Compare commits


No commits in common. "cd28907c9e0b9a6c7e15a6b5f937522553adcfbc" and "dd5b13e630281caa36077bcbb1fff85a1718938d" have entirely different histories.

35 changed files with 342 additions and 473 deletions


@ -6,15 +6,13 @@
Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, home-manager, and flake-parts modules.
> [!CAUTION]
> I tried to make the modules in this repository useful to others without having
> to modify them, meaning I tried to have many configuration options, have them
> be disabled by default, etc. That is no more and although I still encourage
> people to use my config for learning and inspiration, the modules will now
> assume they're running in my infrastructure and I'll only add configuration
> and/or enabling options when it makes sense to me, personally.
> I tried to make the modules in this repository useful to others without having to modify them,
> meaning I tried to have many configuration options, have them be disabled by default, etc.
> That is no more and although I still encourage people to use my config for learning and inspiration,
> the modules will now assume they're running in my infrastructure and I'll only add
> configuration and/or enabling options when it makes sense to me, personally.
## Project structure
- hosts - per-machine configurations
- kazuki - my linux arm server
- legion - my linux x86 server
@ -26,38 +24,29 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin,
- system - my opinionated nixos/nix-darwin modules
- home - my opinionated home-manager modules
- flake - flake-parts modules
- services - configs for services I self-host
- secrets - agenix secrets
- wrappers - nix packages wrapped with my configs (see:
[wrapper-manager](https://github.com/viperML/wrapper-manager))
- wrappers - nix packages wrapped with my configs (see: [wrapper-manager](https://github.com/viperML/wrapper-manager))
- assets - miscellaneous values reused throughout my config
- effects.nix - hercules-ci configuration
## Code guidelines
Not set rules but general guidelines for myself to hopefully keep this config
clean, maintainable, and reusable.
Not set rules but general guidelines for myself to hopefully keep this config clean, maintainable, and reusable.
- only importing downwards. this means no
`imports = [ ../../foo/bar/some-module.nix ];`
- ideally only one level of imports. this means i'll try to only do
`imports = [ ./foo ];` or `imports = [ ./bar.nix ]` but not
`imports = [ ./x/y/z.nix ];`
- the file should be roughly in order of most interesting to least interesting
options.
- only importing downwards. this means no `imports = [ ../../foo/bar/some-module.nix ];`
- ideally only one level of imports.
this means i'll try to only do `imports = [ ./foo ];` or `imports = [ ./bar.nix ]` but not `imports = [ ./x/y/z.nix ];`
- the file should be roughly in order of most interesting to least interesting options.
- `imports` should be the first attribute (except for `_file`)
- there should be no implicit state anywhere in the config. (sounds obvious but
this is already broken with legion and the zfs pool but i'll let that one
slide) to achieve this i still need to create a proper live iso with my config
and my bootstrapping ssh key
- there should be no implicit state anywhere in the config.
(sounds obvious but this is already broken with legion and the zfs pool but i'll let that one slide)
to achieve this i still need to create a proper live iso with my config and my bootstrapping ssh key
## TODOs
Sorted rougly by priority
- bring back ci (sorta done)
- hercules-ci effects for deploying machines on update (if configuration is
valid)
- hercules-ci effects for deploying machines on update (if configuration is valid)
- fix disko
- make the configuration truly declarative (to a reasonable degree)
- themeing solution


@ -16,7 +16,6 @@
./modules
./wrappers
./pkgs
./services
];
perSystem =
@ -55,18 +54,6 @@
programs.nixfmt.enable = true;
programs.statix.enable = true;
programs.fish_indent.enable = true;
programs.deno.enable = true;
programs.stylua.enable = true;
programs.shfmt.enable = true;
settings.global.excludes = [
# agenix
"*.age"
# racket
"*.rkt"
"**/rashrc"
];
settings.on-unmatched = "fatal";
};
};
};
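Review bot: The second hunk shrinks from 18 lines to 6, which on this page (markers lost) looks like it drops `settings.on-unmatched = "fatal"` and the `*.age` / `*.rkt` / `rashrc` excludes along with the deno, stylua and shfmt formatters; I cannot be certain which of the lines after `programs.fish_indent.enable` survive. If `on-unmatched` is gone, treefmt will silently skip any file no formatter claims instead of failing the check, and the repo's Lua (see the wezterm.lua hunk, which is reformatted in this same commit) and shell files go unformatted. If removing the formatters is intentional, keep `settings.on-unmatched = "fatal";` and keep the `"*.age"` exclude so encrypted secrets are never handed to a formatter.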


@ -1,8 +1,8 @@
builds:
include:
- "devShells.*.*"
- "packages.*.*"
- "formatter.*"
- "nixosConfigurations.*"
- "darwinConfigurations.*"
- "homeConfigurations.*"
- 'devShells.*.*'
- 'packages.*.*'
- 'formatter.*'
- 'nixosConfigurations.*'
- 'darwinConfigurations.*'
- 'homeConfigurations.*'


@ -62,10 +62,7 @@
nixos =
name: module:
baseNixos.extendModules {
modules = [
module
config.__extraHostConfigs.${name} or { }
];
modules = [ module ];
specialArgs.configurationName = name;
};
@ -73,10 +70,7 @@
name: module:
let
eval = baseDarwin._module.args.extendModules {
modules = [
module
config.__extraHostConfigs.${name} or { }
];
modules = [ module ];
specialArgs.configurationName = name;
};
in


@ -15,7 +15,7 @@
nixpkgs.system = "aarch64-darwin";
settei.user.config = {
settei.desktop.enable = true;
common.desktop.enable = true;
home.packages = with pkgs; [
utm
qemu
@ -28,7 +28,7 @@
};
# TODO: Declarative syncthing config
};
settei.incus.enable = true;
common.incus.enable = true;
# TODO: Setup podman remote
system.defaults = {

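--- /dev/null
+++ b/hosts/kazuki/attic.nix
+{ config, lib, ... }:
+let
+atticPort = 9476;
+in
+{
+age.secrets.attic-creds = {
+file = ../../secrets/attic-creds.age;
+owner = config.services.atticd.user;
+};
+age.secrets.nrab-lol-cf = {
+file = ../../secrets/nrab-lol-cf.age;
+owner = config.services.nginx.user;
+};
+services.atticd = {
+enable = true;
+environmentFile = config.age.secrets.attic-creds.path;
+settings = {
+listen = "[::]:${toString atticPort}";
+storage = {
+type = "local";
+path = "/storage-box";
+};
+compression.type = "none";
+chunking = {
+nar-size-threshold = 0;
+min-size = 0;
+avg-size = 0;
+max-size = 0;
+};
+api-endpoint = "https://attic.nrab.lol/";
+};
+};
+users = {
+users.atticd = {
+uid = 990;
+isSystemUser = true;
+group = "atticd";
+home = "/var/lib/atticd";
+createHome = true;
+};
+groups.atticd = {
+gid = 988;
+};
+};
+systemd.services.atticd = {
+after = [ "storage\\x2dbox.mount" ];
+serviceConfig.DynamicUser = lib.mkForce false;
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = "nikodem@rabulinski.com";
+};
+users.users.nginx.extraGroups = [ "acme" ];
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+virtualHosts."attic.nrab.lol" = {
+forceSSL = true;
+enableACME = true;
+acmeRoot = null;
+locations."/" = {
+proxyPass = "http://attic";
+};
+extraConfig = ''
+client_max_body_size 24G;
+'';
+};
+virtualHosts."cache.nrab.lol" = {
+forceSSL = true;
+enableACME = true;
+acmeRoot = null;
+locations."/" = {
+proxyPass = "http://attic/public$request_uri";
+};
+extraConfig = ''
+proxy_cache nixstore;
+proxy_cache_use_stale error timeout http_500 http_502;
+proxy_cache_lock on;
+proxy_cache_key $request_uri;
+proxy_cache_valid 200 24h;
+'';
+};
+upstreams."attic".servers = {
+"localhost:${toString atticPort}" = { };
+};
+appendHttpConfig = ''
+proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
+'';
+};
+security.acme.certs."attic.nrab.lol" = {
+dnsProvider = "cloudflare";
+credentialsFile = config.age.secrets.nrab-lol-cf.path;
+};
+security.acme.certs."cache.nrab.lol" = {
+dnsProvider = "cloudflare";
+credentialsFile = config.age.secrets.nrab-lol-cf.path;
+};
+}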
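Review bot: `systemd.services.atticd.after = [ "storage\\x2dbox.mount" ]` only orders atticd after the mount; it is not a dependency, so if the storage-box mount is absent or fails, atticd still starts and its `local` storage backend writes into the empty `/storage-box` directory on the root filesystem, which then shadows the real data once the mount comes up. Pair the ordering with a hard dependency, e.g. `requires = [ "storage\\x2dbox.mount" ];` next to `after`, or `unitConfig.RequiresMountsFor = [ "/storage-box" ];`. Since `DynamicUser` is now forced off in favour of a fixed uid 990 / gid 988, also confirm those ids are free on kazuki — NixOS asserts that declared uids and gids are unique, so a clash with another declared user fails evaluation. The two `security.acme.certs` entries are identical apart from the name and could be generated from one attribute set to keep the Cloudflare credentials path in a single place.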


@ -13,6 +13,7 @@
./mail.nix
./vault.nix
./storage.nix
./attic.nix
./ntfy.nix
./zitadel.nix
./forgejo.nix
@ -41,5 +42,14 @@
routes = [ { Gateway = "fe80::1"; } ];
};
networking.useNetworkd = true;
common.hercules.enable = true;
common.github-runner = {
enable = true;
runners.settei = {
url = "https://github.com/nrabulinski/settei";
instances = 2;
};
};
};
}


@ -4,7 +4,7 @@
{
nixpkgs.system = "aarch64-darwin";
settei.user.config.settei.desktop.enable = true;
settei.user.config.common.desktop.enable = true;
settei.unfree.allowedPackages = [ "teams" ];
environment.systemPackages = with pkgs; [
@ -15,5 +15,11 @@
ipv4 = "100.102.13.61";
ipv6 = "fd7a:115c:a1e0::e126:d3d";
};
common.hercules.enable = true;
common.github-runner = {
enable = true;
runners.settei.url = "https://github.com/nrabulinski/settei";
};
};
}
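Review bot: `common.github-runner` is enabled on this host, but the host is `aarch64-darwin` (the `nixpkgs.system` line above) and the github-runner module's darwin branch, as the github-runner.nix hunk later on this page shows, only emits the warning `common.github-runner doesn't do anything on darwin yet`, so `runners.settei.url` has no effect here and presumably every evaluation of this host prints that warning. Either leave the `common.github-runner` block out of this host until the module supports darwin, or gate it with `common.github-runner = lib.mkIf pkgs.stdenv.isLinux { … };` (`pkgs` is already in scope here, `lib` is assumed to be). The `common.hercules.enable = true` line has the same problem for a different reason, raised at the hercules.nix hunk.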


@ -31,7 +31,7 @@
networking = {
hostName = "legion";
hostId = builtins.substring 0 8 "524209a432724c7abaf04398cdd6eecd";
hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
networkmanager.enable = true;
};
systemd.services.NetworkManager-wait-online.enable = false;
@ -41,7 +41,15 @@
age.secrets.niko-pass.file = ../../secrets/legion-niko-pass.age;
users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;
settei.incus.enable = true;
common.hercules.enable = true;
common.github-runner = {
enable = true;
runners.settei = {
url = "https://github.com/nrabulinski/settei";
instances = 4;
};
};
common.incus.enable = true;
virtualisation.podman.enable = true;
};
}


@ -11,7 +11,7 @@
nixpkgs.config.allowUnfree = true;
settei.user.config = {
settei.desktop.enable = true;
common.desktop.enable = true;
home.packages = with pkgs; [
brightnessctl
dmenu

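--- /dev/null
+++ b/hosts/legion/machine-id
@@ -0,0 +1 @@
+524209a432724c7abaf04398cdd6eecd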


@ -25,7 +25,16 @@
ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6276:2a8b";
};
settei.incus.enable = true;
common.hercules.enable = true;
services.hercules-ci-agent.settings.concurrentTasks = 6;
common.github-runner = {
enable = true;
runners.settei = {
url = "https://github.com/nrabulinski/settei";
instances = 6;
};
};
common.incus.enable = true;
virtualisation.podman.enable = true;
services.nginx = {


@ -1,39 +1,11 @@
{
config,
inputs,
...
}:
let
flakeModule = import ./flake { inherit (inputs) nixpkgs darwin home-manager; };
in
{
imports = [
flakeModule
./system
./flake
];
flake.homeModules = rec {
settei = ./home;
default = settei;
};
flake.flakeModules = rec {
settei = flakeModule;
default = settei;
};
flake.nixosModules = rec {
settei = import ./system {
inherit (config) perInput;
isLinux = true;
};
default = settei;
};
flake.darwinModules = rec {
settei = import ./system {
inherit (config) perInput;
isLinux = false;
};
default = settei;
};
}


@ -1,13 +1,19 @@
{
nixpkgs,
darwin,
home-manager,
flake-parts-lib,
lib,
inputs,
...
}:
let
inherit (flake-parts-lib) importApply;
flakeModules = {
configurations = importApply ./configurations.nix { inherit (inputs) nixpkgs darwin home-manager; };
};
in
{
_file = ./default.nix;
imports = lib.attrValues flakeModules;
imports = [
(import ./configurations.nix { inherit nixpkgs darwin home-manager; })
./services.nix
];
flake = {
inherit flakeModules;
};
}


@ -1,95 +0,0 @@
# List of features I want this module to eventually have
# TODO: Automatic port allocation
# TODO: Making it possible to conveniently isolate services (running them in NixOS containers)
# TODO: Handling specializations
# TODO: Convenient http handling
# TODO: Automatic backup
{ config, lib, ... }:
let
serviceModule =
{ config, ... }:
{
options = {
host = lib.mkOption {
type = lib.types.str;
};
ports = lib.mkOption {
type = with lib.types; listOf port;
default = [ ];
};
hosts = lib.mkOption {
type = with lib.types; listOf str;
default = [ config.host ];
};
config = lib.mkOption {
type = lib.types.deferredModule;
default = { };
};
hostConfig = lib.mkOption {
type = with lib.types; attrsOf deferredModule;
default = { };
};
};
};
moduleToHostConfigs =
cfg:
lib.genAttrs cfg.hosts (host: {
imports = [
cfg.config
(cfg.hostConfig.${host} or { })
];
});
maybeGetPreviousConfigs = acc: host: (acc.${host} or { imports = [ ]; }).imports;
in
{
_file = ./services.nix;
options = {
services = lib.mkOption {
type = with lib.types; attrsOf (submodule serviceModule);
default = { };
};
__extraHostConfigs = lib.mkOption {
type = with lib.types; attrsOf deferredModule;
readOnly = true;
};
};
config.__extraHostConfigs =
let
duplicatePorts = lib.pipe config.services [
lib.attrValues
(map (cfg: cfg.ports))
lib.flatten
(lib.groupBy' (cnt: _: cnt + 1) 0 toString)
(lib.filterAttrs (_: cnt: cnt > 1))
lib.attrNames
];
assertMsg =
let
plural = lib.length duplicatePorts > 1;
in
"\nBad service config:\nThe following port${if plural then "s" else ""} ${
if plural then "were" else "was"
} declared multiple times: ${lib.concatStringsSep ", " duplicatePorts}";
# Here I collect all the services.<name>.config into a flat
# __extraHostConfigs.<host>.imports = [
# ...
# ]
# so that I can easily import them in hosts/default.nix
hostConfigs = lib.pipe config.services [
lib.attrValues
(lib.foldl' (
acc: cfg:
acc
// lib.mapAttrs (host: c: {
imports = c.imports ++ (maybeGetPreviousConfigs acc host);
}) (moduleToHostConfigs cfg)
) { })
];
in
if duplicatePorts != [ ] then throw assertMsg else hostConfigs;
}


@ -10,7 +10,7 @@
let
# TODO: Conditionally define based on whether we're in a system configuration or not
fishOverlayModule = lib.mkIf (!args ? osConfig) {
# See modules/system/settei/default.nix for reasoning.
# See modules/system/common/default.nix for reasoning.
nixpkgs.overlays = [ (_: _: { inherit (inputs'.settei.packages) fish; }) ];
};
in
@ -21,10 +21,8 @@ in
./desktop
fishOverlayModule
./xdg.nix
./unfree.nix
];
programs.home-manager.enable = true;
programs.fish.enable = true;
programs.nix-index.enable = true;
programs.ssh = {
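Review bot: The import list appears to lose `./unfree.nix` (markers are gone on this page, but the hunk shrinks from 10 to 8 lines and `programs.home-manager.enable` reappears in the user.nix hunk), which removes the home-level `settei.unfree.allowedPackages` option from every home configuration while the option file itself is kept. The desktop module's `settei.unfree.allowedPackages = [ "signal-desktop" ]` also goes away in this commit, so nothing visible still sets it, but the deleted modules/system/unfree.nix read `config.home-manager.users.${username}.settei.unfree.allowedPackages`; if its replacement under modules/system/common still does, evaluation fails on the missing option, and if it does not, a package that still evaluates as unfree is only allowed on hosts that set `nixpkgs.config.allowUnfree`. Either keep the home import, or have the system-side predicate read the option tolerantly with `config.home-manager.users.${username}.settei.unfree.allowedPackages or [ ]`.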


@ -11,11 +11,11 @@
imports = [ ./zellij.nix ];
options.settei.desktop = {
options.common.desktop = {
enable = lib.mkEnableOption "Common configuration for desktop machines";
};
config = lib.mkIf config.settei.desktop.enable {
config = lib.mkIf config.common.desktop.enable {
home.packages = with pkgs; [
inputs'.settei.packages.wezterm
nerd-fonts.iosevka
@ -23,7 +23,6 @@
fontconfig
signal-desktop
];
settei.unfree.allowedPackages = [ "signal-desktop" ];
fonts.fontconfig.enable = true;


@ -1,48 +1,21 @@
{ config, lib, ... }:
{
perInput,
# TODO: Figure out a nicer way of doing this without infrec?
isLinux,
}:
{
config,
lib,
pkgs,
inputs',
username,
...
}:
{
_file = ./default.nix;
imports = [
(import ./sane-defaults.nix { inherit isLinux; })
(import ./flake-qol.nix { inherit perInput; })
./user.nix
(import ./programs { inherit isLinux; })
(import ./tailscale.nix { inherit isLinux; })
(import ./containers.nix { inherit isLinux; })
./unfree.nix
(import ./hercules.nix { inherit isLinux; })
(import ./github-runner.nix { inherit isLinux; })
(import ./incus.nix { inherit isLinux; })
(import ./monitoring.nix { inherit isLinux; })
];
options.settei = with lib; {
username = mkOption {
type = types.str;
default = "niko";
};
};
config = {
programs.fish.enable = true;
users.users.${username}.shell = pkgs.fish;
time.timeZone = lib.mkDefault "Europe/Warsaw";
# NixOS' fish module doesn't allow setting what package to use for fish,
# so I need to override the fish package.
nixpkgs.overlays = [ (_: _: { inherit (inputs'.settei.packages) fish; }) ];
};
flake =
lib.genAttrs
[
"nixosModules"
"darwinModules"
]
(
attr:
let
isLinux = lib.hasPrefix "nixos" attr;
in
{
settei = import ./settei {
inherit (config) perInput;
inherit isLinux;
};
}
);
}
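Review bot: The new `flake` export does `settei = import ./settei { … }` for both nixosModules and darwinModules, while the updated comment in the home module hunk now points readers at `modules/system/common/default.nix`; file paths are not shown on this page, so one of the two is stale — if the directory was renamed to `common` the import fails at evaluation, and if it is still `settei` the comment misleads. Also worth confirming: the old modules/default.nix exported `default = settei;` aliases for both module sets, and this `genAttrs` body only produces `settei`, so any consumer of `nixosModules.default` / `darwinModules.default` breaks unless the trimmed modules/default.nix (only partly visible here) still adds them.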


@ -1,47 +0,0 @@
{ isLinux }:
{
config,
lib,
...
}:
let
options = {
settei.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
};
herculesUser =
if isLinux then
config.systemd.services.hercules-ci-agent.serviceConfig.User
else
config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName;
in
{
_file = ./hercules.nix;
inherit options;
config = lib.mkIf config.settei.hercules.enable {
age.secrets.hercules-token = {
file = ../../../secrets/hercules-token.age;
owner = herculesUser;
};
age.secrets.hercules-cache = {
file = ../../../secrets/hercules-cache.age;
owner = herculesUser;
};
age.secrets.hercules-secrets = {
file = ../../../secrets/hercules-secrets.age;
owner = herculesUser;
};
services.hercules-ci-agent = {
enable = true;
settings = {
clusterJoinTokenPath = config.age.secrets.hercules-token.path;
concurrentTasks = lib.mkDefault 4;
binaryCachesPath = config.age.secrets.hercules-cache.path;
secretsJsonPath = config.age.secrets.hercules-secrets.path;
};
};
};
}


@ -0,0 +1,50 @@
{
perInput,
# TODO: Figure out a nicer way of doing this without infrec?
isLinux,
}:
{
config,
configurationName,
lib,
pkgs,
inputs,
inputs',
username,
...
}:
{
_file = ./default.nix;
imports = [
(import ./sane-defaults.nix { inherit isLinux; })
(import ./flake-qol.nix { inherit perInput; })
./user.nix
(import ./programs { inherit isLinux; })
(import ./tailscale.nix { inherit isLinux; })
(import ./containers.nix { inherit isLinux; })
./unfree.nix
(import ./hercules.nix { inherit isLinux; })
(import ./github-runner.nix { inherit isLinux; })
(import ./incus.nix { inherit isLinux; })
(import ./monitoring.nix { inherit isLinux; })
];
options.settei = with lib; {
username = mkOption {
type = types.str;
default = "niko";
};
};
config = {
programs.fish.enable = true;
users.users.${username}.shell = pkgs.fish;
time.timeZone = lib.mkDefault "Europe/Warsaw";
# NixOS' fish module doesn't allow setting what package to use for fish,
# so I need to override the fish package.
nixpkgs.overlays = [ (_: _: { inherit (inputs'.settei.packages) fish; }) ];
};
}


@ -8,7 +8,7 @@ let
inherit (lib) mkOption types;
github-runner-user = "github-runner";
cfg = config.settei.github-runner;
cfg = config.common.github-runner;
sharedConfig = {
age.secrets.github-token = {
@ -50,13 +50,13 @@ let
};
darwinConfig = lib.optionalAttrs (!isLinux) {
warnings = lib.singleton "settei.github-runner doesn't do anything on darwin yet";
warnings = lib.singleton "common.github-runner doesn't do anything on darwin yet";
};
in
{
_file = ./github-runner.nix;
options.settei.github-runner = {
options.common.github-runner = {
enable = lib.mkEnableOption "using this machine as a self-hosted github runner";
runners = mkOption {
type =


@ -0,0 +1,50 @@
{ isLinux }:
{
config,
lib,
...
}:
let
options = {
common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
};
herculesUser =
if isLinux then
config.systemd.services.hercules-ci-agent.serviceConfig.User
else
config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName;
in
{
_file = ./hercules.nix;
inherit options;
config =
lib.mkIf false
# config.common.hercules.enable
{
age.secrets.hercules-token = {
file = ../../../secrets/hercules-token.age;
owner = herculesUser;
};
age.secrets.hercules-cache = {
file = ../../../secrets/hercules-cache.age;
owner = herculesUser;
};
age.secrets.hercules-secrets = {
file = ../../../secrets/hercules-secrets.age;
owner = herculesUser;
};
services.hercules-ci-agent = {
enable = true;
settings = {
clusterJoinTokenPath = config.age.secrets.hercules-token.path;
concurrentTasks = lib.mkDefault 4;
binaryCachesPath = config.age.secrets.hercules-cache.path;
secretsJsonPath = config.age.secrets.hercules-secrets.path;
};
};
};
}
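Review bot: `config = lib.mkIf false` with `# config.common.hercules.enable` commented out hardwires this module off, yet `common.hercules.enable` is still declared and this same commit sets it to `true` on four hosts (kazuki and the three other host hunks that add `common.hercules.enable = true;`, one of which also sets `services.hercules-ci-agent.settings.concurrentTasks = 6`). Enabling the option therefore silently does nothing — no agent, no secrets, no CI — with no diagnostic, and the age secrets it references never get decrypted on those hosts. If parking the agent is deliberate, make the switch visible where it is flipped, e.g. `config = lib.mkMerge [ { warnings = lib.optional config.common.hercules.enable "common.hercules is currently disabled in hercules.nix"; } (lib.mkIf false { … }) ];` together with a comment saying why; otherwise restore `config = lib.mkIf config.common.hercules.enable {`.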


@ -9,7 +9,7 @@
let
inherit (lib) mkOption types;
cfg = config.settei.incus;
cfg = config.common.incus;
sharedConfig = {
environment.systemPackages = [
@ -71,7 +71,7 @@ in
{
_file = ./incus.nix;
options.settei.incus = {
options.common.incus = {
enable = lib.mkEnableOption "incus, the VM and container manager";
clientOnly = mkOption {
type = types.bool;
@ -81,7 +81,7 @@ in
clientPackage = lib.mkOption {
type = types.package;
default = cfg.package.client;
defaultText = lib.literalExpression "config.settei.incus.package.client";
defaultText = lib.literalExpression "config.common.incus.package.client";
description = "The incus client package to use. This package is added to PATH.";
};
};


@ -38,6 +38,7 @@ let
# Flakes are unusable without git present so pull it into the environment by default
settei.user.config.programs.git.enable = lib.mkDefault true;
# FIXME: Move to common
users.users.${username}.openssh.authorizedKeys.keys =
let
configName' =
@ -108,8 +109,6 @@ let
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
boot.kernel.sysctl."kernel.yama.ptrace_scope" = 0;
settei.user.config.services.ssh-agent.enable = true;
};
darwinConfig = lib.optionalAttrs (!isLinux) {


@ -1,9 +1,9 @@
# Copy of modules/system/unfree.nix
{ config, lib, ... }:
{
_file = ./unfree.nix;
options = {
# TODO(maybe?): Allow other types and more customizability
settei.unfree.allowedPackages =
with lib;
mkOption {


@ -51,6 +51,9 @@ in
homeDirectory = config.users.users.${username}.home;
stateVersion = "22.05";
};
programs.home-manager.enable = true;
services.ssh-agent.enable = true;
};
};
in
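Review bot: `services.ssh-agent.enable = true;` is added to a home-manager block that, from this hunk, looks shared by every host, whereas the line it replaces (`settei.user.config.services.ssh-agent.enable = true;` in the sane-defaults.nix hunk) sat among Linux-only settings such as `boot.kernel.sysctl`. Home-manager's `services.ssh-agent` is a systemd user service and, as far as I know, asserts a Linux platform, so the darwin hosts in this commit would stop evaluating once this lands. Gate it on the platform, e.g. `services.ssh-agent.enable = pkgs.stdenv.isLinux;` if `pkgs` is available in this scope, or keep the setting on the Linux side. The enclosing `let` block starts outside the hunk.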


@ -1,31 +0,0 @@
{
config,
lib,
username,
...
}:
let
# TODO: Maybe eventually support multi-user
userAllowedPackages =
lib.optionals config.settei.user.enable
config.home-manager.users.${username}.settei.unfree.allowedPackages;
in
{
_file = ./unfree.nix;
options = {
# TODO(maybe?): Allow other types and more customizability
settei.unfree.allowedPackages =
with lib;
mkOption {
type = types.listOf types.str;
default = [ ];
};
};
config = {
nixpkgs.config.allowUnfreePredicate = lib.mkForce (
pkg: builtins.elem (lib.getName pkg) (config.settei.unfree.allowedPackages ++ userAllowedPackages)
);
};
}


@ -1,122 +0,0 @@
{
services.attic =
let
atticPort = 9476;
in
{
host = "kazuki";
ports = [ atticPort ];
config =
{ config, ... }:
{
age.secrets.attic-creds = {
file = ../secrets/attic-creds.age;
owner = config.services.atticd.user;
};
age.secrets.nrab-lol-cf = {
file = ../secrets/nrab-lol-cf.age;
owner = config.services.nginx.user;
};
services.atticd = {
enable = true;
environmentFile = config.age.secrets.attic-creds.path;
settings = {
listen = "[::]:${toString atticPort}";
storage = {
type = "local";
path = "/storage-box";
};
compression.type = "none";
chunking = {
nar-size-threshold = 0;
min-size = 0;
avg-size = 0;
max-size = 0;
};
api-endpoint = "https://attic.nrab.lol/";
};
};
users = {
users.atticd = {
uid = 990;
isSystemUser = true;
group = "atticd";
home = "/var/lib/atticd";
createHome = true;
};
groups.atticd = {
gid = 988;
};
};
systemd.services.atticd = {
after = [ "storage\\x2dbox.mount" ];
};
security.acme = {
acceptTerms = true;
defaults.email = "nikodem@rabulinski.com";
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."attic.nrab.lol" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://attic";
};
extraConfig = ''
client_max_body_size 24G;
'';
};
virtualHosts."cache.nrab.lol" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://attic/public$request_uri";
};
extraConfig = ''
proxy_cache nixstore;
proxy_cache_use_stale error timeout http_500 http_502;
proxy_cache_lock on;
proxy_cache_key $request_uri;
proxy_cache_valid 200 24h;
'';
};
upstreams."attic".servers = {
"localhost:${toString atticPort}" = { };
};
appendHttpConfig = ''
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
'';
};
security.acme.certs."attic.nrab.lol" = {
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.nrab-lol-cf.path;
};
security.acme.certs."cache.nrab.lol" = {
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.nrab-lol-cf.path;
};
};
};
}


@ -1,5 +0,0 @@
{
imports = [
./attic.nix
];
}


@ -1,22 +1,22 @@
local wezterm = require("wezterm")
local wezterm = require 'wezterm'
local cfg = {
color_scheme = "Default Dark (base16)",
enable_tab_bar = false,
font = wezterm.font("IosevkaTerm Nerd Font"),
window_decorations = "TITLE | RESIZE",
font_size = 10.5,
native_macos_fullscreen_mode = true,
hide_mouse_cursor_when_typing = false,
keys = {
{ key = "Enter", mods = "CTRL", action = wezterm.action({ SendString = "\x1b[13;5u" }) },
{ key = "Enter", mods = "SHIFT", action = wezterm.action({ SendString = "\x1b[13;2u" }) },
},
color_scheme = 'Default Dark (base16)',
enable_tab_bar = false,
font = wezterm.font('IosevkaTerm Nerd Font'),
window_decorations = 'TITLE | RESIZE',
font_size = 10.5,
native_macos_fullscreen_mode = true,
hide_mouse_cursor_when_typing = false,
keys = {
{ key = "Enter", mods = "CTRL", action = wezterm.action { SendString = "\x1b[13;5u" } },
{ key = "Enter", mods = "SHIFT", action = wezterm.action { SendString = "\x1b[13;2u" } },
},
}
if string.find(wezterm.target_triple, "darwin") then
cfg.font_size = 14.0
cfg.window_decorations = "RESIZE"
cfg.font_size = 14.0
cfg.window_decorations = 'RESIZE'
end
return cfg