPort = 53;
hostPort = 53;
protocol = "tcp";
}
];
options = {
container.module.dns = {
enable = mkEnableOption "Dns server.";
address = mkOption {
default = "10.1.0.6";
type = types.str;
};
port = mkOption {
default = 53;
type = types.int;
};
};
};
config = { lib, ... }: container.mkContainerConfig cfg {
environment.systemPackages = [
pkgs.cloudflared
config = mkIf cfg.enable {
containers.dns = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
} {
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
systemd.services.cloudflared = {
description = "Cloudflare DoH server.";
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${lib.getExe pkgs.cloudflared} proxy-dns --port 5054";
};
};
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = [
pkgs.cloudflared
];
services.blocky = {
enable = true;
settings = {
upstream = {
default = [
"0.0.0.0:5054"
"0.0.0.0:5054"
];
systemd.services.cloudflared = {
description = "Cloudflare DoH server.";
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${getExe pkgs.cloudflared} proxy-dns --port 5054";
};
blocking = {
blackLists = {
suspicious = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
"https://v.firebog.net/hosts/static/w3kbl.txt"
];
ads = [
"https://easylist-downloads.adblockplus.org/bitblock.txt"
"https://adaway.org/hosts.txt"
"https://v.firebog.net/hosts/AdguardDNS.txt"
"https://v.firebog.net/hosts/Admiral.txt"
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
"https://v.firebog.net/hosts/Easylist.txt"
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
"https://github.com/easylist/ruadlist/blob/master/advblock/adservers.txt"
];
tracking = [
"https://v.firebog.net/hosts/Easyprivacy.txt"
"https://v.firebog.net/hosts/Prigent-Ads.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
];
malicious = [
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
"https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
"https://phishing.army/download/phishing_army_blocklist_extended.txt"
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
"https://v.firebog.net/hosts/RPiList-Malware.txt"
"https://v.firebog.net/hosts/RPiList-Phishing.txt"
"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
"https://urlhaus.abuse.ch/downloads/hostfile/"
];
other = [
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
];
};
# whiteLists = {
# other = [
# "/.*.vk.com/"
# ];
# };
clientGroupsBlock = {
};
services.blocky = {
enable = true;
settings = {
upstream = {
default = [
"suspicious"
"ads"
"tracking"
"malicious"
"other"
"0.0.0.0:5054"
"0.0.0.0:5054"
];
};
};
customDNS = {
mapping = {
"voronind.com" = "192.168.1.2";
blocking = {
blackLists = {
suspicious = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
"https://v.firebog.net/hosts/static/w3kbl.txt"
];
ads = [
"https://easylist-downloads.adblockplus.org/bitblock.txt"
"https://adaway.org/hosts.txt"
"https://v.firebog.net/hosts/AdguardDNS.txt"
"https://v.firebog.net/hosts/Admiral.txt"
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
"https://v.firebog.net/hosts/Easylist.txt"
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
"https://github.com/easylist/ruadlist/blob/master/advblock/adservers.txt"
];
tracking = [
"https://v.firebog.net/hosts/Easyprivacy.txt"
"https://v.firebog.net/hosts/Prigent-Ads.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
];
malicious = [
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
"https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
"https://phishing.army/download/phishing_army_blocklist_extended.txt"
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
"https://v.firebog.net/hosts/RPiList-Malware.txt"
"https://v.firebog.net/hosts/RPiList-Phishing.txt"
"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
"https://urlhaus.abuse.ch/downloads/hostfile/"
];
other = [
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
];
};
# whiteLists = {
# other = [
# "/.*.vk.com/"
# ];
# };
clientGroupsBlock = {
default = [
"suspicious"
"ads"
"tracking"
"malicious"
"other"
];
};
};
customDNS = {
mapping = {
# All subdomains to current host.
${config.container.domain} = config.container.host;
};
};
port = cfg.port;
# httpPort = "80";
};
port = "53";
httpPort = "80";
};
};
};

71
container/Download.nix
View file

@ -1,29 +1,56 @@
{ container, lib, ... } @args: let
cfg = container.config.download;
memLimit = "4G";
{ container, lib, config, ... }: with lib; let
cfg = config.container.module.download;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.download = container.mkContainer cfg {
enableTun = true;
bindMounts = {
"/var/lib/deluge/.config/deluge" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.download = {
enable = mkEnableOption "Downloader.";
address = mkOption {
default = "10.1.0.12";
type = types.str;
};
} // container.attachMedia "download" cfg.download false;
config = { ... }: container.mkContainerConfig cfg {
services.deluge = {
enable = true;
dataDir = "/var/lib/deluge";
web.enable = true;
port = mkOption {
default = 8112;
type = types.int;
};
domain = mkOption {
default = "download.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/download";
type = types.str;
};
memLimit = mkOption {
default = "4G";
type = types.str;
};
};
};
systemd.services.deluged.serviceConfig.MemoryLimit = memLimit;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.download = container.mkContainer cfg {
enableTun = true;
bindMounts = {
"/var/lib/deluge/.config/deluge" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
} // container.attachMedia "download" false;
config = { ... }: container.mkContainerConfig cfg {
services.deluge = {
enable = true;
dataDir = "/var/lib/deluge";
web.enable = true;
};
systemd.services.deluged.serviceConfig.MemoryLimit = cfg.memLimit;
};
};
};
}

146
container/Git.nix
View file

@ -1,73 +1,97 @@
{ container, pkgs, ... } @args: let
cfg = container.config.git;
{ container, pkgs, config, lib, ... }: with lib; let
cfg = config.container.module.git;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.git = container.mkContainer cfg {
bindMounts = {
"/var/lib/gitea" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.git = {
enable = mkEnableOption "Git server.";
address = mkOption {
default = "10.1.0.8";
type = types.str;
};
port = mkOption {
default = 3000;
type = types.int;
};
domain = mkOption {
default = "git.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/git";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ gitea ];
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
services.gitea = {
enable = true;
stateDir = "/var/lib/gitea";
database = let
postgre = container.config.postgres;
in {
type = "postgres";
host = postgre.address;
port = postgre.port;
user = "gitea";
createDatabase = false;
containers.git = container.mkContainer cfg {
bindMounts = {
"/var/lib/gitea" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
settings = let
gcArgs = "--aggressive --no-cruft --prune=now";
gcTimeout = 600;
in {
"service".DISABLE_REGISTRATION = true;
"log".LEVEL = "Error";
"server" = {
DISABLE_SSH = true;
DOMAIN = cfg.domain;
HTTP_ADDR = cfg.address;
ROOT_URL = "https://${cfg.domain}";
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ gitea ];
services.gitea = {
enable = true;
stateDir = "/var/lib/gitea";
database = let
postgre = config.container.module.postgres;
in {
type = "postgres";
host = postgre.address;
port = postgre.port;
user = "gitea";
createDatabase = false;
};
"ui" = {
AMBIGUOUS_UNICODE_DETECTION = false;
settings = let
gcArgs = "--aggressive --no-cruft --prune=now";
gcTimeout = 600;
in {
"service".DISABLE_REGISTRATION = true;
"log".LEVEL = "Error";
"server" = {
DISABLE_SSH = true;
DOMAIN = cfg.domain;
HTTP_ADDR = cfg.address;
ROOT_URL = "https://${cfg.domain}";
};
"ui" = {
AMBIGUOUS_UNICODE_DETECTION = false;
};
"repository" = {
DEFAULT_PRIVATE = "private";
DEFAULT_PUSH_CREATE_PRIVATE = true;
};
"repository.pull-request".DEFAULT_MERGE_STYLE = "rebase";
"repository.issue".MAX_PINNED = 99999;
"cron" = {
ENABLED = true;
RUN_AT_START = true;
};
"repo-archive".ENABLED = false;
"cron.update_mirrors".SCHEDULE = "@midnight";
"cron.cleanup_actions".ENABLED = true;
"cron.git_gc_repos" = {
ENABLED = true;
SCHEDULE = "@midnight";
TIMEOUT = gcTimeout;
ARGS = gcArgs;
};
"git" = {
GC_ARGS = gcArgs;
};
"git.timeout".GC = gcTimeout;
};
"repository" = {
DEFAULT_PRIVATE = "private";
DEFAULT_PUSH_CREATE_PRIVATE = true;
};
"repository.pull-request".DEFAULT_MERGE_STYLE = "rebase";
"repository.issue".MAX_PINNED = 99999;
"cron" = {
ENABLED = true;
RUN_AT_START = true;
};
"repo-archive".ENABLED = false;
"cron.update_mirrors".SCHEDULE = "@midnight";
"cron.cleanup_actions".ENABLED = true;
"cron.git_gc_repos" = {
ENABLED = true;
SCHEDULE = "@midnight";
TIMEOUT = gcTimeout;
ARGS = gcArgs;
};
"git" = {
GC_ARGS = gcArgs;
};
"git.timeout".GC = gcTimeout;
};
};
};

90
container/Hdd.nix
View file

@ -1,43 +1,67 @@
# ISSUE: Broken, can't read/write sda device.
{ container, pkgs, ... } @args: let
cfg = container.config.hdd;
{ container, pkgs, config, lib, ... }: with lib; let
cfg = config.container.module.hdd;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
options = {
container.module.hdd = {
enable = mkEnableOption "Hdd health monitor.";
address = mkOption {
default = "10.1.0.10";
type = types.str;
};
port = mkOption {
default = 8080;
type = types.int;
};
domain = mkOption {
default = "hdd.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/hdd";
type = types.str;
};
};
};
containers.hdd = container.mkContainer cfg {
# bindMounts = let
# attachDrive = hostPath: {
# inherit hostPath;
# isReadOnly = false;
# };
# in {
# "/opt/scrutiny" = {
# hostPath = "${cfg.storage}/data";
# isReadOnly = false;
# };
# "/dev/sda" = attachDrive "/dev/sda";
# };
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
# allowedDevices = [
# {
# modifier = "rwm";
# node = "/dev/sda";
# }
# ];
containers.hdd = container.mkContainer cfg {
# bindMounts = let
# attachDrive = hostPath: {
# inherit hostPath;
# isReadOnly = false;
# };
# in {
# "/opt/scrutiny" = {
# hostPath = "${cfg.storage}/data";
# isReadOnly = false;
# };
# "/dev/sda" = attachDrive "/dev/sda";
# };
# additionalCapabilities = [ "CAP_SYS_ADMIN" ];
# allowedDevices = [
# {
# modifier = "rwm";
# node = "/dev/sda";
# }
# ];
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ smartmontools ];
# additionalCapabilities = [ "CAP_SYS_ADMIN" ];
services.scrutiny = {
enable = true;
settings.web = {
listen = {
host = cfg.address;
port = cfg.port;
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ smartmontools ];
services.scrutiny = {
enable = true;
settings.web = {
listen = {
host = cfg.address;
port = cfg.port;
};
};
};
};

50
container/Home.nix
View file

@ -1,22 +1,42 @@
{ container, pkgs, util, ... } @args: let
cfg = container.config.home;
{ container, pkgs, util, lib, config, ... } @args: with lib; let
cfg = config.container.module.home;
package = (pkgs.callPackage ./homer args);
in {
containers.home = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = [ package ];
systemd.packages = [ package ];
options = {
container.module.home = {
enable = mkEnableOption "Dashboard.";
address = mkOption {
default = "10.1.0.18";
type = types.str;
};
port = mkOption {
default = 80;
type = types.int;
};
domain = mkOption {
default = "home.${config.container.domain}";
type = types.str;
};
};
};
services.nginx = {
enable = true;
virtualHosts.${cfg.domain} = container.mkServer {
default = true;
root = "${package}";
config = mkIf cfg.enable {
containers.home = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = [ package ];
systemd.packages = [ package ];
locations = {
"/".extraConfig = ''
try_files $uri $uri/index.html;
'';
services.nginx = {
enable = true;
virtualHosts.${cfg.domain} = container.mkServer {
default = true;
root = "${package}";
locations = {
"/".extraConfig = ''
try_files $uri $uri/index.html;
'';
};
};
};
};

146
container/Iot.nix
View file

@ -1,69 +1,93 @@
{ container, ... } @args: let
cfg = container.config.iot;
{ container, lib, config, ... }: with lib; let
cfg = config.container.module.iot;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
options = {
container.module.iot = {
enable = mkEnableOption "IoT service.";
address = mkOption {
default = "10.1.0.27";
type = types.str;
};
port = mkOption {
default = 8123;
type = types.int;
};
domain = mkOption {
default = "iot.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/iot";
type = types.str;
};
};
};
containers.iot = container.mkContainer cfg {
bindMounts = {
"/var/lib/hass" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
"/dev/ttyACM0" = {
hostPath = "/dev/ttyACM0";
isReadOnly = false;
};
"/dev/serial/by-id" = {
hostPath = "/dev/serial/by-id";
isReadOnly = false;
};
} // container.attachMedia "photo" cfg.photo true;
allowedDevices = [
{
modifier = "rwm";
node = "/dev/ttyACM0";
}
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
config = { ... }: container.mkContainerConfig cfg {
# Allow Hass to talk to Zigbee dongle.
users.users.hass.extraGroups = [ "dialout" "tty" ];
containers.iot = container.mkContainer cfg {
bindMounts = {
"/var/lib/hass" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
"/dev/ttyACM0" = {
hostPath = "/dev/ttyACM0";
isReadOnly = false;
};
"/dev/serial/by-id" = {
hostPath = "/dev/serial/by-id";
isReadOnly = false;
};
} // container.attachMedia "photo" true;
services.home-assistant = {
# NOTE: Missing: hacs. Inside hacs: `card-mod`, `Clock Weather Card`, `WallPanel` and `Yandex.Station`.
enable = true;
extraComponents = [
"caldav"
"met"
"sun"
"systemmonitor"
"zha"
];
extraPackages = python3Packages: with python3Packages; [
aiodhcpwatcher
aiodiscover
aiogithubapi
async-upnp-client
ha-av
ha-ffmpeg
hassil
home-assistant-intents
mutagen
numpy
pynacl
pyturbojpeg
python-telegram-bot
zeroconf
];
configDir = "/var/lib/hass";
# lovelaceConfig = {
# title = "Home IoT control center.";
# };
# NOTE: Using imperative config because of secrets.
config = null;
allowedDevices = [
{
modifier = "rwm";
node = "/dev/ttyACM0";
}
];
config = { ... }: container.mkContainerConfig cfg {
# Allow Hass to talk to Zigbee dongle.
users.users.hass.extraGroups = [ "dialout" "tty" ];
services.home-assistant = {
# NOTE: Missing: hacs. Inside hacs: `card-mod`, `Clock Weather Card`, `WallPanel` and `Yandex.Station`.
enable = true;
extraComponents = [
"caldav"
"met"
"sun"
"systemmonitor"
"zha"
];
extraPackages = python3Packages: with python3Packages; [
aiodhcpwatcher
aiodiscover
aiogithubapi
async-upnp-client
ha-av
ha-ffmpeg
hassil
home-assistant-intents
mutagen
numpy
pynacl
pyturbojpeg
python-telegram-bot
zeroconf
];
configDir = "/var/lib/hass";
# lovelaceConfig = {
# title = "Home IoT control center.";
# };
# NOTE: Using imperative config because of secrets.
config = null;
};
};
};
};

88
container/Jobber.nix
View file

@ -1,48 +1,64 @@
{ container, pkgsJobber, poetry2nixJobber, lib, ... } @args: let
cfg = container.config.jobber;
{ container, pkgsJobber, poetry2nixJobber, lib, config, ... }: with lib; let
cfg = config.container.module.jobber;
script = import ./jobber { poetry2nix = poetry2nixJobber; pkgs = pkgsJobber; };
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.jobber = container.mkContainer cfg {
bindMounts = {
"/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = true;
options = {
container.module.jobber = {
enable = mkEnableOption "Button pusher Stanley.";
address = mkOption {
default = "10.1.0.32";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/jobber";
type = types.str;
};
};
};
enableTun = true;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
config = { lib, ... }: let
packages = [ script ] ++ (with pkgsJobber; [
firefox
geckodriver
openvpn
python311
]);
in container.mkContainerConfig cfg {
networking = lib.mkForce {
nameservers = [
"10.9.0.5"
];
containers.jobber = container.mkContainer cfg {
bindMounts = {
"/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = true;
};
};
systemd.services.jobber = {
description = "My job is pushing the button.";
enable = true;
wantedBy = [ "multi-user.target" ];
path = packages;
environment = {
PYTHONUNBUFFERED = "1";
PYTHONDONTWRITEBYTECODE = "1";
enableTun = true;
config = { lib, ... }: let
packages = [ script ] ++ (with pkgsJobber; [
firefox
geckodriver
openvpn
python311
]);
in container.mkContainerConfig cfg {
networking = lib.mkForce {
nameservers = [
"10.9.0.5"
];
};
serviceConfig = {
Type = "simple";
ExecStart = "${script}/bin/jobber -u";
Restart = "on-failure";
systemd.services.jobber = {
description = "My job is pushing the button.";
enable = true;
wantedBy = [ "multi-user.target" ];
path = packages;
environment = {
PYTHONUNBUFFERED = "1";
PYTHONDONTWRITEBYTECODE = "1";
};
serviceConfig = {
Type = "simple";
ExecStart = "${script}/bin/jobber -u";
Restart = "on-failure";
};
};
};
};

336
container/Mail.nix
View file

@ -1,177 +1,203 @@
# Guide: https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html
{ container, domain, pkgs, util, const, ... } @args: let cfg = container.config.mail;
{ container, pkgs, util, const, lib, config, ... }: with lib; let
cfg = config.container.module.mail;
domain = config.container.domain;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
# "data/indices"
# "data/vmail"
# "data/sieve"
# "data/dkim"
];
containers.mail = container.mkContainer cfg {
forwardPorts = [
{
containerPort = 993;
hostPort = 993;
protocol = "tcp";
} {
containerPort = 25;
hostPort = 25;
protocol = "tcp";
} {
containerPort = 465;
hostPort = 465;
protocol = "tcp";
}
];
bindMounts = {
"/var/lib/dovecot/indices" = {
hostPath = "${cfg.storage}/data/indices";
isReadOnly = false;
options = {
container.module.mail = {
enable = mkEnableOption "Email server.";
address = mkOption {
default = "10.1.0.5";
type = types.str;
};
"/var/vmail" = {
hostPath = "${cfg.storage}/data/vmail";
isReadOnly = false;
port = mkOption {
default = 80;
type = types.int;
};
"/var/sieve" = {
hostPath = "${cfg.storage}/data/sieve";
isReadOnly = false;
domain = mkOption {
default = "mail.${config.container.domain}";
type = types.str;
};
"/var/dkim" = {
hostPath = "${cfg.storage}/data/dkim";
isReadOnly = false;
};
"/acme" = {
hostPath = "${container.config.proxy.storage}/letsencrypt";
isReadOnly = true;
storage = mkOption {
default = "${config.container.storage}/mail";
type = types.str;
};
};
};
config = { config, ... }: container.mkContainerConfig cfg {
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-${const.stateVersion}/nixos-mailserver-nixos-${const.stateVersion}.tar.gz";
sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
})
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
# "data/indices"
# "data/vmail"
# "data/sieve"
# "data/dkim"
];
containers.mail = container.mkContainer cfg {
forwardPorts = [
{
containerPort = 993;
hostPort = 993;
protocol = "tcp";
} {
containerPort = 25;
hostPort = 25;
protocol = "tcp";
} {
containerPort = 465;
hostPort = 465;
protocol = "tcp";
}
];
mailserver = {
enable = true;
fqdn = cfg.domain;
domains = [ domain ];
sendingFqdn = domain;
bindMounts = {
"/var/lib/dovecot/indices" = {
hostPath = "${cfg.storage}/data/indices";
isReadOnly = false;
};
"/var/vmail" = {
hostPath = "${cfg.storage}/data/vmail";
isReadOnly = false;
};
"/var/sieve" = {
hostPath = "${cfg.storage}/data/sieve";
isReadOnly = false;
};
"/var/dkim" = {
hostPath = "${cfg.storage}/data/dkim";
isReadOnly = false;
};
"/acme" = {
hostPath = "${config.container.module.proxy.storage}/letsencrypt";
isReadOnly = true;
};
};
# Use `mkpasswd -sm bcrypt`.
loginAccounts = let
defaultQuota = "1G";
in {
"admin@${domain}" = {
name = "admin";
hashedPassword = "$2b$05$1O.dxXxaVshcBNybcqDRYuTlnYt3jDBwfPZWoDtP4BjOLoL0StYsi";
quota = defaultQuota;
config = { config, ... }: container.mkContainerConfig cfg {
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-${const.stateVersion}/nixos-mailserver-nixos-${const.stateVersion}.tar.gz";
sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
})
];
mailserver = {
enable = true;
domains = [ domain ];
fqdn = cfg.domain;
sendingFqdn = domain;
# Use `mkpasswd -sm bcrypt`.
loginAccounts = let
defaultQuota = "1G";
in {
"admin@${domain}" = {
name = "admin";
hashedPassword = "$2b$05$1O.dxXxaVshcBNybcqDRYuTlnYt3jDBwfPZWoDtP4BjOLoL0StYsi";
quota = defaultQuota;
};
"account@${domain}" = {
name = "account";
hashedPassword = "$2b$05$sCyZHdk98KqQ1qsTIvbrUeRJlNBOwBqDgpdc1QxiSnONlEkZ8xGNO";
quota = defaultQuota;
};
"hi@${domain}" = {
name = "hi";
hashedPassword = "$2b$05$6fT5hIhzIasNfp9IQr/ds.5RuxH95VKU3QJWlX3hmrAzDF3mExanq";
quota = defaultQuota;
aliases = [ "voronind@${domain}" ];
};
"job@${domain}" = {
name = "job";
hashedPassword = "$2b$05$.sUmv2.9EWPfLwJn/oZw2e1UbR7HrpNQ2THc5jjX3ysy7CY8ZWHUC";
quota = defaultQuota;
};
"trash@${domain}" = {
name = "trash";
hashedPassword = "$2b$05$kn5ygZjN9NR3LXjnKKRw/.DXaZQNW.1XEottlCFIoKiDpIj.JGLJm";
catchAll = [ domain ];
quota = defaultQuota;
};
"noreply@${domain}" = {
name = "noreply";
hashedPassword = "$2b$05$TaKwoYmcmkAhsRRv6xG5wOkChcz50cB9BP6QPUDKNAcxMbrY6AeMK";
sendOnly = true;
quota = defaultQuota;
};
};
"account@${domain}" = {
name = "account";
hashedPassword = "$2b$05$sCyZHdk98KqQ1qsTIvbrUeRJlNBOwBqDgpdc1QxiSnONlEkZ8xGNO";
quota = defaultQuota;
enableImap = true;
enableImapSsl = true;
enableSubmission = true;
enableSubmissionSsl = true;
virusScanning = false;
certificateScheme = "manual";
keyFile = "/acme/live/${domain}/privkey.pem";
certificateFile = "/acme/live/${domain}/cert.pem";
indexDir = "/var/lib/dovecot/indices";
mailDirectory = "/var/vmail";
sieveDirectory = "/var/sieve";
dkimKeyDirectory = "/var/dkim";
mailboxes = {
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Junk = {
auto = "subscribe";
specialUse = "Junk";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Trash = {
auto = "no";
specialUse = "Trash";
};
};
"hi@${domain}" = {
name = "hi";
hashedPassword = "$2b$05$6fT5hIhzIasNfp9IQr/ds.5RuxH95VKU3QJWlX3hmrAzDF3mExanq";
quota = defaultQuota;
aliases = [ "voronind@${domain}" ];
};
"job@${domain}" = {
name = "job";
hashedPassword = "$2b$05$.sUmv2.9EWPfLwJn/oZw2e1UbR7HrpNQ2THc5jjX3ysy7CY8ZWHUC";
quota = defaultQuota;
};
"trash@${domain}" = {
name = "trash";
hashedPassword = "$2b$05$kn5ygZjN9NR3LXjnKKRw/.DXaZQNW.1XEottlCFIoKiDpIj.JGLJm";
catchAll = [ domain ];
quota = defaultQuota;
};
"noreply@${domain}" = {
name = "noreply";
hashedPassword = "$2b$05$TaKwoYmcmkAhsRRv6xG5wOkChcz50cB9BP6QPUDKNAcxMbrY6AeMK";
sendOnly = true;
quota = defaultQuota;
dmarcReporting = {
inherit domain;
enable = true;
organizationName = "voronind";
# email = "noreply@${domain}";
};
# monitoring = {
# enable = true;
# alertAddress = "admin@${domain}";
# };
};
enableImap = true;
enableImapSsl = true;
enableSubmission = true;
enableSubmissionSsl = true;
virusScanning = false;
certificateScheme = "manual";
keyFile = "/acme/live/${domain}/privkey.pem";
certificateFile = "/acme/live/${domain}/cert.pem";
indexDir = "/var/lib/dovecot/indices";
mailDirectory = "/var/vmail";
sieveDirectory = "/var/sieve";
dkimKeyDirectory = "/var/dkim";
mailboxes = {
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Junk = {
auto = "subscribe";
specialUse = "Junk";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Trash = {
auto = "no";
specialUse = "Trash";
};
};
dmarcReporting = {
inherit domain;
services.roundcube = {
enable = true;
organizationName = "voronind";
# email = "noreply@${domain}";
dicts = with pkgs.aspellDicts; [ en ru ];
hostName = cfg.domain;
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
# $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
# $config['smtp_server'] = "tls://localhost";
$config['smtp_server'] = "localhost:25";
$config['smtp_auth_type'] = null;
$config['smtp_user'] = "";
$config['smtp_pass'] = "";
# $config['smtp_user'] = "%u";
# $config['smtp_pass'] = "%p";
'';
};
# monitoring = {
# enable = true;
# alertAddress = "admin@${domain}";
# };
};
services.roundcube = {
enable = true;
dicts = with pkgs.aspellDicts; [ en ru ];
hostName = cfg.domain;
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
# $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
# $config['smtp_server'] = "tls://localhost";
$config['smtp_server'] = "localhost:25";
$config['smtp_auth_type'] = null;
$config['smtp_user'] = "";
$config['smtp_pass'] = "";
# $config['smtp_user'] = "%u";
# $config['smtp_pass'] = "%p";
'';
};
services.nginx = {
virtualHosts.${cfg.domain} = {
forceSSL = false;
enableACME = false;
services.nginx = {
virtualHosts.${cfg.domain} = {
forceSSL = false;
enableACME = false;
};
};
};
};

74
container/Office.nix
View file

@ -2,39 +2,63 @@
# 1. You need to change PSQL tables owner from root to onlyoffice, too. They don't do that automatically for some reason.
# 2. TODO: Generate JWT secret at /var/lib/onlyoffice/jwt, i.e. 9wLfMGha1YrfvWpb5hyYjZf8pvJQ3swS
# See https://git.voronind.com/voronind/nixos/issues/74
{ container, pkgs, util, lib, ... } @args: let
cfg = container.config.office;
{ container, pkgs, util, lib, config, ... }: with lib; let
cfg = config.container.module.office;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.office = container.mkContainer cfg {
bindMounts = {
"/var/lib/onlyoffice" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.office = {
enable = mkEnableOption "Office web suite.";
address = mkOption {
default = "10.1.0.21";
type = types.str;
};
port = mkOption {
default = 8000;
type = types.int;
};
domain = mkOption {
default = "office.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/office";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.onlyoffice = let
dbName = "onlyoffice";
in {
enable = true;
hostname = cfg.domain;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
postgresName = dbName;
postgresHost = container.config.postgres.address;
postgresUser = dbName;
postgresPasswordFile = "${pkgs.writeText "OfficeDbPassword" dbName}";
containers.office = container.mkContainer cfg {
bindMounts = {
"/var/lib/onlyoffice" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
jwtSecretFile = "/var/lib/onlyoffice/jwt";
config = { ... }: container.mkContainerConfig cfg {
services.onlyoffice = let
dbName = "onlyoffice";
in {
enable = true;
hostname = cfg.domain;
rabbitmqUrl = "amqp://guest:guest@${container.config.rabbitmq.address}:${toString container.config.rabbitmq.port}";
postgresName = dbName;
postgresHost = config.container.module.postgres.address;
postgresUser = dbName;
postgresPasswordFile = "${pkgs.writeText "OfficeDbPassword" dbName}";
examplePort = cfg.port;
enableExampleServer = true;
jwtSecretFile = "/var/lib/onlyoffice/jwt";
rabbitmqUrl = "amqp://guest:guest@${config.container.module.rabbitmq.address}:${toString config.container.module.rabbitmq.port}";
examplePort = cfg.port;
enableExampleServer = true;
};
};
};
};

104
container/Paper.nix
View file

@ -1,52 +1,76 @@
{ container, pkgs, util, lib, ... } @args: let
cfg = container.config.paper;
{ container, pkgs, util, lib, config, ... }: with lib; let
cfg = config.container.module.paper;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.paper = container.mkContainer cfg {
bindMounts = {
"/var/lib/paperless" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.paper = {
enable = mkEnableOption "Paper scans manager.";
address = mkOption {
default = "10.1.0.40";
type = types.str;
};
"/var/lib/paperless/media" = {
hostPath = "${lib.elemAt cfg.paper 0}";
isReadOnly = false;
port = mkOption {
default = 28981;
type = types.int;
};
domain = mkOption {
default = "paper.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/paper";
type = types.str;
};
};
};
config = { lib, ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ postgresql inetutils ];
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
services.paperless = {
enable = true;
dataDir = "/var/lib/paperless";
# address = cfg.domain;
address = "0.0.0.0";
port = cfg.port;
passwordFile = pkgs.writeText "PaperlessPassword" "root";
settings = {
PAPERLESS_URL = "https://${cfg.domain}";
PAPERLESS_ADMIN_USER = "root";
PAPERLESS_DBHOST = container.config.postgres.address;
PAPERLESS_DBENGINE = "postgresql";
PAPERLESS_DBNAME = "paperless";
PAPERLESS_DBPASS = "paperless";
PAPERLESS_DBPORT = container.config.postgres.port;
PAPERLESS_DBUSER = "paperless";
PAPERLESS_OCR_LANGUAGE = "rus";
PAPERLESS_REDIS = "redis://${container.config.redis.address}:${toString container.config.redis.port}";
containers.paper = container.mkContainer cfg {
bindMounts = {
"/var/lib/paperless" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
"/var/lib/paperless/media" = {
hostPath = "${elemAt config.container.media.paper 0}";
isReadOnly = false;
};
};
# HACK: This is required for TCP postgres connection.
systemd.services.paperless-scheduler.serviceConfig = {
PrivateNetwork = lib.mkForce false;
};
systemd.services.paperless-consumer.serviceConfig = {
PrivateNetwork = lib.mkForce false;
config = { lib, ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ postgresql inetutils ];
services.paperless = {
enable = true;
dataDir = "/var/lib/paperless";
# address = cfg.domain;
address = "0.0.0.0";
port = cfg.port;
passwordFile = pkgs.writeText "PaperlessPassword" "root";
settings = {
PAPERLESS_URL = "https://${cfg.domain}";
PAPERLESS_ADMIN_USER = "root";
PAPERLESS_DBHOST = config.container.module.postgres.address;
PAPERLESS_DBENGINE = "postgresql";
PAPERLESS_DBNAME = "paperless";
PAPERLESS_DBPASS = "paperless";
PAPERLESS_DBPORT = config.container.module.postgres.port;
PAPERLESS_DBUSER = "paperless";
PAPERLESS_OCR_LANGUAGE = "rus";
PAPERLESS_REDIS = "redis://${config.container.module.redis.address}:${toString config.container.module.redis.port}";
};
};
# HACK: This is required for TCP postgres connection.
systemd.services.paperless-scheduler.serviceConfig = {
PrivateNetwork = lib.mkForce false;
};
systemd.services.paperless-consumer.serviceConfig = {
PrivateNetwork = lib.mkForce false;
};
};
};
};

72
container/Pass.nix
View file

@ -1,31 +1,55 @@
{ container, ... } @args: let
cfg = container.config.pass;
{ container, lib, config, ... }: with lib; let
cfg = config.container.module.pass;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.pass = container.mkContainer cfg {
bindMounts = {
"/var/lib/bitwarden_rs" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.pass = {
enable = mkEnableOption "Password manager";
address = mkOption {
default = "10.1.0.9";
type = types.str;
};
port = mkOption {
default = 8000;
type = types.int;
};
domain = mkOption {
default = "pass.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/pass";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
environmentFile = "/var/lib/bitwarden_rs/Env";
config = {
# DATABASE_URL = "postgresql://vaultwarden:vaultwarden@${container.config.postgres.address}:${toString container.config.postgres.port}/vaultwarden";
DATA_FOLDER = "/var/lib/bitwarden_rs";
DOMAIN = "http://${cfg.domain}";
SIGNUPS_ALLOWED = false;
WEB_VAULT_ENABLED = true;
ROCKET_ADDRESS = cfg.address;
ROCKET_PORT = cfg.port;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.pass = container.mkContainer cfg {
bindMounts = {
"/var/lib/bitwarden_rs" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
config = { ... }: container.mkContainerConfig cfg {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
environmentFile = "/var/lib/bitwarden_rs/Env";
config = {
# DATABASE_URL = "postgresql://vaultwarden:vaultwarden@${container.config.postgres.address}:${toString container.config.postgres.port}/vaultwarden";
DATA_FOLDER = "/var/lib/bitwarden_rs";
DOMAIN = "http://${cfg.domain}";
SIGNUPS_ALLOWED = false;
WEB_VAULT_ENABLED = true;
ROCKET_ADDRESS = cfg.address;
ROCKET_PORT = cfg.port;
};
};
};
};

182
container/Paste.nix
View file

@ -1,100 +1,124 @@
{ pkgs, util, container, ... } @args: let
cfg = container.config.paste;
{ pkgs, util, container, lib, config, ... } @args: with lib; let
cfg = config.container.module.paste;
package = (pkgs.callPackage ./pastebin args);
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
"tmp"
"nginxtmp"
"config"
];
containers.paste = container.mkContainer cfg {
bindMounts = {
"/srv/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.paste = {
enable = mkEnableOption "Pastebin.";
address = mkOption {
default = "10.1.0.14";
type = types.str;
};
"/tmp" = {
hostPath = "${cfg.storage}/tmp";
isReadOnly = false;
port = mkOption {
default = 80;
type = types.int;
};
"/var/lib/nginx/tmp" = {
hostPath = "${cfg.storage}/nginxtmp";
isReadOnly = false;
domain = mkOption {
default = "paste.${config.container.domain}";
type = types.str;
};
"/srv/config" = {
hostPath = "${cfg.storage}/config";
isReadOnly = false;
storage = mkOption {
default = "${config.container.storage}/paste";
type = types.str;
};
};
};
config = { config, ... }: container.mkContainerConfig cfg {
environment.systemPackages = [ package ];
systemd.packages = [ package ];
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
"tmp"
"nginxtmp"
"config"
];
users.users.paste = {
group = "nginx";
isSystemUser = true;
};
services.phpfpm.pools.paste = {
user = "paste";
group = "nginx";
phpPackage = pkgs.php;
settings = {
"pm" = "dynamic";
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"listen.owner" = "nginx";
"catch_workers_output" = true;
"pm.max_children" = "32";
"pm.start_servers" = "2";
"pm.min_spare_servers" = "2";
"pm.max_spare_servers" = "4";
"pm.max_requests" = "500";
containers.paste = container.mkContainer cfg {
bindMounts = {
"/srv/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
phpEnv = {
# CONFIG_PATH = "${package}/cfg";
"/tmp" = {
hostPath = "${cfg.storage}/tmp";
isReadOnly = false;
};
"/var/lib/nginx/tmp" = {
hostPath = "${cfg.storage}/nginxtmp";
isReadOnly = false;
};
"/srv/config" = {
hostPath = "${cfg.storage}/config";
isReadOnly = false;
};
};
services.nginx = {
enable = true;
virtualHosts.${cfg.domain} = container.mkServer {
default = true;
root = "${package}";
config = { config, ... }: container.mkContainerConfig cfg {
environment.systemPackages = [ package ];
systemd.packages = [ package ];
locations = {
"/".extraConfig = ''
rewrite ^ /index.php;
'';
users.users.paste = {
group = "nginx";
isSystemUser = true;
};
"~ \\.php$".extraConfig = util.trimTabs ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.paste.socket};
include ${config.services.nginx.package}/conf/fastcgi.conf;
include ${config.services.nginx.package}/conf/fastcgi_params;
'';
services.phpfpm.pools.paste = {
user = "paste";
group = "nginx";
"~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = util.trimTabs ''
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
access_log off;
'';
phpPackage = pkgs.php;
settings = {
"pm" = "dynamic";
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"listen.owner" = "nginx";
"catch_workers_output" = true;
"pm.max_children" = "32";
"pm.start_servers" = "2";
"pm.min_spare_servers" = "2";
"pm.max_spare_servers" = "4";
"pm.max_requests" = "500";
};
extraConfig = util.trimTabs ''
try_files $uri /index.php;
'';
phpEnv = {
# CONFIG_PATH = "${package}/cfg";
};
};
services.nginx = {
enable = true;
virtualHosts.${cfg.domain} = container.mkServer {
default = true;
root = "${package}";
locations = {
"/".extraConfig = ''
rewrite ^ /index.php;
'';
"~ \\.php$".extraConfig = util.trimTabs ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.paste.socket};
include ${config.services.nginx.package}/conf/fastcgi.conf;
include ${config.services.nginx.package}/conf/fastcgi_params;
'';
"~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = util.trimTabs ''
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
access_log off;
'';
};
extraConfig = util.trimTabs ''
try_files $uri /index.php;
'';
};
};
};
};

112
container/Postgres.nix
View file

@ -1,56 +1,76 @@
{ container, lib, pkgs, ... } @args: let
cfg = container.config.postgres;
{ container, lib, pkgs, config, ... }: with lib; let
cfg = config.container.module.postgres;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.postgres = container.mkContainer cfg {
bindMounts = {
"/var/lib/postgresql/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.postgres = {
enable = mkEnableOption "Postgresql server.";
address = mkOption {
default = "10.1.0.3";
type = types.str;
};
port = mkOption {
default = 5432;
type = types.int;
};
storage = mkOption {
default = "${config.container.storage}/postgres";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.postgresql = let
# Populate with services here.
configurations = with container.config; {
gitea = git;
nextcloud = cloud;
privatebin = paste;
onlyoffice = office;
paperless = paper;
invidious = yt;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.postgres = container.mkContainer cfg {
bindMounts = {
"/var/lib/postgresql/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
access = configurations // {
all = { address = container.host; };
config = { ... }: container.mkContainerConfig cfg {
services.postgresql = let
# Populate with services here.
configurations = with config.container.module; {
gitea = git;
nextcloud = cloud;
privatebin = paste;
onlyoffice = office;
paperless = paper;
invidious = yt;
};
access = configurations // {
all = { address = config.container.host; };
};
authentication = builtins.foldl' (acc: item: acc + "${item}\n") "" (
mapAttrsToList (db: cfg: "host ${db} ${db} ${cfg.address}/32 trust") access
);
ensureDatabases = [ "root" ] ++ mapAttrsToList (name: _: name) configurations;
ensureUsers = map (name: {
inherit name;
ensureClauses = if name == "root" then {
superuser = true;
createrole = true;
createdb = true;
} else {};
ensureDBOwnership = true;
}) ensureDatabases;
in {
inherit authentication ensureDatabases ensureUsers;
enable = true;
package = pkgs.postgresql_14;
dataDir = "/var/lib/postgresql/data/14";
enableTCPIP = true;
};
authentication = builtins.foldl' (acc: item: acc + "${item}\n") "" (
lib.mapAttrsToList (db: cfg: "host ${db} ${db} ${cfg.address}/32 trust") access
);
ensureDatabases = [ "root" ] ++ lib.mapAttrsToList (name: _: name) configurations;
ensureUsers = map (name: {
inherit name;
ensureClauses = if name == "root" then {
superuser = true;
createrole = true;
createdb = true;
} else {};
ensureDBOwnership = true;
}) ensureDatabases;
in {
inherit authentication ensureDatabases ensureUsers;
enable = true;
package = pkgs.postgresql_14;
dataDir = "/var/lib/postgresql/data/14";
enableTCPIP = true;
};
};
};

68
container/Print.nix
View file

@ -2,33 +2,57 @@
# ipp://192.168.2.237
# Pantum M6500W-Series
{ container, pkgs, ... } @args: let
cfg = container.config.print;
{ container, pkgs, lib, config, ... }: with lib; let
cfg = config.container.module.print;
package = pkgs.callPackage ./print args;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.print = container.mkContainer cfg {
bindMounts = {
"/var/lib/cups" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.print = {
enable = mkEnableOption "Printing server.";
address = mkOption {
default = "10.1.0.46";
type = types.str;
};
port = mkOption {
default = 631;
type = types.int;
};
domain = mkOption {
default = "print.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/print";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.printing = {
enable = true;
allowFrom = [ "all" ];
browsing = true;
defaultShared = true;
drivers = [ package ];
listenAddresses = [ "${cfg.address}:${toString cfg.port}" ];
startWhenNeeded = true;
stateless = false;
webInterface = true;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.print = container.mkContainer cfg {
bindMounts = {
"/var/lib/cups" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
config = { ... }: container.mkContainerConfig cfg {
services.printing = {
enable = true;
allowFrom = [ "all" ];
browsing = true;
defaultShared = true;
drivers = [ package ];
listenAddresses = [ "${cfg.address}:${toString cfg.port}" ];
startWhenNeeded = true;
stateless = false;
webInterface = true;
};
};
};
};

164
container/Proxy.nix
View file

@ -9,95 +9,115 @@
# ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# ```
# For certbot to generate new keys: `certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.voronind.com" -d voronind.com`
{ domain, util, container, pkgs, ... } @args: let
cfg = container.config.proxy;
{ util, container, pkgs, lib, config, ... } @args: with lib; let
cfg = config.container.module.proxy;
virtualHosts = util.catSet (util.ls ./proxy/host) args;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"challenge"
"letsencrypt"
];
containers.proxy = container.mkContainer cfg {
forwardPorts = [
# {
# containerPort = 80;
# hostPort = 80;
# protocol = "tcp";
# } {
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
bindMounts = {
"/etc/letsencrypt" = {
hostPath = "${cfg.storage}/letsencrypt";
isReadOnly = true;
options = {
container.module.proxy = {
enable = mkEnableOption "Proxy server.";
address = mkOption {
default = "10.1.0.2";
type = types.str;
};
"/var/www/.well-known" = {
hostPath = "${cfg.storage}/challenge";
isReadOnly = false;
port = mkOption {
default = 443;
type = types.int;
};
storage = mkOption {
default = "${config.container.storage}/proxy";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ certbot ];
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"challenge"
"letsencrypt"
];
services.nginx = {
inherit virtualHosts;
containers.proxy = container.mkContainer cfg {
forwardPorts = [
# {
# containerPort = 80;
# hostPort = 80;
# protocol = "tcp";
# } {
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
enable = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
appendConfig = util.trimTabs ''
worker_processes 4;
'';
eventsConfig = util.trimTabs ''
worker_connections 4096;
'';
# TODO: Fix 80 redirect and 403 default.
appendHttpConfig = util.trimTabs ''
server {
server_name default_server;
listen 80;
bindMounts = {
"/etc/letsencrypt" = {
hostPath = "${cfg.storage}/letsencrypt";
isReadOnly = true;
};
"/var/www/.well-known" = {
hostPath = "${cfg.storage}/challenge";
isReadOnly = false;
};
};
location / {
return 301 https://$host$request_uri;
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ certbot ];
services.nginx = {
inherit virtualHosts;
enable = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
appendConfig = util.trimTabs ''
worker_processes 4;
'';
eventsConfig = util.trimTabs ''
worker_connections 4096;
'';
# TODO: Fix 80 redirect and 403 default.
appendHttpConfig = util.trimTabs ''
server {
server_name default_server;
listen 80;
location / {
return 301 https://$host$request_uri;
}
}
}
map $http_accept_language $resume {
default https://git.${domain}/voronind/resume/releases/download/latest/voronind_en.pdf;
~ru https://git.${domain}/voronind/resume/releases/download/latest/voronind_ru.pdf;
}
map $http_accept_language $resume {
default https://git.${config.container.domain}/voronind/resume/releases/download/latest/voronind_en.pdf;
~ru https://git.${config.container.domain}/voronind/resume/releases/download/latest/voronind_ru.pdf;
}
server {
server_name ${domain};
listen 443 ssl;
server {
server_name ${config.container.domain};
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
return 301 $resume;
}
return 301 $resume;
}
server {
listen 443 ssl default_server;
server_name _;
server {
listen 443 ssl default_server;
server_name _;
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
return 403;
}
'';
return 403;
}
'';
};
};
};
};

58
container/Rabbitmq.nix
View file

@ -1,26 +1,46 @@
{ container, pkgs, util, ... } @args: let
cfg = container.config.rabbitmq;
{ container, pkgs, util, lib, config, ... }: with lib; let
cfg = config.container.module.rabbitmq;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.rabbitmq = container.mkContainer cfg {
bindMounts = {
"/var/lib/rabbitmq" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.rabbitmq = {
enable = mkEnableOption "Mqtt server.";
address = mkOption {
default = "10.1.0.28";
type = types.str;
};
port = mkOption {
default = 5672;
type = types.int;
};
storage = mkOption {
default = "${config.container.storage}/rabbitmq";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.rabbitmq = {
enable = true;
listenAddress = cfg.address;
port = cfg.port;
dataDir = "/var/lib/rabbitmq";
configItems = {
"loopback_users" = "none";
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.rabbitmq = container.mkContainer cfg {
bindMounts = {
"/var/lib/rabbitmq" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
config = { ... }: container.mkContainerConfig cfg {
services.rabbitmq = {
enable = true;
listenAddress = cfg.address;
port = cfg.port;
dataDir = "/var/lib/rabbitmq";
configItems = {
"loopback_users" = "none";
};
};
};
};

70
container/Read.nix
View file

@ -1,29 +1,53 @@
{ container, lib, pkgs, ... } @args: let
cfg = container.config.read;
{ container, lib, pkgs, config, ... }: with lib; let
cfg = config.container.module.read;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.read = container.mkContainer cfg {
bindMounts = {
"/var/lib/kavita" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.read = {
enable = mkEnableOption "Reading server.";
address = mkOption {
default = "10.1.0.39";
type = types.str;
};
}
// container.attachMedia "book" cfg.book true
// container.attachMedia "manga" cfg.manga true
;
port = mkOption {
default = 5000;
type = types.int;
};
domain = mkOption {
default = "read.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/read";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.kavita = {
enable = true;
dataDir = "/var/lib/kavita";
tokenKeyFile = pkgs.writeText "KavitaToken" "xY19aQOa939/Ie6GCRGbubVK8zRwrgBY/20AuyMpYshUjwK1Uyl7bw1yknVh6jJIFIfwq2vAjeotOUq7NEsf9Q==";
settings = {
IpAddresses = cfg.address;
Port = cfg.port;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.read = container.mkContainer cfg {
bindMounts = {
"/var/lib/kavita" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
}
// container.attachMedia "book" true
// container.attachMedia "manga" true
;
config = { ... }: container.mkContainerConfig cfg {
services.kavita = {
enable = true;
dataDir = "/var/lib/kavita";
tokenKeyFile = pkgs.writeText "KavitaToken" "xY19aQOa939/Ie6GCRGbubVK8zRwrgBY/20AuyMpYshUjwK1Uyl7bw1yknVh6jJIFIfwq2vAjeotOUq7NEsf9Q==";
settings = {
IpAddresses = cfg.address;
Port = cfg.port;
};
};
};
};

34
container/Redis.nix
View file

@ -1,13 +1,29 @@
{ container, pkgs, util, ... } @args: let
cfg = container.config.redis;
{ container, pkgs, util, lib, config, ... }: with lib; let
cfg = config.container.module.redis;
in {
containers.redis = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
services.redis.servers.main = {
enable = true;
port = cfg.port;
bind = cfg.address;
extraParams = [ "--protected-mode no" ];
options = {
container.module.redis = {
enable = mkEnableOption "Redis server.";
address = mkOption {
default = "10.1.0.38";
type = types.str;
};
port = mkOption {
default = 6379;
type = types.int;
};
};
};
config = mkIf cfg.enable {
containers.redis = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
services.redis.servers.main = {
enable = true;
port = cfg.port;
bind = cfg.address;
extraParams = [ "--protected-mode no" ];
};
};
};
};

48
container/Search.nix
View file

@ -1,16 +1,40 @@
{ container, pkgs, ... } @args: let
cfg = container.config.search;
{ container, pkgs, lib, config, ... }: with lib; let
cfg = config.container.module.search;
in {
containers.search = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
services.searx = {
enable = true;
package = pkgs.searxng;
settings = {
server = {
bind_address = cfg.address;
port = cfg.port;
secret_key = "searxxx";
options = {
container.module.search = {
enable = mkEnableOption "Search frontend.";
address = mkOption {
default = "10.1.0.26";
type = types.str;
};
port = mkOption {
default = 8080;
type = types.int;
};
domain = mkOption {
default = "search.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/search";
type = types.str;
};
};
};
config = mkIf cfg.enable {
containers.search = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
services.searx = {
enable = true;
package = pkgs.searxng;
settings = {
server = {
bind_address = cfg.address;
port = cfg.port;
secret_key = "searxxx";
};
};
};
};

74
container/Status.nix
View file

@ -1,36 +1,60 @@
{ container, ... } @args: let
cfg = container.config.status;
{ container, lib, config, ... }: with lib; let
cfg = config.container.module.status;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.status = container.mkContainer cfg {
bindMounts = {
"/var/lib/uptime-kuma" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.status = {
enable = mkEnableOption "Status monitor.";
address = mkOption {
default = "10.1.0.22";
type = types.str;
};
port = mkOption {
default = 3001;
type = types.int;
};
domain = mkOption {
default = "status.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/status";
type = types.str;
};
};
};
config = { lib, ... }: container.mkContainerConfig cfg {
networking = {
nameservers = lib.mkForce [
container.config.dns.address
];
};
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
services.uptime-kuma = {
enable = true;
settings = {
DATA_DIR = "/var/lib/uptime-kuma/";
HOST = cfg.address;
PORT = toString cfg.port;
containers.status = container.mkContainer cfg {
bindMounts = {
"/var/lib/uptime-kuma" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
systemd.services.uptime-kuma = {
serviceConfig.DynamicUser = lib.mkForce false;
config = { lib, ... }: container.mkContainerConfig cfg {
networking = {
nameservers = mkForce [
config.container.module.dns.address
];
};
services.uptime-kuma = {
enable = true;
settings = {
DATA_DIR = "/var/lib/uptime-kuma/";
HOST = cfg.address;
PORT = toString cfg.port;
};
};
systemd.services.uptime-kuma = {
serviceConfig.DynamicUser = mkForce false;
};
};
};
};

70
container/Stock.nix
View file

@ -1,31 +1,55 @@
{ container, ... } @args: let
cfg = container.config.stock;
{ container, lib, config, ... }: with lib; let
cfg = config.container.module.stock;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.stock = container.mkContainer cfg {
bindMounts = {
"/var/lib/grocy" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
options = {
container.module.stock = {
enable = mkEnableOption "Stock management.";
address = mkOption {
default = "10.1.0.45";
type = types.str;
};
port = mkOption {
default = 80;
type = types.int;
};
domain = mkOption {
default = "stock.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/stock";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
services.grocy = {
enable = true;
dataDir = "/var/lib/grocy";
hostName = cfg.domain;
nginx.enableSSL = false;
settings = {
calendar = {
firstDayOfWeek = 1;
showWeekNumber = true;
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
];
containers.stock = container.mkContainer cfg {
bindMounts = {
"/var/lib/grocy" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
config = { ... }: container.mkContainerConfig cfg {
services.grocy = {
enable = true;
dataDir = "/var/lib/grocy";
hostName = cfg.domain;
nginx.enableSSL = false;
settings = {
calendar = {
firstDayOfWeek = 1;
showWeekNumber = true;
};
culture = "en";
currency = "RUB";
};
culture = "en";
currency = "RUB";
};
};
};

140
container/Vpn.nix
View file

@ -1,68 +1,90 @@
{ container, pkgs, ... } @args: let
cfg = container.config.vpn;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
"data/preshared"
{ container, pkgs, lib, config, ... }: with lib; let
cfg = config.container.module.vpn;
wireguardPeers = let
mkPeer = name: ip: PublicKey: {
inherit PublicKey;
PresharedKeyFile = "/var/lib/wireguard/preshared/${name}";
AllowedIPs = [ "${ip}/32" ];
};
in [
(mkPeer "dashaphone" "10.1.1.3" "O/3y8+QKEY8UoLVlmbc8xdhs248L4wtQcl1MsBBfoQo=")
(mkPeer "laptop" "10.1.1.9" "xxoCNPSB86zs8L8p+wXhqaIwpNDkiZu1Yjv8sj8XhgY=")
(mkPeer "phone" "10.1.1.5" "bFmFisMqbDpIrAg3o/GiRl9XhceZEVnZtkegZDTL4yg=")
(mkPeer "tablet" "10.1.1.6" "BdslswVc9OgUpEhJd0sugDBmYw44DiS0FbUPT5EjOG0=")
(mkPeer "work" "10.1.1.2" "Pk0AASSInKO9O8RaQEmm1uNrl0cwWTJDcT8rLn7PSA0=")
];
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;
};
containers.vpn = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
}
];
bindMounts = {
"/var/lib/wireguard" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
in {
options = {
container.module.vpn = {
enable = mkEnableOption "Vpn server.";
address = mkOption {
default = "10.1.0.23";
type = types.str;
};
port = mkOption {
default = 51820;
type = types.int;
};
storage = mkOption {
default = "${config.container.storage}/vpn";
type = types.str;
};
};
};
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.useNetworkd = true;
systemd.network = {
enable = true;
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
MTUBytes = "1300";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/var/lib/wireguard/privkey";
ListenPort = cfg.port;
};
wireguardPeers = let
mkPeer = name: ip: PublicKey: {
inherit PublicKey;
PresharedKeyFile = "/var/lib/wireguard/preshared/${name}";
AllowedIPs = [ "${ip}/32" ];
};
in [
(mkPeer "dashaphone" "10.1.1.3" "O/3y8+QKEY8UoLVlmbc8xdhs248L4wtQcl1MsBBfoQo=")
(mkPeer "laptop" "10.1.1.9" "xxoCNPSB86zs8L8p+wXhqaIwpNDkiZu1Yjv8sj8XhgY=")
(mkPeer "phone" "10.1.1.5" "bFmFisMqbDpIrAg3o/GiRl9XhceZEVnZtkegZDTL4yg=")
(mkPeer "tablet" "10.1.1.6" "BdslswVc9OgUpEhJd0sugDBmYw44DiS0FbUPT5EjOG0=")
(mkPeer "work" "10.1.1.2" "Pk0AASSInKO9O8RaQEmm1uNrl0cwWTJDcT8rLn7PSA0=")
];
};
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
"data/preshared"
];
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;
};
containers.vpn = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
}
];
bindMounts = {
"/var/lib/wireguard" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = ["10.1.1.0/24"];
networkConfig = {
IPForward = true;
IPMasquerade = "ipv4";
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.useNetworkd = true;
systemd.network = {
enable = true;
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
MTUBytes = "1300";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/var/lib/wireguard/privkey";
ListenPort = cfg.port;
};
inherit wireguardPeers;
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = ["10.1.1.0/24"];
networkConfig = {
IPForward = true;
IPMasquerade = "ipv4";
};
};
};
};

119
container/Watch.nix
View file

@ -1,54 +1,81 @@
{ container, lib, ... } @args: let
cfg = container.config.watch;
memLimit = "8G";
{ container, lib, config, ... }: with lib; let
cfg = config.container.module.watch;
in {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
"cache"
];
options = {
container.module.watch = {
enable = mkEnableOption "Media server.";
address = mkOption {
default = "10.1.0.11";
type = types.str;
};
port = mkOption {
default = 8096;
type = types.int;
};
domain = mkOption {
default = "watch.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/watch";
type = types.str;
};
memLimit = mkOption {
default = "8G";
type = types.str;
};
};
};
containers.watch = container.mkContainer cfg {
bindMounts = {
"/var/lib/jellyfin" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
"/var/cache/jellyfin" = {
hostPath = "${cfg.storage}/cache";
isReadOnly = false;
};
"/dev/dri" = {
hostPath = "/dev/dri";
isReadOnly = false;
};
}
// container.attachMedia "anime" cfg.anime true
// container.attachMedia "download" cfg.download true
// container.attachMedia "movie" cfg.movie true
// container.attachMedia "music" cfg.music true
// container.attachMedia "photo" cfg.photo true
// container.attachMedia "porn" cfg.porn true
// container.attachMedia "show" cfg.show true
// container.attachMedia "study" cfg.study true
// container.attachMedia "work" cfg.work true
// container.attachMedia "youtube" cfg.youtube true
;
allowedDevices = [
{
modifier = "rwm";
node = "/dev/dri";
}
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
"cache"
];
config = { ... }: container.mkContainerConfig cfg {
services.jellyfin = {
enable = true;
cacheDir = "/var/cache/jellyfin";
dataDir = "/var/lib/jellyfin";
};
containers.watch = container.mkContainer cfg {
bindMounts = {
"/var/lib/jellyfin" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
};
"/var/cache/jellyfin" = {
hostPath = "${cfg.storage}/cache";
isReadOnly = false;
};
"/dev/dri" = {
hostPath = "/dev/dri";
isReadOnly = false;
};
}
// container.attachMedia "anime" true
// container.attachMedia "download" true
// container.attachMedia "movie" true
// container.attachMedia "music" true
// container.attachMedia "photo" true
// container.attachMedia "porn" true
// container.attachMedia "show" true
// container.attachMedia "study" true
// container.attachMedia "work" true
// container.attachMedia "youtube" true
;
systemd.services.jellyfin.serviceConfig.MemoryLimit = memLimit;
allowedDevices = [
{
modifier = "rwm";
node = "/dev/dri";
}
];
config = { ... }: container.mkContainerConfig cfg {
services.jellyfin = {
enable = true;
cacheDir = "/var/cache/jellyfin";
dataDir = "/var/lib/jellyfin";
};
systemd.services.jellyfin.serviceConfig.MemoryLimit = cfg.memLimit;
};
};
};
}

68
container/Yt.nix
View file

@ -1,26 +1,50 @@
{ container, pkgs, ... } @args: let
cfg = container.config.yt;
{ container, pkgs, lib, config, ... }: with lib; let
cfg = config.container.module.yt;
in {
containers.yt = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
services.invidious = {
enable = true;
domain = cfg.domain;
port = cfg.port;
nginx.enable = false;
database = {
port = container.config.postgres.port;
host = container.config.postgres.address;
createLocally = false;
passwordFile = "${pkgs.writeText "InvidiousDbPassword" "invidious"}";
};
settings = {
admins = [ "root" ];
captcha_enabled = false;
check_tables = true;
registration_enabled = false;
external_port = 443;
https_only = true;
options = {
container.module.yt = {
enable = mkEnableOption "YouTube frontend.";
address = mkOption {
default = "10.1.0.19";
type = types.str;
};
port = mkOption {
default = 3000;
type = types.int;
};
domain = mkOption {
default = "yt.${config.container.domain}";
type = types.str;
};
storage = mkOption {
default = "${config.container.storage}/yt";
type = types.str;
};
};
};
config = mkIf cfg.enable {
containers.yt = container.mkContainer cfg {
config = { ... }: container.mkContainerConfig cfg {
services.invidious = {
enable = true;
domain = cfg.domain;
port = cfg.port;
nginx.enable = false;
database = {
port = config.container.module.postgres.port;
host = config.container.module.postgres.address;
createLocally = false;
passwordFile = "${pkgs.writeText "InvidiousDbPassword" "invidious"}";
};
settings = {
admins = [ "root" ];
captcha_enabled = false;
check_tables = true;
registration_enabled = false;
external_port = 443;
https_only = true;
};
};
};
};

285
container/default.nix
View file

@ -1,246 +1,55 @@
{ lib
, const
, host
, storage
, domain
, media
, pkgs
, ... }: {
inherit host;
{ lib, config, ... }: with lib; let
cfg = config.container;
in {
options = {
container = {
enable = mkEnableOption "Containers!!";
# Common configuration for all the containers.
mkContainer = config: cfg: lib.recursiveUpdate {
# Start containers with the system by default.
autoStart = true;
# IP Address of the host. This is required for container to have access to the Internet.
hostAddress = host;
# Container's IP address.
localAddress = config.address;
# Isolate container from other hosts.
privateNetwork = true;
} cfg;
# Common configuration for the system inside the container.
mkContainerConfig = config: cfg: lib.recursiveUpdate {
# HACK: Do not evaluate nixpkgs inside the container. Use host's instead.
nixpkgs.pkgs = lib.mkForce pkgs;
# Release version.
system.stateVersion = const.stateVersion;
# Allow passwordless login as root.
users.users.root.password = "";
users.mutableUsers = false;
networking = {
# Default DNS servers.
nameservers = [
"1.1.1.1"
];
# HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
# Disable firewall.
firewall.enable = false;
};
} cfg;
# Create a directory on the host for container use.
mkContainerDir = cfg: dirs: map (path: "d '${cfg.storage}/${path}' 1777 root root - -") dirs;
# Common configuration for Nginx server.
mkServer = cfg: lib.recursiveUpdate {
forceSSL = false;
} cfg;
# Attach the host media directory to container.
# They will be added to /type/{0..9}
attachMedia = type: paths: ro: builtins.listToAttrs (lib.imap0 (i: path:
{
name = "/${type}/${toString i}";
value = {
hostPath = path;
isReadOnly = ro;
autoStart = mkOption {
default = true;
type = types.bool;
};
}
) paths);
# Range of local addresses who have access to sensitive paths like admin panels.
# Other addresses will get 403.
localAccess = "192.168.1.0/24";
host = mkOption {
default = "0.0.0.0";
type = types.str;
};
# Per-container configurations.
config = {
camera = {
address = "192.168.2.249";
domain = "camera.${domain}";
port = "554";
localAccess = mkOption {
default = "0.0.0.0";
type = types.str;
};
storage = mkOption {
default = "/tmp/container";
type = types.str;
};
domain = mkOption {
default = "local";
type = types.str;
};
interface = mkOption {
default = "lo";
type = types.str;
};
media = mkOption {
default = {};
type = types.attrs;
};
};
change = {
address = "10.1.0.41";
port = 5000;
domain = "change.${domain}";
storage = "${storage}/change";
};
cloud = {
address = "10.1.0.13";
port = 80;
domain = "cloud.${domain}";
storage = "${storage}/cloud";
};
ddns = {
address = "10.1.0.31";
port = 53;
storage = "${storage}/ddns";
};
dns = {
address = "10.1.0.6";
};
download = {
inherit (media) download;
address = "10.1.0.12";
port = 8112;
domain = "download.${domain}";
storage = "${storage}/download";
};
git = {
address = "10.1.0.8";
port = 3000;
domain = "git.${domain}";
storage = "${storage}/git";
};
hdd = {
address = "10.1.0.10";
port = 8080;
domain = "hdd.${domain}";
storage = "${storage}/hdd";
};
home = {
address = "10.1.0.18";
port = 80;
domain = "home.${domain}";
};
iot = {
inherit (media) photo;
address = "10.1.0.27";
domain = "iot.${domain}";
port = 8123;
storage = "${storage}/iot";
};
jobber = {
address = "10.1.0.32";
storage = "${storage}/jobber";
};
mail = {
address = "10.1.0.5";
domain = "mail.${domain}";
port = 80;
storage = "${storage}/mail";
};
office = {
address = "10.1.0.21";
domain = "office.${domain}";
port = 8000;
storage = "${storage}/office";
};
paper = {
inherit (media) paper;
address = "10.1.0.40";
domain = "paper.${domain}";
port = 28981;
storage = "${storage}/paper";
};
pass = {
address = "10.1.0.9";
domain = "pass.${domain}";
port = 8000;
storage = "${storage}/pass";
};
paste = {
address = "10.1.0.14";
domain = "paste.${domain}";
port = 80;
storage = "${storage}/paste";
};
print = {
domain = "print.${domain}";
address = "10.1.0.46";
port = 631;
storage = "${storage}/print";
};
printer = {
address = "192.168.2.237";
domain = "printer.${domain}";
port = 80;
};
proxy = {
address = "10.1.0.2";
port = 443;
storage = "${storage}/proxy";
};
postgres = {
address = "10.1.0.3";
port = 5432;
storage = "${storage}/postgres";
};
rabbitmq = {
address = "10.1.0.28";
port = 5672;
storage = "${storage}/rabbitmq";
};
read = {
inherit (media) book manga;
address = "10.1.0.39";
domain = "read.${domain}";
port = 5000;
storage = "${storage}/read";
};
redis = {
address = "10.1.0.38";
port = 6379;
};
router = {
address = "192.168.1.1";
domain = "router.${domain}";
port = 80;
};
search = {
address = "10.1.0.26";
domain = "search.${domain}";
port = 8080;
};
status = {
address = "10.1.0.22";
domain = "status.${domain}";
port = 3001;
storage = "${storage}/status";
};
stock = {
address = "10.1.0.45";
domain = "stock.${domain}";
port = 80;
storage = "${storage}/stock";
};
vpn = {
address = "10.1.0.23";
port = 51820;
storage = "${storage}/vpn";
};
watch = {
inherit (media) anime download movie music photo porn show study work youtube;
address = "10.1.0.11";
domain = "watch.${domain}";
port = 8096;
storage = "${storage}/watch";
};
yt = {
address = "10.1.0.19";
domain = "yt.${domain}";
port = 3000;
};
config = mkIf cfg.enable {
# This is the network for all the containers.
# They are not available to the external interface by default,
# instead they all expose specific ports in their configuration.
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = config.container.interface;
};
};
}

45
container/homer/Config.nix
View file

@ -1,4 +1,4 @@
{ pkgs, container, ... }: let
{ pkgs, config, ... }: let
iconTheme = "fa-solid";
mkGroup = name: icon: items: {
@ -12,7 +12,7 @@
target = "_blank";
};
config = {
cfg = {
title = "Dashboard";
subtitle = "Home";
header = false;
@ -41,33 +41,32 @@
};
links = [
(mkLink "Status" "fa-heartbeat" "https://status.voronind.com")
(mkLink "Status" "fa-heartbeat" "https://${config.container.module.status.domain}")
];
services = [
(mkGroup "App" "fa-server" [
(mkLink "Change" "fa-user-secret" "https://${container.config.change.domain}")
(mkLink "Cloud" "fa-cloud" "https://${container.config.cloud.domain}")
(mkLink "Download" "fa-download" "https://${container.config.download.domain}")
(mkLink "Git" "fab fa-git-alt" "https://${container.config.download.domain}")
(mkLink "Iot" "fa-home" "https://${container.config.iot.domain}")
(mkLink "Mail" "fa-envelope" "https://${container.config.mail.domain}")
(mkLink "Paper" "fa-paperclip" "https://${container.config.paper.domain}")
(mkLink "Pass" "fa-key" "https://${container.config.pass.domain}")
(mkLink "Paste" "fa-paste" "https://${container.config.paste.domain}/s")
(mkLink "Print" "fa-print" "https://${container.config.print.domain}")
(mkLink "Read" "fa-book" "https://${container.config.read.domain}")
(mkLink "Search" "fa-search" "https://${container.config.search.domain}")
(mkLink "Stock" "fa-boxes-stacked" "https://${container.config.stock.domain}")
(mkLink "Watch" "fa-film" "https://${container.config.watch.domain}")
(mkLink "YouTube" "fab fa-youtube" "https://${container.config.yt.domain}")
(mkLink "Change" "fa-user-secret" "https://${config.container.module.change.domain}")
(mkLink "Cloud" "fa-cloud" "https://${config.container.module.cloud.domain}")
(mkLink "Download" "fa-download" "https://${config.container.module.download.domain}")
(mkLink "Git" "fab fa-git-alt" "https://${config.container.module.download.domain}")
(mkLink "Iot" "fa-home" "https://${config.container.module.iot.domain}")
(mkLink "Mail" "fa-envelope" "https://${config.container.module.mail.domain}")
(mkLink "Paper" "fa-paperclip" "https://${config.container.module.paper.domain}")
(mkLink "Pass" "fa-key" "https://${config.container.module.pass.domain}")
(mkLink "Paste" "fa-paste" "https://${config.container.module.paste.domain}/s")
(mkLink "Print" "fa-print" "https://${config.container.module.print.domain}")
(mkLink "Read" "fa-book" "https://${config.container.module.read.domain}")
(mkLink "Search" "fa-search" "https://${config.container.module.search.domain}")
(mkLink "Stock" "fa-boxes-stacked" "https://${config.container.module.stock.domain}")
(mkLink "Watch" "fa-film" "https://${config.container.module.watch.domain}")
(mkLink "YouTube" "fab fa-youtube" "https://${config.container.module.yt.domain}")
])
(mkGroup "System" "fa-shield" [
(mkLink "Camera" "fa-camera" "https://${container.config.camera.domain}")
# (mkLink "Hdd" "fa-hard-drive" "https://${container.config.hdd.domain}")
(mkLink "Camera" "fa-camera" "https://camera.${config.container.domain}")
(mkLink "NixOS Search" "fa-snowflake" "https://search.nixos.org")
(mkLink "Printer" "fa-print" "https://${container.config.printer.domain}")
(mkLink "Router" "fa-route" "https://${container.config.router.domain}")
(mkLink "Printer" "fa-print" "https://printer.${config.container.domain}")
(mkLink "Router" "fa-route" "https://router.${config.container.domain}")
])
(mkGroup "Bookmark" "fa-bookmark" [
(mkLink "2gis" "fa-map-location-dot" "https://2gis.ru")
@ -96,5 +95,5 @@
];
};
in {
file = (pkgs.formats.yaml {}).generate "HomerConfig" config;
file = (pkgs.formats.yaml {}).generate "HomerConfig" cfg;
}

2
container/homer/default.nix
View file

@ -1,4 +1,4 @@
{ stdenv, pkgs, ... } @args: let
{ stdenv, pkgs, config, ... } @args: let
cfg = (import ./Config.nix args).file;
in stdenv.mkDerivation (finalAttrs: {
pname = "Homer";

4
container/pastebin/Config.nix
View file

@ -1,4 +1,4 @@
{ util, container, ... }: {
{ util, config, ... }: {
text = util.trimTabs ''
;<?php http_response_code(403); /*
; config file for PrivateBin
@ -220,7 +220,7 @@
; example of DB configuration for PostgreSQL
class = Database
[model_options]
dsn = "pgsql:host=${container.config.postgres.address};dbname=privatebin"
dsn = "pgsql:host=${config.container.module.postgres.address};dbname=privatebin"
tbl = "privatebin_" ; table prefix
usr = "privatebin"
pwd = "privatebin"

2
container/pastebin/default.nix
View file

@ -1,4 +1,4 @@
{ php, pkgs, util, ... } @args: let
{ php, pkgs, util, config, ... } @args: let
cfg = pkgs.writeText "PrivateBinConfig" (import ./Config.nix args).text;
in php.buildComposerProject (finalAttrs: {
pname = "PrivateBin";

20
container/proxy/host/Camera.nix
View file

@ -1,20 +1,22 @@
{ domain, util, container, ... }: let
cfg = container.config.camera;
{ util, config, lib, container, ... }: let
domain = "camera.${config.container.domain}";
address = "192.168.2.249";
port = 554;
in {
${cfg.domain} = container.mkServer {
${domain} = container.mkServer {
extraConfig = util.trimTabs ''
listen 443 ssl;
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
return 301 rtsp://${cfg.address}:${cfg.port}/live/main;
return 301 rtsp://${address}:${toString port}/live/main;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Change.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.change;
{ util, config, container, ... }: let
cfg = config.container.module.change;
name = "change";
in {
${cfg.domain} = container.mkServer {
@ -8,9 +8,9 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
@ -18,8 +18,8 @@ in {
add_header Referrer-Policy 'origin';
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Cloud.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.cloud;
{ util, config, container, ... }: let
cfg = config.container.module.cloud;
name = "cloud";
in {
${cfg.domain} = container.mkServer {
@ -8,9 +8,9 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location ~ ^/(settings/admin|settings/users|settings/apps|login|api) {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
@ -19,8 +19,8 @@ in {
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Download.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.download;
{ util, config, container, ... }: let
cfg = config.container.module.download;
name = "download";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

22
container/proxy/host/Git.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.git;
{ util, container, config, ... }: let
cfg = config.container.module.git;
name = "git";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location ~ ^/(admin|api|user) {
allow ${container.localAccess};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
location /markdown {
allow ${container.localAccess};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.vpn.address};
deny all;
proxy_set_header Content-Type "application/json";
@ -29,15 +29,15 @@ in {
}
location / {
# allow ${container.localAccess};
# allow ${container.config.status.address};
# allow ${container.config.vpn.address};
# allow ${config.container.localAccess};
# allow ${config.container.module.status.address};
# allow ${config.container.module.vpn.address};
# deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Hdd.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.hdd;
{ util, container, config, ... }: let
cfg = config.container.module.hdd;
name = "hdd";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Home.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.home;
{ util, config, container, ... }: let
cfg = config.container.module.home;
name = "home";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Iot.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.iot;
{ util, container, config, ... }: let
cfg = config.container.module.iot;
name = "iot";
in {
${cfg.domain} = container.mkServer {
@ -8,9 +8,9 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -22,8 +22,8 @@ in {
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Mail.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.mail;
{ util, container, config, ... }: let
cfg = config.container.module.mail;
name = "mail";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Office.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.office;
{ util, container, config, ... }: let
cfg = config.container.module.office;
name = "office";
in {
${cfg.domain} = container.mkServer {
@ -8,16 +8,16 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
# allow ${container.localAccess};
# allow ${container.config.status.address};
# allow ${container.config.vpn.address};
# allow ${config.container.localAccess};
# allow ${config.container.module.status.address};
# allow ${config.container.module.vpn.address};
# deny all;
add_header X-Forwarded-Proto https;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Paper.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.paper;
{ util, container, config, ... }: let
cfg = config.container.module.paper;
name = "paper";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Pass.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.pass;
{ util, container, config, ... }: let
cfg = config.container.module.pass;
name = "pass";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

8
container/proxy/host/Paste.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.paste;
{ util, container, config, ... }: let
cfg = config.container.module.paste;
name = "paste";
in {
${cfg.domain} = container.mkServer {
@ -15,8 +15,8 @@ in {
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Print.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.print;
{ util, container, config, ... }: let
cfg = config.container.module.print;
name = "print";
in {
${cfg.domain} = container.mkServer {
@ -8,9 +8,9 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
@ -20,8 +20,8 @@ in {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

22
container/proxy/host/Printer.nix
View file

@ -1,22 +1,24 @@
{ domain, util, container, ... }: let
cfg = container.config.printer;
name = "printer";
{ util, container, config, ... }: let
address = "192.168.2.237";
domain = "printer.${config.container.domain}";
port = 80;
name = "printer";
in {
${cfg.domain} = container.mkServer {
${domain} = container.mkServer {
extraConfig = util.trimTabs ''
listen 443 ssl;
set ''$${name} ${cfg.address}:${toString cfg.port};
set ''$${name} ${address}:${toString port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Read.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.read;
{ util, container, config, ... }: let
cfg = config.container.module.read;
name = "read";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

22
container/proxy/host/Router.nix
View file

@ -1,22 +1,24 @@
{ domain, util, container, ... }: let
cfg = container.config.router;
name = "router";
{ util, container, config, ... }: let
address = "192.168.1.1";
domain = "router.${config.container.domain}";
port = 80;
name = "router";
in {
${cfg.domain} = container.mkServer {
${domain} = container.mkServer {
extraConfig = util.trimTabs ''
listen 443 ssl;
set ''$${name} ${cfg.address}:${toString cfg.port};
set ''$${name} ${address}:${toString port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Search.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.search;
{ util, container, config, ... }: let
cfg = config.container.module.search;
name = "search";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

16
container/proxy/host/Status.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.status;
{ util, container, config, ... }: let
cfg = config.container.module.status;
name = "sstatus";
in {
${cfg.domain} = container.mkServer {
@ -8,21 +8,21 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location ~ ^/(dashboard|settings) {
allow ${container.localAccess};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
location / {
allow ${container.localAccess};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Stock.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.stock;
{ util, container, config, ... }: let
cfg = config.container.module.stock;
name = "stock";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Watch.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.watch;
{ util, container, config, ... }: let
cfg = config.container.module.watch;
name = "watch";
in {
${cfg.domain} = container.mkServer {
@ -8,15 +8,15 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

14
container/proxy/host/Yt.nix
View file

@ -1,5 +1,5 @@
{ domain, util, container, ... }: let
cfg = container.config.yt;
{ util, container, config, ... }: let
cfg = config.container.module.yt;
name = "yt";
in {
${cfg.domain} = container.mkServer {
@ -8,9 +8,9 @@ in {
set ''$${name} ${cfg.address}:${toString cfg.port};
location / {
allow ${container.localAccess};
allow ${container.config.status.address};
allow ${container.config.vpn.address};
allow ${config.container.localAccess};
allow ${config.container.module.status.address};
allow ${config.container.module.vpn.address};
deny all;
proxy_pass http://''$${name}$request_uri;
@ -25,8 +25,8 @@ in {
proxy_hide_header X-Content-Type-Options;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
'';

255
flake.nix
View file

@ -137,182 +137,85 @@
url = "https://git.voronind.com/voronind/nixos.git";
};
# Common modules used across all the hosts.
nixosModules.common = let
# This function allows me to get the list of all the files from the directories I need.
# It differs from the util.ls function because it also filters out all the directories.
nixosConfigurations = let
# List all files in a dir.
lsFiles = path: map (f: "${path}/${f}") (
builtins.filter (i: builtins.readFileType "${path}/${i}" == "regular") (
builtins.attrNames (builtins.readDir path)
)
);
in {
# Here I import everything from those directories.
imports = (lsFiles ./module/common) ++ (lsFiles ./overlay) ++ [
./part/Setting.nix
./user/Root.nix
];
};
# Function to create a host. It does basic setup, like adding common modules.
mkHost = { system, hostname, modules } @args: nixpkgs.lib.nixosSystem {
# `Inherit` is just an alias for `system = system;`, which means that
# keep the `system` argument as a property in a resulting set.
inherit system;
# Function to create a host. It does basic setup, like adding common modules.
mkHost = { system, hostname, modules } @args: nixpkgs.lib.nixosSystem {
# `Inherit` is just an alias for `system = system;`, which means that
# keep the `system` argument as a property in a resulting set.
inherit system;
# List of modules to use by defualt for all the hosts.
modules = [
# There I put host-specific configurations.
./host/${hostname}
# List of modules to use by defualt for all the hosts.
modules = modules ++ [
# There I put host-specific configurations.
./host/${hostname}
# Make a device hostname match the one from this config.
{ networking.hostName = hostname; }
# Make a device hostname match the one from this config.
{ networking.hostName = hostname; }
# Specify current release version.
{ system.stateVersion = self.const.stateVersion; }
# Specify current release version.
{ system.stateVersion = self.const.stateVersion; }
# Add common modules.
inputs.self.nixosModules.common
# Add modules.
{ imports =
(lsFiles ./container) ++
(lsFiles ./module) ++
(lsFiles ./module/common) ++
(lsFiles ./module/desktop) ++
(lsFiles ./overlay) ++
(lsFiles ./user);
}
# Add Home Manager module.
home-manager.nixosModules.home-manager
# Add Home Manager module.
home-manager.nixosModules.home-manager
# Add Stylix module.
stylix.nixosModules.stylix
]
# Also add host-specific modules from mkHost args.
++ modules;
# Add Stylix module.
stylix.nixosModules.stylix
];
# SpecialArgs allows you to pass objects down to other NixOS modules.
specialArgs = let
pkgs = nixpkgs.legacyPackages.${system}.pkgs;
lib = nixpkgs.lib;
config = self.nixosConfigurations.${hostname}.config;
# SpecialArgs allows you to pass objects down to other NixOS modules.
specialArgs = let
pkgs = nixpkgs.legacyPackages.${system}.pkgs;
lib = nixpkgs.lib;
config = self.nixosConfigurations.${hostname}.config;
pkgsJobber = nixpkgsJobber.legacyPackages.${system}.pkgs;
pkgsStable = nixpkgsJobber.legacyPackages.${system}.pkgs;
pkgsMaster = nixpkgsJobber.legacyPackages.${system}.pkgs;
in {
const = self.const; # Constant values.
flake = self; # This Flake itself.
inputs = inputs; # Our dependencies.
secret = import ./part/Secret.nix {}; # Secrets (public keys).
style = import ./part/Style.nix { inherit config; }; # Style abstraction.
util = import ./part/Util.nix { inherit pkgs lib; }; # Util functions.
wallpaper = import ./part/Wallpaper.nix { inherit pkgs; }; # Wallpaper.
pkgsJobber = nixpkgsJobber.legacyPackages.${system}.pkgs;
pkgsStable = nixpkgsJobber.legacyPackages.${system}.pkgs;
pkgsMaster = nixpkgsJobber.legacyPackages.${system}.pkgs;
# Stable and Master pkgs.
inherit pkgsStable pkgsMaster;
secret = import ./secret {}; # Secrets (public keys).
container = import ./lib/Container.nix { inherit lib pkgs config; inherit (self) const; }; # Container utils.
util = import ./lib/Util.nix { inherit pkgs lib; }; # Util functions.
in {
flake = self;
# Stuff for Jobber container, skip this part.
inherit poetry2nixJobber pkgsJobber;
inherit secret container util inputs;
inherit (self) const;
# Stable and Master pkgs.
inherit pkgsStable pkgsMaster;
# Stuff for Jobber container, skip this part.
inherit poetry2nixJobber pkgsJobber;
};
};
};
# Bellow is the list of all the hosts I currently use.
# They call the `mkHost` function that I defined above
# with their specific parameters.
# You might be interested in `live` and `nixOnDroidConfiguration`
# for Live ISO and Android configurations respectively.
nixosConfigurations.basic = self.mkHost {
hostname = "basic"; # Hostname to use.
system = "x86_64-linux"; # System architecture.
mkSystem = hostname: system: modules: {
"${hostname}" = mkHost {
inherit hostname system modules;
};
};
# Host-specific modules.
modules = [
# Force LTS kernel.
({ pkgs, ... }: { boot.kernelPackages = nixpkgs.lib.mkForce pkgs.linuxPackages; })
];
};
nixosConfigurations.dasha = self.mkHost {
hostname = "dasha";
system = "x86_64-linux";
modules = [
./module/AmdGpu.nix
./module/CapsToggle.nix
# ./module/Gnome.nix
./module/IntelCpu.nix
./module/PowersaveIntel.nix
./module/Print.nix
./module/RemoteBuild.nix
./module/StrongSwan.nix
./module/Sway.nix
./module/Tablet.nix
./user/Dasha.nix
];
};
nixosConfigurations.desktop = self.mkHost {
hostname = "desktop";
system = "x86_64-linux";
modules = [
./module/AmdCompute.nix
./module/AmdCpu.nix
./module/AmdGpu.nix
./module/Docker.nix
./module/Ollama.nix
./module/PowersaveAmd.nix
./module/Print.nix
./module/RemoteBuild.nix
./module/Sway.nix
./module/VirtManager.nix
./user/Voronind.nix
];
};
nixosConfigurations.fsight = self.mkHost {
hostname = "fsight";
system = "x86_64-linux";
modules = [
./module/Docker.nix
];
};
nixosConfigurations.home = self.mkHost {
hostname = "home";
system = "x86_64-linux";
modules = [
./module/AmdCpu.nix
./module/AmdGpu.nix
./module/Ftpd.nix
./module/RemoteBuilder.nix
./module/Sway.nix
./user/Voronind.nix
];
};
nixosConfigurations.laptop = self.mkHost {
hostname = "laptop";
system = "x86_64-linux";
modules = [
./module/AmdCpu.nix
./module/AmdGpu.nix
./module/CapsToggle.nix
./module/Gnome.nix
./module/PowersaveAmd.nix
./module/Print.nix
./module/RemoteBuild.nix
./module/StrongSwan.nix
./module/Tablet.nix
./user/Dasha.nix
./user/Voronind.nix
];
};
# Live ISO configuration.
nixosConfigurations.live = self.mkHost {
hostname = "live";
system = "x86_64-linux";
modules = [
# Those are basic modules for Live ISO image.
# You can discover other possible base images here:
# https://github.com/NixOS/nixpkgs/tree/master/nixos/modules/installer/cd-dvd
liveModules = [
"${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
"${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# This is required for Live ISO in my case because I use NetworkManager,
# but base Live images require this.
{ networking.wireless.enable = nixpkgs.lib.mkForce false; }
# Override my settings to allow SSH logins using root password.
@ -320,27 +223,29 @@
{ services.openssh.settings.PermitRootLogin = nixpkgs.lib.mkForce "yes"; }
# Disable auto-updates as they are not possible for Live ISO.
{ systemd.services.autoupdate.enable = nixpkgs.lib.mkForce false; }
{ systemd.timers.autoupdate.enable = nixpkgs.lib.mkForce false; }
{ module.common.autoupdate.enable = false; }
# Base Live images also require the LTS kernel.
({ pkgs, ... }: { boot.kernelPackages = nixpkgs.lib.mkForce pkgs.linuxPackages; })
{ module.common.kernel.latest = false; }
];
};
nixosConfigurations.work = self.mkHost {
hostname = "work";
system = "x86_64-linux";
modules = [
./module/IntelCpu.nix
./module/PowerlimitThinkpad.nix
./module/PowersaveIntel.nix
./module/Print.nix
./module/RemoteBuild.nix
./module/Sway.nix
./user/Voronind.nix
];
};
x86System = hostname: mkSystem hostname "x86_64-linux" [];
x86LiveSystem = hostname: mkSystem hostname "x86_64-linux" liveModules;
in
# Bellow is the list of all the hosts I currently use.
# They call the `mkSystem` function that I defined above
# with their specific parameters.
# You might be interested in `live` and `nixOnDroidConfiguration`
# for Live ISO and Android configurations respectively.
(x86System "dasha") //
(x86System "desktop") //
(x86System "fsight") //
(x86System "home") //
(x86System "laptop") //
(x86System "work") //
(x86LiveSystem "live")
;
# Android.
nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
@ -348,9 +253,6 @@
# Android release version.
{ system.stateVersion = inputs.self.const.droidStateVersion; }
# Common settings.
./part/Setting.nix
# I put all my Android configuration there.
./android
];
@ -364,9 +266,8 @@
const = self.const; # Constant values.
flake = self; # This Flake itself.
inputs = inputs; # Our dependencies.
secret = import ./part/Secret.nix {}; # Secrets (public keys).
style = import ./part/Style.nix { config = import ./part/style/Gruvbox.nix {}; }; # Style abstraction. Stylix is not available for Android so I provide static Gruvbox style.
util = import ./part/Util.nix { inherit pkgs lib; }; # Util functions.
secret = import ./lib/Secret.nix {}; # Secrets (public keys).
util = import ./lib/Util.nix { inherit pkgs lib; }; # Util functions.
};
};
};

5
host/basic/default.nix
View file

@ -1,5 +0,0 @@
# Basic host is a dummy and has no specific configuration.
# I don't really need it, this is just a failsafe that I can definitely install and run.
{ ... }: {
imports = [ ];
}

14
host/dasha/default.nix
View file

@ -3,7 +3,15 @@
./Filesystem.nix
];
# Disable keyd.
# services.keyd.enable = lib.mkForce false;
# systemd.services.keyd-application-mapper.enable = lib.mkForce false;
user.dasha.enable = true;
module = {
amd.gpu.enable = true;
builder.client.enable = true;
desktop.sway.enable = true;
intel.cpu.enable = true;
print.enable = true;
strongswan.enable = true;
tablet.enable = true;
};
}

29
host/desktop/default.nix
View file

@ -3,8 +3,29 @@
./Filesystem.nix
];
# Disable docker service.
systemd.services.docker-prune.enable = lib.mkForce false;
systemd.services.docker.enable = lib.mkForce false;
systemd.sockets.docker.enable = lib.mkForce false;
user.voronind.enable = true;
module = {
builder.client.enable = true;
desktop.sway.enable = true;
print.enable = true;
virtmanager.enable = true;
amd = {
compute.enable = true;
cpu.enable = true;
gpu.enable = true;
};
docker = {
enable = true;
autostart = false;
rootless = false;
};
ollama = {
enable = true;
models = [
"llama3"
"llama3:70b"
];
};
};
}

2
host/fsight/default.nix
View file

@ -3,4 +3,6 @@
./Grub.nix
./Root.nix
];
module.docker.enable = true;
}

107
host/home/Container.nix
View file

@ -1,27 +1,40 @@
{ pkgs
, const
, lib
, config
, util
, poetry2nixJobber
, pkgsJobber
, pkgsMaster
, pkgsStable
, ... }: let
args = let
# Path where all the container data will be stored.
storage = "/storage/hot/container";
{ ... }: {
container = {
enable = true;
# Domain used to host stuff. All the services will be like `service.${domain}`.
domain = "voronind.com";
module = {
change.enable = true;
cloud.enable = true;
ddns.enable = true;
dns.enable = true;
download.enable = true;
git.enable = true;
# ISSUE: hdd.enable = true;
home.enable = true;
iot.enable = true;
jobber.enable = true;
mail.enable = true;
# ISSUE: office.enable = true;
paper.enable = true;
pass.enable = true;
paste.enable = true;
postgres.enable = true;
proxy.enable = true;
rabbitmq.enable = true;
read.enable = true;
redis.enable = true;
search.enable = true;
status.enable = true;
stock.enable = true;
vpn.enable = true;
watch.enable = true;
yt.enable = true;
};
# External IP address of the host, where all the services will listen to.
host = "192.168.1.2";
# External interface where all the services will listen on.
externalInterface = "enp7s0";
# Paths to media content. Later they can be plugged to the containers using the `attachMedia "photo"` function.
storage = "/storage/hot/container";
domain = "voronind.com";
host = "192.168.1.2";
interface = "enp7s0";
media = {
anime = [ "/storage/cold_1/media/anime" "/storage/cold_2/media/anime" ];
book = [ "/storage/hot/media/book" ];
@ -31,59 +44,11 @@
music = [ "/storage/cold_2/media/music" ];
paper = [ "/storage/hot/media/paper" ];
porn = [ "/storage/cold_2/media/porn" ];
photo = [ "${storage}/cloud/data/data/cakee/files/media/photo" "/storage/cold_1/backup/tmp/photo" ];
photo = [ "/storage/hot/container/cloud/data/data/cakee/files/media/photo" "/storage/cold_1/backup/tmp/photo" ];
show = [ "/storage/cold_1/media/show" "/storage/cold_2/media/show" ];
study = [ "/storage/cold_1/media/study" "/storage/cold_2/media/study" ];
work = [ "/storage/cold_2/media/work" ];
youtube = [ "/storage/cold_1/media/youtube" "/storage/cold_2/media/youtube" ];
};
in {
# Pass all the arguments further.
inherit storage domain host pkgs const lib config util media externalInterface;
inherit poetry2nixJobber pkgsJobber;
inherit pkgsMaster pkgsStable;
# Pass the global container configuration.
container = import ../../container args;
};
in {
# List of containers enabled on this host.
imports = [
(import ../../container/Change.nix args)
(import ../../container/Cloud.nix args)
(import ../../container/Ddns.nix args)
(import ../../container/Dns.nix args)
(import ../../container/Download.nix args)
(import ../../container/Git.nix args)
# (import ../../container/Hdd.nix args)
(import ../../container/Home.nix args)
(import ../../container/Iot.nix args)
(import ../../container/Jobber.nix args)
(import ../../container/Mail.nix args)
(import ../../container/Office.nix args)
(import ../../container/Paper.nix args)
(import ../../container/Pass.nix args)
(import ../../container/Paste.nix args)
(import ../../container/Postgres.nix args)
(import ../../container/Print.nix args)
(import ../../container/Proxy.nix args)
(import ../../container/Rabbitmq.nix args)
(import ../../container/Read.nix args)
(import ../../container/Redis.nix args)
(import ../../container/Search.nix args)
(import ../../container/Status.nix args)
(import ../../container/Stock.nix args)
(import ../../container/Vpn.nix args)
(import ../../container/Watch.nix args)
(import ../../container/Yt.nix args)
];
# This is the network for all the containers.
# They are not available to the external interface by default,
# instead they all expose specific ports in their configuration.
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
inherit (args) externalInterface;
};
}

20
host/home/default.nix
View file

@ -1,4 +1,4 @@
{ lib, ... }: {
{ ... }: {
imports = [
./Backup.nix
./Container.nix
@ -7,7 +7,21 @@
./Photoprocess.nix
];
user.voronind.enable = true;
module = {
builder.server.enable = true;
desktop.sway.enable = true;
ftpd = {
enable = true;
storage = "/storage/hot/ftp";
};
amd = {
cpu.enable = true;
gpu.enable = true;
};
};
# Disable auto-switch.
systemd.services.autoupdate.enable = lib.mkForce false;
systemd.timers.autoupdate.enable = lib.mkForce false;
module.common.autoupdate.enable = false;
}

17
host/laptop/default.nix
View file

@ -2,4 +2,21 @@
imports = [
./Filesystem.nix
];
user = {
dasha.enable = true;
voronind.enable = true;
};
module = {
builder.client.enable = true;
print.enable = true;
strongswan.enable = true;
tablet.enable = true;
amd = {
compute.enable = true;
cpu.enable = true;
gpu.enable = true;
};
};
}

4
host/live/default.nix
View file

@ -1,3 +1 @@
{ ... }: {
imports = [ ];
}
{ ... }: { }

10
host/work/default.nix
View file

@ -5,4 +5,14 @@
# Keyd Print to Macro remap.
services.keyd.keyboards.default.settings.main.print = "layer(layer_macro)";
user.voronind.enable = true;
module = {
builder.client.enable = true;
desktop.sway.enable = true;
intel.cpu.enable = true;
powerlimit.thinkpad.enable = true;
print.enable = true;
};
}

63
lib/Container.nix Normal file
View file

@ -0,0 +1,63 @@
{ lib, pkgs, const, config, ... }: {
mkContainer = cfg: extra: lib.recursiveUpdate {
# Start containers with the system by default.
autoStart = config.container.autoStart;
# IP Address of the host. This is required for container to have access to the Internet.
hostAddress = config.container.host;
# Container's IP address.
localAddress = cfg.address;
# Isolate container from other hosts.
privateNetwork = true;
} extra;
# Common configuration for the system inside the container.
mkContainerConfig = cfg: extra: lib.recursiveUpdate {
# HACK: Do not evaluate nixpkgs inside the container. Use host's instead.
nixpkgs.pkgs = lib.mkForce pkgs;
# Release version.
system.stateVersion = const.stateVersion;
# Allow passwordless login as root.
users = {
users.root.password = "";
mutableUsers = false;
};
networking = {
# Default DNS servers.
nameservers = [
"1.1.1.1"
];
# HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
# Disable firewall.
firewall.enable = false;
};
} extra;
# Create a directory on the host for container use.
mkContainerDir = cfg: dirs: map (path: "d '${cfg.storage}/${path}' 1777 root root - -") dirs;
# Common configuration for Nginx server.
mkServer = cfg: lib.recursiveUpdate {
forceSSL = false;
} cfg;
# Attach the host media directory to container.
# They will be added to /type/{0..9}
attachMedia = type: ro: builtins.listToAttrs (lib.imap0 (i: path:
{
name = "/${type}/${toString i}";
value = {
hostPath = path;
isReadOnly = ro;
};
}
) config.container.media.${type});
}

2
part/Util.nix → lib/Util.nix
View file

@ -30,4 +30,6 @@
stopIfChanged = false;
unitConfig.X-StopOnRemoval = false;
};
}

25
module/AmdCompute.nix
View file

@ -1,10 +1,17 @@
# AMD Rocm support (for Blender).
{ nixpkgs, pkgs, ... }: {
nixpkgs.config.rocmSupport = true;
systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"
];
hardware.opengl.extraPackages = with pkgs; [
rocmPackages.clr.icd
];
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.amd.compute;
in {
options = {
module.amd.compute.enable = mkEnableOption "Enable AMD Rocm support i.e. for Blender.";
};
config = mkIf cfg.enable {
nixpkgs.config.rocmSupport = true;
systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"
];
hardware.opengl.extraPackages = with pkgs; [
rocmPackages.clr.icd
];
};
}

30
module/AmdCpu.nix
View file

@ -1,5 +1,27 @@
# AMD CPU specific configuration.
{ lib, config, ... }: {
boot.kernelModules = [ "kvm-amd" ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.amd.cpu;
controlFile = "/sys/devices/system/cpu/cpufreq/boost";
enableCmd = "0";
disableCmd = "1";
in {
options = {
module.amd.cpu = {
enable = mkEnableOption "Enable AMD Cpu support.";
powersave.enable = mkEnableOption "Enable AMD Cpu powersave." // { default = true; };
};
};
config = mkIf cfg.enable (mkMerge [
{
boot.kernelModules = [ "kvm-amd" ];
hardware.cpu.amd.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
}
(mkIf cfg.powersave.enable {
module.powersave = {
enable = true;
cpu.boost = { inherit controlFile enableCmd disableCmd; };
};
})
]);
}

36
module/AmdGpu.nix
View file

@ -1,17 +1,23 @@
# AMD GPU specific configuration.
# No, I do not own any Nvidia/Intel GPUs, so I have no configuration for them.
{ nixpkgs, pkgs, ... }: {
boot.initrd.kernelModules = [ "amdgpu" ];
services.xserver.videoDrivers = [ "amdgpu" ];
hardware.opengl.driSupport = true;
hardware.opengl.driSupport32Bit = true;
environment.variables.AMD_VULKAN_ICD = "RADV";
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.amd.gpu;
in {
options = {
module.amd.gpu.enable = mkEnableOption "Enable AMD Gpu support.";
};
# AMDVLK was broken for me (huge stuttering). So keep it disabled, at least for now.
# hardware.opengl.extraPackages = with pkgs; [
# amdvlk
# ];
# hardware.opengl.extraPackages32 = with pkgs; [
# driversi686Linux.amdvlk
# ];
config = mkIf cfg.enable {
boot.initrd.kernelModules = [ "amdgpu" ];
services.xserver.videoDrivers = [ "amdgpu" ];
hardware.opengl.driSupport = true;
hardware.opengl.driSupport32Bit = true;
environment.variables.AMD_VULKAN_ICD = "RADV";
# AMDVLK was broken for me (huge stuttering). So keep it disabled, at least for now.
# hardware.opengl.extraPackages = with pkgs; [
# amdvlk
# ];
# hardware.opengl.extraPackages32 = with pkgs; [
# driversi686Linux.amdvlk
# ];
};
}

6
module/CapsToggle.nix
View file

@ -1,6 +0,0 @@
# Toggle language with CapsLock. My wife prefers this.
{ lib, ... }: {
services.xserver.xkb = {
options = lib.mkForce "grp:caps_toggle";
};
}

42
module/Docker.nix
View file

@ -1,3 +1,41 @@
{ ... }: {
virtualisation.docker.enable = true;
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.docker;
in {
options = {
module.docker = {
enable = mkEnableOption "Enable Cocker";
rootless = mkOption {
default = false;
type = types.bool;
};
autostart = mkOption {
default = true;
type = types.bool;
};
};
};
config = mkIf cfg.enable {
virtualisation.docker.enable = true;
virtualisation.docker.rootless = mkIf cfg.rootless {
enable = true;
setSocketVariable = true;
};
systemd.services.docker-prune.enable = mkForce cfg.autostart;
systemd.services.docker.enable = mkForce cfg.autostart;
systemd.sockets.docker.enable = mkForce cfg.autostart;
};
# NOTE: mkMerge example.
# config = mkIf cfg.enable (mkMerge [
# { virtualisation.docker.enable = true; }
# (mkIf cfg.rootless {
# virtualisation.docker.rootless = {
# enable = true;
# setSocketVariable = true;
# };
# })
# ]);
}

7
module/DockerRootless.nix
View file

@ -1,7 +0,0 @@
{ ... }: {
virtualisation.docker.enable = true;
virtualisation.docker.rootless = {
enable = true;
setSocketVariable = true;
};
}

44
module/Ftpd.nix
View file

@ -1,17 +1,31 @@
{ ... }: {
services.vsftpd = {
enable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUploadEnable = true;
anonymousMkdirEnable = true;
anonymousUmask = "000";
anonymousUserHome = "/storage/hot/ftp";
allowWriteableChroot = true;
writeEnable = true;
localUsers = false;
extraConfig = ''
anon_other_write_enable=YES
'';
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.ftpd;
in {
options = {
module.ftpd = {
enable = mkEnableOption "Enable FTP server";
storage = mkOption {
default = null;
type = types.str;
};
};
};
config = mkIf cfg.enable {
services.vsftpd = {
enable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUploadEnable = true;
anonymousMkdirEnable = true;
anonymousUmask = "000";
anonymousUserHome = cfg.storage;
allowWriteableChroot = true;
writeEnable = true;
localUsers = false;
extraConfig = ''
anon_other_write_enable=YES
'';
};
};
}

48
module/Gnome.nix
View file

@ -1,48 +0,0 @@
{ pkgs, lib, ... }: {
imports = [
./desktop/App.nix
./desktop/Dconf.nix
./desktop/DisplayManager.nix
./desktop/Sound.nix
./desktop/Wayland.nix
];
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
environment.systemPackages = with pkgs; [
gnome.gnome-tweaks # Gnome "hidden" settings.
openssl # It was needed for something, can't remember.
];
# Disable some Gnome apps.
services.gnome.gnome-keyring.enable = lib.mkForce false;
environment.gnome.excludePackages = with pkgs.gnome; [
# baobab # Disk usage analyzer.
# cheese # Photo booth.
# epiphany # Web browser.
# simple-scan # Document scanner.
# totem # Video player.
# yelp # Help viewer.
# file-roller # Archive manager.
# geary # Email client.
# seahorse # Password manager.
# gnome-calculator
# gnome-calendar
# gnome-characters
# gnome-clocks
# gnome-contacts
# gnome-font-viewer
# gnome-keyring
# gnome-logs
# gnome-maps
# gnome-music
# gnome-shell-extensions
gnome-software
# gnome-system-monitor
# gnome-weather
# gnome-disk-utility
# pkgs.gnome-text-editor
];
}

27
module/IntelCpu.nix
View file

@ -1,4 +1,27 @@
# Intel CPU specific configuration.
{ ... }: {
boot.kernelModules = [ "kvm-intel" ];
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.intel.cpu;
controlFile = "/sys/devices/system/cpu/intel_pstate/no_turbo";
enableCmd = "1";
disableCmd = "0";
in {
options = {
module.intel.cpu = {
enable = mkEnableOption "Support for Shintel CPUs";
powersave.enable = mkEnableOption "Enable Shintel Cpu powersave." // { default = true; };
};
};
config = mkIf cfg.enable (mkMerge [
{
boot.kernelModules = [ "kvm-intel" ];
}
(mkIf cfg.powersave.enable {
module.powersave = {
enable = true;
cpu.boost = { inherit controlFile enableCmd disableCmd; };
};
})
]);
}

75
module/Ollama.nix
View file

@ -1,37 +1,54 @@
# https://github.com/ollama/ollama
{ pkgsStable, lib, config, ... }: let
{ pkgsStable, lib, config, ... }: with lib; let
pkgs = pkgsStable;
cfg = config.module.ollama;
in {
environment = {
# Add Ollama CLI app.
systemPackages = with pkgs; [ ollama ];
# Specify default model.
variables.OLLAMA_MODEL = config.setting.ollama.primaryModel;
options = {
module.ollama = {
enable = mkEnableOption "Local LLM server";
primaryModel = mkOption {
default = "llama3";
type = types.str;
};
models = mkOption {
default = [ cfg.primaryModel ];
type = types.listOf types.str;
};
};
};
# Enable Ollama server.
systemd.services.ollama = {
description = "Ollama LLM server.";
wantedBy = [ "multi-user.target" ];
wants = [ "NetworkManager-wait-online.service" ];
after = [ "NetworkManager-wait-online.service" ];
serviceConfig.Type = "simple";
script = ''
HOME=/root ${lib.getExe pkgs.ollama} serve
'';
};
config = mkIf cfg.enable {
environment = {
# Add Ollama CLI app.
systemPackages = with pkgs; [ ollama ];
# Download Ollama models.
systemd.services.ollamamodel = {
description = "Ollama LLM model.";
wantedBy = [ "multi-user.target" ];
wants = [ "ollama.service" ];
after = [ "ollama.service" ];
serviceConfig.Type = "simple";
script = ''
sleep 5
${lib.getExe pkgs.ollama} pull ${config.setting.ollama.primaryModel}
'';
# Specify default model.
variables.OLLAMA_MODEL = cfg.primaryModel;
};
# Enable Ollama server.
systemd.services.ollama = {
description = "Ollama LLM server.";
wantedBy = [ "multi-user.target" ];
wants = [ "NetworkManager-wait-online.service" ];
after = [ "NetworkManager-wait-online.service" ];
serviceConfig.Type = "simple";
script = ''
HOME=/root ${getExe pkgs.ollama} serve
'';
};
# Download Ollama models.
systemd.services.ollamamodel = {
description = "Ollama LLM model.";
wantedBy = [ "multi-user.target" ];
wants = [ "ollama.service" ];
after = [ "ollama.service" ];
serviceConfig.Type = "simple";
script = ''
sleep 5
${getExe pkgs.ollama} pull ${concatStringsSep " " cfg.models}
'';
};
};
}

24
module/Podman.nix Normal file
View file

@ -0,0 +1,24 @@
{ lib, config, ... }: with lib; let
cfg = config.module.podman;
in {
options = {
module.podman = {
enable = mkEnableOption "OCI Podman.";
};
};
config = mkIf cfg.enable {
virtualisation = {
podman = {
enable = true;
# Free the 53 port ffs.
defaultNetwork.settings.dns_enabled = false;
# Do not interfere with Docker so we can have both installed at the same time.
# Podman can't replace Docker anyway.
dockerCompat = false;
};
};
};
}

85
module/PowerlimitThinkpad.nix
View file

@ -1,22 +1,79 @@
# ThinkPad charge limits.
{ pkgs, lib, ... } @args: let
{ pkgs, lib, config, ... } @args: with lib; let
cfg = config.module.powerlimit.thinkpad;
controlFileMin = "/sys/class/power_supply/BAT0/charge_control_start_threshold";
controlFileMax = "/sys/class/power_supply/BAT0/charge_control_end_threshold";
onMin = "40";
onMax = "80";
offMin = "90";
offMax = "95";
script = pkgs.writeShellScriptBin "powerlimit" ''
function toggle() {
if status; then
echo ${toString cfg.offMax} > ${controlFileMax}
echo ${toString cfg.offMin} > ${controlFileMin}
else
echo ${toString cfg.onMin} > ${controlFileMin}
echo ${toString cfg.onMax} > ${controlFileMax}
fi
script = pkgs.writeShellScriptBin "powerlimit" (import ./powerlimit/Script.nix {
inherit controlFileMax controlFileMin onMin onMax offMin offMax;
}).script;
true
}
function waybar() {
status || echo -n ""
}
function status() {
local current=$(cat ${controlFileMax})
local enabled="${toString cfg.onMax}"
[[ "''${current}" = "''${enabled}" ]]
}
''${@}
'';
in {
imports = [
(import ./powerlimit ({
inherit controlFileMax controlFileMin onMin onMax offMin offMax;
} // args))
];
options = {
module.powerlimit.thinkpad = {
enable = mkEnableOption "Powerlimit Service";
onMin = mkOption {
default = 40;
type = types.int;
};
onMax = mkOption {
default = 80;
type = types.int;
};
offMin = mkOption {
default = 90;
type = types.int;
};
offMax = mkOption {
default = 95;
type = types.int;
};
};
};
environment.systemPackages = [ script ];
config = mkIf cfg.enable {
environment.systemPackages = [ script ];
systemd = {
services.powerlimit = {
description = "Limit battery charge.";
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
RemainAfterExit = "yes";
ExecStart = "${getExe pkgs.bash} -c 'echo ${toString cfg.onMin} > ${controlFileMin}; echo ${toString cfg.onMax} > ${controlFileMax};'";
ExecStop = "${getExe pkgs.bash} -c 'echo ${toString cfg.offMax} > ${controlFileMax}; echo ${toString cfg.offMin} > ${controlFileMin};'";
};
};
# HACK: Allow user access.
tmpfiles.rules = [
"z ${controlFileMax} 0777 - - - -"
"z ${controlFileMin} 0777 - - - -"
];
};
};
}

73
module/Powersave.nix Normal file
View file

@ -0,0 +1,73 @@
{ lib, config, pkgs, ... }: with lib; let
cfg = config.module.powersave;
script = pkgs.writeShellScriptBin "powersave" ''
function toggle() {
if status; then
echo ${cfg.cpu.boost.disableCmd} > ${cfg.cpu.boost.controlFile}
else
echo ${cfg.cpu.boost.enableCmd} > ${cfg.cpu.boost.controlFile}
fi
true
}
function waybar() {
status || echo -n "󰓅"
}
function status() {
local current=$(cat ${cfg.cpu.boost.controlFile})
local enabled="${cfg.cpu.boost.enableCmd}"
[[ "''${current}" = "''${enabled}" ]]
}
''${@}
'';
in {
options = {
module.powersave = {
enable = mkEnableOption "Powersave";
cpu.boost = mkOption {
default = {};
type = types.submodule {
options = {
disableCmd = mkOption {
default = null;
type = types.str;
};
enableCmd = mkOption {
default = null;
type = types.str;
};
controlFile = mkOption {
default = null;
type = types.str;
};
};
};
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ script ];
systemd = {
services.powersave-cpu = {
description = "Disable CPU Boost";
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
RemainAfterExit = "yes";
ExecStart = "${getExe pkgs.bash} -c 'echo ${cfg.cpu.boost.enableCmd} > ${cfg.cpu.boost.controlFile}'";
ExecStop = "${getExe pkgs.bash} -c 'echo ${cfg.cpu.boost.disableCmd} > ${cfg.cpu.boost.controlFile}'";
};
};
# HACK: Allow user access.
tmpfiles.rules = [ "z ${cfg.cpu.boost.controlFile} 0777 - - - -" ];
};
};
}

21
module/PowersaveAmd.nix
View file

@ -1,21 +0,0 @@
# AMD CPU boost control.
{ pkgs, ... } @args: let
controlFile = "/sys/devices/system/cpu/cpufreq/boost";
enable = "0";
disable = "1";
script = pkgs.writeShellScriptBin "powersave" (import ./powersave/Script.nix {
inherit controlFile enable disable;
}).script;
in {
# Requirements:
# CPPC (Collaborative Power Control) - Disabled.
# PSS (Cool and Quiet) - Enabled.
imports = [
(import ./powersave ({
inherit controlFile enable disable;
} // args))
];
environment.systemPackages = [ script ];
}

18
module/PowersaveIntel.nix
View file

@ -1,18 +0,0 @@
# Intel CPU boost control.
{ pkgs, ... } @args: let
controlFile = "/sys/devices/system/cpu/intel_pstate/no_turbo";
enable = "1";
disable = "0";
script = pkgs.writeShellScriptBin "powersave" (import ./powersave/Script.nix {
inherit controlFile enable disable;
}).script;
in {
imports = [
(import ./powersave ({
inherit controlFile enable disable;
} // args))
];
environment.systemPackages = [ script ];
}

22
module/Print.nix
View file

@ -1,9 +1,17 @@
{ ... }: {
services.printing = {
enable = true;
clientConf = ''
DigestOptions DenyMD5
ServerName 192.168.1.2
'';
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.print;
in {
options = {
module.print.enable = mkEnableOption "Add support for printers.";
};
config = mkIf cfg.enable {
services.printing = {
enable = true;
clientConf = ''
DigestOptions DenyMD5
ServerName 192.168.1.2
'';
};
};
}

102
module/RemoteBuild.nix
View file

@ -1,29 +1,79 @@
# Module that enables remote builds. This is a client configuration.
{ lib, secret, ... }: {
# NOTE: Requires host private key to be present in secret.ssh.builderKeys.
nix.buildMachines = [{
hostName = "nixbuilder";
protocol = "ssh-ng";
systems = [
"x86_64-linux"
"i686-linux"
"aarch64-linux"
];
maxJobs = 1;
speedFactor = 2;
mandatoryFeatures = [ ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}];
nix.distributedBuilds = true;
nix.settings = let
substituters = [ "ssh-ng://nixbuilder" ];
in {
substituters = lib.mkForce substituters;
trusted-substituters = substituters;
builders-use-substitutes = true;
max-jobs = 0;
trusted-public-keys = [ secret.ssh.builderKey ];
# require-sigs = false;
# substitute = false;
{ pkgs, lib, config, secret, ... }: with lib; let
cfg = config.module.builder;
serverKeyPath = "/root/.nixbuilder";
in {
options = {
module.builder = {
server.enable = mkEnableOption "This is a builder server.";
client.enable = mkEnableOption "This is a builder client.";
};
};
config = mkMerge [
(mkIf cfg.server.enable {
# Service that generates new key on boot if not present.
# Don't forget to add new key to secret.ssh.buildKeys.
systemd.services.generate-nix-cache-key = {
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.nix ];
script = ''
[[ -f "${serverKeyPath}/private-key" ]] && exit
mkdir ${serverKeyPath} || true
nix-store --generate-binary-cache-key "nixbuilder-1" "${serverKeyPath}/private-key" "${serverKeyPath}/public-key"
nix store sign --all -k "${serverKeyPath}/private-key"
'';
};
# Add `nixbuilder` restricted user.
users.groups.nixbuilder = {};
users.users.nixbuilder = {
openssh.authorizedKeys.keys = secret.ssh.buildKeys;
description = "Nix Remote Builder";
isNormalUser = true;
createHome = lib.mkForce false;
uid = 1234;
home = "/";
group = "nixbuilder";
};
# Sign store automatically.
# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
nix.settings = {
trusted-users = [ "nixbuilder" ];
secret-key-files = [ "${serverKeyPath}/private-key" ];
};
})
(mkIf cfg.client.enable {
# NOTE: Requires host private key to be present in secret.ssh.builderKeys.
nix.buildMachines = [{
hostName = "nixbuilder";
protocol = "ssh-ng";
systems = [
"x86_64-linux"
"i686-linux"
"aarch64-linux"
];
maxJobs = 1;
speedFactor = 2;
mandatoryFeatures = [ ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}];
nix.distributedBuilds = true;
nix.settings = let
substituters = [ "ssh-ng://nixbuilder" ];
in {
substituters = mkForce substituters;
trusted-substituters = substituters;
builders-use-substitutes = true;
max-jobs = 0;
trusted-public-keys = [ secret.ssh.builderKey ];
# require-sigs = false;
# substitute = false;
};
})
];
}

37
module/RemoteBuilder.nix
View file

@ -1,37 +0,0 @@
# Module that enables remote builds. This is a server configuration.
{ pkgs, secret, lib, ... }: let
keyPath = "/root/.nixbuilder";
in {
# Service that generates new key on boot if not present.
# Don't forget to add new key to secret.ssh.buildKeys.
systemd.services.generate-nix-cache-key = {
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.nix ];
script = ''
[[ -f "${keyPath}/private-key" ]] && exit
mkdir ${keyPath} || true
nix-store --generate-binary-cache-key "nixbuilder-1" "${keyPath}/private-key" "${keyPath}/public-key"
nix store sign --all -k "${keyPath}/private-key"
'';
};
# Add `nixbuilder` restricted user.
users.groups.nixbuilder = {};
users.users.nixbuilder = {
openssh.authorizedKeys.keys = secret.ssh.buildKeys;
description = "Nix Remote Builder";
isNormalUser = true;
createHome = lib.mkForce false;
uid = 1234;
home = "/";
group = "nixbuilder";
};
# Sign store automatically.
# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
nix.settings = {
trusted-users = [ "nixbuilder" ];
secret-key-files = [ "${keyPath}/private-key" ];
};
}

10
part/Setting.nix → module/Setting.nix
View file

@ -5,6 +5,8 @@
,lib
, ... }: {
options.setting = with lib; {
# Ollama settings.
# I use the best light model by default.
ollama = mkOption {
default = { };
type = types.submodule {
@ -18,6 +20,7 @@
};
};
# Default browser settings.
browser = mkOption {
default = { };
type = types.submodule {
@ -30,6 +33,7 @@
};
};
# Terminal settings.
terminal = mkOption {
default = { };
type = types.submodule {
@ -42,16 +46,19 @@
};
};
# Whether to use Dpi-aware setting in supported apps.
dpiAware = mkOption {
default = false;
type = types.bool;
};
# The key used for system-related shortcuts.
sysctrl = mkOption {
default = "print";
type = types.str;
};
# Keyboard options.
keyboard = mkOption {
default = { };
type = types.submodule {
@ -68,6 +75,7 @@
};
};
# Settings related to different refreshes, like top apps.
refresh = mkOption {
default = { };
type = types.submodule {
@ -80,6 +88,7 @@
};
};
# Configure steps for different actions.
step = mkOption {
default = { };
type = types.submodule {
@ -100,6 +109,7 @@
};
};
# Specify timeouts.
timeout = mkOption {
default = { };
type = types.submodule {

46
module/StrongSwan.nix
View file

@ -1,21 +1,29 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
networkmanager-l2tp
gnome.networkmanager-l2tp
# networkmanager_strongswan
# strongswan
# strongswanNM
];
networking.networkmanager.enableStrongSwan = true;
services.xl2tpd.enable = true;
services.strongswan = {
enable = true;
secrets = [
"ipsec.d/ipsec.nm-l2tp.secrets"
];
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.strongswan;
in {
options = {
module.strongswan.enable = mkEnableOption "StrongSwan Vpn support.";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
networkmanager-l2tp
gnome.networkmanager-l2tp
# networkmanager_strongswan
# strongswan
# strongswanNM
];
networking.networkmanager.enableStrongSwan = true;
services.xl2tpd.enable = true;
services.strongswan = {
enable = true;
secrets = [
"ipsec.d/ipsec.nm-l2tp.secrets"
];
};
# NOTE: Try this if VPN ever breaks.
# systemd.tmpfiles.rules = [
# "L /etc/ipsec.secrets - - - - /etc/ipsec.d/ipsec.nm-l2tp.secrets"
# ];
};
# NOTE: Try this if VPN ever breaks.
# systemd.tmpfiles.rules = [
# "L /etc/ipsec.secrets - - - - /etc/ipsec.d/ipsec.nm-l2tp.secrets"
# ];
}

91
module/Style.nix Normal file
View file

@ -0,0 +1,91 @@
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.style;
in {
options = let
mkTypeOption = default: type: mkOption { inherit default type; };
mkStrOption = default: mkTypeOption default types.str;
mkIntOption = default: mkTypeOption default types.int;
mkFloatOption = default: mkTypeOption default types.float;
in {
module.style = {
color = {
bg = {
dark = mkStrOption config.lib.stylix.colors.base00;
light = mkStrOption config.lib.stylix.colors.base07;
regular = mkStrOption config.lib.stylix.colors.base01;
};
fg = {
dark = mkStrOption config.lib.stylix.colors.base04;
light = mkStrOption config.lib.stylix.colors.base06;
regular = mkStrOption config.lib.stylix.colors.base05;
};
accent = mkStrOption config.lib.stylix.colors.base0A;
heading = mkStrOption config.lib.stylix.colors.base0D;
hl = mkStrOption config.lib.stylix.colors.base03;
keyword = mkStrOption config.lib.stylix.colors.base0E;
link = mkStrOption config.lib.stylix.colors.base09;
misc = mkStrOption config.lib.stylix.colors.base0F;
negative = mkStrOption config.lib.stylix.colors.base08;
neutral = mkStrOption config.lib.stylix.colors.base0C;
positive = mkStrOption config.lib.stylix.colors.base0B;
selection = mkStrOption config.lib.stylix.colors.base02;
transparent = mkStrOption "ffffff00";
accent-b = mkStrOption config.lib.stylix.colors.base0A-rgb-b;
accent-g = mkStrOption config.lib.stylix.colors.base0A-rgb-g;
accent-r = mkStrOption config.lib.stylix.colors.base0A-rgb-r;
negative-b = mkStrOption config.lib.stylix.colors.base08-rgb-b;
negative-g = mkStrOption config.lib.stylix.colors.base08-rgb-g;
negative-r = mkStrOption config.lib.stylix.colors.base08-rgb-r;
neutral-b = mkStrOption config.lib.stylix.colors.base0C-rgb-b;
neutral-g = mkStrOption config.lib.stylix.colors.base0C-rgb-g;
neutral-r = mkStrOption config.lib.stylix.colors.base0C-rgb-r;
positive-b = mkStrOption config.lib.stylix.colors.base0B-rgb-b;
positive-g = mkStrOption config.lib.stylix.colors.base0B-rgb-g;
positive-r = mkStrOption config.lib.stylix.colors.base0B-rgb-r;
bg-b = mkStrOption config.lib.stylix.colors.base00-rgb-b;
bg-g = mkStrOption config.lib.stylix.colors.base00-rgb-g;
bg-r = mkStrOption config.lib.stylix.colors.base00-rgb-r;
fg-b = mkStrOption config.lib.stylix.colors.base06-rgb-b;
fg-g = mkStrOption config.lib.stylix.colors.base06-rgb-g;
fg-r = mkStrOption config.lib.stylix.colors.base06-rgb-r;
border = mkStrOption config.lib.stylix.colors.base01;
border-b = mkStrOption config.lib.stylix.colors.base01-rgb-b;
border-g = mkStrOption config.lib.stylix.colors.base01-rgb-g;
border-r = mkStrOption config.lib.stylix.colors.base01-rgb-r;
};
font = {
emoji.name = mkStrOption config.stylix.fonts.emoji.name;
monospace.name = mkStrOption config.stylix.fonts.monospace.name;
sansSerif.name = mkStrOption config.stylix.fonts.sansSerif.name;
serif.name = mkStrOption config.stylix.fonts.serif.name;
size = {
terminal = mkIntOption config.stylix.fonts.sizes.terminal;
popup = mkIntOption config.stylix.fonts.sizes.popups;
application = mkIntOption config.stylix.fonts.sizes.applications;
desktop = mkIntOption config.stylix.fonts.sizes.desktop;
};
};
opacity = {
application = mkFloatOption config.stylix.opacity.applications;
desktop = mkFloatOption config.stylix.opacity.desktop;
popup = mkFloatOption config.stylix.opacity.popups;
terminal = mkFloatOption config.stylix.opacity.terminal;
hex = mkStrOption "D9";
};
window = {
gap = mkIntOption 8;
border = mkIntOption 4;
};
};
};
}

43
module/Sway.nix
View file

@ -1,43 +0,0 @@
{ pkgs, lib, ... } @args: let
sway = import ./desktop/sway args;
config = pkgs.writeText "swayConfig" sway.config;
script = pkgs.writeShellScriptBin "swayscript" sway.script;
in {
imports = [
./desktop/App.nix
./desktop/Bluetooth.nix
./desktop/Brightness.nix
./desktop/Dconf.nix
./desktop/Portal.nix
./desktop/Realtime.nix
./desktop/Sound.nix
./desktop/Waybar.nix
./desktop/Wayland.nix
];
services.gnome.gnome-keyring.enable = lib.mkForce false;
environment = {
systemPackages = with pkgs; [
fuzzel # Application launcher.
grim slurp # Screenshot.
mako # Notification system.
networkmanagerapplet # Internet configuration.
pamixer pavucontrol pulseaudio # Audio.
playerctl # Multimedia controls.
script # My custom Sway shell scripts.
];
variables.XDG_CURRENT_DESKTOP = "sway";
};
programs.sway = {
enable = true;
wrapperFeatures = {
base = true;
gtk = true;
};
extraOptions = [
"--config=${config}"
];
};
}

18
module/Tablet.nix
View file

@ -1,6 +1,14 @@
{ pkgs, ... }: {
hardware.opentabletdriver.enable = true;
environment.systemPackages = with pkgs; [
krita
];
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.tablet;
in {
options = {
module.tablet.enable = mkEnableOption "Support for tables.";
};
config = mkIf cfg.enable {
hardware.opentabletdriver.enable = true;
environment.systemPackages = with pkgs; [
krita
];
};
}

26
module/VirtManager.nix
View file

@ -1,11 +1,19 @@
{ pkgs, ... }: {
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.virtmanager;
in {
options = {
module.virtmanager.enable = mkEnableOption "VM support.";
};
# HACK: Fixes bug: https://www.reddit.com/r/NixOS/comments/1afbjiu/i_get_a_nonetype_error_when_trying_to_launch_a_vm/
# May also need to run: `gsettings set org.gnome.desktop.interface cursor-theme "Adwaita"`
environment.systemPackages = with pkgs; [
# glib
gnome3.adwaita-icon-theme # default gnome cursors,
];
config = mkIf cfg.enable {
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
# HACK: Fixes bug: https://www.reddit.com/r/NixOS/comments/1afbjiu/i_get_a_nonetype_error_when_trying_to_launch_a_vm/
# May also need to run: `gsettings set org.gnome.desktop.interface cursor-theme "Adwaita"`
environment.systemPackages = with pkgs; [
# glib
gnome3.adwaita-icon-theme # default gnome cursors,
];
};
}

13
module/common/Apks.nix
View file

@ -1,8 +1,17 @@
# I want to pull all the Apk files in their current state
# so that I always have an access to clients that match
# my service versions.
{ pkgs, ... } @args: let
{ pkgs, lib, config, ... } @args: with lib; let
cfg = config.module.common.apks;
package = (pkgs.callPackage ./apks args);
in {
environment.etc.apks.source = package;
options = {
module.common.apks = {
enable = mkEnableOption "Android Apps Apk" // { default = true; };
};
};
config = mkIf cfg.enable {
environment.etc.apks.source = package;
};
}

76
module/common/AutoUpdateSigned.nix
View file

@ -2,41 +2,51 @@
# This is a systemd service that pulls updates every hour.
# Unlike system.autoUpgrade, this script also verifies my git signature
# to prevent unathorized changes to hosts.
{ const, pkgs, lib, secret, util, ... }: {
systemd.services.autoupdate = util.mkStaticSystemdService {
enable = true;
description = "Signed system auto-update.";
serviceConfig.Type = "oneshot";
path = with pkgs; [
bash
git
gnumake
nixos-rebuild
openssh
];
script = ''
pushd /tmp
rm -rf ./nixos
${lib.getExe pkgs.git} clone --depth=1 --single-branch --branch=main ${const.url} ./nixos
pushd ./nixos
${lib.getExe pkgs.git} verify-commit HEAD || {
echo "Verification failed."
exit 1
};
${lib.getExe pkgs.gnumake} switch
'';
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
{ const, pkgs, lib, util, config, ... }: with lib; let
cfg = config.module.common.autoupdate;
in {
options = {
module.common.autoupdate = {
enable = mkEnableOption "System auto-updates." // { default = true; };
};
};
systemd.timers.autoupdate = {
enable = true;
timerConfig = {
OnCalendar = "hourly";
Persistent = true;
Unit = "autoupdate.service";
# RandomizedDelaySec = 60;
config = mkIf cfg.enable {
systemd.services.autoupdate = util.mkStaticSystemdService {
enable = true;
description = "Signed system auto-update.";
serviceConfig.Type = "oneshot";
path = with pkgs; [
bash
git
gnumake
nixos-rebuild
openssh
];
script = ''
pushd /tmp
rm -rf ./nixos
${getExe pkgs.git} clone --depth=1 --single-branch --branch=main ${const.url} ./nixos
pushd ./nixos
${getExe pkgs.git} verify-commit HEAD || {
echo "Verification failed."
exit 1
};
${getExe pkgs.gnumake} switch
'';
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
};
systemd.timers.autoupdate = {
enable = true;
timerConfig = {
OnCalendar = "hourly";
Persistent = true;
Unit = "autoupdate.service";
# RandomizedDelaySec = 60;
};
wantedBy = [ "timers.target" ];
};
wantedBy = [ "timers.target" ];
};
}

2
module/common/Bash.nix
View file

@ -1,4 +1,4 @@
{ lib, style, util, pkgs, ... } @args: let
{ lib, util, pkgs, ... } @args: let
bash = import ./bash args;
in {
# Add my bash configuration to all *interactive* shells.

20
module/common/Distrobox.nix
View file

@ -1,8 +1,16 @@
{ pkgs, ... }: {
# Distrobox works best with Podman, so enable it here.
imports = [ ./Podman.nix ];
{ pkgs, lib, config, ... }: with lib; let
cfg = config.module.common.distrobox;
in {
options = {
module.common.distrobox = {
enable = mkEnableOption "Distrobox." // { default = true; };
};
};
environment.systemPackages = with pkgs; [
distrobox
];
config = mkIf cfg.enable {
# Distrobox works best with Podman, so enable it here.
module.podman.enable = true;
environment.systemPackages = with pkgs; [ distrobox ];
};
}

1
module/common/Filesystem.nix
View file

@ -13,6 +13,7 @@
};
# /etc overlay.
# ISSUE: Should be fixed when you read this. Try it!
# boot.initrd.systemd.enable = true;
# systemd.sysusers.enable = true;
# system.etc.overlay = {

131
module/common/Kernel.nix
View file

@ -1,59 +1,76 @@
{ pkgs, ... }: {
# Use latest kernel.
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernel.sysctl = {
# # Spoof protection.
# "net.ipv4.conf.default.rp_filter" = 1;
# "net.ipv4.conf.all.rp_filter" = 1;
# # Packet forwarding.
# "net.ipv4.ip_forward" = 0;
# "net.ipv6.conf.all.forwarding" = 1;
# # MITM protection.
# "net.ipv4.conf.all.accept_redirects" = 0;
# "net.ipv6.conf.all.accept_redirects" = 0;
# # Do not send ICMP redirects (we are not a router).
# "net.ipv4.conf.all.send_redirects" = 0;
# # Do not accept IP source route packets (we are not a router).
# "net.ipv4.conf.all.accept_source_route" = 0;
# "net.ipv6.conf.all.accept_source_route" = 0;
# Allow sysrq.
"kernel.sysrq" = 1;
# # Protect filesystem links.
# "fs.protected_hardlinks" = 0;
# "fs.protected_symlinks" = 0;
# # Specify ttl.
# "net.ipv4.ip_default_ttl" = 65;
# # Lynis config.
# "kernel.core_uses_pid" = 1;
# "kernel.kptr_restrict" = 2;
# # IP hardening.
# "net.ipv4.conf.all.log_martians" = 1;
# "net.ipv4.conf.default.accept_redirects" = 0;
# "net.ipv4.conf.default.accept_source_route" = 0;
# "net.ipv4.conf.default.log_martians" = 0;
# "net.ipv4.tcp_timestamps" = 0;
# "net.ipv6.conf.default.accept_redirects" = 0;
# Increase file watchers.
"fs.inotify.max_user_instances" = 9999999;
"fs.inotify.max_user_watches" = 9999999;
"fs.inotify.max_user_event" = 9999999;
# "fs.file-max" = 999999;
# # Disable ipv6.
# "net.ipv6.conf.all.disable_ipv6" = 1;
# "net.ipv6.conf.default.disable_ipv6" = 1;
# "net.ipv6.conf.lo.disable_ipv6" = 1;
# "net.ipv6.conf.eth0.disable_ipv6" = 1;
{ pkgs, config, lib, ... }: with lib; let
cfg = config.module.common.kernel;
in {
options = {
module.common.kernel = {
latest = mkOption {
default = true;
type = types.bool;
};
};
};
config = mkMerge [
(mkIf cfg.latest {
# Use latest kernel.
boot.kernelPackages = pkgs.linuxPackages_latest;
})
{
boot.kernel.sysctl = {
# # Spoof protection.
# "net.ipv4.conf.default.rp_filter" = 1;
# "net.ipv4.conf.all.rp_filter" = 1;
# # Packet forwarding.
# "net.ipv4.ip_forward" = 0;
# "net.ipv6.conf.all.forwarding" = 1;
# # MITM protection.
# "net.ipv4.conf.all.accept_redirects" = 0;
# "net.ipv6.conf.all.accept_redirects" = 0;
# # Do not send ICMP redirects (we are not a router).
# "net.ipv4.conf.all.send_redirects" = 0;
# # Do not accept IP source route packets (we are not a router).
# "net.ipv4.conf.all.accept_source_route" = 0;
# "net.ipv6.conf.all.accept_source_route" = 0;
# Allow sysrq.
"kernel.sysrq" = 1;
# # Protect filesystem links.
# "fs.protected_hardlinks" = 0;
# "fs.protected_symlinks" = 0;
# # Specify ttl.
# "net.ipv4.ip_default_ttl" = 65;
# # Lynis config.
# "kernel.core_uses_pid" = 1;
# "kernel.kptr_restrict" = 2;
# # IP hardening.
# "net.ipv4.conf.all.log_martians" = 1;
# "net.ipv4.conf.default.accept_redirects" = 0;
# "net.ipv4.conf.default.accept_source_route" = 0;
# "net.ipv4.conf.default.log_martians" = 0;
# "net.ipv4.tcp_timestamps" = 0;
# "net.ipv6.conf.default.accept_redirects" = 0;
# Increase file watchers.
"fs.inotify.max_user_instances" = 9999999;
"fs.inotify.max_user_watches" = 9999999;
"fs.inotify.max_user_event" = 9999999;
# "fs.file-max" = 999999;
# # Disable ipv6.
# "net.ipv6.conf.all.disable_ipv6" = 1;
# "net.ipv6.conf.default.disable_ipv6" = 1;
# "net.ipv6.conf.lo.disable_ipv6" = 1;
# "net.ipv6.conf.eth0.disable_ipv6" = 1;
};
}
];
}

176
module/common/Keyd.nix
View file

@ -1,88 +1,98 @@
{ pkgs, config, ... }: {
environment.systemPackages = with pkgs; [ keyd ];
services.keyd = {
enable = true;
keyboards.default = {
ids = [ "*" ];
settings = {
main = {
backspace = "delete"; # Delete key on backspace.
capslock = "overload(control, esc)"; # Ctrl/esc combo.
compose = "layer(layer_number)"; # Number input layer.
esc = "${config.setting.sysctrl}"; # System controls.
leftcontrol = "overload(layer_alternative, leftcontrol)"; # Alternative layer for home, end etc.
rightcontrol = "layer(layer_control)"; # Media and other controls.
rightshift = "backspace"; # Backspace.
};
# Alternative navigation.
layer_alternative = {
w = "pageup";
a = "home";
s = "pagedown";
d = "end";
x = "cut";
c = "copy";
v = "paste";
h = "left";
j = "down";
k = "up";
l = "right";
esc = "esc";
rightcontrol = "leftcontrol";
capslock = "capslock";
# space = "macro2(1, 100, macro(space))"; # NOTE: Possible bhop example. Use in per-application, not here.
};
# Media controls.
layer_control = {
space = "playpause";
a = "back";
c = "ejectcd";
d = "forward";
e = "nextsong";
q = "previoussong";
s = "volumedown";
w = "volumeup";
x = "stopcd";
z = "mute";
};
# Number inputs.
layer_number = {
q = "1";
w = "2";
e = "3";
a = "4";
s = "5";
d = "6";
z = "7";
x = "8";
c = "9";
space = "0";
"1" = "f13";
"2" = "f14";
"3" = "f15";
"4" = "f16";
"5" = "f17";
"6" = "f18";
"7" = "f19";
"8" = "f20";
"9" = "f21";
"0" = "f22";
"-" = "f23";
"=" = "f24";
enter = "kpenter";
};
};
{ pkgs, config, lib, ... }: with lib; let
cfg = config.module.common.keyd;
in {
options = {
module.common.keyd = {
enable = mkEnableOption "Keyboard remaps." // { default = true; };
};
};
# HACK: Workaround for https://github.com/NixOS/nixpkgs/issues/290161
users.groups.keyd = {};
systemd.services.keyd.serviceConfig.CapabilityBoundingSet = [ "CAP_SETGID" ];
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ keyd ];
# Debug toggle just in case I need it again.
# systemd.services.keyd.environment.KEYD_DEBUG = "1";
services.keyd = {
enable = true;
keyboards.default = {
ids = [ "*" ];
settings = {
main = {
backspace = "delete"; # Delete key on backspace.
capslock = "overload(control, esc)"; # Ctrl/esc combo.
compose = "layer(layer_number)"; # Number input layer.
esc = "${config.setting.sysctrl}"; # System controls.
leftcontrol = "overload(layer_alternative, leftcontrol)"; # Alternative layer for home, end etc.
rightcontrol = "layer(layer_control)"; # Media and other controls.
rightshift = "backspace"; # Backspace.
};
# Alternative navigation.
layer_alternative = {
w = "pageup";
a = "home";
s = "pagedown";
d = "end";
x = "cut";
c = "copy";
v = "paste";
h = "left";
j = "down";
k = "up";
l = "right";
esc = "esc";
rightcontrol = "leftcontrol";
capslock = "capslock";
# space = "macro2(1, 100, macro(space))"; # NOTE: Possible bhop example. Use in per-application, not here.
};
# Media controls.
layer_control = {
space = "playpause";
a = "back";
c = "ejectcd";
d = "forward";
e = "nextsong";
q = "previoussong";
s = "volumedown";
w = "volumeup";
x = "stopcd";
z = "mute";
};
# Number inputs.
layer_number = {
q = "1";
w = "2";
e = "3";
a = "4";
s = "5";
d = "6";
z = "7";
x = "8";
c = "9";
space = "0";
"1" = "f13";
"2" = "f14";
"3" = "f15";
"4" = "f16";
"5" = "f17";
"6" = "f18";
"7" = "f19";
"8" = "f20";
"9" = "f21";
"0" = "f22";
"-" = "f23";
"=" = "f24";
enter = "kpenter";
};
};
};
};
# HACK: Workaround for https://github.com/NixOS/nixpkgs/issues/290161
users.groups.keyd = {};
systemd.services.keyd.serviceConfig.CapabilityBoundingSet = [ "CAP_SETGID" ];
# Debug toggle just in case I need it again.
# systemd.services.keyd.environment.KEYD_DEBUG = "1";
};
}

Some files were not shown because too many files have changed in this diff Show more