386 lines
9.2 KiB
Nix
386 lines
9.2 KiB
Nix
{ config, pkgs, lib, ... }:
|
||
|
||
{
|
||
#nixpkgs.overlays = overlays;
|
||
nixpkgs.config.allowUnfreePredicate = (pkg: true);
|
||
nixpkgs.config.allowUnfree = true;
|
||
system.autoUpgrade.enable = true; # daily nixos-rebuild switch, no reboot by default
|
||
|
||
# TODO: can i make this non-string?
|
||
nix.extraOptions = ''
|
||
experimental-features = nix-command flakes
|
||
'';
|
||
|
||
# TODO: move to pbsds home
|
||
programs.ssh.extraConfig = ''
|
||
Host *.ntnu.no *.pvv.org
|
||
User pederbs
|
||
'';
|
||
|
||
# deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
|
||
nix.settings.auto-optimise-store = true;
|
||
#nix.optimize.automatic = true; # periodic optimization
|
||
nix.gc.automatic = true;
|
||
nix.gc.dates = "weekly";
|
||
nix.gc.options = "--delete-older-than 30d";
|
||
|
||
imports = [
|
||
./hardware-configuration.nix # results of hardware scan
|
||
./cachix.nix
|
||
|
||
./profiles/web
|
||
./profiles/web/index
|
||
./profiles/web/cinny
|
||
./profiles/web/element
|
||
./profiles/web/flexget
|
||
./profiles/web/gitea
|
||
./profiles/web/hydra
|
||
./profiles/web/invidious
|
||
./profiles/web/jellyfin
|
||
./profiles/web/libreddit
|
||
./profiles/web/mattermost
|
||
./profiles/web/navidrome
|
||
./profiles/web/netdata
|
||
./profiles/web/nitter
|
||
./profiles/web/ntopng
|
||
./profiles/web/owncast
|
||
./profiles/web/paperless
|
||
./profiles/web/polaris
|
||
./profiles/web/resilio
|
||
./profiles/web/roundcube
|
||
./profiles/web/thelounge
|
||
./profiles/web/vaultwarden
|
||
./profiles/web/webdav-zotero
|
||
#./profiles/web/convos
|
||
#./profiles/web/cryptpad
|
||
#./profiles/web/galene
|
||
#./profiles/web/graphana
|
||
#./profiles/web/hedgedoc
|
||
#./profiles/web/home-assistant
|
||
#./profiles/web/jitsi-meet
|
||
#./profiles/web/kukkee
|
||
#./profiles/web/matrix-synapse
|
||
#./profiles/web/shlink
|
||
#./profiles/web/sourcegraph
|
||
|
||
./profiles/web/pdoc
|
||
./profiles/web/linktree-pbsds
|
||
./profiles/web/refleksjon-no
|
||
./profiles/web/roroslyd-no
|
||
./profiles/web/trivial-gradios
|
||
./profiles/web/censordodge
|
||
./profiles/web/openspeedtest
|
||
|
||
./profiles/code-remote
|
||
./profiles/remote-builders #
|
||
./profiles/nfs/reidun.nix # NFS mounts
|
||
./profiles/autossh-reverse-tunnels
|
||
#./profiles/xrdp
|
||
|
||
./users
|
||
#./users/pbsds # todo: <- make this possible
|
||
|
||
# How to override package used by module
|
||
# https://github.com/NixOS/nixpkgs/issues/55366
|
||
# TODO: move to where relevant
|
||
<nixos-unstable/nixos/modules/services/misc/jellyfin.nix>
|
||
<nixos-unstable/nixos/modules/services/web-apps/invidious.nix>
|
||
];
|
||
disabledModules = [
|
||
"services/misc/jellyfin.nix"
|
||
"services/web-apps/invidious.nix"
|
||
];
|
||
services.jellyfin.package = pkgs.unstable.jellyfin;
|
||
services.invidious.package = pkgs.unstable.invidious;
|
||
|
||
# TODO: remove? Move to where relevant
|
||
nixpkgs.overlays = [ (import ./overlays) ];
|
||
|
||
# Allow unstable packages.
|
||
nixpkgs.config.packageOverrides = pkgs: {
|
||
unstable = import <nixos-unstable> {
|
||
config = config.nixpkgs.config;
|
||
};
|
||
# TODO: nur
|
||
};
|
||
|
||
# enable opengl (headless)
|
||
hardware.opengl.enable = true;
|
||
#hardware.opengl.extraPackages = [ pkgs.mesa.drivers ];
|
||
hardware.opengl.extraPackages = with pkgs; [ mesa.drivers vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ];
|
||
|
||
# run/build weird binaries
|
||
boot.binfmt.emulatedSystems = [
|
||
"wasm32-wasi"
|
||
"wasm64-wasi"
|
||
"x86_64-windows"
|
||
"aarch64-linux"
|
||
"riscv64-linux"
|
||
#"x86_64-darwin"
|
||
#"aarch64-darwin"
|
||
];
|
||
|
||
services.thermald.enable = true;
|
||
|
||
# Bootloader
|
||
|
||
boot.loader.grub.enable = true;
|
||
boot.loader.grub.device = "/dev/sda";
|
||
boot.loader.grub.useOSProber = true;
|
||
|
||
|
||
# Virtualization
|
||
|
||
#services.docker.enable = true;
|
||
virtualisation = {
|
||
podman.enable = true;
|
||
# TODO: are these default since 22.11?
|
||
podman.dockerCompat = true; # alias docker to podman
|
||
oci-containers.backend = "podman";
|
||
};
|
||
|
||
|
||
# Networking
|
||
|
||
networking = {
|
||
# Enable networking
|
||
networkmanager.enable = true;
|
||
#wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||
#iwd.enable = true
|
||
|
||
hostName = "noximilien"; # Define your hostname.
|
||
domain = "pbsds.net";
|
||
|
||
interfaces.eno1.ipv4.addresses = [
|
||
{ address = "192.168.1.9"; prefixLength = 24; }
|
||
];
|
||
|
||
nameservers = [
|
||
"192.168.1.254"
|
||
"8.8.8.8"
|
||
];
|
||
defaultGateway = {
|
||
address = "192.168.1.254";
|
||
interface = "eno1";
|
||
};
|
||
|
||
#useDHCP = true;
|
||
};
|
||
|
||
# firewall
|
||
services.fail2ban.enable = true;
|
||
networking.firewall.enable = true; # default
|
||
#networking.firewall.allowedTCPPorts = [ ... ];
|
||
#networking.firewall.allowedUDPPorts = [ ... ];
|
||
|
||
|
||
|
||
# Time zone and internationalisation properties.
|
||
|
||
time.timeZone = "Europe/Oslo";
|
||
i18n.defaultLocale = "en_US.utf8";
|
||
i18n.extraLocaleSettings = {
|
||
LC_ADDRESS = "nb_NO.utf8";
|
||
LC_IDENTIFICATION = "nb_NO.utf8";
|
||
LC_MEASUREMENT = "nb_NO.utf8";
|
||
LC_MONETARY = "nb_NO.utf8";
|
||
LC_NAME = "nb_NO.utf8";
|
||
LC_NUMERIC = "nb_NO.utf8";
|
||
LC_PAPER = "nb_NO.utf8";
|
||
LC_TELEPHONE = "nb_NO.utf8";
|
||
LC_TIME = "nb_NO.utf8";
|
||
};
|
||
services.xserver.layout = "no";
|
||
services.xserver.xkbVariant = "";
|
||
console.keyMap = "no";
|
||
|
||
|
||
|
||
# Installed system packages
|
||
# $ nix search FOOBAR
|
||
|
||
# TODO: prune this, make home-manager deal with the majority
|
||
environment.systemPackages = with pkgs; [
|
||
lsof
|
||
lshw
|
||
htop
|
||
file
|
||
tmux
|
||
#parallel # already provided by moreutils
|
||
pwgen
|
||
git
|
||
nmap
|
||
rsync
|
||
bind.dnsutils
|
||
graphviz
|
||
dialog
|
||
cowsay
|
||
gnused
|
||
gnumake
|
||
coreutils-full
|
||
moreutils
|
||
binutils
|
||
diffutils
|
||
findutils
|
||
usbutils
|
||
bash-completion
|
||
curl
|
||
wget
|
||
strace
|
||
killall
|
||
|
||
zip
|
||
unrar
|
||
unzip
|
||
atool
|
||
p7zip
|
||
bzip2
|
||
gzip
|
||
atool
|
||
|
||
micro
|
||
aspell
|
||
aspellDicts.en
|
||
aspellDicts.nb
|
||
vimv
|
||
dos2unix
|
||
#rmate # TODO: add to nixpkgs
|
||
pandoc
|
||
cargo
|
||
cargo-edit
|
||
sqlite
|
||
#sshuttle
|
||
visidata
|
||
|
||
weston
|
||
cage
|
||
vimix-gtk-themes
|
||
flat-remix-icon-theme
|
||
xclip
|
||
feh
|
||
|
||
sshfs
|
||
|
||
glances
|
||
zenith
|
||
fzf
|
||
tealdeer #tldr
|
||
entr
|
||
axel aria
|
||
bat
|
||
xe # xargs alternative
|
||
sd # sed alternative
|
||
fd # find alternative
|
||
silver-searcher # `ag`
|
||
ripgrep
|
||
jq
|
||
yq
|
||
htmlq
|
||
sysz
|
||
du-dust # du alternative
|
||
ncdu # Disk usage analyzer with an ncurses interface
|
||
|
||
gh
|
||
hub
|
||
|
||
cachix
|
||
nix-output-monitor
|
||
nix-prefetch
|
||
nix-top
|
||
#nix-index
|
||
nix-tree
|
||
nixfmt
|
||
alejandra
|
||
|
||
];
|
||
|
||
# TODO: make this root only?
|
||
programs.bash.shellInit = ''
|
||
if command -v fzf-share >/dev/null; then
|
||
source "$(fzf-share)/key-bindings.bash"
|
||
source "$(fzf-share)/completion.bash"
|
||
fi
|
||
'';
|
||
|
||
# TODO: make this root only?
|
||
programs.bash.shellAliases."ed" = "micro"; # TODO: ${EDITOR:-micro}
|
||
environment.variables."EDITOR" = "micro";
|
||
|
||
# TODO: remove? Move?
|
||
programs.dconf.enable = true;
|
||
|
||
# System fonts
|
||
# Nice to have when X-forwading on headless machines
|
||
|
||
fonts.fonts = with pkgs; [
|
||
noto-fonts # includes Cousine
|
||
noto-fonts-cjk
|
||
noto-fonts-emoji
|
||
noto-fonts-extra
|
||
dejavu_fonts
|
||
];
|
||
|
||
# Some programs need SUID wrappers, can be configured further or are
|
||
# started in user sessions.
|
||
#programs.mtr.enable = true;
|
||
#programs.gnupg.agent = {
|
||
# enable = true;
|
||
# enableSSHSupport = true;
|
||
#};
|
||
|
||
|
||
# OpenSSH
|
||
|
||
services.openssh.enable = true;
|
||
services.openssh.forwardX11 = true;
|
||
|
||
|
||
# auto domain update
|
||
systemd.services.domeneshop-updater = {
|
||
description = "domene.shop domain updater";
|
||
#after = [ "something?.service" ];
|
||
#wants = [ "something?.service" ];
|
||
serviceConfig = let
|
||
prog = pkgs.writeShellApplication {
|
||
name = "domeneshop-dyndns-updater.sh";
|
||
runtimeInputs = with pkgs; [ curl yq ];
|
||
text = ''
|
||
test -s /var/lib/secrets/domeneshop.toml || {
|
||
>&2 echo "ERROR: /var/lib/secrets/domeneshop.toml not found!"
|
||
exit 1
|
||
}
|
||
DOMENESHOP_TOKEN="$(tomlq .secrets.DOMENESHOP_TOKEN /var/lib/secrets/domeneshop.toml --raw-output)"
|
||
DOMENESHOP_SECRET="$(tomlq .secrets.DOMENESHOP_SECRET /var/lib/secrets/domeneshop.toml --raw-output)"
|
||
curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname=olavtr.pbsds.net
|
||
'';
|
||
};
|
||
in {
|
||
User = "domeneshop";
|
||
Group = "domeneshop";
|
||
DynamicUser = true;
|
||
ExecStart = "${prog}/bin/domeneshop-dyndns-updater.sh";
|
||
PrivateTmp = true;
|
||
};
|
||
};
|
||
systemd.timers.domeneshop-updater = let interval = "5h"; in {
|
||
description = "Update domene.shop every ${interval}";
|
||
wantedBy = [ "timers.target" ];
|
||
timerConfig = {
|
||
OnBootSec = "5m";
|
||
OnUnitInactiveSec = interval;
|
||
Unit = "domeneshop-updater.service";
|
||
};
|
||
};
|
||
|
||
|
||
# This value determines the NixOS release from which the default
|
||
# settings for stateful data, like file locations and database versions
|
||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||
# this value at the release version of the first install of this system.
|
||
# Before changing this value read the documentation for this option
|
||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||
system.stateVersion = "22.11"; # Did you read the comment?
|
||
#system.stateVersion = "22.05"; # Did you read the comment?
|
||
|
||
}
|