diff --git a/flake.nix b/flake.nix index 9287bf3..3f7c2b2 100644 --- a/flake.nix +++ b/flake.nix @@ -32,26 +32,23 @@ { nixosConfigurations = { - - # aragon = nixpkgs.lib.nixosSystem { - # system = "x83_64-linux"; - # specialArgs = { - # inherit inputs; - # }; - # modules = [ - # # Overlays-module makes "pkgs.unstable" available in configuration.nix - # ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) - - # ./machines/aragon/configuration.nix - # sops-nix.nixosModules.sops - # home-manager.nixosModules.home-manager { - # home-manager.useGlobalPkgs = true; - # home-manager.useUserPackages = true; - # home-manager.users."gunalx" = import ./home/home.nix; - # } - # ]; - # }; - + #aragon = nixpkgs.lib.nixosSystem { + # system = "x83_64-linux"; + # specialArgs = { + # inherit inputs; + # }; + # modules = [ + # # Overlays-module makes "pkgs.unstable" available in configuration.nix + # ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) + # ./machines/aragon/configuration.nix + # sops-nix.nixosModules.sops + # home-manager.nixosModules.home-manager { + # home-manager.useGlobalPkgs = true; + # home-manager.useUserPackages = true; + # home-manager.users."gunalx" = import ./home/home.nix; + # } + # ]; + #}; aragon = nixpkgs.lib.nixosSystem { system = "x84_64-linux"; @@ -67,7 +64,6 @@ }; - galadriel = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { diff --git a/home/steam.nix b/home/steam.nix deleted file mode 100644 index dfa1e55..0000000 --- a/home/steam.nix +++ /dev/null 
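Review bot: The live aragon definition that follows the re-commented block still carries `system = "x84_64-linux";`, a typo the commit leaves untouched (the commented copy says "x83_64-linux"), and I would expect nixpkgs to reject that system string at evaluation time; it should read `system = "x86_64-linux";` exactly as galadriel's does. The commented-out block is now a near-duplicate of the live one directly beneath it, so re-indenting it keeps dead text around that could simply be deleted. aragon's nixosSystem block continues outside the hunk.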
@@ -1,27 +0,0 @@ -{pkgs, lib, ...}: -{ - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "steam" - "steam-original" - "steam-run" - ]; - - - programs.steam = { - enable = true; - remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play - dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server - }; - - environment.systemPackages = [ - pkgs.steam-run - pkgs.unstable.alvr - pkgs.openvr - pkgs.openhmd - pkgs.sidequest - pkgs.mplayer - pkgs.appimage-run - ]; - - -} diff --git a/machines/aragon/configuration.nix b/machines/aragon/configuration.nix index 37e8676..b957aa7 100644 --- a/machines/aragon/configuration.nix +++ b/machines/aragon/configuration.nix @@ -10,15 +10,13 @@ #profiles - ../../profiles/base.nix - - + ../../profiles/desktop.nix + #home manager #../../home/home.nix #customised applications - ../../home/steam.nix ../../services/podman.nix ]; 
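Review bot: Dropping `../../home/steam.nix` from aragon's imports (together with deleting that file) removes the `programs.steam.remotePlay.openFirewall` and `dedicatedServer.openFirewall` settings that file carried; aragon now gets Steam through profiles/desktop.nix → packages/steam.nix, which is not in this diff, so whether those inbound firewall openings survive, or were meant to, cannot be seen here. Worth stating the intent where the import was removed, e.g. `# steam (incl. its firewall openings) now comes from profiles/desktop.nix`. The imports list continues outside the hunk.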
@@ -45,71 +43,20 @@ # Enable networking networking.networkmanager.enable = true; - # Set your time zone. - time.timeZone = "Europe/Oslo"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; # Enable the X11 windowing system. services.xserver.enable = true; - services.xserver.videoDrivers = [ "amdgou" ]; + services.xserver.videoDrivers = [ "amdgpu" ]; hardware.opengl.extraPackages = with pkgs; [ - rocm-opencl-icd - rocm-opencl-runtime - amdvlk + rocm-opencl-icd + rocm-opencl-runtime + amdvlk ]; hardware.opengl.driSupport = true; # For 32 bit applications hardware.opengl.driSupport32Bit = true; - # Enable the KDE Plasma Desktop Environment. - services.xserver.displayManager.sddm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; - - # Configure keymap in X11 - services.xserver = { - layout = "no"; - xkbVariant = ""; - }; - -fonts.packages = with pkgs; [ - noto-fonts - noto-fonts-cjk - noto-fonts-emoji - liberation_ttf - fira-code - fira-code-symbols - mplus-outline-fonts.githubRelease - dina-font - proggyfonts - nerdfonts - ubuntu_font_family - -]; - - # Enable CUPS to print documents. - services.printing.enable = true; - - # Enable sound with pipewire. - sound.enable = true; - hardware.pulseaudio.enable = false; - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - jack.enable = true; - - # use the example session manager (no others are packaged yet so this is enabled by default, - # no need to redefine it in your config for now) - #media-session.enable = true; - - }; - # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; 
@@ -119,115 +66,94 @@ fonts.packages = with pkgs; [ description = "Adrian Gunnar Lauterer"; extraGroups = [ "networkmanager" "wheel" ]; packages = with pkgs; [ - firefox - kate - unstable.ollama - python310 - python310Packages.scipy - python310Packages.sympy - python310Packages.numpy - python310Packages.matplotlib - python310Packages.torchWithRocm - python310Packages.torchvision - gcc - gpp - cmake - rustup - rustc - cargo - etcher - rpi-imager - minecraft - prismlauncher - hmcl - - appimage-run - #unstable.alvr - - easyeffects - - + firefox + kate + unstable.ollama + python310 + python310Packages.scipy + python310Packages.sympy + python310Packages.numpy + python310Packages.matplotlib + python310Packages.torchWithRocm + python310Packages.torchvision + gcc + gpp + cmake + rustup + rustc + cargo + etcher + rpi-imager + minecraft + prismlauncher + hmcl + appimage-run + vscode-fhs ]; }; - programs.dconf.enable = true; #needed for easyeffects for some reason - - #allow electron 15 becasue of etcher + #allow electron 19 becasue of etcher nixpkgs.config.permittedInsecurePackages = [ "electron-19.1.9" - ]; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; + ]; # List packages installed in system profile. 
To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - #basics - vim - git - wget + #basics + vim + git + wget - #sleep - pmutils - - #basic programming - python310 - python310Packages.scipy - python310Packages.sympy - python310Packages.numpy - python310Packages.matplotlib - #python310Packages.torch - python310Packages.torchvision - python310Packages.torchWithRocm - gcc - gpp - gdb - cmake - rustup - rustc - cargo - cura - prusa-slicer - openscad - htop - killall - docker-compose - + #sleep + pmutils + + #basic programming + python310 + python310Packages.scipy + python310Packages.sympy + python310Packages.numpy + python310Packages.matplotlib + #python310Packages.torch + python310Packages.torchvision + python310Packages.torchWithRocm + + gpp + gdb + cmake + rustup + rustc + cargo + cura + prusa-slicer + openscad + htop + docker-compose ]; hardware.bluetooth.enable = true; services.blueman.enable=true; - services.tailscale.enable = true; - - services.openssh.enable = true ; - services.openssh.settings = { - UseDns = true; - PasswordAuthentication = true; - }; - - - fileSystems."/mnt/nas" = { - device = "truenas:/mnt/Main"; - fsType = "nfs"; - options = [ "x-systemd.automount" "noauto" ]; - }; + # fileSystems."/mnt/nas" = { + # device = "truenas:/mnt/Main"; + # fsType = "nfs"; + # options = [ "x-systemd.automount" "noauto" ]; + # }; - # sleep wakeup rules - services.udev.extraRules = '' - ACTION=="add", SUBSYSTEM=="pci", DRIVER=="pcieport", ATTR{power/wakeup}="disabled" - ''; - -#comment out to enable sleep. Uncommented over vacations -# systemd.targets.sleep.enable = false; -# systemd.targets.suspend.enable = false; -# systemd.targets.hibernate.enable = false; -# systemd.targets.hybrid-sleep.enable = false; + # sleep wakeup rules + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="pci", DRIVER=="pcieport", ATTR{power/wakeup}="disabled" + ''; + + #comment out to enable sleep. 
Uncommented over vacations + # systemd.targets.sleep.enable = false; + # systemd.targets.suspend.enable = false; + # systemd.targets.hibernate.enable = false; + # systemd.targets.hybrid-sleep.enable = false; # Some programs need SUID wrappers, can be configured further or are @@ -238,10 +164,6 @@ fonts.packages = with pkgs; [ # enableSSHSupport = true; # }; - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; diff --git a/machines/elrond/configuration.nix b/machines/elrond/configuration.nix index 72d2f1b..231fd83 100644 --- a/machines/elrond/configuration.nix +++ b/machines/elrond/configuration.nix 
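Review bot: `nixpkgs.config.permittedInsecurePackages = [ "electron-19.1.9" ]` stays in force for the whole system while the hunk only changes the comment beside it; a package nixpkgs flags as insecure should carry the reason and a check-back, e.g. `# electron-19.1.9: only etcher needs it; re-check on each nixpkgs bump and drop when etcher no longer does`. The hunk also removes aragon's `services.openssh.enable`/`PasswordAuthentication` block, and none of the files aragon imports (base.nix, desktop.nix, podman.nix) enable openssh anywhere in this diff, so unless services/ssh.nix is pulled in somewhere I cannot see, the host ends up without sshd after the rebuild; if that is deliberate, one comment at the removal site would spare the next reader a search. Dropping `PasswordAuthentication = true` itself is a welcome hardening. The user and systemPackages definitions start before this hunk.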
@@ -9,40 +9,25 @@ ./hardware-configuration.nix ../../profiles/webhost.nix ../../profiles/base.nix + ./routes.nix ]; - - # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - - - # Set your time zone. - time.timeZone = "Europe/Oslo"; - - # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way. + networking.interfaces.ens3.useDHCP = true; # Interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way. networking.hostName = "elrond"; # Define your hostname. boot.kernel.sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; }; - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "no"; - - }; - # List packages installed in system profile. To search, run: # $ nix search wget @@ -61,9 +46,6 @@ }; - #add proxyserver to acme - #users.users.kanidm.extraGroups = [ "acme" ]; - #sequrity managment through kanidm # systemd.services.kanidm = let # certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; 
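Review bot: `boot.kernel.sysctl` keeps `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` enabled on the public-facing host, and nothing in the hunk says what the forwarding is for; as far as I can tell the NixOS firewall's `allowedTCPPorts`/`allowedUDPPorts` only govern traffic addressed to the host itself, so forwarded traffic is not restricted by them. If this is for Tailscale subnet routes or an exit node, a comment such as `# forwarding needed for tailscale subnet routes; FORWARD path filtered by <what>` would make the exposure explicit. Note also that `networking.enableIPv6 = false` is set in services/acme.nix elsewhere in this commit, which makes the IPv6 forwarding line moot on this host.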
@@ -133,31 +115,14 @@ # }; # }; - #tailscale - services.tailscale.enable = true; - users.users."root".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" ]; -users.users."gunalx".openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos" + users.users."gunalx".openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos" ]; - #fail2ban moved to service file - #services.fail2ban = { - # enable = true; - # maxretry = 5; - # ignoreIP = [ - # "127.0.0.0/8" - # "10.0.0.0/8" - # "100.64.0.0/8" - # "172.16.0.0/12" - # "192.168.0.0/16" - # "8.8.8.8" - # ]; - # }; - #firewall options networking.firewall = { enable = true; @@ -166,20 +131,13 @@ users.users."gunalx".openssh.authorizedKeys.keys = [ allowedUDPPorts = [ 80 443 - 6969 - #config.services.openssh.ports config.services.tailscale.port - config.services.headscale.port + #config.services.headscale.port ]; allowedTCPPorts = config.networking.firewall.allowedUDPPorts; }; - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It's perfectly fine and recommended to leave diff --git a/machines/elrond/routes.nix b/machines/elrond/routes.nix new file mode 100644 index 0000000..a699166 --- /dev/null +++ b/machines/elrond/routes.nix 
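Review bot: The unchanged context line `users.users."root".openssh.authorizedKeys.keys = [ ... ]` keeps a direct root login key on the internet-facing host while the hunk only reshapes the gunalx keys beside it; the very same key is already listed for gunalx, so the root entry adds attack surface without adding access. I would drop the root key, or, if root SSH is needed for deployment, document why and make sure sshd is set to `PermitRootLogin prohibit-password` (that lives in services/ssh.nix, outside this diff). The fail2ban block removed here is replaced by `../services/fail2ban.nix` in profiles/webhost.nix in the same commit, which is consistent with the "moved to service file" comment.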
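Review bot: `allowedTCPPorts = config.networking.firewall.allowedUDPPorts;` mirrors the whole UDP list onto TCP, so `config.services.tailscale.port` is opened on TCP as well although Tailscale uses it for UDP as far as I know, and any future UDP-only entry gets opened twice; listing the TCP side explicitly, `allowedTCPPorts = [ 80 443 ];`, keeps the two lists honest. Removing 6969 and commenting out the headscale port shrinks the exposure, which is good; a short comment on why headscale is kept rather than deleted would help. The firewall block starts before this hunk.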
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+{
+ services.nginx = {
+ virtualHosts."managment.funn-nas.lauterer.it" = {
+ forceSSL = true;
+ useACMEHost = config.networking.domain;
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "https://100.104.182.48";
+ };
+ basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+ };
+
+ virtualHosts."funn-nas.lauterer.it" = {
+ forceSSL = true;
+ useACMEHost = config.networking.domain;
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "https://100.104.182.48:30044";
+ };
+ basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+ };
+
+ virtualHosts."home.lauterer.it" = {
+ forceSSL = true;
+ useACMEHost = config.networking.domain;
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://10.0.0.32:8123";
+ };
+ # ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.
+ #basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+ };
+
+ virtualHosts."jellyfin.lauterer.it" = {
+ forceSSL = true;
+ useACMEHost = config.networking.domain;
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://100.84.215.84:8096";
+ };
+ #basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+ };
+ };
+}
\ No newline at end of file
diff --git a/machines/galadriel/README.md b/machines/galadriel/README.md
deleted file mode 100644
index 605a57e..0000000
--- a/machines/galadriel/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-services
-jellyfin
-
-services in need of configuration
-transmission
-sonarr
-
-to be implemented
-calibre
diff --git a/machines/galadriel/backup.nix.bak b/machines/galadriel/backup.nix.bak
deleted file mode 100644
index 59e5e28..0000000
--- a/machines/galadriel/backup.nix.bak
+++ /dev/null
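Review bot: The `home.lauterer.it` and `jellyfin.lauterer.it` virtual hosts publish internal services on public names without the `basicAuthFile` the other two hosts use (the Norwegian comment on the home host says this is deliberate for app compatibility), so they rely entirely on Home Assistant's and Jellyfin's own login; that decision deserves an English comment at both hosts, e.g. `# no basic auth: mobile clients cannot send it; relies on the app's own login + fail2ban`, and a check that the fail2ban jails imported via profiles/webhost.nix actually watch those two applications. All four hosts share the single `nginx/defaultpass` credential, so one leaked password opens every proxied service; per-host password files would contain that. The two `https://` upstreams are proxied with nginx's default of not verifying the upstream certificate, which is acceptable over a Tailscale address but worth noting in a comment.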
@@ -1,31 +0,0 @@ -{ pkgs, ... }: -{ - systemd.user.services = { - dataBackup = { - path = [ - pkgs.rsync - ]; - Unit = { - Description = "/Data backup to /Main"; - After = [ "network.target" ]; - }; - Service = { - Type = "oneshot"; - ExecStart = "rsync --archive /Data/ /Main/Data"; - }; - Install.WantedBy = [ "default.target" ]; - }; - }; - - systemd.user.timers = { - dataBackup = { - Unit.Description = "/Data backup schedule"; - Timer = { - Unit = "dataBackup"; - OnCalendar = "06:00"; - }; - Install.WantedBy = [ "timers.target" ]; - }; - }; - -} diff --git a/machines/galadriel/configuration.nix b/machines/galadriel/configuration.nix index e6b6137..28c4fe5 100644 --- a/machines/galadriel/configuration.nix +++ b/machines/galadriel/configuration.nix @@ -7,21 +7,21 @@ { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./vim.nix - ./nvidia.nix - ./openvpn.nix - ../../profiles/base.nix - ../../profiles/sops.nix - ./zfs.nix - ./backup.nix - ../../services/smb.nix - ../../services/torrent.nix - #../../services/stableDiffusion.nix - #../../services/freshrrs.nix - #../../services/torrent.nix + ./hardware-configuration.nix + ./zfs.nix + ./nvidia.nix + ./openvpn.nix + ./backup.nix - ]; + ../../profiles/base.nix + ../../profiles/sops.nix + #../../profiles/ai.nix + + ../../services/smb.nix + ../../services/torrent.nix + #../../services/stableDiffusion.nix + #../../services/freshrrs.nix + ]; # Bootloader. boot.loader.systemd-boot.enable = true; @@ -37,20 +37,7 @@ # Enable networking networking.networkmanager.enable = true; - # Set your time zone. - time.timeZone = "Europe/Oslo"; - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # Configure keymap in X11 - services.xserver = { - layout = "no"; - xkbVariant = ""; - }; - - # Configure console keymap - console.keyMap = "no"; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.gunalx = { 
@@ -74,7 +61,6 @@ tailscale nfs-utils cifs-utils - tailscale jellyfin jellyfin-web jellyfin-mpv-shim @@ -118,12 +104,6 @@ #services.calibre-server.enable = true; ##networking - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - #tailscale - services.tailscale.enable = true; - # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 22 80 8090 8096 443 433 6969 1194 445 139]; networking.firewall.allowedUDPPorts = [ 22 80 8090 8096 443 433 6969 1194 137 138]; @@ -162,7 +142,6 @@ # }; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/machines/galadriel/hardware-configuration.nix b/machines/galadriel/hardware-configuration.nix index 2c6326a..ad20a12 100644 --- a/machines/galadriel/hardware-configuration.nix +++ b/machines/galadriel/hardware-configuration.nix @@ -12,7 +12,7 @@ boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - + fileSystems."/" = { device = "/dev/disk/by-uuid/1f5ecd69-80d4-454a-96bd-cdc23884470c"; fsType = "ext4"; @@ -28,7 +28,6 @@ fsType = "ext4"; }; - boot.initrd.luks.devices."luks-028e05b0-f079-41f6-b244-eb7ceda4f315".device = "/dev/disk/by-uuid/028e05b0-f079-41f6-b244-eb7ceda4f315"; swapDevices = diff --git a/machines/galadriel/nvidia.nix b/machines/galadriel/nvidia.nix index 4b52a99..ac122c4 100644 --- a/machines/galadriel/nvidia.nix +++ b/machines/galadriel/nvidia.nix @@ -6,8 +6,7 @@ driSupport = true; driSupport32Bit = true; }; - nixpkgs.config.allowUnfree = true; - + # Load nvidia driver for Xorg and Wayland services.xserver.videoDrivers = ["nvidia"]; #boot with nvidia kernel module 
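Review bot: Removing `services.openssh.enable = true;` from galadriel leaves no sshd configuration visible for this host — profiles/base.nix, which the commit also edits, enables tailscale but not openssh, and nothing in the diff imports services/ssh.nix — while the context lines just below still open port 22 in the firewall; if sshd is meant to come from elsewhere, a comment at the removal site pointing there would prevent locking the box out on the next rebuild. In those same context lines `433` in both port lists looks like a typo for `443` (already present), and `22`, `80` and `8096` are opened on UDP where only TCP is likely used, so the lists would benefit from a pass, e.g. `networking.firewall.allowedTCPPorts = [ 22 80 443 8090 8096 6969 1194 445 139 ];`. The enclosing configuration set starts before this hunk.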
@@ -15,24 +14,23 @@ hardware.nvidia = { # Modesetting is required. modesetting.enable = true; + # Nvidia power management. Experimental, and can cause sleep/suspend to fail. + #powerManagement.enable = true; + # Fine-grained power management. Turns off GPU when not in use. + # Experimental and only works on modern Nvidia GPUs (Turing or newer). + #powerManagement.finegrained = true; - # Nvidia power management. Experimental, and can cause sleep/suspend to fail. - # powerManagement.enable = true; - # Fine-grained power management. Turns off GPU when not in use. - # Experimental and only works on modern Nvidia GPUs (Turing or newer). - #powerManagement.finegrained = true; - - # Use the NVidia open source kernel module (not to be confused with the - # independent third-party "nouveau" open source driver). - # Support is limited to the Turing and later architectures. Full list of - # supported GPUs is at: - # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus - # Only available from driver 515.43.04+ - # Currently alpha-quality/buggy, so false is currently the recommended setting. + # Use the NVidia open source kernel module (not to be confused with the + # independent third-party "nouveau" open source driver). + # Support is limited to the Turing and later architectures. Full list of + # supported GPUs is at: + # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus + # Only available from driver 515.43.04+ + # Currently alpha-quality/buggy, so false is currently the recommended setting. open = false; # Enable the Nvidia settings menu, - # accessible via `nvidia-settings`. + # accessible via `nvidia-settings`. #nvidiaSettings = true; # Optionally, you may need to select the appropriate driver version for your specific GPU. 
@@ -45,7 +43,7 @@ environment.systemPackages = with pkgs; [ cudaPackages.cudnn cudaPackages.cudatoolkit - #cudaPackages.tensorrt_8_6_0 + #cudaPackages.tensorrt_8_6_0 #needs to be added manually, to the store and is a pain because of the license agreement and garbage collection ]; diff --git a/machines/galadriel/vim.nix b/machines/galadriel/vim.nix deleted file mode 100644 index a5a0547..0000000 --- a/machines/galadriel/vim.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, ... }: -{ - programs.neovim = { - enable = true; - viAlias = true; - vimAlias = true; - defaultEditor = true; - - configure = { - customRC = '' - " your custom vimrc - set nocompatible - set backspace=indent,eol,start - " Turn on syntax highlighting by default - syntax on - set autoindent - " ... - ''; - packages.myplugins = with pkgs.vimPlugins; { - start = [ vim-nix vim-lastplace vim-yaml ]; - opt = []; - }; - }; - }; -} diff --git a/profiles/ai.nix b/profiles/ai.nix new file mode 100644 index 0000000..1583263 --- /dev/null +++ b/profiles/ai.nix 
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+{
+ imports =
+ [
+ ./base.nix
+ ../services/podman.nix
+ ../services/ollama.nix
+ # ../services/whisper.nix
+ ];
+
+ environment.systemPackages = with pkgs.unstable; [
+ # ollama
+ # openai-whisper
+ # openai-whisper-cpp
+ # wyoming-faster-whisper
+ # subtitlr
+ # piper-tts
+ # #piper-train #broken
+ # wyoming-piper
+ # python3
+ # python3Packages.torchWithCuda
+ # python3Packages.openai-whisper
+ # python3Packages.faster-whisper
+ # python3Packages.scipy
+ # python3Packages.numba-scipy
+ # python3Packages.scikit-image
+ # python3Packages.traittypes
+ # python3Packages.statsmodels
+ # python3Packages.scikits-odes
+ # python3Packages.sympy
+ # python3Packages.numpy
+ # python3Packages.pandas
+ # python3Packages.matplotlib
+ # python3Packages.tensorflow
+ # python3Packages.tensorboard
+ # python3Packages.keras
+ # python3Packages.transformers
+ # python3Packages.torch
+ # python3Packages.torchvision-bin
+ # python3Packages.torchsde
+ # python3Packages.torchaudio-bin
+ # python3Packages.torchWithRocm
+ # python3Packages.torchWithCuda
+ # python3Packages.scikit-learn-extra
+ ];
+
+
+
+}
diff --git a/profiles/base.nix b/profiles/base.nix
index ced7ec4..947eaa7 100644
--- a/profiles/base.nix
+++ b/profiles/base.nix
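Review bot: `../services/ollama.nix`, imported here, defines an nginx virtual host that reads `config.sops.secrets."nginx/defaultpass".path` and `config.networking.domain`, and this profile brings in neither — they are declared in services/nginx.nix and services/acme.nix, reached only through profiles/webhost.nix — so as far as I can tell a host that imports ai.nix without the webhost profile fails to evaluate on the missing secret. Either import what ollama.nix depends on here, or state the requirement at the top of the file, e.g. `# requires profiles/webhost.nix (nginx + acme + sops secret) for the ollama vhost`. The package list is entirely commented out, so the `with pkgs.unstable;` binding currently adds nothing.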
@@ -7,28 +7,45 @@ imports = ]; - - environment.systemPackages = with pkgs; [ vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - wget git + wget rsync ripgrep + neofetch htop bottom + killall foot.terminfo tailscale ]; + #just allow unfree, im fine with it. + nixpkgs.config.allowUnfree = true; + + # Set your time zone. + time.timeZone = "Europe/Oslo"; + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + # Configure console + console = { + font = "Lat2-Terminus16"; + keyMap = "no"; + }; - #system vide bash aliases. + #tailscale + services.tailscale.enable = true; + + #system vide bash aliases. TODO: check if only one of these works so i dont need duplicates. + programs.bash.shellAliases = config.environment.shellAliases; environment.shellAliases = { gst="git status"; - gcm="git commit -m"; + gcm="git commit -m"; + gca="git commit --amend"; gsw="git switch"; gaa="git add -A"; gb="git branch"; @@ -36,12 +53,10 @@ imports = la="ls -la"; lls="ls"; }; - - programs.bash.shellAliases = config.environment.shellAliases; - environment.interactiveShellInit = '' alias gst='git status' alias gcm='git commit -m' + alias gca='git commit --amend' alias gsw='git switch' alias gaa='git add -A' alias gb='git branch' @@ -50,6 +65,8 @@ imports = alias lls='ls' ''; + #TODO: ssh hosts. + #nix stuff nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.gc.automatic = true; diff --git a/profiles/desktop.nix b/profiles/desktop.nix index ca4a582..6757cb8 100644 --- a/profiles/desktop.nix +++ b/profiles/desktop.nix 
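Review bot: `services.tailscale.enable = true;` now applies to every host that imports base.nix where each machine previously opted in, which is a change in trust boundary for any future host built on the profile; a comment such as `# every host joins the tailnet; a host that must not should mkForce this off` would make that intent explicit, and the `tailscale` entry in `environment.systemPackages` is redundant once the service is enabled. On the alias block, as far as I know the NixOS bash module already seeds `programs.bash.shellAliases` from `environment.shellAliases`, so the explicit `programs.bash.shellAliases = config.environment.shellAliases;` and the duplicated `alias …` lines in `environment.interactiveShellInit` (the TODO in this hunk) can likely both go once confirmed. The `#TODO: ssh hosts.` in the last hunk of this file is the right place to also record where sshd is enabled, since several machine files in this commit stop enabling it themselves.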
@@ -3,10 +3,44 @@ imports = [ ./base.nix + ./sound.nix #all i would ever need in sound. + ../packages/vim.nix - ../home/code.nix + #../home/home-full.nix ../packages/steam.nix + ]; + fonts.packages = with pkgs; [ + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + liberation_ttf + fira-code + fira-code-symbols + mplus-outline-fonts.githubRelease + dina-font + proggyfonts + nerdfonts + ubuntu_font_family + ]; + + # Enable CUPS to print documents. + services.printing.enable = true; + + services.xserver.displayManager.sddm.enable = true; + services.xserver.desktopManager.plasma5.enable = true; + + # Configure keymap in X11 + services.xserver = { + layout = "no"; + xkbVariant = ""; + }; + + + #TODO: add sway with home manager to get proper dotfiles. Possibly in its own sway file. + #TODO: add hyperland. + + } diff --git a/profiles/sound.nix b/profiles/sound.nix new file mode 100644 index 0000000..cd546f3 --- /dev/null +++ b/profiles/sound.nix 
@@ -0,0 +1,82 @@ +{ config, pkgs, lib, ... }: +{ +imports = + [ + ./base.nix + + ]; + + # Enable sound with pipewire. + sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + wireplumber.enable = true; + }; + + environment.systemPackages = with pkgs; [ + pavucontrol + wireplumber + easyeffects + ncpamixer + qpaeq + #more audio stuff, but not essential + + #synths + qsynth + fluidsynth + synthesia + vital + picoloop + bespokesynth-with-vst2 + fmsynth + polyphone #soundfont editor + + #vocaloids + openutau + #daw + ardour + lmms + rosegarden + musescore + + #playing audio + cmus + cmusfm + whistle + cozy + lollypop + deadbeef + deadbeef-with-plugins + libsForQt5.elisa + + radiotray-ng + shortwave + radioboat + qradiolink + pithos + gnomeExtensions.internet-radio + gqrx + + headset + nuclear + spotifyd + spotifywm + spotify-qt + spotify-tui + spotify-tray + + tenacity + + libsForQt5.soundkonverter + ]; + + programs.dconf.enable = true; #needed for easyeffects for some reason + + +} diff --git a/profiles/webhost.nix b/profiles/webhost.nix index 282c20e..ade6d5a 100644 --- a/profiles/webhost.nix +++ b/profiles/webhost.nix @@ -1,12 +1,15 @@ { config, pkgs, lib, ... }: { + #in all practicality equvivalent with elrond, but i migth get another puplic facing machine, so nice to have. (would need to move nginx routes to machine specific in that case) imports = [ ./base.nix ./sops.nix + ../services/acme.nix ../services/nginx.nix + ../services/fail2ban.nix #../services/authelia.nix - #../services/fail2ban.nix ]; + } diff --git a/services/acme.nix b/services/acme.nix new file mode 100644 index 0000000..2ff2ad0 --- /dev/null +++ b/services/acme.nix 
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+{
+ #declare secrets
+ sops.secrets."acme/certs" = { };
+
+ networking.enableIPv6 = false; #For some reason acme only works without ipv6, probably because of missing AAAA records.
+ networking.domain = "lauterer.it";
+ #acme and certs helpful blog https://carjorvaz.com/posts/
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "adrian+acme@lauterer.it";
+ certs."${config.networking.domain}" = {
+ domain = "${config.networking.domain}";
+ extraDomainNames = [
+ "*.${config.networking.domain}"
+ #"256.no"
+ #"*.256.no"
+ #"*.addictedmaker.eu"
+ #"addictedmaker.eu"
+ ];
+
+ ## for testing.
+ #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ #enableDebugLogs = true;
+
+ #legos registrar specific stuff.
+ dnsResolver = "ns1.hyp.net:53";
+ dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
+ dnsPropagationCheck = true;
+ #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
+ credentialsFile = config.sops.secrets."acme/certs".path;
+ };
+ };
+
+ #add proxyserver to acme group
+ users.users.nginx.extraGroups = [ "acme" ];
+ users.users.root.extraGroups = [ "acme" ];
+}
diff --git a/services/nginx.nix b/services/nginx.nix
index 6e9ab82..e5a4c22 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
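Review bot: `users.users.root.extraGroups = [ "acme" ];` grants nothing, since root is not subject to group checks, and only hints that something running as root reads the certificate files; drop it or replace it with a comment naming the real consumer — `users.users.nginx.extraGroups = [ "acme" ]` is the line that matters. `networking.enableIPv6 = false;` is a host-wide setting placed in a service file, and the comment gives a DNS reason (missing AAAA records) rather than an ACME one, so I would move it next to the machine's networking config with the same comment so it is not silently inherited by every importer. `sops.secrets."acme/certs" = { }` takes the sops defaults (root-owned), so confirm the acme unit can read it through `credentialsFile` on your NixOS version — older modules needed an explicit owner — and remember that a DNS-01 credential for the whole zone is zone-takeover material, which the inline comment could say in place of only describing the file format.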
@@ -1,53 +1,16 @@ { config, pkgs, lib, ... }: { #declare secrets - sops.secrets."acme/certs" = { }; sops.secrets."nginx/defaultpass" = { restartUnits = [ "nginx.service" ]; owner = "nginx"; }; - - - networking.enableIPv6 = false; # lol for some reason acme works without ipv6 - - networking.domain = "lauterer.it"; - #acme and certs helpful blog https://carjorvaz.com/posts/ - security.acme = { - acceptTerms = true; - defaults.email = "adrian+acme@lauterer.it"; - certs."${config.networking.domain}" = { - domain = "*.${config.networking.domain}"; - extraDomainNames = [ - "${config.networking.domain}" - #"${config.networking.domain}" - #"lauterer.it" - #"*.lauterer.it" - #"*.256.no" - ]; - - #server = "https://acme-staging-v02.api.letsencrypt.org/directory"; #for testing. - enableDebugLogs = true; - - - - dnsResolver = "ns1.hyp.net:53"; - dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/ - dnsPropagationCheck = true; - #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml - credentialsFile = config.sops.secrets."acme/certs".path; - }; - }; - - #add proxyserver to acme - users.users.nginx.extraGroups = [ "acme" ]; - users.users.root.extraGroups = [ "acme" ]; - # services.oauth2_proxy = { # enable = true; # } - #proxy stuff + #proxy stuff services.nginx = { enable = true; statusPage = true; diff --git a/services/ollama.nix b/services/ollama.nix new file mode 100644 index 0000000..81dff3f --- /dev/null +++ b/services/ollama.nix 
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+{
+ environment.systemPackages = [
+ pkgs.ollama
+ ];
+
+ services.ollama.enable = true;
+ services.ollama.listenAddress = "0.0.0.0:11434";
+ services.ollama.models = "/var/lib/ollama/models";
+ services.ollama.home = "/var/lib/ollama";
+
+ #possibly a flawed idea.
+ services.ollama.acceleration = lib.mkDefault ( let
+ hostname = config.networking.hostname;
+ in
+ if hostname == "galadriel" then "cuda"
+ else if hostname == "aragorn" then "rocm"
+ else null);
+
+ services.nginx.virtualHosts."ollama.${config.networking.hostName}.${config.networking.domain}" = {
+ forceSSL = true;
+ #useACMEHost = config.networking.domain; #not sure if this will work, unless
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${config.services.ollama.listenAddress}";
+ };
+ basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+ };
+}
\ No newline at end of file
diff --git a/services/ssh.nix b/services/ssh.nix
index a530b3f..ea2c343 100644
--- a/services/ssh.nix
+++ b/services/ssh.nix
@@ -26,5 +26,5 @@
 port = 22;
 openFirewall = true;
 };
- services.sshguard.enable = true; #protection against brute force attacks like fail2ban
+ services.sshguard.enable = true; #protection against brute force attacks
 }
diff --git a/services/torrent.nix b/services/torrent.nix
index e5bbf4d..65ce821 100644
--- a/services/torrent.nix
+++ b/services/torrent.nix
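Review bot: `hostname = config.networking.hostname;` reads an option that does not exist — the NixOS option is `networking.hostName`, as the nginx line further down spells it correctly — so the `mkDefault` expression fails at evaluation, and the comparison against `"aragorn"` never matches the machine the flake calls `aragon`. Fix both with `hostname = config.networking.hostName;` and `else if hostname == "aragon" then "rocm"`. `listenAddress = "0.0.0.0:11434"` exposes the unauthenticated ollama API on every interface and bypasses the basic-auth nginx front defined in this same file; since nginx proxies to it locally, `services.ollama.listenAddress = "127.0.0.1:11434";` is the safer default (galadriel's firewall list does not open 11434, but reachability over the tailscale interface depends on your firewall trust settings). With `useACMEHost` commented out and no `sslCertificate`, `forceSSL = true` leaves nginx pointing at a certificate that is not declared anywhere, and the `*.lauterer.it` wildcard from services/acme.nix would not cover a two-label name like `ollama.<host>.lauterer.it` in any case.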
@@ -5,82 +5,80 @@ let
 savePath = "/Main/Data/media/Downloads/";
 path = "/var/lib/qbittorrent";
- contentLayout = "Subfolder";
 configurationFile = ''
-[Application]
-FileLogger\Age=1
-FileLogger\AgeType=1
-FileLogger\Backup=true
-FileLogger\DeleteOld=true
-FileLogger\Enabled=true
-FileLogger\MaxSizeBytes=66560
-FileLogger\Path=/Main/Data/media/.qbittorrent/logs
-MemoryWorkingSetLimit=8192
+ [Application]
+ FileLogger\Age=1
+ FileLogger\AgeType=1
+ FileLogger\Backup=true
+ FileLogger\DeleteOld=true
+ FileLogger\Enabled=true
+ FileLogger\MaxSizeBytes=66560
+ FileLogger\Path=/Main/Data/media/.qbittorrent/logs
+ MemoryWorkingSetLimit=8192
-[BitTorrent]
-Session\AddExtensionToIncompleteFiles=true
-Session\AlternativeGlobalDLSpeedLimit=1000
-Session\AlternativeGlobalUPSpeedLimit=1000
-Session\AnonymousModeEnabled=false
-Session\BTProtocol=Both
-Session\BandwidthSchedulerEnabled=false
-Session\DefaultSavePath=/Main/Data/media/Downloads
-Session\Encryption=1
-Session\ExcludedFileNames=
-Session\FinishedTorrentExportDirectory=/Main/Data/media/Downloads/torrents-complete
-Session\GlobalDLSpeedLimit=0
-Session\GlobalMaxRatio=1.5
-Session\GlobalUPSpeedLimit=0
-Session\I2P\Enabled=true
-Session\IgnoreLimitsOnLAN=true
-Session\IncludeOverheadInLimits=true
-Session\Interface=tun0
-Session\InterfaceAddress=${config.sops.placeholder."qbittorrent/interfaceAddress"}
-Session\InterfaceName=tun0
-Session\LSDEnabled=true
-Session\MaxActiveCheckingTorrents=15
-Session\MaxRatioAction=1
-Session\Port=44183
-Session\Preallocation=true
-Session\QueueingSystemEnabled=false
-Session\SubcategoriesEnabled=true
-Session\Tags=movie, anime
-Session\TempPath=/Main/Data/media/Downloads/temp
-Session\TempPathEnabled=true
-Session\TorrentContentLayout=${contentLayout}
-Session\TorrentExportDirectory=/Main/Data/media/Downloads/torrents
-Session\UseAlternativeGlobalSpeedLimit=false
+ [BitTorrent]
+ Session\AddExtensionToIncompleteFiles=true
+ Session\AlternativeGlobalDLSpeedLimit=1000
+ Session\AlternativeGlobalUPSpeedLimit=1000
+ Session\AnonymousModeEnabled=false
+ Session\BTProtocol=Both
+ Session\BandwidthSchedulerEnabled=false
+ Session\DefaultSavePath=/Main/Data/media/Downloads
+ Session\Encryption=1
+ Session\ExcludedFileNames=
+ Session\FinishedTorrentExportDirectory=/Main/Data/media/Downloads/torrents-complete
+ Session\GlobalDLSpeedLimit=0
+ Session\GlobalMaxRatio=1.5
+ Session\GlobalUPSpeedLimit=0
+ Session\I2P\Enabled=true
+ Session\IgnoreLimitsOnLAN=true
+ Session\IncludeOverheadInLimits=true
+ Session\Interface=tun0
+ Session\InterfaceAddress=${config.sops.placeholder."qbittorrent/interfaceAddress"}
+ Session\InterfaceName=tun0
+ Session\LSDEnabled=true
+ Session\MaxActiveCheckingTorrents=15
+ Session\MaxRatioAction=1
+ Session\Port=44183
+ Session\Preallocation=true
+ Session\QueueingSystemEnabled=false
+ Session\SubcategoriesEnabled=true
+ Session\Tags=movie, anime
+ Session\TempPath=/Main/Data/media/Downloads/temp
+ Session\TempPathEnabled=true
+ Session\TorrentContentLayout=Subfolder
+ Session\TorrentExportDirectory=/Main/Data/media/Downloads/torrents
+ Session\UseAlternativeGlobalSpeedLimit=false
-[Core]
-AutoDeleteAddedTorrentFile=Never
+ [Core]
+ AutoDeleteAddedTorrentFile=Never
-[LegalNotice]
-Accepted=true
+ [LegalNotice]
+ Accepted=true
-[Meta]
-MigrationVersion=6
+ [Meta]
+ MigrationVersion=6
-[Network]
-PortForwardingEnabled=true
+ [Network]
+ PortForwardingEnabled=true
-[Preferences]
-General\Locale=en
-MailNotification\req_auth=true
-Scheduler\days=Weekday
-Scheduler\end_time=@Variant(\0\0\0\xf\x5%q\xa0)
-WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8
-WebUI\AuthSubnetWhitelistEnabled=true
-WebUI\Port=${toString port}
-WebUI\UseUPnP=false
-
-[RSS]
-AutoDownloader\DownloadRepacks=true
-AutoDownloader\EnableProcessing=true
-AutoDownloader\SmartEpisodeFilter=s(\\d+)e(\\d+), (\\d+)x(\\d+), "(\\d{4}[.\\-]\\d{1,2}[.\\-]\\d{1,2})", "(\\d{1,2}[.\\-]\\d{1,2}[.\\-]\\d{4})"
-Session\EnableProcessing=true
-'';
+ [Preferences]
+ General\Locale=en
+ MailNotification\req_auth=true
+ Scheduler\days=Weekday
+ Scheduler\end_time=@Variant(\0\0\0\xf\x5%q\xa0)
+ WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8
+ WebUI\AuthSubnetWhitelistEnabled=true
+ WebUI\Port=${toString port}
+ WebUI\UseUPnP=false
+ [RSS]
+ AutoDownloader\DownloadRepacks=true
+ AutoDownloader\EnableProcessing=true
+ AutoDownloader\SmartEpisodeFilter=s(\\d+)e(\\d+), (\\d+)x(\\d+), "(\\d{4}[.\\-]\\d{1,2}[.\\-]\\d{1,2})", "(\\d{1,2}[.\\-]\\d{1,2}[.\\-]\\d{4})"
+ Session\EnableProcessing=true
+ '';
 in
 {
@@ -94,18 +92,17 @@ in
 sops.secrets."qbittorrent/interfaceAddress" = {
 restartUnits = [ "qbittorrent-nox.service" ];
+ owner = "qbittorrent";
 mode = "0755";
 };
 sops.templates."qbittorrent/configuration" = {
 content = configurationFile;
- #path = "${path}/.config/qBittorrent/qBittorrent.conf";
+ #path = "${path}/.config/qBittorrent/qBittorrent.conf"; #did not seem to work
 owner = "qbittorrent";
 mode = "0755";
- };
-
 users.users.qbittorrent = {
 isNormalUser = true; #make this a normal user to be able to make files
 home = path;
@@ -129,6 +126,14 @@ in
 ProtectKernelModules = true;
 NoNewPrivileges = true;
 };
-
+ };
+ services.nginx.virtualHosts."qbittorrent.${config.networking.hostName}.${config.networking.domain}" = {
+ forceSSL = true;
+ #useACMEHost = config.networking.domain; #not sure if this will work, unless
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://localhost:${port}";
+ };
+ basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
 };
 }
diff --git a/services/whisper.nix b/services/whisper.nix
new file mode 100644
index 0000000..deadbec
--- /dev/null
+++ b/services/whisper.nix
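Review bot: `WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8` together with `WebUI\AuthSubnetWhitelistEnabled=true` turns off the WebUI login for an entire /8; if the second entry is meant for a tailnet/CGNAT range, `100.64.0.0/10` is the range that covers it, and nothing in the file needs the wider block. The nginx vhost added in the last hunk of this file connects from localhost, which is not whitelisted, so qBittorrent's own login stays required behind the basic auth — that is sound, but qBittorrent's host-header validation may reject requests carrying the `qbittorrent.<host>.<domain>` Host header unless that name is allowed (e.g. via `WebUI\ServerDomains`), so a comment in the template stating which behaviour is intended would help. The re-indentation inside the `''` string is harmless, since Nix strips the common leading whitespace of indented strings.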
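Review bot: `mode = "0755"` on `sops.secrets."qbittorrent/interfaceAddress"` and on the template that embeds that secret leaves both files readable by every local user; now that `owner = "qbittorrent";` is set, the service only needs the owner bit, so `mode = "0400";` is enough for both (or `"0440"` with a matching group if another unit must read them). Separately, this hunk removes the `};` that closed `sops.templates."qbittorrent/configuration"` while the next hunk adds a `};` after the systemd block; as far as the visible lines show, that leaves `users.users.qbittorrent` and what follows nested inside the template attribute set, but the lines between the two hunks are not shown here, so confirm the module still evaluates.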
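Review bot: `proxyPass = "http://localhost:${port}"` interpolates `port` directly, whereas the config template earlier in this file writes it as `${toString port}`; if `port` is an integer, as that suggests, this line fails to evaluate (an integer cannot be coerced to a string), so it should read `proxyPass = "http://localhost:${toString port}";`. The enclosing module body starts outside this hunk.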
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+{
+ environment.systemPackages = [
+ pkgs.wyoming-faster-whisper
+ pkgs.whisper
+ pkgs.openai-whisper
+ pkgs.openai-whisper-cpp
+ ];
+
+
+ services.wyoming.faster-whisper = {
+ package = pkgs.wyoming-faster-whisper;
+
+ servers = {
+ fast = {
+ enable = true;
+ model = "tiny-int8";
+ uri = "tcp://0.0.0.0:10300";
+ device = "cuda";
+ language = "en";
+ beamSize = 1;
+ };
+ fast-no = {
+ enable = true;
+ model = "tiny-int8";
+ uri = "tcp://0.0.0.0:10301";
+ device = "cuda";
+ language = "no";
+ beamSize = 1;
+ };
+ fast-auto = {
+ enable = true;
+ model = "tiny-int8";
+ uri = "tcp://0.0.0.0:10302";
+ device = "cuda";
+ language = "auto";
+ beamSize = 1;
+ };
+ fast-cpu = {
+ enable = true;
+ model = "tiny-int8";
+ uri = "tcp://0.0.0.0:10303";
+ device = "cpu";
+ language = "auto";
+ beamSize = 1;
+ };
+ slow = {
+ enable = true;
+ model = "small";
+ uri = "tcp://0.0.0.0:10304";
+ device = "auto";
+ language = "auto";
+ beamSize = 5;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."whisper.${config.networking.hostName}.${config.networking.domain}" = {
+ forceSSL = true;
+ #useACMEHost = config.networking.domain; #not sure if this will work, unless
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "${config.services.services.wyoming.faster-whisper.servers.fast.uri}";
+ };
+ basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+ };
+}
\ No newline at end of file
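Review bot: The whisper vhost's `proxyPass` cannot work as written: `config.services.services.wyoming...` has a doubled `services` segment and fails evaluation, and the value it points at is `tcp://0.0.0.0:10300`, which nginx's HTTP `proxy_pass` rejects (it accepts `http://` or `https://` targets only). The Wyoming servers speak a TCP protocol rather than HTTP, so an HTTP vhost with `basicAuthFile` does not put any authentication in front of them; either drop this vhost or front the listeners with a stream-level proxy or firewall rule instead. Until then the five `uri = "tcp://0.0.0.0:103xx"` listeners accept unauthenticated connections on every interface the firewall allows — binding them to `127.0.0.1` or the one interface that needs them is the safer default. The hard-coded `device = "cuda"` on four servers will also fail on any host without a CUDA device if this module is shared, which `device = "auto"` on `slow` suggests was considered.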