refactoring + new services, profiles and updates

This commit is contained in:
Adrian Gunnar Lauterer 2024-04-19 14:22:06 +02:00
parent b4e97cb86e
commit c801e79f5e
22 changed files with 581 additions and 489 deletions


@ -32,26 +32,23 @@
{ {
nixosConfigurations = { nixosConfigurations = {
#aragon = nixpkgs.lib.nixosSystem {
# aragon = nixpkgs.lib.nixosSystem { # system = "x83_64-linux";
# system = "x83_64-linux"; # specialArgs = {
# specialArgs = { # inherit inputs;
# inherit inputs; # };
# }; # modules = [
# modules = [ # # Overlays-module makes "pkgs.unstable" available in configuration.nix
# # Overlays-module makes "pkgs.unstable" available in configuration.nix # ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
# ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) # ./machines/aragon/configuration.nix
# sops-nix.nixosModules.sops
# ./machines/aragon/configuration.nix # home-manager.nixosModules.home-manager {
# sops-nix.nixosModules.sops # home-manager.useGlobalPkgs = true;
# home-manager.nixosModules.home-manager { # home-manager.useUserPackages = true;
# home-manager.useGlobalPkgs = true; # home-manager.users."gunalx" = import ./home/home.nix;
# home-manager.useUserPackages = true; # }
# home-manager.users."gunalx" = import ./home/home.nix; # ];
# } #};
# ];
# };
aragon = nixpkgs.lib.nixosSystem { aragon = nixpkgs.lib.nixosSystem {
system = "x84_64-linux"; system = "x84_64-linux";
@ -67,7 +64,6 @@
}; };
galadriel = nixpkgs.lib.nixosSystem { galadriel = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
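Review bot: `system = "x84_64-linux";` in the `aragon` entry is not a Nix system string (`x86_64-linux` is), so `nixpkgs.lib.nixosSystem` will fail to elaborate the platform and this host cannot be built from the flake as committed; the `galadriel` entry a few lines below spells it correctly, and the commit leaves the typo in place. The fix is the single line `system = "x86_64-linux";`. The commented-out older `aragon` block above it carries the same kind of typo (`x83_64`); it is history now and can simply be deleted rather than kept in sync. The `nixosConfigurations` attrset continues outside the hunk.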


@ -1,27 +0,0 @@
{pkgs, lib, ...}:
{
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"steam"
"steam-original"
"steam-run"
];
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
environment.systemPackages = [
pkgs.steam-run
pkgs.unstable.alvr
pkgs.openvr
pkgs.openhmd
pkgs.sidequest
pkgs.mplayer
pkgs.appimage-run
];
}


@ -10,15 +10,13 @@
#profiles #profiles
../../profiles/base.nix ../../profiles/desktop.nix
#home manager #home manager
#../../home/home.nix #../../home/home.nix
#customised applications #customised applications
../../home/steam.nix
../../services/podman.nix ../../services/podman.nix
]; ];
@ -45,71 +43,20 @@
# Enable networking # Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.enable = true; services.xserver.enable = true;
services.xserver.videoDrivers = [ "amdgou" ]; services.xserver.videoDrivers = [ "amdgpu" ];
hardware.opengl.extraPackages = with pkgs; [ hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd rocm-opencl-icd
rocm-opencl-runtime rocm-opencl-runtime
amdvlk amdvlk
]; ];
hardware.opengl.driSupport = true; hardware.opengl.driSupport = true;
# For 32 bit applications # For 32 bit applications
hardware.opengl.driSupport32Bit = true; hardware.opengl.driSupport32Bit = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "no";
xkbVariant = "";
};
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
liberation_ttf
fira-code
fira-code-symbols
mplus-outline-fonts.githubRelease
dina-font
proggyfonts
nerdfonts
ubuntu_font_family
];
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager). # Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true; # services.xserver.libinput.enable = true;
@ -119,115 +66,94 @@ fonts.packages = with pkgs; [
description = "Adrian Gunnar Lauterer"; description = "Adrian Gunnar Lauterer";
extraGroups = [ "networkmanager" "wheel" ]; extraGroups = [ "networkmanager" "wheel" ];
packages = with pkgs; [ packages = with pkgs; [
firefox firefox
kate kate
unstable.ollama unstable.ollama
python310 python310
python310Packages.scipy python310Packages.scipy
python310Packages.sympy python310Packages.sympy
python310Packages.numpy python310Packages.numpy
python310Packages.matplotlib python310Packages.matplotlib
python310Packages.torchWithRocm python310Packages.torchWithRocm
python310Packages.torchvision python310Packages.torchvision
gcc gcc
gpp gpp
cmake cmake
rustup rustup
rustc rustc
cargo cargo
etcher etcher
rpi-imager rpi-imager
minecraft minecraft
prismlauncher prismlauncher
hmcl hmcl
appimage-run
appimage-run vscode-fhs
#unstable.alvr
easyeffects
]; ];
}; };
programs.dconf.enable = true; #needed for easyeffects for some reason
#allow electron 19 becasue of etcher
#allow electron 15 becasue of etcher
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"electron-19.1.9" "electron-19.1.9"
]; ];
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
#basics #basics
vim vim
git git
wget wget
#sleep #sleep
pmutils pmutils
#basic programming #basic programming
python310 python310
python310Packages.scipy python310Packages.scipy
python310Packages.sympy python310Packages.sympy
python310Packages.numpy python310Packages.numpy
python310Packages.matplotlib python310Packages.matplotlib
#python310Packages.torch #python310Packages.torch
python310Packages.torchvision python310Packages.torchvision
python310Packages.torchWithRocm python310Packages.torchWithRocm
gcc
gpp
gdb
cmake
rustup
rustc
cargo
cura
prusa-slicer
openscad
htop
killall
docker-compose
gpp
gdb
cmake
rustup
rustc
cargo
cura
prusa-slicer
openscad
htop
docker-compose
]; ];
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
services.blueman.enable=true; services.blueman.enable=true;
services.tailscale.enable = true; services.tailscale.enable = true;
# fileSystems."/mnt/nas" = {
services.openssh.enable = true ; # device = "truenas:/mnt/Main";
services.openssh.settings = { # fsType = "nfs";
UseDns = true; # options = [ "x-systemd.automount" "noauto" ];
PasswordAuthentication = true; # };
};
fileSystems."/mnt/nas" = { # sleep wakeup rules
device = "truenas:/mnt/Main"; services.udev.extraRules = ''
fsType = "nfs"; ACTION=="add", SUBSYSTEM=="pci", DRIVER=="pcieport", ATTR{power/wakeup}="disabled"
options = [ "x-systemd.automount" "noauto" ]; '';
};
#comment out to enable sleep. Uncommented over vacations
# sleep wakeup rules # systemd.targets.sleep.enable = false;
services.udev.extraRules = '' # systemd.targets.suspend.enable = false;
ACTION=="add", SUBSYSTEM=="pci", DRIVER=="pcieport", ATTR{power/wakeup}="disabled" # systemd.targets.hibernate.enable = false;
''; # systemd.targets.hybrid-sleep.enable = false;
#comment out to enable sleep. Uncommented over vacations
# systemd.targets.sleep.enable = false;
# systemd.targets.suspend.enable = false;
# systemd.targets.hibernate.enable = false;
# systemd.targets.hybrid-sleep.enable = false;
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
@ -238,10 +164,6 @@ fonts.packages = with pkgs; [
# enableSSHSupport = true; # enableSSHSupport = true;
# }; # };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
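Review bot: `nixpkgs.config.permittedInsecurePackages = [ "electron-19.1.9" ]` survives on the new side, and it is a host-wide allowance: any package in this machine's closure may link against an Electron that nixpkgs marks insecure because it is end-of-life, not only etcher. The two comment variants above it name different Electron majors (19 and 15) while the entry pins 19.1.9, so whichever comment is kept should match the entry. Since `rpi-imager` is already installed, consider dropping `etcher` and the entry together, or at least keep the comment honest: `# etcher pulls in EOL electron-19; remove this entry when etcher goes`. The `services.openssh` block removed here (it had `PasswordAuthentication = true`) presumably moves to `services/ssh.nix`; confirm this host still imports it somewhere if remote login is expected, since neither `profiles/desktop.nix` nor the visible part of `profiles/base.nix` shows that import.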


@ -9,38 +9,23 @@
./hardware-configuration.nix ./hardware-configuration.nix
../../profiles/webhost.nix ../../profiles/webhost.nix
../../profiles/base.nix ../../profiles/base.nix
./routes.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way. networking.interfaces.ens3.useDHCP = true; # Interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
networking.hostName = "elrond"; # Define your hostname. networking.hostName = "elrond"; # Define your hostname.
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true; "net.ipv6.conf.all.forwarding" = true;
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
}; };
@ -61,9 +46,6 @@
}; };
#add proxyserver to acme
#users.users.kanidm.extraGroups = [ "acme" ];
#sequrity managment through kanidm #sequrity managment through kanidm
# systemd.services.kanidm = let # systemd.services.kanidm = let
# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; # certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
@ -133,31 +115,14 @@
# }; # };
# }; # };
#tailscale
services.tailscale.enable = true;
users.users."root".openssh.authorizedKeys.keys = [ users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
]; ];
users.users."gunalx".openssh.authorizedKeys.keys = [ users.users."gunalx".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
]; ];
#fail2ban moved to service file
#services.fail2ban = {
# enable = true;
# maxretry = 5;
# ignoreIP = [
# "127.0.0.0/8"
# "10.0.0.0/8"
# "100.64.0.0/8"
# "172.16.0.0/12"
# "192.168.0.0/16"
# "8.8.8.8"
# ];
# };
#firewall options #firewall options
networking.firewall = { networking.firewall = {
enable = true; enable = true;
@ -166,20 +131,13 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
allowedUDPPorts = [ allowedUDPPorts = [
80 80
443 443
6969
#config.services.openssh.ports
config.services.tailscale.port config.services.tailscale.port
config.services.headscale.port #config.services.headscale.port
]; ];
allowedTCPPorts = config.networking.firewall.allowedUDPPorts; allowedTCPPorts = config.networking.firewall.allowedUDPPorts;
}; };
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave # on your system were taken. It's perfectly fine and recommended to leave
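Review bot: `allowedTCPPorts = config.networking.firewall.allowedUDPPorts;` makes the two lists identical, so UDP 80 and 443 are open on an internet-facing host with no HTTP/3 listener visible anywhere in this commit, and the Tailscale UDP port is also exposed on TCP for no reason. Keep separate lists, e.g. `allowedTCPPorts = [ 80 443 ];` and `allowedUDPPorts = [ config.services.tailscale.port ];`, and add 443/udp only if nginx ever gets `http3` enabled. The forwarding sysctls (`net.ipv4.conf.all.forwarding`, `net.ipv6.conf.all.forwarding`) also remain on; if they existed for the now commented-out headscale/subnet-router role they should go with it, since a forwarding box is a pivot for anything that reaches it. Root keeps an authorized key as well; with the NixOS default `PermitRootLogin = "prohibit-password"` that is key-only, but the same key is already on `gunalx` with `wheel`, so the root entry can be dropped unless it is needed for remote `nixos-rebuild --target-host`.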


@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
{
services.nginx = {
virtualHosts."managment.funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://100.104.182.48";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://100.104.182.48:30044";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."home.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://10.0.0.32:8123";
};
# ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."jellyfin.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.84.215.84:8096";
};
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
};
}
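Review bot: `managment.funn-nas.lauterer.it` publishes the TrueNAS management UI to the internet behind HTTP basic auth read from the shared `nginx/defaultpass` file, i.e. a single static credential reused across vhosts is what guards a storage appliance's admin interface. Since the upstream is a Tailscale address anyway, restrict the vhost to tailnet clients, e.g. `extraConfig = "allow 100.64.0.0/10; deny all;";`, or drop the vhost and reach the UI over Tailscale directly. The `home.lauterer.it` vhost forwards Home Assistant with auth deliberately off (the Norwegian comment says security is ignored for a while for convenience and app compatibility — worth restating in English); if `recommendedProxySettings` is on, Home Assistant refuses requests carrying `X-Forwarded-For` from a proxy not listed in its `http.trusted_proxies` with `use_x_forwarded_for: true`, and that same setting is what lets its own login-attempt banning see the real client IP, so confirm it is configured on the HA side. Note also that `proxyPass = "https://100.104.182.48"` does not verify the upstream certificate unless `proxy_ssl_verify on` is added, which is acceptable inside the tailnet but deserves a comment.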


@ -1,9 +0,0 @@
services
jellyfin
services in need of configuration
transmission
sonarr
to be implemented
calibre


@ -1,31 +0,0 @@
{ pkgs, ... }:
{
systemd.user.services = {
dataBackup = {
path = [
pkgs.rsync
];
Unit = {
Description = "/Data backup to /Main";
After = [ "network.target" ];
};
Service = {
Type = "oneshot";
ExecStart = "rsync --archive /Data/ /Main/Data";
};
Install.WantedBy = [ "default.target" ];
};
};
systemd.user.timers = {
dataBackup = {
Unit.Description = "/Data backup schedule";
Timer = {
Unit = "dataBackup";
OnCalendar = "06:00";
};
Install.WantedBy = [ "timers.target" ];
};
};
}


@ -7,21 +7,21 @@
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./vim.nix ./zfs.nix
./nvidia.nix ./nvidia.nix
./openvpn.nix ./openvpn.nix
../../profiles/base.nix ./backup.nix
../../profiles/sops.nix
./zfs.nix
./backup.nix
../../services/smb.nix
../../services/torrent.nix
#../../services/stableDiffusion.nix
#../../services/freshrrs.nix
#../../services/torrent.nix
]; ../../profiles/base.nix
../../profiles/sops.nix
#../../profiles/ai.nix
../../services/smb.nix
../../services/torrent.nix
#../../services/stableDiffusion.nix
#../../services/freshrrs.nix
];
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -37,20 +37,7 @@
# Enable networking # Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Configure keymap in X11
services.xserver = {
layout = "no";
xkbVariant = "";
};
# Configure console keymap
console.keyMap = "no";
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users.users.gunalx = { users.users.gunalx = {
@ -74,7 +61,6 @@
tailscale tailscale
nfs-utils nfs-utils
cifs-utils cifs-utils
tailscale
jellyfin jellyfin
jellyfin-web jellyfin-web
jellyfin-mpv-shim jellyfin-mpv-shim
@ -118,12 +104,6 @@
#services.calibre-server.enable = true; #services.calibre-server.enable = true;
##networking ##networking
# Enable the OpenSSH daemon.
services.openssh.enable = true;
#tailscale
services.tailscale.enable = true;
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 80 8090 8096 443 433 6969 1194 445 139]; networking.firewall.allowedTCPPorts = [ 22 80 8090 8096 443 433 6969 1194 445 139];
networking.firewall.allowedUDPPorts = [ 22 80 8090 8096 443 433 6969 1194 137 138]; networking.firewall.allowedUDPPorts = [ 22 80 8090 8096 443 433 6969 1194 137 138];
@ -162,7 +142,6 @@
# }; # };
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave
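Review bot: The firewall lists kept on the new side open 22/80/8090/8096/443/433/6969/1194/445/139 (and 137/138 udp) on every interface, which on this host includes the OpenVPN `tun0` pulled in by `./openvpn.nix` and used by the torrent service, so SMB and the Jellyfin/web ports are reachable from the VPN side unless the provider filters inbound traffic. Within the list, 433 looks like a typo for 443 (already present), 22/udp does nothing, and 22/tcp duplicates `openFirewall = true` in `services/ssh.nix` if that module is imported here. Move the LAN-only services to the LAN interface, e.g. `networking.firewall.interfaces."<lan-if>".allowedTCPPorts = [ 445 139 ];` plus the matching UDP line, and delete them from the global lists. `services.openssh.enable = true` is removed from this file in the same commit; confirm the replacement module is imported on this headless box before deploying, or the next rebuild locks you out. The enclosing configuration attrset continues outside the hunk.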


@ -28,7 +28,6 @@
fsType = "ext4"; fsType = "ext4";
}; };
boot.initrd.luks.devices."luks-028e05b0-f079-41f6-b244-eb7ceda4f315".device = "/dev/disk/by-uuid/028e05b0-f079-41f6-b244-eb7ceda4f315"; boot.initrd.luks.devices."luks-028e05b0-f079-41f6-b244-eb7ceda4f315".device = "/dev/disk/by-uuid/028e05b0-f079-41f6-b244-eb7ceda4f315";
swapDevices = swapDevices =


@ -6,7 +6,6 @@
driSupport = true; driSupport = true;
driSupport32Bit = true; driSupport32Bit = true;
}; };
nixpkgs.config.allowUnfree = true;
# Load nvidia driver for Xorg and Wayland # Load nvidia driver for Xorg and Wayland
services.xserver.videoDrivers = ["nvidia"]; services.xserver.videoDrivers = ["nvidia"];
@ -15,24 +14,23 @@
hardware.nvidia = { hardware.nvidia = {
# Modesetting is required. # Modesetting is required.
modesetting.enable = true; modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
#powerManagement.enable = true;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
#powerManagement.finegrained = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail. # Use the NVidia open source kernel module (not to be confused with the
# powerManagement.enable = true; # independent third-party "nouveau" open source driver).
# Fine-grained power management. Turns off GPU when not in use. # Support is limited to the Turing and later architectures. Full list of
# Experimental and only works on modern Nvidia GPUs (Turing or newer). # supported GPUs is at:
#powerManagement.finegrained = true; # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Use the NVidia open source kernel module (not to be confused with the # Currently alpha-quality/buggy, so false is currently the recommended setting.
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false; open = false;
# Enable the Nvidia settings menu, # Enable the Nvidia settings menu,
# accessible via `nvidia-settings`. # accessible via `nvidia-settings`.
#nvidiaSettings = true; #nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU. # Optionally, you may need to select the appropriate driver version for your specific GPU.
@ -45,7 +43,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cudaPackages.cudnn cudaPackages.cudnn
cudaPackages.cudatoolkit cudaPackages.cudatoolkit
#cudaPackages.tensorrt_8_6_0 #cudaPackages.tensorrt_8_6_0 #needs to be added manually, to the store and is a pain because of the license agreement and garbage collection
]; ];


@ -1,25 +0,0 @@
{ pkgs, ... }:
{
programs.neovim = {
enable = true;
viAlias = true;
vimAlias = true;
defaultEditor = true;
configure = {
customRC = ''
" your custom vimrc
set nocompatible
set backspace=indent,eol,start
" Turn on syntax highlighting by default
syntax on
set autoindent
" ...
'';
packages.myplugins = with pkgs.vimPlugins; {
start = [ vim-nix vim-lastplace vim-yaml ];
opt = [];
};
};
};
}

profiles/ai.nix Normal file

@ -0,0 +1,49 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./base.nix
../services/podman.nix
../services/ollama.nix
# ../services/whisper.nix
];
environment.systemPackages = with pkgs.unstable; [
# ollama
# openai-whisper
# openai-whisper-cpp
# wyoming-faster-whisper
# subtitlr
# piper-tts
# #piper-train #broken
# wyoming-piper
# python3
# python3Packages.torchWithCuda
# python3Packages.openai-whisper
# python3Packages.faster-whisper
# python3Packages.scipy
# python3Packages.numba-scipy
# python3Packages.scikit-image
# python3Packages.traittypes
# python3Packages.statsmodels
# python3Packages.scikits-odes
# python3Packages.sympy
# python3Packages.numpy
# python3Packages.pandas
# python3Packages.matplotlib
# python3Packages.tensorflow
# python3Packages.tensorboard
# python3Packages.keras
# python3Packages.transformers
# python3Packages.torch
# python3Packages.torchvision-bin
# python3Packages.torchsde
# python3Packages.torchaudio-bin
# python3Packages.torchWithRocm
# python3Packages.torchWithCuda
# python3Packages.scikit-learn-extra
];
}


@ -7,28 +7,45 @@ imports =
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
git git
wget
rsync rsync
ripgrep ripgrep
neofetch
htop htop
bottom bottom
killall
foot.terminfo foot.terminfo
tailscale tailscale
]; ];
#just allow unfree, im fine with it.
nixpkgs.config.allowUnfree = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
#system vide bash aliases. # Configure console
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
#tailscale
services.tailscale.enable = true;
#system vide bash aliases. TODO: check if only one of these works so i dont need duplicates.
programs.bash.shellAliases = config.environment.shellAliases;
environment.shellAliases = { environment.shellAliases = {
gst="git status"; gst="git status";
gcm="git commit -m"; gcm="git commit -m";
gca="git commit --amend";
gsw="git switch"; gsw="git switch";
gaa="git add -A"; gaa="git add -A";
gb="git branch"; gb="git branch";
@ -36,12 +53,10 @@ imports =
la="ls -la"; la="ls -la";
lls="ls"; lls="ls";
}; };
programs.bash.shellAliases = config.environment.shellAliases;
environment.interactiveShellInit = '' environment.interactiveShellInit = ''
alias gst='git status' alias gst='git status'
alias gcm='git commit -m' alias gcm='git commit -m'
alias gca='git commit --amend'
alias gsw='git switch' alias gsw='git switch'
alias gaa='git add -A' alias gaa='git add -A'
alias gb='git branch' alias gb='git branch'
@ -50,6 +65,8 @@ imports =
alias lls='ls' alias lls='ls'
''; '';
#TODO: ssh hosts.
#nix stuff #nix stuff
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.gc.automatic = true; nix.gc.automatic = true;
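Review bot: The aliases are now declared three times: in `environment.shellAliases`, again through `programs.bash.shellAliases = config.environment.shellAliases;`, and a third time as `alias` lines in `environment.interactiveShellInit`. The new TODO asks which copy is needed; in NixOS the bash module already defaults `programs.bash.shellAliases` to `environment.shellAliases`, so the explicit assignment is a no-op and the `interactiveShellInit` copy only repeats what the option emits for bash. Keep `environment.shellAliases` alone and delete the other two, which also removes the drift risk this hunk already shows (`gca` had to be added in two places). Separately, `services.tailscale.enable = true;` moving into the base profile means every host, desktops included, now runs tailscaled; that is probably intended but deserves a one-line comment such as `# every host joins the tailnet; the firewall still applies to tailscale0`. The `imports` list at the top of this file is outside the hunk.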


@ -3,10 +3,44 @@
imports = imports =
[ [
./base.nix ./base.nix
./sound.nix #all i would ever need in sound.
../packages/vim.nix ../packages/vim.nix
../home/code.nix #../home/home-full.nix
../packages/steam.nix ../packages/steam.nix
]; ];
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
liberation_ttf
fira-code
fira-code-symbols
mplus-outline-fonts.githubRelease
dina-font
proggyfonts
nerdfonts
ubuntu_font_family
];
# Enable CUPS to print documents.
services.printing.enable = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "no";
xkbVariant = "";
};
#TODO: add sway with home manager to get proper dotfiles. Possibly in its own sway file.
#TODO: add hyperland.
} }

profiles/sound.nix Normal file

@ -0,0 +1,82 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./base.nix
];
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
environment.systemPackages = with pkgs; [
pavucontrol
wireplumber
easyeffects
ncpamixer
qpaeq
#more audio stuff, but not essential
#synths
qsynth
fluidsynth
synthesia
vital
picoloop
bespokesynth-with-vst2
fmsynth
polyphone #soundfont editor
#vocaloids
openutau
#daw
ardour
lmms
rosegarden
musescore
#playing audio
cmus
cmusfm
whistle
cozy
lollypop
deadbeef
deadbeef-with-plugins
libsForQt5.elisa
radiotray-ng
shortwave
radioboat
qradiolink
pithos
gnomeExtensions.internet-radio
gqrx
headset
nuclear
spotifyd
spotifywm
spotify-qt
spotify-tui
spotify-tray
tenacity
libsForQt5.soundkonverter
];
programs.dconf.enable = true; #needed for easyeffects for some reason
}
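Review bot: The `environment.systemPackages` list installs a large, overlapping set of audio applications system-wide — five Spotify front-ends (`spotifyd`, `spotifywm`, `spotify-qt`, `spotify-tui`, `spotify-tray`), both `deadbeef` and `deadbeef-with-plugins`, SDR tooling (`gqrx`, `qradiolink`) and a GNOME extension on what `desktop.nix` configures as a Plasma desktop. Every one of these lands in the system closure of each host importing the profile and widens its attack surface and update burden for software that at most one user runs, so trim the list to what is actually used and move per-user players into `users.users.<name>.packages` or Home Manager. The heading comment `#more audio stuff, but not essential` already concedes this; splitting the list under `# core: pipewire tooling` and `# optional: user-level players, candidates for home-manager` would make the next cleanup obvious. `wireplumber.enable = true` is also the default once `services.pipewire.enable` is set, so it can go or be kept with a note saying it is explicit on purpose.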


@ -1,12 +1,15 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
#in all practicality equvivalent with elrond, but i migth get another puplic facing machine, so nice to have. (would need to move nginx routes to machine specific in that case)
imports = imports =
[ [
./base.nix ./base.nix
./sops.nix ./sops.nix
../services/acme.nix
../services/nginx.nix ../services/nginx.nix
../services/fail2ban.nix
#../services/authelia.nix #../services/authelia.nix
#../services/fail2ban.nix
]; ];
} }
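Review bot: `../services/fail2ban.nix` is now imported unconditionally for web hosts, while `services/ssh.nix` later in this commit enables `sshguard`; if a host imports both, two independent ban daemons rewrite the firewall for the same SSH log lines, which is redundant and makes bans hard to reason about when one of them is later disabled. Pick one — fail2ban, which can also watch the nginx access log, is the better fit for a web host — and leave a comment in the other module explaining why it is not used there. The new top-of-file note about moving nginx routes to per-machine files is already half done by the `routes.nix` added to elrond in this commit, so the comment could say so: `# per-host vhosts live in machines/<host>/routes.nix; this profile only carries the shared reverse-proxy/ACME/fail2ban setup`.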

services/acme.nix Normal file

@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
{
#declare secrets
sops.secrets."acme/certs" = { };
networking.enableIPv6 = false; #For some reason acme only works without ipv6, probably because of missing AAAA records.
networking.domain = "lauterer.it";
#acme and certs helpful blog https://carjorvaz.com/posts/
security.acme = {
acceptTerms = true;
defaults.email = "adrian+acme@lauterer.it";
certs."${config.networking.domain}" = {
domain = "${config.networking.domain}";
extraDomainNames = [
"*.${config.networking.domain}"
#"256.no"
#"*.256.no"
#"*.addictedmaker.eu"
#"addictedmaker.eu"
];
## for testing.
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
#enableDebugLogs = true;
#legos registrar specific stuff.
dnsResolver = "ns1.hyp.net:53";
dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
dnsPropagationCheck = true;
#need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
credentialsFile = config.sops.secrets."acme/certs".path;
};
};
#add proxyserver to acme group
users.users.nginx.extraGroups = [ "acme" ];
users.users.root.extraGroups = [ "acme" ];
}
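Review bot: `users.users.root.extraGroups = [ "acme" ];` grants nothing — root bypasses file permissions — so it only suggests that something running as root was once expected to read the certificates; drop it and keep the `nginx` membership, which is the one that matters because `useACMEHost` makes nginx read `/var/lib/acme/<domain>/`. `networking.enableIPv6 = false;` switches IPv6 off for the whole host to work around an ACME failure, but with `dnsProvider = "domeneshop"` this is a DNS-01 flow where the only v6 traffic is lego reaching the ACME API and `ns1.hyp.net`, so the likelier cause is broken outbound v6 on the box rather than missing AAAA records; verify that with a plain `curl -6` before paying for it with a host-wide setting, and in any case mark it as a workaround, e.g. `# WORKAROUND: outbound IPv6 is broken on this host and lego then fails to reach the ACME API; revisit`. Worth a comment as well: the wildcard certificate is shared by every vhost, and `credentialsFile` is the registrar API token for the whole zone, so whoever can read that sops secret can issue certificates for any name under `lauterer.it`.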


@ -1,53 +1,16 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
#declare secrets #declare secrets
sops.secrets."acme/certs" = { };
sops.secrets."nginx/defaultpass" = { sops.secrets."nginx/defaultpass" = {
restartUnits = [ "nginx.service" ]; restartUnits = [ "nginx.service" ];
owner = "nginx"; owner = "nginx";
}; };
networking.enableIPv6 = false; # lol for some reason acme works without ipv6
networking.domain = "lauterer.it";
#acme and certs helpful blog https://carjorvaz.com/posts/
security.acme = {
acceptTerms = true;
defaults.email = "adrian+acme@lauterer.it";
certs."${config.networking.domain}" = {
domain = "*.${config.networking.domain}";
extraDomainNames = [
"${config.networking.domain}"
#"${config.networking.domain}"
#"lauterer.it"
#"*.lauterer.it"
#"*.256.no"
];
#server = "https://acme-staging-v02.api.letsencrypt.org/directory"; #for testing.
enableDebugLogs = true;
dnsResolver = "ns1.hyp.net:53";
dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
dnsPropagationCheck = true;
#need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
credentialsFile = config.sops.secrets."acme/certs".path;
};
};
#add proxyserver to acme
users.users.nginx.extraGroups = [ "acme" ];
users.users.root.extraGroups = [ "acme" ];
# services.oauth2_proxy = { # services.oauth2_proxy = {
# enable = true; # enable = true;
# } # }
#proxy stuff #proxy stuff
services.nginx = { services.nginx = {
enable = true; enable = true;
statusPage = true; statusPage = true;
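Review bot: After moving the ACME block out, this module still depends on what `services/acme.nix` now provides — `networking.domain` and the `certs."${config.networking.domain}"` entry — because every vhost in `routes.nix` and `ollama.nix` uses `useACMEHost = config.networking.domain`, yet nothing records that dependency. A host that imports `nginx.nix` without `acme.nix` evaluates with `networking.domain = null` and, as far as I can tell, trips the nginx module's "forceSSL without a certificate" assertion late and with an unhelpful message. Add `imports = [ ./acme.nix ];` at the top of this module, or an explicit assertion, plus a header comment such as `# Expects acme.nix (networking.domain + wildcard cert) alongside; vhosts use useACMEHost = config.networking.domain`. `statusPage = true` is fine — NixOS only allows `stub_status` from localhost — but a short comment saying so saves the next reviewer the lookup. The `services.nginx` block continues outside the hunk.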

services/ollama.nix Normal file

@ -0,0 +1,29 @@
{ config, pkgs, lib, ... }:
{
environment.systemPackages = [
pkgs.ollama
];
services.ollama.enable = true;
services.ollama.listenAddress = "0.0.0.0:11434";
services.ollama.models = "/var/lib/ollama/models";
services.ollama.home = "/var/lib/ollama";
#possibly a flawed idea.
services.ollama.acceleration = lib.mkDefault ( let
hostname = config.networking.hostname;
in
if hostname == "galadriel" then "cuda"
else if hostname == "aragorn" then "rocm"
else null);
services.nginx.virtualHosts."ollama.${config.networking.hostName}.${config.networking.domain}" = {
forceSSL = true;
#useACMEHost = config.networking.domain; #not sure if this will work, unless
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://${config.services.ollama.listenAddress}";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
}
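Review bot: `services.ollama.acceleration` reads `config.networking.hostname`, but the option is `networking.hostName` (spelled correctly on the vhost line below), so evaluating this module fails with a missing-attribute error before anything else is reached; the comparison also tests `"aragorn"` while the flake names the host `aragon`, so even once fixed the ROCm branch would never be taken. `listenAddress = "0.0.0.0:11434"` binds an unauthenticated API on every interface while the only intended client is the local nginx vhost that adds basic auth; bind to loopback so that a firewall mistake or the tailscale interface cannot bypass that auth. `forceSSL = true` with `useACMEHost` commented out leaves the vhost with no certificate, which the nginx module rejects at evaluation time as far as I can tell; restore `useACMEHost` (it works whenever `services/acme.nix` is imported on the host) or drop the vhost until it is. Rewritten lines:
```nix
services.ollama.listenAddress = "127.0.0.1:11434"; # only the nginx vhost below talks to it
# … unchanged: models/home …
services.ollama.acceleration = lib.mkDefault (let
  hostname = config.networking.hostName; # option is hostName, not hostname
in
  if hostname == "galadriel" then "cuda"
  else if hostname == "aragon" then "rocm" # must match the flake's host name
  else null);
services.nginx.virtualHosts."ollama.${config.networking.hostName}.${config.networking.domain}" = {
  forceSSL = true;
  useACMEHost = config.networking.domain; # requires services/acme.nix on this host
  # … unchanged: locations, basicAuthFile …
};
```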


@ -26,5 +26,5 @@
port = 22; port = 22;
openFirewall = true; openFirewall = true;
}; };
services.sshguard.enable = true; #protection against brute force attacks like fail2ban services.sshguard.enable = true; #protection against brute force attacks
} }


@ -5,82 +5,80 @@ let
savePath = "/Main/Data/media/Downloads/"; savePath = "/Main/Data/media/Downloads/";
path = "/var/lib/qbittorrent"; path = "/var/lib/qbittorrent";
contentLayout = "Subfolder";
configurationFile = '' configurationFile = ''
[Application] [Application]
FileLogger\Age=1 FileLogger\Age=1
FileLogger\AgeType=1 FileLogger\AgeType=1
FileLogger\Backup=true FileLogger\Backup=true
FileLogger\DeleteOld=true FileLogger\DeleteOld=true
FileLogger\Enabled=true FileLogger\Enabled=true
FileLogger\MaxSizeBytes=66560 FileLogger\MaxSizeBytes=66560
FileLogger\Path=/Main/Data/media/.qbittorrent/logs FileLogger\Path=/Main/Data/media/.qbittorrent/logs
MemoryWorkingSetLimit=8192 MemoryWorkingSetLimit=8192
[BitTorrent] [BitTorrent]
Session\AddExtensionToIncompleteFiles=true Session\AddExtensionToIncompleteFiles=true
Session\AlternativeGlobalDLSpeedLimit=1000 Session\AlternativeGlobalDLSpeedLimit=1000
Session\AlternativeGlobalUPSpeedLimit=1000 Session\AlternativeGlobalUPSpeedLimit=1000
Session\AnonymousModeEnabled=false Session\AnonymousModeEnabled=false
Session\BTProtocol=Both Session\BTProtocol=Both
Session\BandwidthSchedulerEnabled=false Session\BandwidthSchedulerEnabled=false
Session\DefaultSavePath=/Main/Data/media/Downloads Session\DefaultSavePath=/Main/Data/media/Downloads
Session\Encryption=1 Session\Encryption=1
Session\ExcludedFileNames= Session\ExcludedFileNames=
Session\FinishedTorrentExportDirectory=/Main/Data/media/Downloads/torrents-complete Session\FinishedTorrentExportDirectory=/Main/Data/media/Downloads/torrents-complete
Session\GlobalDLSpeedLimit=0 Session\GlobalDLSpeedLimit=0
Session\GlobalMaxRatio=1.5 Session\GlobalMaxRatio=1.5
Session\GlobalUPSpeedLimit=0 Session\GlobalUPSpeedLimit=0
Session\I2P\Enabled=true Session\I2P\Enabled=true
Session\IgnoreLimitsOnLAN=true Session\IgnoreLimitsOnLAN=true
Session\IncludeOverheadInLimits=true Session\IncludeOverheadInLimits=true
Session\Interface=tun0 Session\Interface=tun0
Session\InterfaceAddress=${config.sops.placeholder."qbittorrent/interfaceAddress"} Session\InterfaceAddress=${config.sops.placeholder."qbittorrent/interfaceAddress"}
Session\InterfaceName=tun0 Session\InterfaceName=tun0
Session\LSDEnabled=true Session\LSDEnabled=true
Session\MaxActiveCheckingTorrents=15 Session\MaxActiveCheckingTorrents=15
Session\MaxRatioAction=1 Session\MaxRatioAction=1
Session\Port=44183 Session\Port=44183
Session\Preallocation=true Session\Preallocation=true
Session\QueueingSystemEnabled=false Session\QueueingSystemEnabled=false
Session\SubcategoriesEnabled=true Session\SubcategoriesEnabled=true
Session\Tags=movie, anime Session\Tags=movie, anime
Session\TempPath=/Main/Data/media/Downloads/temp Session\TempPath=/Main/Data/media/Downloads/temp
Session\TempPathEnabled=true Session\TempPathEnabled=true
Session\TorrentContentLayout=${contentLayout} Session\TorrentContentLayout=Subfolder
Session\TorrentExportDirectory=/Main/Data/media/Downloads/torrents Session\TorrentExportDirectory=/Main/Data/media/Downloads/torrents
Session\UseAlternativeGlobalSpeedLimit=false Session\UseAlternativeGlobalSpeedLimit=false
[Core] [Core]
AutoDeleteAddedTorrentFile=Never AutoDeleteAddedTorrentFile=Never
[LegalNotice] [LegalNotice]
Accepted=true Accepted=true
[Meta] [Meta]
MigrationVersion=6 MigrationVersion=6
[Network] [Network]
PortForwardingEnabled=true PortForwardingEnabled=true
[Preferences] [Preferences]
General\Locale=en General\Locale=en
MailNotification\req_auth=true MailNotification\req_auth=true
Scheduler\days=Weekday Scheduler\days=Weekday
Scheduler\end_time=@Variant(\0\0\0\xf\x5%q\xa0) Scheduler\end_time=@Variant(\0\0\0\xf\x5%q\xa0)
WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8 WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8
WebUI\AuthSubnetWhitelistEnabled=true WebUI\AuthSubnetWhitelistEnabled=true
WebUI\Port=${toString port} WebUI\Port=${toString port}
WebUI\UseUPnP=false WebUI\UseUPnP=false
[RSS]
AutoDownloader\DownloadRepacks=true
AutoDownloader\EnableProcessing=true
AutoDownloader\SmartEpisodeFilter=s(\\d+)e(\\d+), (\\d+)x(\\d+), "(\\d{4}[.\\-]\\d{1,2}[.\\-]\\d{1,2})", "(\\d{1,2}[.\\-]\\d{1,2}[.\\-]\\d{4})"
Session\EnableProcessing=true
'';
[RSS]
AutoDownloader\DownloadRepacks=true
AutoDownloader\EnableProcessing=true
AutoDownloader\SmartEpisodeFilter=s(\\d+)e(\\d+), (\\d+)x(\\d+), "(\\d{4}[.\\-]\\d{1,2}[.\\-]\\d{1,2})", "(\\d{1,2}[.\\-]\\d{1,2}[.\\-]\\d{4})"
Session\EnableProcessing=true
'';
in in
{ {
@ -94,18 +92,17 @@ in
sops.secrets."qbittorrent/interfaceAddress" = { sops.secrets."qbittorrent/interfaceAddress" = {
restartUnits = [ "qbittorrent-nox.service" ]; restartUnits = [ "qbittorrent-nox.service" ];
owner = "qbittorrent";
mode = "0755"; mode = "0755";
}; };
sops.templates."qbittorrent/configuration" = { sops.templates."qbittorrent/configuration" = {
content = configurationFile; content = configurationFile;
#path = "${path}/.config/qBittorrent/qBittorrent.conf"; #path = "${path}/.config/qBittorrent/qBittorrent.conf"; #did not seem to work
owner = "qbittorrent"; owner = "qbittorrent";
mode = "0755"; mode = "0755";
}; };
users.users.qbittorrent = { users.users.qbittorrent = {
isNormalUser = true; #make this a normal user to be able to make files isNormalUser = true; #make this a normal user to be able to make files
home = path; home = path;
@ -129,6 +126,14 @@ in
ProtectKernelModules = true; ProtectKernelModules = true;
NoNewPrivileges = true; NoNewPrivileges = true;
}; };
};
services.nginx.virtualHosts."qbittorrent.${config.networking.hostName}.${config.networking.domain}" = {
forceSSL = true;
#useACMEHost = config.networking.domain; #not sure if this will work, unless
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:${port}";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
}; };
} }
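Review bot: The `sops.secrets."qbittorrent/interfaceAddress"` block in the second hunk drops its `owner` but keeps `mode = "0755"`, which leaves the VPN interface address — and, through the identically-moded template right below it, the entire rendered qBittorrent configuration — readable (and executable) by every user on the host. As far as this file shows the secret is only consumed via `config.sops.placeholder` when sops-nix renders the template as root, so it needs no group or world bits: `mode = "0400";` on the secret, and `mode = "0400";` with the existing `owner = "qbittorrent"` on the template, are sufficient. A related nit in the last hunk: `proxyPass = "http://localhost:${port}"` interpolates `port` bare while the configuration above writes `${toString port}`; if `port` is an integer Nix will refuse the coercion, so `"http://localhost:${toString port}"` is the safe spelling. The `users.users.qbittorrent` definition and the systemd hardening block these hunks sit in continue outside the visible lines.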

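--- /dev/null
+++ b/services/whisper.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+{
+environment.systemPackages = [
+pkgs.wyoming-faster-whisper
+pkgs.whisper
+pkgs.openai-whisper
+pkgs.openai-whisper-cpp
+];
+services.wyoming.faster-whisper = {
+package = pkgs.wyoming-faster-whisper;
+servers = {
+fast = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10300";
+device = "cuda";
+language = "en";
+beamSize = 1;
+};
+fast-no = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10301";
+device = "cuda";
+language = "no";
+beamSize = 1;
+};
+fast-auto = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10302";
+device = "cuda";
+language = "auto";
+beamSize = 1;
+};
+fast-cpu = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10303";
+device = "cpu";
+language = "auto";
+beamSize = 1;
+};
+slow = {
+enable = true;
+model = "small";
+uri = "tcp://0.0.0.0:10304";
+device = "auto";
+language = "auto";
+beamSize = 5;
+};
+};
+};
+services.nginx.virtualHosts."whisper.${config.networking.hostName}.${config.networking.domain}" = {
+forceSSL = true;
+#useACMEHost = config.networking.domain; #not sure if this will work, unless
+locations."/" = {
+proxyWebsockets = true;
+proxyPass = "${config.services.services.wyoming.faster-whisper.servers.fast.uri}";
+};
+basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+};
+}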
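Review bot: `proxyPass = "${config.services.services.wyoming.faster-whisper.servers.fast.uri}"` cannot work: the path contains `services` twice, and even with that fixed it expands to `tcp://0.0.0.0:10300`, which is not a URL prefix nginx's `proxy_pass` accepts — so either evaluation fails or the generated nginx config fails validation and takes every other vhost on the host down with it. Wyoming is a raw TCP protocol rather than HTTP, so an HTTP `locations."/"` block with `basicAuthFile` provides no access control for these servers at all; the only thing limiting who can submit audio to ports 10300–10304 is the network, and every `uri` here binds `0.0.0.0`. If the servers are meant to be reached only locally, change each `uri` to bind `127.0.0.1` and drop this vhost (or replace it with a `services.nginx.streamConfig` block); if remote clients need them, note that in a comment and restrict the five ports in the firewall explicitly. The four `device = "cuda"` entries also hard-code a GPU for whichever host imports this module, which is worth a comment given there is no per-host selection like the ollama service uses.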