Simon Bruder b826fe24ea
generic browser 2022-01-22 10:22:34 +01:00
Simon Bruder 9f7355f97c
dreckiger commit 2022-01-22 10:19:36 +01:00
Simon Bruder 342d537621
WIP: Add neomutt 2022-01-22 10:19:35 +01:00
Simon Bruder 0de6be12f4
fuuko/gitea: Allow larger HTTP uploads
This is required to include larger files in Git LFS, which uses HTTP for
uploading the files.
2022-01-21 18:17:31 +01:00
Simon Bruder 964b34f321
sway/waybar: Disable hwmon override for mayushii
After a kernel upgrade, the old path no longer works and waybar
autodetects the correct one.
2022-01-20 18:21:36 +01:00
Simon Bruder fae6a08b6a
vueko/mail: Add alias 2022-01-18 19:30:48 +01:00
Simon Bruder 5d5a30a72b
vueko/mail: Add alias 2022-01-16 12:51:10 +01:00
Simon Bruder ebd1353bd6
qutebrowser/qbmarks: Do not sign when rebasing 2022-01-15 20:46:12 +01:00
Simon Bruder db7efe7d77
sway/kanshi: Add configuration for sayuri 2022-01-15 15:09:38 +01:00
Simon Bruder 4f042f7dd8
flake.lock: Update
Flake lock file changes:

• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/46df95ca81e7e4cf3458cdb4b7d1714b5fce9da5' (2021-12-28)
  → 'github:nixos/nixos-hardware/87a35a0d58f546dc23f37b4f6af575d0e4be6a7a' (2022-01-12)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d1e59cfc49961e121583abe32e2f3db1550fbcff' (2022-01-01)
  → 'github:nixos/nixpkgs/386234e2a61e1e8acf94dfa3a3d3ca19a6776efb' (2022-01-11)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/59bfda72480496f32787cec8c557182738b1bd3f' (2021-12-31)
  → 'github:nixos/nixpkgs/b2737d4980a17cc2b7d600d7d0b32fd7333aca88' (2022-01-11)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/1514ac9fd54363a24c513de43dd0b963e2d17cb7' (2021-12-29)
  → 'github:Mic92/sops-nix/7edb4b080023ef12f39262a3aa7aab31015a7a0e' (2022-01-05)
2022-01-15 11:24:01 +01:00
Simon Bruder a7724d2713
mpv: Add 4k visualiser resolution 2022-01-14 21:54:06 +01:00
Simon Bruder 8748cfdf11
fuuko: Remove drone
I don’t actually use it, and running code-execution-as-a-service is
somewhat of a risk. Also, the confinement does not work currently (it
tries to write to /var/empty), which prompted the removal, because the
low usage does not justify that amount of maintenance.
2022-01-14 17:20:52 +01:00
Simon Bruder ac22d1bc39
fuuko/go-neb: Use persistent system user
Using a dynamic user is unreliable as the pre-start script often starts
before the user and group are created.
2022-01-14 17:16:27 +01:00
Simon Bruder cc9fbf8d37
fuuko: Reinstall on different SSD
The old one is quite small and does not have a cache, which makes it
quite slow. The new SSD also has a much higher endurance rating.
2022-01-14 17:05:40 +01:00
Simon Bruder 0baeb59b38
tools: Add parted 2022-01-14 15:53:29 +01:00
Simon Bruder db5e4d212f
vueko/mail: Add alias 2022-01-12 19:55:35 +01:00
Simon Bruder 80ee98058e
mayushii: Configure new monitor setup
This configures the home profile for kanshi for an Acer B277K monitor.
Since it is both larger than my previous monitor and has a higher
resolution, a few things change with this.

For one, my preferred setup is now to just have one monitor instead of
having my laptop screen as a secondary display device. Therefore, logind
should not suspend if the lid is closed. Since it fails to accurately
detect when a dock is connected, it is configured to never suspend on
lid switch when external power is connected.

Another thing is that the high resolution makes it necessary to use a
scaling factor, which is quite easy to configure with sway and kanshi.
It does, however, not work for Xwayland clients (they render at a lower
resolution and are scaled up with nearest-neighbor interpolation).
That requires me to no longer force the qt backend to xcb for
qutebrowser, because that significantly lowers the browsing experience.

The setup for sayuri is still to be done.
2022-01-10 21:10:55 +01:00
Simon Bruder 07142b8114
vueko/mail: Add alias 2022-01-08 16:52:14 +01:00
Simon Bruder e8e43b70ad
vueko/mail: Correct fold name 2022-01-08 14:25:12 +01:00
Simon Bruder 7376e600d7
vueko/mail: Add alias 2022-01-08 14:25:02 +01:00
Simon Bruder 23b63fcf4b
mpv/sponsorblock: Disable local database
It has been broken for a long time and is not likely to work again
soon[1].

[1]: https://github.com/po5/mpv_sponsorblock/issues/31
2022-01-07 10:35:32 +01:00
Simon Bruder 540f89bff1
games/steam: Include ~/.config in sandbox
Some games place their state there.
2022-01-03 11:13:21 +01:00
Simon Bruder e64480c820
flake.lock: Update
Flake lock file changes:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8a053bc2255659c5ca52706b9e12e76a8f50dbdd' (2021-12-30)
  → 'github:nixos/nixpkgs/d1e59cfc49961e121583abe32e2f3db1550fbcff' (2022-01-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5b091d4fbe3b7b7493c3b46fe0842e4b30ea24b3' (2021-12-30)
  → 'github:nixos/nixpkgs/59bfda72480496f32787cec8c557182738b1bd3f' (2021-12-31)
• Updated input 'AriaNg':
    'git+https://git.sbruder.de/simon/AriaNg?ref=master&rev=2dc260f73f9b612b7055cbd1c9ac0a49bdbee56a' (2021-05-02)
  → 'git+https://git.sbruder.de/simon/AriaNg?ref=master&rev=ea678a781a34613cf67c9c81d4f176d531f40630' (2022-01-02)
2022-01-02 21:57:37 +01:00
Simon Bruder 6eadefd6fb
Revert "pipewire: Enable jack"
This reverts commit 9588343b6e.

It causes issues with yuzu.
2022-01-02 16:45:21 +01:00
Simon Bruder ad8eff91db
flake.lock: Update
Flake lock file changes:

• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/3f92db38374b2977aea8daf4c4fe2fa0eddbd60c' (2021-12-20)
  → 'github:nixos/nixos-hardware/46df95ca81e7e4cf3458cdb4b7d1714b5fce9da5' (2021-12-28)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6979c0e49bb491e18dd4870abb104cc7375aa7e8' (2021-12-25)
  → 'github:nixos/nixpkgs/8a053bc2255659c5ca52706b9e12e76a8f50dbdd' (2021-12-30)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/eac07edbd20ed4908b98790ba299250b5527ecdf' (2021-12-24)
  → 'github:nixos/nixpkgs/5b091d4fbe3b7b7493c3b46fe0842e4b30ea24b3' (2021-12-30)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/afe00100b16648c1d79e62926caacac561df93a5' (2021-12-06)
  → 'github:Mic92/sops-nix/1514ac9fd54363a24c513de43dd0b963e2d17cb7' (2021-12-29)
2022-01-02 11:35:58 +01:00
Simon Bruder aba6be5002
games: Use mainline branch of yuzu 2022-01-01 16:39:09 +01:00
Simon Bruder 06a464c182
vueko/mail: Add alias 2021-12-29 12:27:53 +01:00
Simon Bruder dde4275f0c
vueko/mail: Add alias 2021-12-28 23:27:02 +01:00
Simon Bruder 65a37c5703
programs: Add remmina 2021-12-28 10:31:50 +01:00
Simon Bruder e1cda094c0
flake.nix: Add app to locally build remote deployment 2021-12-26 12:54:05 +01:00
Simon Bruder c55bc54b35
vueko/mail: Add alias 2021-12-26 12:23:24 +01:00
Simon Bruder cbde39cac1
flake.lock: Update
Flake lock file changes:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9ab7d12287ced0e1b4c03b61c781901f178d9d77' (2021-12-21)
  → 'github:nixos/nixpkgs/6979c0e49bb491e18dd4870abb104cc7375aa7e8' (2021-12-25)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c478eaf416411a7dedf773185b6d5bfc966a80ae' (2021-12-21)
  → 'github:nixos/nixpkgs/eac07edbd20ed4908b98790ba299250b5527ecdf' (2021-12-24)
2021-12-26 11:06:24 +01:00
Simon Bruder a47e41b9a2
sway: Allow launching helvum from waybar module 2021-12-21 21:50:45 +01:00
Simon Bruder 76479d0b37
fuuko/torrent: Increase the open file limit of aria2
The previous attempt in 427361df65 did
increase the open file limit, but for the wrong service.
2021-12-21 18:28:02 +01:00
Simon Bruder 1b8f16e88a
Revert "programs: Fix audacity hanging after quitting"
This reverts commit 6e9c04e52a.

A fix for this problem has been added to nixpkgs.
2021-12-21 17:41:38 +01:00
Simon Bruder 95fdbc6b25
flake.lock: Update
Flake lock file changes:

• Updated input 'home-manager':
    'github:nix-community/home-manager/6ce1d64073f48b9bc9425218803b1b607454c1e7' (2021-12-03)
  → 'github:nix-community/home-manager/697cc8c68ed6a606296efbbe9614c32537078756' (2021-12-18)
• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/c3b4f94350b0e59c2546fa85890cc70d03616b9c' (2021-11-24)
  → 'github:cachix/pre-commit-hooks.nix/ff9c0b459ddc4b79c06e19d44251daa8e9cd1746' (2021-12-18)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/2a7063461c3751d83869a2a0a8ebc59e34bec5b2' (2021-12-11)
  → 'github:nixos/nixos-hardware/3f92db38374b2977aea8daf4c4fe2fa0eddbd60c' (2021-12-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/573095944e7c1d58d30fc679c81af63668b54056' (2021-12-10)
  → 'github:nixos/nixpkgs/9ab7d12287ced0e1b4c03b61c781901f178d9d77' (2021-12-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/b0bf5f888d377dd2f36d90340df6dc9f035aaada' (2021-12-12)
  → 'github:nixos/nixpkgs/c478eaf416411a7dedf773185b6d5bfc966a80ae' (2021-12-21)
2021-12-21 17:13:42 +01:00
Simon Bruder ac85009184
udev: Add rules for Switch Pro Controller 2021-12-19 11:25:51 +01:00
Simon Bruder bc862642d7
vueko/mail: Add alias 2021-12-18 00:29:11 +01:00
Simon Bruder c7ccd022b7
programs: Add qrencode 2021-12-17 16:08:31 +01:00
Simon Bruder 1a515ed9e3
xdg: Add xdg-open to path 2021-12-17 16:08:20 +01:00
Simon Bruder e55094d898
flake.lock: Update
Flake lock file changes:

• Updated input 'home-manager':
    'github:nix-community/home-manager/3e93c4e8b2b479c712b7c20a428993b459118842' (2021-11-30)
  → 'github:nix-community/home-manager/6ce1d64073f48b9bc9425218803b1b607454c1e7' (2021-12-03)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/4c9f07277bd4bc29a051ff2a0ca58c6403e3881a' (2021-12-02)
  → 'github:nixos/nixos-hardware/2a7063461c3751d83869a2a0a8ebc59e34bec5b2' (2021-12-11)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a640d8394f34714578f3e6335fc767d0755d78f9' (2021-12-01)
  → 'github:nixos/nixpkgs/573095944e7c1d58d30fc679c81af63668b54056' (2021-12-10)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/6daa4a5c045d40e6eae60a3b6e427e8700f1c07f' (2021-12-01)
  → 'github:nixos/nixpkgs/b0bf5f888d377dd2f36d90340df6dc9f035aaada' (2021-12-12)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/0e0dcc74bae23c7ef7fb6251c43c277b827e8c34' (2021-11-29)
  → 'github:Mic92/sops-nix/afe00100b16648c1d79e62926caacac561df93a5' (2021-12-06)
2021-12-14 18:49:27 +01:00
Simon Bruder 2fabf49a06
yuzuru/schabernack: Init 2021-12-11 20:28:44 +01:00
Simon Bruder 398ca91aa5
tools: Add wireshark 2021-12-10 18:00:13 +01:00
Simon Bruder 6e9c04e52a
programs: Fix audacity hanging after quitting
nixpkgs issue that was closed with just a workaround: https://github.com/NixOS/nixpkgs/issues/130347
2021-12-10 14:34:01 +01:00
Simon Bruder 5a75e8e443
yuzuru/invidious: Enable auto-restarts
This is not the cleanest way to make it work reliably, but since this is
an upstream problem, I can’t do much else.
2021-12-09 21:43:29 +01:00
Simon Bruder a9f0b42f2f
mayushii/tlp: Adapt to TLP 1.4
It renamed the option to denylist and automatically excludes audio
devices by default.
2021-12-06 16:03:45 +01:00
Simon Bruder b87209cd06
zsh: Remove cp alias
Coreutils 9, which is the current version in nixpkgs stable, uses
reflinks by default.
2021-12-06 16:02:29 +01:00
Simon Bruder 505697715d
nix: Remove fallback for daemon nice levels 2021-12-06 16:00:41 +01:00
Simon Bruder 349b72c1d7
qutebrowser/invidious: Also redirect youtube-nocookie.com 2021-12-05 19:22:00 +01:00
Simon Bruder 88ba5dd485
vueko/mail: Add alias 2021-12-03 12:33:02 +01:00
Simon Bruder 986983f1ae
flake.lock: Update
Flake lock file changes:

• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/6b3f79de09c3de7c91ab51e55e87879f61b6faec' (2021-11-29)
  → 'github:nixos/nixos-hardware/4c9f07277bd4bc29a051ff2a0ca58c6403e3881a' (2021-12-02)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/96b4157790fc96e70d6e6c115e3f34bba7be490f' (2021-11-30)
  → 'github:nixos/nixpkgs/a640d8394f34714578f3e6335fc767d0755d78f9' (2021-12-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/29d1f6e1f625d246dcf84a78ef97b4da3cafc6ea' (2021-11-30)
  → 'github:nixos/nixpkgs/6daa4a5c045d40e6eae60a3b6e427e8700f1c07f' (2021-12-01)
2021-12-02 19:36:32 +01:00
Simon Bruder 5b8f759519
flake.lock: Update
Flake lock file changes:

• Updated input 'nixpkgs-overlay':
    'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=28788423542ce545f81af1f08f142d3fa336b8cf' (2021-11-26)
  → 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=72d323ca0410a08abc2d981b812c5cd0fd3338bf' (2021-12-01)
2021-12-01 21:01:32 +01:00
Simon Bruder 8d789fbba3
Rework mautrix-whatsapp config for 0.2
Many of the options are the default and some of them got renamed.
2021-12-01 19:15:32 +01:00
Simon Bruder e6f9ea1c67
Update infinisilSystem
It includes fixes for the mumble module required by newer nixpkgs.
2021-12-01 19:15:31 +01:00
Simon Bruder ab793631d2
vueko/coturn: Use upstream module
Fixes #53.
2021-12-01 19:15:31 +01:00
Simon Bruder 2c160661ec
Apply fixes for breaking module changes in 21.11 2021-12-01 19:15:31 +01:00
Simon Bruder cc8727fa80
Use nixFlakes instead of nixUnstable 2021-12-01 18:32:51 +01:00
Simon Bruder a9817baee9
Remove unneeded packages from unstable 2021-12-01 18:32:51 +01:00
Simon Bruder f17dac8f50
Remove packages overrides that are obsolete with 21.11 2021-12-01 18:32:51 +01:00
Simon Bruder 312f2ba627
flake.lock: Update
Flake lock file changes:

• Updated input 'flake-utils':
    'github:numtide/flake-utils/bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4' (2021-11-15)
  → 'github:numtide/flake-utils/74f7e4319258e287b0f9cb95426c9853b282730b' (2021-11-28)
• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/50cfce93606c020b9e69dce24f039b39c34a4c2d' (2021-11-15)
  → 'github:cachix/pre-commit-hooks.nix/c3b4f94350b0e59c2546fa85890cc70d03616b9c' (2021-11-24)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591' (2021-11-18)
  → 'github:nixos/nixos-hardware/6b3f79de09c3de7c91ab51e55e87879f61b6faec' (2021-11-29)
• Updated input 'nixpkgs-overlay':
    'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=8dd0b5b818fb5e2f03bd942f7a62fbd84e198ee5' (2021-10-24)
  → 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=28788423542ce545f81af1f08f142d3fa336b8cf' (2021-11-26)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/715f63411952c86c8f57ab9e3e3cb866a015b5f2' (2021-11-17)
  → 'github:nixos/nixpkgs/29d1f6e1f625d246dcf84a78ef97b4da3cafc6ea' (2021-11-30)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/3c53d012ac77d4bd8428f9c847709e287c897ad9' (2021-11-16)
  → 'github:Mic92/sops-nix/0e0dcc74bae23c7ef7fb6251c43c277b827e8c34' (2021-11-29)
2021-12-01 18:32:51 +01:00
Simon Bruder e6c1a105d2
Update to 21.11 2021-12-01 17:51:15 +01:00
Simon Bruder 5517a5a3db
pipewire: Add helvum 2021-11-29 17:06:41 +01:00
Simon Bruder df865ebef9
qutebrowser: Open downloads with reasonable program 2021-11-28 14:44:47 +01:00
Simon Bruder 7ad9d52864
vueko/mail: Add alias 2021-11-28 14:44:32 +01:00
Simon Bruder 4807e930e7
vueko/mail: Add alias 2021-11-28 14:44:27 +01:00
Simon Bruder cde1a05fd7
vueko/mail: Add alias 2021-11-23 20:35:15 +01:00
Simon Bruder f9fc9691a8
yuzuru/nitter: Fix video playback 2021-11-21 21:09:25 +01:00
Simon Bruder ce6885abca
pipewire: Enable rtkit 2021-11-21 13:11:52 +01:00
Simon Bruder 427361df65
fuuko/torrent: Increase open file descriptor limit 2021-11-21 13:11:19 +01:00
Simon Bruder 9588343b6e
pipewire: Enable jack
This allows more complicated configurations via qjackctl.
2021-11-20 22:51:14 +01:00
Simon Bruder d394b1f802
qutebrowser: Force Qt to use XCB as QPA platform
This somewhat alleviates the memory leaks, though it also creates new
issues, like problems with context menus on multi-monitor setups.

Meh…
2021-11-20 16:45:30 +01:00
Simon Bruder f2d9a44800
mpd: Use pipewire output 2021-11-20 16:44:54 +01:00
Simon Bruder 1df9a87520
Make nix scheduling options compatible with 21.11 2021-11-20 16:29:48 +01:00
Simon Bruder 7b9a52e37f
flake.lock: Update
Flake lock file changes:

• Updated input 'flake-utils':
    'github:numtide/flake-utils/c91f3de5adaf1de973b797ef7485e441a65b8935' (2021-10-21)
  → 'github:numtide/flake-utils/bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4' (2021-11-15)
• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/433808cba23975201a48a3bb8ebc76029191fafd' (2021-11-10)
  → 'github:cachix/pre-commit-hooks.nix/50cfce93606c020b9e69dce24f039b39c34a4c2d' (2021-11-15)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/4045d5f43aff4440661d8912fc6e373188d15b5b' (2021-11-14)
  → 'github:nixos/nixos-hardware/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591' (2021-11-18)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/68d4f5970b69b0fd0a95c57c8d0ab4b2b68fb9aa' (2021-11-13)
  → 'github:nixos/nixpkgs/24528474d2b3370f2f23879a557ae2cc92a5d50b' (2021-11-19)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c5ed8beb478a8ca035f033f659b60c89500a3034' (2021-11-11)
  → 'github:nixos/nixpkgs/715f63411952c86c8f57ab9e3e3cb866a015b5f2' (2021-11-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/9a961ab91c3e1b5561725b0c833c862cf22dc76a' (2021-11-13)
  → 'github:Mic92/sops-nix/3c53d012ac77d4bd8428f9c847709e287c897ad9' (2021-11-16)
2021-11-20 15:51:20 +01:00
Simon Bruder a220c7f9d9
mullvad: Update relays 2021-11-20 15:48:56 +01:00
Simon Bruder a624378478
vueko/mail: Add alias 2021-11-19 20:06:56 +01:00
Simon Bruder 9bac0b95ac
sway: Bind XF86AudioPause to also toggle mpd state 2021-11-18 18:33:18 +01:00
Simon Bruder 882f85cecf
vueko/mail: Add alias 2021-11-14 12:48:58 +01:00
Simon Bruder fc7bfb5b5d
flake.lock: Update
Flake lock file changes:

• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/06fa80325b6fe3b28d136071dd0ce55d4817e9fd' (2021-10-18)
  → 'github:cachix/pre-commit-hooks.nix/433808cba23975201a48a3bb8ebc76029191fafd' (2021-11-10)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/fd6f34afcf062761fb5035230f6297752bfedcba' (2021-11-07)
  → 'github:nixos/nixos-hardware/4045d5f43aff4440661d8912fc6e373188d15b5b' (2021-11-14)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/e74894146a42ba552ebafa19ab2d1df7ccbc1738' (2021-11-08)
  → 'github:nixos/nixpkgs/68d4f5970b69b0fd0a95c57c8d0ab4b2b68fb9aa' (2021-11-13)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c935f5e0add2cf0ae650d072c8357533e21b0c35' (2021-11-07)
  → 'github:nixos/nixpkgs/c5ed8beb478a8ca035f033f659b60c89500a3034' (2021-11-11)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/517628cc1defc90191f0e1380f8f83e590dd6b56' (2021-11-07)
  → 'github:Mic92/sops-nix/9a961ab91c3e1b5561725b0c833c862cf22dc76a' (2021-11-13)
2021-11-14 12:13:01 +01:00
Simon Bruder ac92017f96
neovim: Fix nix phase snippets 2021-11-12 13:10:07 +01:00
Simon Bruder 821367af3f
qutebrowser: Init
This also makes it the default browser.
2021-11-09 21:45:50 +01:00
Simon Bruder 58e6cad052
pipewire: Remove hacky override of bluez quirks db
Nixpkgs now treats it as data, so it is not set in the module.

As an alternative, hardware volume is disabled globally.
2021-11-08 18:04:14 +01:00
Simon Bruder f38ab1834c
flake.lock: Update
Flake lock file changes:

• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/518b9c2159e7d4b7696ee18b8828f9086012923b' (2021-10-28)
  → 'github:nixos/nixos-hardware/fd6f34afcf062761fb5035230f6297752bfedcba' (2021-11-07)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/f0869b1a2c0b150aac26e10bb5c2364ffb2e804f' (2021-10-31)
  → 'github:nixos/nixpkgs/e74894146a42ba552ebafa19ab2d1df7ccbc1738' (2021-11-08)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/e544ee88fa4590df75e221e645a03fe157a99e5b' (2021-10-31)
  → 'github:nixos/nixpkgs/c935f5e0add2cf0ae650d072c8357533e21b0c35' (2021-11-07)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/2e86e1698d53e5bd71d9de5f8b7e8f2f5458633c' (2021-10-03)
  → 'github:Mic92/sops-nix/517628cc1defc90191f0e1380f8f83e590dd6b56' (2021-11-07)
2021-11-08 17:50:35 +01:00
Simon Bruder 43067ad796
neovim: Rework configuration in lua
Many plugins are not yet configured, but the basic functionality is
there.
2021-11-07 21:47:56 +01:00
Simon Bruder cc63ca0e9a
zsh: Do not automatically set color scheme
It often causes problems and I can still set it manually with dcsl if I
want to.
2021-11-07 21:47:56 +01:00
Simon Bruder 2ef9d583f6
tmux: Enable true color support 2021-11-07 20:33:52 +01:00
Simon Bruder 66f534157d
flake.nix: Avoid some anti-patterns
Even though nixpkgs.legacyPackages isn’t directly an anti-pattern,
importing it allows passing non-default options.
2021-11-07 20:31:48 +01:00
Simon Bruder b8735ee4f1
vueko/mail: Add alias 2021-11-03 10:04:24 +01:00
Simon Bruder 60b0dc9c74
mayushii: Add samba vm share 2021-11-02 11:13:59 +01:00
Simon Bruder d22183a8c2
mayushii: Allow manually controlling the fan speed 2021-11-01 16:27:13 +01:00
Simon Bruder 7e3506adde
Revert "games/steam: Include local fonts"
This reverts commit 4e7aa88c42.
2021-11-01 14:31:09 +01:00
Simon Bruder f4bf1ced57
yuzuru: Init 2021-11-01 10:10:40 +01:00
Simon Bruder b1f4b8b4b5
Add option to mark host as untrusted
This can be used to deploy a host that does not have access to the main
sops secrets file, e.g. because it does not have an encrypted root
partition.
2021-11-01 10:08:23 +01:00
Simon Bruder 65aff69a90
Make nixpkgs that is used for machine configurable
This allows a machine to run off a different nixpkgs branch (e.g.
unstable).
2021-11-01 10:08:23 +01:00
Simon Bruder 9deb6c5656
readme: Clarify the license statement
Especially when the MIT License does not apply.
2021-11-01 10:08:23 +01:00
Simon Bruder 4379c72a7e
flake.lock: Update
Flake lock file changes:

• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/0bb7b0906c353703c2eea36bd73134f0216f3e62' (2021-10-27)
  → 'github:nixos/nixos-hardware/518b9c2159e7d4b7696ee18b8828f9086012923b' (2021-10-28)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d14d83a3691121642be1b0579cf3408a83c558d7' (2021-10-27)
  → 'github:nixos/nixpkgs/f0869b1a2c0b150aac26e10bb5c2364ffb2e804f' (2021-10-31)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2deb07f3ac4eeb5de1c12c4ba2911a2eb1f6ed61' (2021-10-28)
  → 'github:nixos/nixpkgs/e544ee88fa4590df75e221e645a03fe157a99e5b' (2021-10-31)
2021-11-01 10:06:51 +01:00
Simon Bruder 4e7aa88c42
games/steam: Include local fonts 2021-10-31 17:45:19 +01:00
Simon Bruder f92ae65467
fuuko/factorio: 1.1.41 -> 1.1.42 2021-10-31 09:09:50 +01:00
Simon Bruder 13663a4297
games/steam-sandbox: Include /etc/passwd
Some games segfault when it doesn’t exist.
2021-10-31 09:02:00 +01:00
Simon Bruder dcdeece6a2
mpv: Reorganise non-home-manager scripts and options 2021-10-29 20:58:40 +02:00
Simon Bruder 817d9dae20
sway/waybar: Display battery icon on the right side 2021-10-29 19:25:11 +02:00
Simon Bruder b443554c41
pkgs/rtw89: Add src override at unstable-2021-10-21
That version includes IPv6 support.
2021-10-29 14:51:20 +02:00
Simon Bruder 31de6ec858
flake.lock: Update
Flake lock file changes:

• Updated input 'flake-utils':
    'github:numtide/flake-utils/7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19' (2021-09-13)
  → 'github:numtide/flake-utils/c91f3de5adaf1de973b797ef7485e441a65b8935' (2021-10-21)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/3aabf78bfcae62f5f99474f2ebbbe418f1c6e54f' (2021-10-09)
  → 'github:nixos/nixos-hardware/0bb7b0906c353703c2eea36bd73134f0216f3e62' (2021-10-27)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/70904d4a9927a4d6e05c72c4aaac4370e05107f3' (2021-10-20)
  → 'github:nixos/nixpkgs/d14d83a3691121642be1b0579cf3408a83c558d7' (2021-10-27)
• Updated input 'nixpkgs-overlay':
    'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=41bf1e1cbf3157ef3eb6896c17a98a387a6c343e' (2021-08-29)
  → 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=8dd0b5b818fb5e2f03bd942f7a62fbd84e198ee5' (2021-10-24)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5f0194220f2402b06f7f79bba6351895facb5acb' (2021-10-18)
  → 'github:nixos/nixpkgs/2deb07f3ac4eeb5de1c12c4ba2911a2eb1f6ed61' (2021-10-28)
2021-10-28 18:25:13 +02:00
Simon Bruder dd93cf13a2
mpv: Use Iosevka as OSD font
This still had an impure dependency on a proprietary font.
2021-10-27 19:51:34 +02:00
Simon Bruder ef9a022d56
waybar: Remove network speed widget 2021-10-27 19:43:43 +02:00
Simon Bruder e35795ad98
waybar: Remove interface name from network widget
The USB ethernet controller in mayushii’s dock gets the nice name
enp7s0f3u1u1, which takes up considerable amount of space in the bar.
2021-10-27 19:42:51 +02:00
Simon Bruder 58e18ebecb
flake.lock: Update
Flake lock file changes:

• Updated input 'home-manager':
    'github:nix-community/home-manager/49695f33aac22358b59e49c94fe6472218e5d766' (2021-10-07)
  → 'github:nix-community/home-manager/ff2bed9dac84fb202bbb3c49fdcfe30c29d0b12f' (2021-10-18)
• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/475b1f7f7ddcb6415e6624a68c4fe90f55ee9e73' (2021-10-09)
  → 'github:cachix/pre-commit-hooks.nix/06fa80325b6fe3b28d136071dd0ce55d4817e9fd' (2021-10-18)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/93ca5ab64f78ce778c0bcecf9458263f0f6289b6' (2021-10-10)
  → 'github:nixos/nixpkgs/70904d4a9927a4d6e05c72c4aaac4370e05107f3' (2021-10-20)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/9bf75dd50b7b6d3ce6aaf6563db95f41438b9bdb' (2021-10-09)
  → 'github:nixos/nixpkgs/5f0194220f2402b06f7f79bba6351895facb5acb' (2021-10-18)
2021-10-21 17:33:24 +02:00
Simon Bruder 6b08a8e1f3
games/steam: Show icon in tray
Otherwise it just shows an ugly placeholder.
2021-10-17 17:45:45 +02:00
Simon Bruder fc1e8540e4
zsh: Add nix-index 2021-10-16 10:03:10 +02:00
Simon Bruder 718e44402f
fuuko: Add factorio 2021-10-15 15:54:48 +02:00
Simon Bruder d6fd45cd57
mayushii: Exclude Audio Interface from usb autosuspend
Even though I didn’t notice a problem when trying to record from it on
battery, it doesn’t hurt to be on the safe side.
2021-10-13 17:29:12 +02:00
Simon Bruder ee390f869d
Revert "nix: Fix nix not working with local LFS repositories"
This reverts commit 050359f8ee.
2021-10-12 20:45:21 +02:00
Simon Bruder 6c22848c85
flake.lock: Update
Flake lock file changes:

• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/3ed0e618cebc1ff291c27b749cf7568959cac028' (2021-09-09)
  → 'github:cachix/pre-commit-hooks.nix/475b1f7f7ddcb6415e6624a68c4fe90f55ee9e73' (2021-10-09)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/0a8b8054c9920368a3c15e6d766188fdf04b736f' (2021-09-30)
  → 'github:nixos/nixos-hardware/3aabf78bfcae62f5f99474f2ebbbe418f1c6e54f' (2021-10-09)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/aff647e2704fa1223994604887bb78276dc57083' (2021-10-05)
  → 'github:nixos/nixpkgs/93ca5ab64f78ce778c0bcecf9458263f0f6289b6' (2021-10-10)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5e2018f7b383aeca6824a30c0cd1978c9532a46a' (2021-10-06)
  → 'github:nixos/nixpkgs/9bf75dd50b7b6d3ce6aaf6563db95f41438b9bdb' (2021-10-09)
2021-10-12 20:42:22 +02:00
Simon Bruder 259969f2b6
mayushii/tlp: Set conservative charge thresholds
My usage pattern (mostly docked) otherwise leads to the battery
accumulating one or more charge cycles every day which quickly
deteriorates it.
2021-10-11 17:50:10 +02:00
Simon Bruder 0ff89a0f6f
gui: Add upower 2021-10-10 16:32:03 +02:00
Simon Bruder abe078a914
ytcc: Prefer newer video codecs 2021-10-10 14:43:59 +02:00
Simon Bruder ec0a8dfa49
ssh: Add mayushii’s public host key 2021-10-10 11:43:04 +02:00
Simon Bruder d52084a79b
nunotaba: Remove 2021-10-10 11:40:20 +02:00
Simon Bruder 2af32e4932
mpv: Make ytdl-hook use yt-dlp 2021-10-09 22:55:19 +02:00
Simon Bruder 76afcc4127
mayushii/kanshi: Change home screen layout 2021-10-09 14:39:38 +02:00
Simon Bruder a9a3c74f4a
mayushii: Disable powertop
According to the TLP FAQ[1], TLP does everything powertop does, but
better.

[1] https://linrunner.de/tlp/faq/powertop.html
2021-10-07 21:14:42 +02:00
Simon Bruder 4afbf1c24b
mayushii: Raise trackpoint acceleration 2021-10-07 21:14:01 +02:00
Simon Bruder 716acb8754
flake.lock: Update
Flake lock file changes:

• Updated input 'home-manager':
    'github:nix-community/home-manager/7d9ba15214004c979d2c8733f8be12ce6502cf8a' (2021-09-13)
  → 'github:nix-community/home-manager/49695f33aac22358b59e49c94fe6472218e5d766' (2021-10-07)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/ee90403e147b181300dffca5b0afa405e14f1945' (2021-09-29)
  → 'github:nixos/nixpkgs/aff647e2704fa1223994604887bb78276dc57083' (2021-10-05)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c21ba4f7bb4a3d621eb1d187e6b5e816bb85380c' (2021-09-28)
  → 'github:nixos/nixpkgs/5e2018f7b383aeca6824a30c0cd1978c9532a46a' (2021-10-06)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/095fca05818c7f4c2285387b2eb94e13b683101a' (2021-09-30)
  → 'github:Mic92/sops-nix/2e86e1698d53e5bd71d9de5f8b7e8f2f5458633c' (2021-10-03)
2021-10-07 20:33:01 +02:00
Simon Bruder d44db0d505
network-manager: Add networkmanagerapplet
This includes nm-connection-editor, which is needed to set up WPA2
enterprise connections.
2021-10-07 12:35:30 +02:00
Simon Bruder 171695dde4
mayushii/readme: Clarify SSD model 2021-10-06 22:43:08 +02:00
Simon Bruder cd2295ad7c
sway: Fix DPMS key binding 2021-10-06 19:41:00 +02:00
Simon Bruder 9743f7050f
vueko/mail: Add alias 2021-10-06 18:10:05 +02:00
Simon Bruder 9c98cf0be7
mayushii: Add radeontop 2021-10-06 16:32:09 +02:00
Simon Bruder 7886cb249a
mayushii: Set trackpoint sensitivity with sway 2021-10-06 16:32:09 +02:00
Simon Bruder 0e2c6a351d
mayushii: Disable touchpad 2021-10-05 23:13:23 +02:00
Simon Bruder b5782f633c
mayushii: Add power saving configuration
When booted with my mouse connected to my kvm switch connected to my
dock connected to mayushii, powertop’s default configuration enables
power saving features that disable the mouse until it registers a click.

My current workaround is to unplug and plug the dock, so the hot-plug
input devices connected to it are reset.
2021-10-05 22:53:49 +02:00
Simon Bruder 15d6c54900
mayushii: Lower TrackPoint sensitivity 2021-10-05 22:43:01 +02:00
Simon Bruder 31cec022e8
Revert "wireguard/home: Use peer-to-peer connections if possible"
This reverts commit bab6c5e5dc.
2021-10-05 21:37:38 +02:00
Simon Bruder 7a08083af1
Revert "wireguard/home: Fix peer-to-peer connection"
This reverts commit d621e84a00.
2021-10-05 21:31:37 +02:00
Simon Bruder dec3f07ca4
sway: Set temperature hwmon path for mayushii 2021-10-05 21:26:39 +02:00
Simon Bruder 00ac4f251c
README: Add UEFI installation instructions 2021-10-05 21:26:39 +02:00
Simon Bruder 8bf63db6e5
mayushii: Init 2021-10-05 21:26:39 +02:00
Simon Bruder ae8effee39
games: Add steam-sandbox 2021-10-04 16:57:10 +02:00
Simon Bruder 0c4f9a7d73
flake.lock: Update
Flake lock file changes:

• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/3cc8c47af31798040ea62499090540413279f832' (2021-09-21)
  → 'github:nixos/nixos-hardware/0a8b8054c9920368a3c15e6d766188fdf04b736f' (2021-09-30)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/056a3c1fae30d06d14b171b9023743c21a23ec1a' (2021-09-23)
  → 'github:nixos/nixpkgs/ee90403e147b181300dffca5b0afa405e14f1945' (2021-09-29)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/51bcdc4cdaac48535dabf0ad4642a66774c609ed' (2021-09-23)
  → 'github:nixos/nixpkgs/c21ba4f7bb4a3d621eb1d187e6b5e816bb85380c' (2021-09-28)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/64235a958b9ceedf98a3212c13b0dea3a504598f' (2021-09-24)
  → 'github:Mic92/sops-nix/095fca05818c7f4c2285387b2eb94e13b683101a' (2021-09-30)
2021-10-01 18:53:37 +02:00
Simon Bruder bbabc80140
vueko/mail: Add alias 2021-10-01 07:30:19 +02:00
Simon Bruder 59655fd1b0
vueko/coturn: Enable plain connections
(D)TLS connections are clearly preferable, but they stopped working some
time ago and I can’t figure out why.
2021-09-26 22:22:31 +02:00
Simon Bruder 400893b168
vueko/mail: Add alias 2021-09-25 18:13:59 +02:00
Simon Bruder 2a4cbe6ffb
fuuko/matrix: Raise upload limit to 50M 2021-09-25 17:18:23 +02:00
Simon Bruder 050359f8ee
nix: Fix nix not working with local LFS repositories 2021-09-25 17:17:49 +02:00
Simon Bruder ac03369ff8
flake.lock: Update
Flake input changes:

* Updated 'krops': 'github:Mic92/krops/c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911' -> 'github:Mic92/krops/0388970c568905fedcbf429e5745aacd4f7a6633'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/a387b870f809ca62edb231ded669302d389a6401' -> 'github:nixos/nixos-hardware/3cc8c47af31798040ea62499090540413279f832'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/b3083bc6933eb7fa4ee7bd4802e9f72b56f3e654' -> 'github:nixos/nixpkgs/056a3c1fae30d06d14b171b9023743c21a23ec1a'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/bcd607489d76795508c48261e1ad05f5d4b7672f' -> 'github:nixos/nixpkgs/51bcdc4cdaac48535dabf0ad4642a66774c609ed'
* Updated 'sops-nix': 'github:Mic92/sops-nix/32d94573f7d8fe2c8c7874140990d0f49ea9d344' -> 'github:Mic92/sops-nix/64235a958b9ceedf98a3212c13b0dea3a504598f'
2021-09-25 15:04:14 +02:00
Simon Bruder 7f4d0903ca
vueko/mail: Add alias 2021-09-19 13:32:01 +02:00
Simon Bruder d1000ee78a
vueko/mail: Add alias 2021-09-17 15:03:44 +02:00
Simon Bruder 275b784c09
flake.lock: Update
Flake input changes:

* Updated 'flake-utils': 'github:numtide/flake-utils/997f7efcb746a9c140ce1f13c72263189225f482' -> 'github:numtide/flake-utils/7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19'
* Updated 'home-manager': 'github:nix-community/home-manager/f5adb9be829f487f99bcc0f1884f74ddb85f70c8' -> 'github:nix-community/home-manager/7d9ba15214004c979d2c8733f8be12ce6502cf8a'
* Updated 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/397f0713d007250a2c7a745e555fa16c5dc8cadb' -> 'github:cachix/pre-commit-hooks.nix/3ed0e618cebc1ff291c27b749cf7568959cac028'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/342048461da7fc743e588ee744080c045613a226' -> 'github:nixos/nixos-hardware/a387b870f809ca62edb231ded669302d389a6401'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/fd6dba47199a7c249e64c1aa1fef01ee78e58481' -> 'github:nixos/nixpkgs/b3083bc6933eb7fa4ee7bd4802e9f72b56f3e654'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/efcfe3676268c789e78a22b20a94c00227d20bc8' -> 'github:nixos/nixpkgs/bcd607489d76795508c48261e1ad05f5d4b7672f'
* Updated 'sops-nix': 'github:Mic92/sops-nix/3e4ebc851c91d1ce5c65da23436726c555a0d7e8' -> 'github:Mic92/sops-nix/32d94573f7d8fe2c8c7874140990d0f49ea9d344'
2021-09-15 13:44:12 +02:00
Simon Bruder bd20daea28
vueko/element-web: Make PDF download work 2021-09-15 07:30:41 +02:00
Simon Bruder 5c0d4439e8
bwrap-helper: Reuse system’s PATH
Otherwise running in nix-shell does not make the binaries from the
temporary environment available inside the sandbox.
2021-09-10 23:33:31 +02:00
Simon Bruder 9190c83c97
Fix ntfs support 2021-09-10 18:01:52 +02:00
Simon Bruder b3f106010a
vueko/mail: Add alias 2021-09-10 14:28:44 +02:00
Simon Bruder 79636d081f
vueko/mail: Add alias 2021-09-08 11:49:43 +02:00
Simon Bruder edab69554d
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/110a2c9ebbf5d4a94486854f18a37a938cfacbbb' -> 'github:nixos/nixpkgs/fd6dba47199a7c249e64c1aa1fef01ee78e58481'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/8a2ec31e224de9461390cdd03e5e0b0290cdad0b' -> 'github:nixos/nixpkgs/efcfe3676268c789e78a22b20a94c00227d20bc8'
2021-09-08 01:14:49 +02:00
Simon Bruder 7db9922dc2
nginx: Disable access log by default 2021-09-08 01:12:56 +02:00
Simon Bruder d46eca0ab0
git: Make aliases agnostic of default branch name 2021-09-06 16:30:14 +02:00
Simon Bruder d840d4c227
neovim: Add binding for LSP code action 2021-09-05 14:46:58 +02:00
Simon Bruder 1730681386
fuuko/torrent: Switch wireguard endpoints 2021-09-05 13:35:45 +02:00
Simon Bruder a94fd4d505
ghci: Add Hoogle commands 2021-09-05 00:18:47 +02:00
Simon Bruder aceeb7c35a
ghc: Init
This only adds the configuration, not the packages, because they are
massive.
2021-09-03 20:04:40 +02:00
Simon Bruder d621e84a00
wireguard/home: Fix peer-to-peer connection
Public clients also need to have all peers configured, so they can
connect to them.
2021-09-03 15:31:45 +02:00
Simon Bruder bbda930013
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/74d017edb6717ad76d38edc02ad3210d4ad66b96' -> 'github:nixos/nixpkgs/110a2c9ebbf5d4a94486854f18a37a938cfacbbb'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=f28ea2244d33d0ed663e7864de55a77899e7f226' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=41bf1e1cbf3157ef3eb6896c17a98a387a6c343e'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/88226ea038e538e09c272a7c56ba73c3f5eed57f' -> 'github:nixos/nixpkgs/8a2ec31e224de9461390cdd03e5e0b0290cdad0b'
* Updated 'sops-nix': 'github:Mic92/sops-nix/024c079aa1fb582068b79138597ac41f4f3ce799' -> 'github:Mic92/sops-nix/3e4ebc851c91d1ce5c65da23436726c555a0d7e8'
2021-09-03 15:05:05 +02:00
Simon Bruder bab6c5e5dc
wireguard/home: Use peer-to-peer connections if possible 2021-08-31 11:20:06 +02:00
Simon Bruder 0ca3062e69
dnsmasq: Add quad9 DNS servers
Thanks Sony Music for bringing this to my attention.
2021-08-31 09:55:51 +02:00
Simon Bruder 0d9ec3383e
nginx-interactive-index: Make .. work again
This fixes a regression introduced in
77eab2497a, which moved the heading into a
thead and the file listing into a tbody. Therefore, the .. entry is now
the first entry and has been excluded by the rule that previously
excluded the header.
2021-08-30 22:11:00 +02:00
Simon Bruder 2c3e65cf5c
vueko/mail: Add alias 2021-08-30 12:53:17 +02:00
Simon Bruder 37bc221e0c
fuuko/dnsmasq: Increase cache size 2021-08-29 18:56:00 +02:00
Simon Bruder ccc0d60d71
nginx-interactive-index: Implement stripes in javascript
This shows stripes correctly even after a filter has been entered.
Previously the absolute position (before filtering) was used to
determine the row colour, which looked weird.
2021-08-29 14:14:07 +02:00
Simon Bruder 77eab2497a
nginx-interactive-index: Only apply stripes to body 2021-08-29 14:13:35 +02:00
Simon Bruder f6d9bf82db
mullvad: Update relays 2021-08-29 12:32:50 +02:00
Simon Bruder 65dcb3051e
Add TODO for removing custom prometheus-fritzbox-exporter 2021-08-29 12:03:22 +02:00
Simon Bruder a5fde0764d
waybar: Autostart blueman-applet 2021-08-28 16:54:27 +02:00
Simon Bruder 8c5a0e8a38
flake.lock: Update
Flake input changes:

* Updated 'home-manager': 'github:nix-community/home-manager/9f2b766d0f46fcc87881531e6a86eba514b8260d' -> 'github:nix-community/home-manager/f5adb9be829f487f99bcc0f1884f74ddb85f70c8'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/de40acde6c056a7c5f3c9ad4dca0c172fa35d207' -> 'github:nixos/nixos-hardware/342048461da7fc743e588ee744080c045613a226'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/d5aadbefd650cb0a05ba9c788a26327afce2396c' -> 'github:nixos/nixpkgs/74d017edb6717ad76d38edc02ad3210d4ad66b96'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/870959c7fb3a42af1863bed9e1756086a74eb649' -> 'github:nixos/nixpkgs/88226ea038e538e09c272a7c56ba73c3f5eed57f'
* Updated 'sops-nix': 'github:Mic92/sops-nix/ec2800174de5a7be8ec5b144819af2c7de77abe2' -> 'github:Mic92/sops-nix/024c079aa1fb582068b79138597ac41f4f3ce799'
2021-08-28 15:17:14 +02:00
Simon Bruder 9f4ffa5932
fuuko: Add hcloud_exporter 2021-08-28 13:53:38 +02:00
Simon Bruder 74955039f3
programs: Remove unused programs
They are currently taking up a huge amount of space but I rarely or
never use them.
2021-08-28 11:49:21 +02:00
Simon Bruder 29f0a5017f
programs: Move virt-manager to user profile 2021-08-28 11:24:51 +02:00
Simon Bruder a0e52ea7b6
{nunotaba,sayuri}: Use qemu_kvm for libvirt
I don’t emulate any architectures besides x86_64 anyway.
2021-08-28 11:23:57 +02:00
Simon Bruder 1aa325b1ec
fuuko/torrent: Use nixpkgs unstable’s aria2
It has a new release of aria2 that includes the patch that was
previously manually applied.
2021-08-24 22:06:30 +02:00
Simon Bruder c0493bd3a5
flake.lock: Update
Flake input changes:

* Updated 'flake-utils': 'github:numtide/flake-utils/c5d161cc0af116a2e17f54316f0bf43f0819785c' -> 'github:numtide/flake-utils/997f7efcb746a9c140ce1f13c72263189225f482'
* Updated 'home-manager': 'github:nix-community/home-manager/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef' -> 'github:nix-community/home-manager/9f2b766d0f46fcc87881531e6a86eba514b8260d'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/878f629005b003fe39c9e619b074e0ff7d9ed0e2' -> 'github:nixos/nixos-hardware/de40acde6c056a7c5f3c9ad4dca0c172fa35d207'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/7bbca9877caed472c6b5866ea09302cfcdce3dbf' -> 'github:nixos/nixpkgs/d5aadbefd650cb0a05ba9c788a26327afce2396c'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=8f31f1add50b4f107f4dc69f12c0aa3c3d5cf49d' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=d408a21736f685dec0426edd0bf12fbbd229b778'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/253aecf69ed7595aaefabde779aa6449195bebb7' -> 'github:nixos/nixpkgs/870959c7fb3a42af1863bed9e1756086a74eb649'
2021-08-24 22:04:13 +02:00
Simon Bruder d76c299f6d
vueko/mail: Add alias 2021-08-22 13:04:56 +02:00
Simon Bruder 9aa7d4411f
zsh: Add binding for editing the current command 2021-08-21 22:32:58 +02:00
Simon Bruder 64a682a836
mpd: Disable replaygain
Otherwise heavy clipping occurs when playing opus files without
replaygain tags.
2021-08-21 18:57:08 +02:00
Simon Bruder 9832f10d03
youtube-dl: Add yt-dlp
youtube-dl currently is unbearably slow (double-digit KiB/s).
2021-08-21 18:55:16 +02:00
Simon Bruder 15fdc8756a
pipewire: Disable hardware volume for HD 4.50BTNC 2021-08-21 15:47:17 +02:00
Simon Bruder aed5d19be3
waybar/mpd: Limit title and artist length 2021-08-19 22:22:08 +02:00
Simon Bruder 71f6aed0b4
flake.lock: Update
Flake input changes:

* Updated 'flake-utils': 'github:numtide/flake-utils/f7e004a55b120c02ecb6219596820fcd32ca8772' -> 'github:numtide/flake-utils/c5d161cc0af116a2e17f54316f0bf43f0819785c'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/566f4da36652b1fe404346aafcd2cd02fecf7d43' -> 'github:nixos/nixos-hardware/878f629005b003fe39c9e619b074e0ff7d9ed0e2'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/a445f5829889959d65ad65e5c961d5c67e1cd677' -> 'github:nixos/nixpkgs/7bbca9877caed472c6b5866ea09302cfcdce3dbf'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/4138cbd913fad85073e59007710e3f083d0eb7c6' -> 'github:nixos/nixpkgs/253aecf69ed7595aaefabde779aa6449195bebb7'
2021-08-19 21:54:46 +02:00
Simon Bruder d564735b4e
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/7da029f26849f8696ac49652312c9171bf9eb170' -> 'github:nixos/nixos-hardware/566f4da36652b1fe404346aafcd2cd02fecf7d43'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2' -> 'github:nixos/nixpkgs/a445f5829889959d65ad65e5c961d5c67e1cd677'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=29f85ebdce94bb722e2cb3d34a823eb4fe8b0fef' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=8f31f1add50b4f107f4dc69f12c0aa3c3d5cf49d'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/fe01052444c1d66ed6ef76df2af798c9769e9e79' -> 'github:nixos/nixpkgs/4138cbd913fad85073e59007710e3f083d0eb7c6'
2021-08-15 10:00:57 +02:00
Simon Bruder 5ebd71d1f3
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/8296b88560d8ac07a885452e094cd454de90ea9b' -> 'github:nixos/nixos-hardware/7da029f26849f8696ac49652312c9171bf9eb170'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/733682c32929293341f113f297b64ea6319e9089' -> 'github:nixos/nixpkgs/2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=eff7a88016c725d7adc8e520f5d95e59d6fed66c' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=29f85ebdce94bb722e2cb3d34a823eb4fe8b0fef'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/439b1605227b8adb1357b55ce8529d541abbe9eb' -> 'github:nixos/nixpkgs/fe01052444c1d66ed6ef76df2af798c9769e9e79'
2021-08-11 18:20:29 +02:00
Simon Bruder 95b65c5d15
sayuri: Add samba sharing files with windows VM
This requires enabling guest access in Windows [1].

[1] https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
2021-08-11 10:54:31 +02:00
Simon Bruder 54242cc943
btsync: Make compatible with pipewire
pacmd only supports the “real” pulseaudio daemon.
2021-08-10 13:16:04 +02:00
Simon Bruder 2b9bb92757
git: Add grbias alias 2021-08-07 13:29:29 +02:00
Simon Bruder cb3401ff87
osu-lazer: Rebase patches
This also modifies how the patches are applied, since nixpkgs does not
apply any patches any more.
2021-08-07 13:22:16 +02:00
Simon Bruder 552c4d3b2b
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/09ed30ff3bb67f5efe9c77e0d79aca01793526ca' -> 'github:nixos/nixos-hardware/8296b88560d8ac07a885452e094cd454de90ea9b'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/11c662074e2ae3dddd7e157918b6981de4ce7857' -> 'github:nixos/nixpkgs/733682c32929293341f113f297b64ea6319e9089'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=76b81d31bb1f703d346086310fe9231fec1d37b2' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=eff7a88016c725d7adc8e520f5d95e59d6fed66c'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/8ecc61c91a596df7d3293603a9c2384190c1b89a' -> 'github:nixos/nixpkgs/439b1605227b8adb1357b55ce8529d541abbe9eb'
2021-08-07 10:14:31 +02:00
Simon Bruder 839fb8e514
games: Add mgba 2021-08-07 00:30:49 +02:00
Simon Bruder 49aa48366a
games: Move to separate module 2021-08-06 18:55:10 +02:00
Simon Bruder 3acc1eb0ce
vueko/mail: Remove alias 2021-08-06 12:37:11 +02:00
Simon Bruder 821a352c49
Annotate multiline strings with their language 2021-08-05 13:23:07 +02:00
Simon Bruder 46afd7123c
neovim: Add fenced syntax highlighting for nix
This is not yet in upstream and the PR is almost 2 years old now, but it
makes editing code in multiline strings much easier.
2021-08-05 13:07:25 +02:00
Simon Bruder 6ac026a535
Enable fwupd on full systems 2021-08-04 16:52:11 +02:00
Simon Bruder a1facf530f
fuuko: Use plain DNS again
DNS over HTTPS often is unreliable in practice (did not empirically test
this).
2021-08-01 19:05:20 +02:00
Simon Bruder e5d82f7087
programs: Remove gscan2pdf
One of its dependencies is currently broken and I don’t use it any more.
2021-08-01 18:47:39 +02:00
Simon Bruder 14999b0f92
flake.lock: Update
Flake input changes:

* Updated 'bang-evaluator': 'git+https://git.sbruder.de/simon/bangs?ref=master&rev=d6ab4b7b2ff0cb7b404643f45e4a7a8d70eda9b7' -> 'git+https://git.sbruder.de/simon/bangs?ref=master&rev=7fc3d5019c907566abbad8f84ba9555a5786bd01'
* Updated 'home-manager': 'github:nix-community/home-manager/9c0abed5228d54aad120b4bc757b6f5935aeda1c' -> 'github:nix-community/home-manager/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/615e23579fec9bf0753fd72a8a447d9fb847c58f' -> 'github:nixos/nixos-hardware/09ed30ff3bb67f5efe9c77e0d79aca01793526ca'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/82151321eeaef290b8345803e0b217a261b7c4e1' -> 'github:nixos/nixpkgs/11c662074e2ae3dddd7e157918b6981de4ce7857'
2021-08-01 18:29:52 +02:00
Simon Bruder 971fda90c4
vueko/mail: Add alias 2021-08-01 11:37:46 +02:00
Simon Bruder d20afbfe4c
vueko/mail: Add alias 2021-08-01 11:36:43 +02:00
Simon Bruder 7b473dad3a
waybar/calendar: Fix number of today’s events
This was broken for multiline descriptions.
2021-07-29 06:31:59 +02:00
Simon Bruder 1fcecb1f64
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/41775780a0b6b32b3d32dcc32bb9bc6df809062d' -> 'github:nixos/nixos-hardware/615e23579fec9bf0753fd72a8a447d9fb847c58f'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/973910f5c31b9ba6c171c33a8bd7199990b14c72' -> 'github:nixos/nixpkgs/82151321eeaef290b8345803e0b217a261b7c4e1'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/dd14e5d78e90a2ccd6007e569820de9b4861a6c2' -> 'github:nixos/nixpkgs/8ecc61c91a596df7d3293603a9c2384190c1b89a'
2021-07-28 15:04:00 +02:00
Simon Bruder 8b9eb54806
games: Conditionally add emulators
This uses a crude arbitrary number to only install them onto machines
that can actually run them.
2021-07-26 20:44:46 +02:00
Simon Bruder a90fef89c0
zsh/dcauto: Use regular instead of civil daylight 2021-07-25 20:19:59 +02:00
Simon Bruder 42a83bea7f
mpd/ncmpcpp: Add dynamic color palette support 2021-07-25 14:32:31 +02:00
Simon Bruder 32b18bd005
flake.lock: Update
Flake input changes:

* Updated 'home-manager': 'github:nix-community/home-manager/35a24648d155843a4d162de98c17b1afd5db51e4' -> 'github:nix-community/home-manager/9c0abed5228d54aad120b4bc757b6f5935aeda1c'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/4181644d09b96af0f92c2f025d3463f9d19c7790' -> 'github:nixos/nixpkgs/973910f5c31b9ba6c171c33a8bd7199990b14c72'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=f02c1bb2c0a93bfd2f589d225a68d4e2b8eedb5f' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=76b81d31bb1f703d346086310fe9231fec1d37b2'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/967d40bec14be87262b21ab901dbace23b7365db' -> 'github:nixos/nixpkgs/dd14e5d78e90a2ccd6007e569820de9b4861a6c2'
2021-07-25 13:04:05 +02:00
Simon Bruder 4fc2015ee9
fzf: Get solarized colors from common.nix 2021-07-25 10:16:09 +02:00
Simon Bruder a67ec1b22f
zsh: Automatically set color scheme at init 2021-07-25 08:58:57 +02:00
Simon Bruder aef0baf527
programs: Add dynamic-colors 2021-07-25 08:47:59 +02:00
Simon Bruder 11f7ac50ca
Set geographical location system-wide 2021-07-25 08:36:19 +02:00
Simon Bruder 0c74cdbbdd
neovim: Fix installPhase nix snippet 2021-07-24 19:21:52 +02:00
Simon Bruder 8771faa93c
programs: Add paperwork 2021-07-24 13:03:33 +02:00
Simon Bruder 11ec0ab428
vueko/mail: Add alias 2021-07-22 19:12:08 +02:00
Simon Bruder 376dfa37de
vueko/mail: Add alias 2021-07-22 09:52:02 +02:00
Simon Bruder 5ee7108bd6
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/b2f87e0043aaf3f0f05cc983bd6aa80a616b8352' -> 'github:nixos/nixpkgs/4181644d09b96af0f92c2f025d3463f9d19c7790'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/c6c4a3d45ab200f17805d2d86a1ff1cc7ca2b186' -> 'github:nixos/nixpkgs/967d40bec14be87262b21ab901dbace23b7365db'
2021-07-21 15:31:50 +02:00
Simon Bruder 0b9c9ea047
programs: add dust 2021-07-18 22:54:46 +02:00
Simon Bruder 8dafa364e0
waybar: Fix display when there is no event 2021-07-18 08:38:05 +02:00
Simon Bruder 5e4d888da7
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/2a96414d7e350160a33ed0978449c9ff5b5a6eb3' -> 'github:nixos/nixpkgs/b2f87e0043aaf3f0f05cc983bd6aa80a616b8352'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/d8f8f31af9d77a48220e4e8a301d1e79774cb7d2' -> 'github:nixos/nixpkgs/c6c4a3d45ab200f17805d2d86a1ff1cc7ca2b186'
2021-07-18 07:59:07 +02:00
Simon Bruder d0900f1cf8
waybar: Add calendar 2021-07-17 16:13:45 +02:00
Simon Bruder faf9a044fd
neovim: Add nix phase snippets 2021-07-17 14:23:32 +02:00
Simon Bruder 00a919d6d7
sway: Reorganise and split into multiple files 2021-07-17 14:10:02 +02:00
Simon Bruder f3d958c1a9
zsh: Remove redundant environment variable declaration
It is already declared in the sway configuration.
2021-07-17 13:55:46 +02:00
Simon Bruder 34badc3638
anki: Reorganise directory layout 2021-07-17 13:46:19 +02:00
Simon Bruder 0d08f9c6db
zsh: Reorganise directory layout 2021-07-17 13:41:15 +02:00
Simon Bruder 4556ec6c73
scripts: Reorganise directory layout 2021-07-17 13:38:32 +02:00
Simon Bruder 80f23f019b
neovim: Reorganise directory layout
This also loads UltiSnips by setting a configuration option instead of
symlinking it to the default location.
2021-07-17 13:31:47 +02:00
Simon Bruder 35e6bf8185
neovim: Add binding for sorting in visual mode 2021-07-17 13:25:57 +02:00
Simon Bruder c09d54513b
neovim: Allow closing terminal with double escape
I always forget the default key binding.
2021-07-17 13:25:23 +02:00
Simon Bruder 1dcaeb0aed
neovim: Use nerdtree git plugin from nixpkgs 2021-07-17 12:58:25 +02:00
Simon Bruder 16d6aa2aa0
zsh: Add syntax highlighting 2021-07-17 10:19:42 +02:00
Simon Bruder b26b004392
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/c06613c25df3fe1dd26243847a3c105cf6770627' -> 'github:nixos/nixpkgs/2a96414d7e350160a33ed0978449c9ff5b5a6eb3'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/87807e64a5ef5206b745a40af118c7be8db73681' -> 'github:nixos/nixpkgs/d8f8f31af9d77a48220e4e8a301d1e79774cb7d2'
* Updated 'sops-nix': 'github:Mic92/sops-nix/87a27217b229e1044c519a855184c9a16ffc1239' -> 'github:Mic92/sops-nix/ec2800174de5a7be8ec5b144819af2c7de77abe2'
2021-07-14 19:51:59 +02:00
Simon Bruder 6006e2cb46
nix: Add cached-nix-shell 2021-07-11 10:43:43 +02:00
Simon Bruder ce6e2660d0
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/9d1350d9d56411b685ff3de5839ed6728b1bf808' -> 'github:nixos/nixpkgs/c06613c25df3fe1dd26243847a3c105cf6770627'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/036dc0c709650e0c833822307af801f576d67273' -> 'github:nixos/nixpkgs/87807e64a5ef5206b745a40af118c7be8db73681'
2021-07-10 16:53:32 +02:00
Simon Bruder f546f737fe
sway: Enable screencasts via xdg-desktop-portal-wlr
This also adds a blinking indicator to the status bar so it is obvious
when the screen is shared.
2021-07-10 16:27:26 +02:00
Simon Bruder 2d0a2b7316
mako: Highlight critical notifications 2021-07-10 16:20:03 +02:00
Simon Bruder 7fdc470595
bwrap-helper: Add pipewire alsa compatibility 2021-07-10 12:44:54 +02:00
Simon Bruder 7959abe5f0
pipewire: Init and replace pulseaudio 2021-07-10 12:44:09 +02:00
Simon Bruder 3c753e8852
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/eb889532fef2cb73071436842ae2ca0ed2d011aa' -> 'github:nixos/nixos-hardware/41775780a0b6b32b3d32dcc32bb9bc6df809062d'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/21b696caf392ad6fa513caf3327d0aa0430ffb72' -> 'github:nixos/nixpkgs/9d1350d9d56411b685ff3de5839ed6728b1bf808'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/d8079260a3028ae3221d7a5467443ee3a9edd2b8' -> 'github:nixos/nixpkgs/036dc0c709650e0c833822307af801f576d67273'
* Updated 'sops-nix': 'github:Mic92/sops-nix/c4f7025e5d20af51b4803d7b43f23daf06906138' -> 'github:Mic92/sops-nix/87a27217b229e1044c519a855184c9a16ffc1239'
2021-07-07 20:43:30 +02:00
Simon Bruder fd37161a78
programs: Add evince
For some reason, the print quality with zathura is subpar (noticeably
blurry), but evince manages to produce a clear print.
2021-07-07 18:58:36 +02:00
Simon Bruder 12e24d0761
cups: Add elma 2021-07-07 18:25:14 +02:00
Simon Bruder 298ef93ed5
cups: Remove broken printers 2021-07-04 20:54:09 +02:00
Simon Bruder 9ce76f591f
mpv: Add binding for frame-exact sub delay 2021-07-04 12:53:50 +02:00
Simon Bruder 1de4af389b
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/03c60a2db286bcd8ecfac9a8739c50626ca0fd8e' -> 'github:nixos/nixos-hardware/eb889532fef2cb73071436842ae2ca0ed2d011aa'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/e9148dc1c30e02aae80cc52f68ceb37b772066f3' -> 'github:nixos/nixpkgs/21b696caf392ad6fa513caf3327d0aa0430ffb72'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/3a8d7958a610cd3fec3a6f424480f91a1b259185' -> 'github:nixos/nixpkgs/d8079260a3028ae3221d7a5467443ee3a9edd2b8'
* Updated 'sops-nix': 'github:Mic92/sops-nix/7918c59b392f23665c0b726d4c640d14be4b0b8b' -> 'github:Mic92/sops-nix/c4f7025e5d20af51b4803d7b43f23daf06906138'
2021-07-03 14:43:54 +02:00
Simon Bruder a58aa3ece4
ncmpcpp: Use nvim as external editor 2021-07-02 18:02:41 +02:00
Simon Bruder 4d77cba8dc
flake.lock: Update
Flake input changes:

* Updated 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/628a319e1ee0f9e01d63a3dbe6c1681a177bc5f9' -> 'github:cachix/pre-commit-hooks.nix/397f0713d007250a2c7a745e555fa16c5dc8cadb'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/7305b276c90cfd3ad0a2452101a49c0b52c784c0' -> 'github:nixos/nixos-hardware/03c60a2db286bcd8ecfac9a8739c50626ca0fd8e'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/8112fbe212f6086151acb19fe464b00c8ac1aebd' -> 'github:nixos/nixpkgs/e9148dc1c30e02aae80cc52f68ceb37b772066f3'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/1905f5f2e55e0db0bb6244cfe62cb6c0dbda391d' -> 'github:nixos/nixpkgs/3a8d7958a610cd3fec3a6f424480f91a1b259185'
2021-06-30 19:52:11 +02:00
Simon Bruder d863586f23
mpv: Use ffmpeg-full
This allows mpv to support more exotic file formats and lavf filters.
Since I am already overriding mpv, it should not add another local
rebuild.
2021-06-30 19:49:28 +02:00
Simon Bruder 20117566de
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/0ccd0d91361dc42dd32ffcfafed1a4fc23d1c8b4' -> 'github:nixos/nixpkgs/8112fbe212f6086151acb19fe464b00c8ac1aebd'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/7e567a3d092b7de69cdf5deaeb8d9526de230916' -> 'github:nixos/nixpkgs/1905f5f2e55e0db0bb6244cfe62cb6c0dbda391d'
2021-06-26 11:03:21 +02:00
Simon Bruder 8442afae5c
vueko/mail: Add alias 2021-06-26 10:45:15 +02:00
Simon Bruder 43722b1177
programs: Add taskell 2021-06-25 22:15:01 +02:00
Simon Bruder 80e68848c5
Remove taskwarrior
I find myself not using it but instead writing everything in a plain
text file.
2021-06-25 19:23:23 +02:00
Simon Bruder fc6c997575
nix-direnv: Use new home-manager option 2021-06-23 17:22:04 +02:00
Simon Bruder 02f2138294
flake.lock: Update
Flake input changes:

* Updated 'home-manager': 'github:nix-community/home-manager/148d85ee8303444fb0116943787aa0b1b25f94df' -> 'github:nix-community/home-manager/35a24648d155843a4d162de98c17b1afd5db51e4'
* Updated 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/0398f0649e0a741660ac5e8216760bae5cc78579' -> 'github:cachix/pre-commit-hooks.nix/628a319e1ee0f9e01d63a3dbe6c1681a177bc5f9'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/bad3ccd099ebe9a8aa017bda8500ab02787d90aa' -> 'github:nixos/nixpkgs/0ccd0d91361dc42dd32ffcfafed1a4fc23d1c8b4'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/fa0326ce5233f7d592271df52c9d0812bec47b84' -> 'github:nixos/nixpkgs/7e567a3d092b7de69cdf5deaeb8d9526de230916'
2021-06-23 17:21:57 +02:00
Simon Bruder 0ab3260240
sayuri: Drop amdvlk in favour of radv
DXVK segfaults/exhibits weird errors when using amdvlk since upgrading
to 21.05. Mesa’s radv does work and I did not notice a performance drop.
2021-06-20 11:22:34 +02:00
Simon Bruder 71a5ea7a0d
Revert "fuuko/mautrix-whatsapp: Use unstable version from PR"
This reverts commit e1b59d57ff.
2021-06-19 16:02:04 +02:00
Simon Bruder 85a102f53c
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/93963c27b934f24289a94b9e3784d60a9b77e92c' -> 'github:nixos/nixpkgs/bad3ccd099ebe9a8aa017bda8500ab02787d90aa'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=daa5967b81bd898eec21af84686c8c892f0aba12' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=f02c1bb2c0a93bfd2f589d225a68d4e2b8eedb5f'
2021-06-19 16:01:21 +02:00
Simon Bruder a8795cf97c
flake.lock: Update
Flake input changes:

* Updated 'flake-utils': 'github:numtide/flake-utils/7d706970d94bc5559077eb1a6600afddcd25a7c8' -> 'github:numtide/flake-utils/f7e004a55b120c02ecb6219596820fcd32ca8772'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/6bea9761693b5d185d34bef205edb25a8081db57' -> 'github:nixos/nixos-hardware/7305b276c90cfd3ad0a2452101a49c0b52c784c0'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/81b3481d79a599d90138768a964b7d70d8996f97' -> 'github:nixos/nixpkgs/93963c27b934f24289a94b9e3784d60a9b77e92c'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/432fc2d9a67f92e05438dff5fdc2b39d33f77997' -> 'github:nixos/nixpkgs/fa0326ce5233f7d592271df52c9d0812bec47b84'
2021-06-17 19:01:24 +02:00
Simon Bruder e1b59d57ff
fuuko/mautrix-whatsapp: Use unstable version from PR
nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/126966
2021-06-15 19:20:25 +02:00
Simon Bruder 61d47861b5
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/cedcf2565c6b982d703d67455199b09a3d905d86' -> 'github:nixos/nixpkgs/81b3481d79a599d90138768a964b7d70d8996f97'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=6609282c70e881b32688cb1bf0f2e02a95d2306e' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=daa5967b81bd898eec21af84686c8c892f0aba12'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/fbfb79400a08bf754e32b4d4fc3f7d8f8055cf94' -> 'github:nixos/nixpkgs/432fc2d9a67f92e05438dff5fdc2b39d33f77997'
2021-06-13 08:19:36 +02:00
Simon Bruder 5ff547399c
nix-direnv: Enable flake support
Flake support for nix-direnv was made optional in nixpkgs and it has to
be explicitly enabled.
2021-06-11 16:04:55 +02:00
Simon Bruder 97bd12353d
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/fccbee72df707c3fb074854668deee6e1ff02351' -> 'github:nixos/nixos-hardware/6bea9761693b5d185d34bef205edb25a8081db57'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/5de44c15758465f8ddf84d541ba300b48e56eda4' -> 'github:nixos/nixpkgs/cedcf2565c6b982d703d67455199b09a3d905d86'
2021-06-11 15:56:42 +02:00
Simon Bruder 621d209680
sayuri: Add specialisation that disables mitigations
x264 encodes over 2 times faster in one example with mitigations
disabled.
2021-06-09 15:22:17 +02:00
Simon Bruder a6ddd29a1b
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/b2186d6c3cdc58fb3a8def0f608bcae61138cc6f' -> 'github:nixos/nixos-hardware/fccbee72df707c3fb074854668deee6e1ff02351'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/aa576357673d609e618d87db43210e49d4bb1789' -> 'github:nixos/nixpkgs/5de44c15758465f8ddf84d541ba300b48e56eda4'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/1ca6b0a0cc38dbba0441202535c92841dd39d1ae' -> 'github:nixos/nixpkgs/fbfb79400a08bf754e32b4d4fc3f7d8f8055cf94'
2021-06-08 19:58:28 +02:00
Simon Bruder 2aa489853f
programs: Add snownews 2021-06-06 00:12:55 +02:00
Simon Bruder 5d1ed0d770
flake.lock: Update
Flake input changes:

* Updated 'home-manager': 'github:nix-community/home-manager/fd5fbb0a241f644908cdf01ccd1821d0606fb4fd' -> 'github:nix-community/home-manager/148d85ee8303444fb0116943787aa0b1b25f94df'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/4c2e84394c0f372c019e941e95d6fbe21835719b' -> 'github:nixos/nixpkgs/aa576357673d609e618d87db43210e49d4bb1789'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=9bae5108d557668a44fc9239247b9a0b0d3f68ea' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=6609282c70e881b32688cb1bf0f2e02a95d2306e'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/1c2986bbb806c57f9470bf3231d8da7250ab9091' -> 'github:nixos/nixpkgs/1ca6b0a0cc38dbba0441202535c92841dd39d1ae'
* Updated 'sops-nix': 'github:Mic92/sops-nix/4f384662a85804fa2bc1bc1f99e70bb468e76f88' -> 'github:Mic92/sops-nix/7918c59b392f23665c0b726d4c640d14be4b0b8b'
2021-06-05 20:44:40 +02:00
Simon Bruder de67fd9d63
flake.lock: Update
Flake input changes:

* Updated 'home-manager': 'github:nix-community/home-manager/ab64dc32493996c24607eab2cae6663466ddfb8a' -> 'github:nix-community/home-manager/fd5fbb0a241f644908cdf01ccd1821d0606fb4fd'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/eaba7870ffc3400eca4407baa24184b7fe337ec1' -> 'github:nixos/nixpkgs/4c2e84394c0f372c019e941e95d6fbe21835719b'
2021-06-04 23:21:23 +02:00
Simon Bruder 387947191d
programs: Re-enable ungoogled-chromium
This reverts commit 0ba5f8c6fa.
2021-06-03 16:41:22 +02:00
Simon Bruder 740bffae9e
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/6933d068c5d2fcff398e802f7c4e271bbdab6705' -> 'github:nixos/nixpkgs/1c2986bbb806c57f9470bf3231d8da7250ab9091'
2021-06-03 16:30:53 +02:00
Simon Bruder b44acc2ffa
programs: Replace optipng with oxipng 2021-06-02 23:30:16 +02:00
Simon Bruder 92772d1cc3
flake.lock: Update
Flake input changes:

* Updated 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/2e7fac06108b4fc81f5ff9ed9a02bc4f6ede7001' -> 'github:cachix/pre-commit-hooks.nix/0398f0649e0a741660ac5e8216760bae5cc78579'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/d25ea6a0d2a847fb52131da546f2a866656fbafa' -> 'github:nixos/nixpkgs/eaba7870ffc3400eca4407baa24184b7fe337ec1'
2021-06-02 22:43:42 +02:00
Simon Bruder e6a0684bfe
neovim: Drop deprecated g:vimtex_syntax_autoload_packages 2021-06-02 14:01:58 +02:00
Simon Bruder 80f33f9095
Add contact page 2021-06-02 13:24:36 +02:00
Simon Bruder ce57c9a62c
neovim: Highlight syntax in markdown code blocks 2021-06-01 17:54:38 +02:00
Simon Bruder e4b10573d4
flake.lock: Update
Flake input changes:

* Updated 'flake-utils': 'github:numtide/flake-utils/b543720b25df6ffdfcf9227afafc5b8c1fabfae8' -> 'github:numtide/flake-utils/7d706970d94bc5559077eb1a6600afddcd25a7c8'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/684ae160a6e76590eafa3fca8061b6ad57bcc9ad' -> 'github:nixos/nixos-hardware/b2186d6c3cdc58fb3a8def0f608bcae61138cc6f'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/07ca3a021f05d6ff46bbd03c418b418abb781279' -> 'github:nixos/nixpkgs/d25ea6a0d2a847fb52131da546f2a866656fbafa'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/540dccb2aeaffa9dc69bfdc41c55abd7ccc6baa3' -> 'github:nixos/nixpkgs/6933d068c5d2fcff398e802f7c4e271bbdab6705'
2021-06-01 11:39:50 +02:00
Simon Bruder 8259b1455f
mullvad: Do not unlock pass when disabling tunnel 2021-06-01 11:37:59 +02:00
Simon Bruder c0efaa02ba
mullvad: Move script into system module
It doesn’t make sense to install the configuration files system-wide but
the script only for the user.
2021-06-01 10:29:58 +02:00
Simon Bruder e0efa77520
fuuko/nar-serve: Use NixOS module
Since it does not provide a `package` option, it has to be overridden
with an overlay.
2021-06-01 10:16:15 +02:00
Simon Bruder 44cc17db53
Use nixos-21.05 branch 2021-06-01 09:14:59 +02:00
Simon Bruder e94d0227fe
Use black 2021-06-01 00:02:27 +02:00
Simon Bruder b0d6861825
Use shellcheck
This also adds set -e and friends where applicable.
2021-05-31 23:59:13 +02:00
Simon Bruder 56b9c6c37f
Add module for on-demand usage of mullvad
Since wg-quick does not require the configuration file to include a
private key and local addresses, they can be added after the execution
of wg-quick.

Fixes #32.
2021-05-31 23:02:11 +02:00
Simon Bruder ac81f66237
flake.lock: Update
Flake input changes:

* Updated 'home-manager': 'github:nix-community/home-manager/90493027e33ba9eb3f50dc1da365d0e4ca31bf14' -> 'github:nix-community/home-manager/ab64dc32493996c24607eab2cae6663466ddfb8a'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/c4399b921fa7ff5f93ee10b3521b56b722ed74d8' -> 'github:nixos/nixos-hardware/684ae160a6e76590eafa3fca8061b6ad57bcc9ad'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/676ddafd3dbdc8dd95471df84bc5198d2d37d241' -> 'github:nixos/nixpkgs/c399b0f178aa7890157454723b5081f4bf45ac47'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=effd32025de28c69766ae48f7196d0db7dd9e1ec' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=9bae5108d557668a44fc9239247b9a0b0d3f68ea'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/ea7d4aa9b8225abd6147339f0d56675d6f1f0fd1' -> 'github:nixos/nixpkgs/540dccb2aeaffa9dc69bfdc41c55abd7ccc6baa3'
2021-05-30 11:45:08 +02:00
Simon Bruder a196059da6
ncmpcpp: Adapt visualizer settings to 0.9 2021-05-29 18:04:29 +02:00
Simon Bruder 4013206449
neovim: LC: Load per-project configuration 2021-05-29 14:46:32 +02:00
Simon Bruder 6f31ded457
fuuko/wordclock: Use 15 character long password
```cpp
    struct {
      char domain[32];
      char clientId[16];
      char user[16];
      char password[16];
    } mqtt;
```

(f637c2f39e/PersistentStorage.h)

This went unnoticed, because on NixOS, mosquitto does not validate
passwords by default.
2021-05-28 23:08:20 +02:00
Simon Bruder c918486622
fuuko/mqtt: Make compatible with Mosquitto 2
This now requires authenticating with a valid password, which it
apparently didn’t do before?
2021-05-28 23:05:22 +02:00
Simon Bruder 0fdfec4385
mpv: Add motion vector interpolation script 2021-05-28 16:10:11 +02:00
Simon Bruder ef9731a080
mpv: Fix debanding being active by default 2021-05-28 15:06:17 +02:00
Simon Bruder de3f8f8909
restic: Make restic prune regularly on fuuko
Closes #41.
2021-05-28 15:01:06 +02:00
Simon Bruder e9dc4601ad
restic: Do not initialise the repository
It already is initialised, and NixOS’ initialisation always prints all
existing snapshots to the journal which makes it almost impossible to
find the logs from the regular backup.
2021-05-28 15:01:06 +02:00
Simon Bruder 9025dfffb5
wireguard/dns: Make zone master zone
Since 21.05 it does not work when this is not set.
2021-05-28 14:24:50 +02:00
Simon Bruder d3d41da2bc
vueko/murmur: Explicitly set murmur as system user 2021-05-28 14:24:25 +02:00
Simon Bruder e80a0b0c07
vueko/radicale: Use services.radicale.settings 2021-05-28 14:24:02 +02:00
Simon Bruder 6492ad2d4c
prometheus-fritzbox-exporter: stdenv.lib -> lib 2021-05-28 14:05:14 +02:00
Simon Bruder 91b3e97e48
mpv: Update gallery-view plugin 2021-05-28 14:05:14 +02:00
Simon Bruder 7d7da189d0
nunotaba: Reinstall on btrfs filesystem 2021-05-28 14:05:14 +02:00
Simon Bruder 6cb59d0149
nunotaba: Use performance cpuFreqGovernor
With kernel 5.10 powersave is stuck at 798 MHz for some reason.
2021-05-28 14:05:13 +02:00
Simon Bruder 54288988de
zsh: Explicitly disable prompt in user config
Otherwise starship does not work in 21.05.
2021-05-28 14:05:13 +02:00
Simon Bruder 091f6b0e14
Update to 21.05
This still uses the release-21.05 branch which should later be changed to
nixos-21.05.
2021-05-28 14:04:53 +02:00
Simon Bruder ad0748ba1b
Use gammastep instead of redshift 2021-05-27 18:07:01 +02:00
Simon Bruder 7450828b63
fonts: Do not enable X11 fonts dir 2021-05-27 18:07:00 +02:00
Simon Bruder 10a63f585d
mako: Remove notification inhibitor
Upstream wants to implement modes, which collide with the patch that I
used.
2021-05-27 18:07:00 +02:00
Simon Bruder 36c0c67e36
sayuri: Update specs in readme 2021-05-27 18:06:34 +02:00
Simon Bruder ea45b45c60
restic: Fix restic-auth script
Since I migrated to sops, the password store structure changed.
2021-05-27 14:38:33 +02:00
Simon Bruder 0f135fc87b
unlock: Resolve hostname with hard-coded server
This is required after power outages when unlocking the server that does
dns in the network.
2021-05-26 17:19:38 +02:00
Simon Bruder ab4ef486be
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/a7064e23973b0f3e1dd56cf4601758fedc38423c' -> 'github:nixos/nixpkgs/ac60476ed94fd5424d9f3410c438825f793a8cbb'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/673aea9f84c955c94b105797fdc56007017af4db' -> 'github:nixos/nixpkgs/ea7d4aa9b8225abd6147339f0d56675d6f1f0fd1'
2021-05-25 21:46:58 +02:00
Simon Bruder d64f4a8741
vueko/mail: Add alias 2021-05-25 09:48:25 +02:00
Simon Bruder 71209d0cc8
vueko/mail: Add alias 2021-05-21 12:30:36 +02:00
Simon Bruder 652cdbd975
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/52090c613ad854abb824dcbba20e19bfa3890e91' -> 'github:nixos/nixpkgs/a7064e23973b0f3e1dd56cf4601758fedc38423c'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/7a1fbc38a4b538450ac0d42aec8a3e513b4d723e' -> 'github:nixos/nixpkgs/673aea9f84c955c94b105797fdc56007017af4db'
2021-05-21 08:20:38 +02:00
Simon Bruder 004a879f46
programs/mumble: Fix PTT patch hash
It has been wrong since 9c51d36c4d
switched to fetchpatch (which strips the headers from the patch and
therefore produces a different file).
2021-05-19 16:19:58 +02:00
Simon Bruder ef2f20ee3b
flake.lock: Update
Flake input changes:

* Updated 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/40a51af82c1181b9dea3526c4124eee077e30213' -> 'github:cachix/pre-commit-hooks.nix/2e7fac06108b4fc81f5ff9ed9a02bc4f6ede7001'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/7974217f94c2970026c411d9234dbb47e93a7306' -> 'github:nixos/nixpkgs/52090c613ad854abb824dcbba20e19bfa3890e91'
* Updated 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=37c399d830bd6f2f789cabfae7cd21a824e976c0' -> 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=master&rev=effd32025de28c69766ae48f7196d0db7dd9e1ec'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/83d907fd760d9ee4f49b4b7e4b1c6682f137b573' -> 'github:nixos/nixpkgs/7a1fbc38a4b538450ac0d42aec8a3e513b4d723e'
2021-05-19 15:23:59 +02:00
Simon Bruder b0754833b4
neovim: Use rust-analyzer instead of rls 2021-05-19 15:18:48 +02:00
Simon Bruder 961b497609
vueko/mail: Add alias 2021-05-17 19:05:24 +02:00
Simon Bruder 9afeb8527a
programs: Add gallery-dl 2021-05-16 17:59:21 +02:00
Simon Bruder ef78d4ec8e
flake.lock: Update
Flake input changes:

* Updated 'nixpkgs': 'github:nixos/nixpkgs/21ff9308b75d448765f7c3704a1459a3d8e1c844' -> 'github:nixos/nixpkgs/7974217f94c2970026c411d9234dbb47e93a7306'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/65a9923bbb94e4da656eb63f88f3a378be232e02' -> 'github:nixos/nixpkgs/83d907fd760d9ee4f49b4b7e4b1c6682f137b573'
2021-05-16 12:45:22 +02:00
Simon Bruder 0ba5f8c6fa
programs: Disable ungoogled-chromium
The build on hydra is failing[1] and compiling chromium is no fun.

[1]: https://hydra.nixos.org/build/142976662
2021-05-15 14:19:05 +02:00
Simon Bruder 4af6a8fce1
flake.lock: Update
Flake input changes:

* Updated 'aria2_exporter': 'github:sbruder/aria2_exporter/11af495d33bfa3d3e3f0dda93f17874bbef4ef97' -> 'github:sbruder/aria2_exporter/4b170f34720be5da2d2b8e791ff891624fe40e51'
* Updated 'bang-evaluator': 'git+https://git.sbruder.de/simon/bangs?ref=master&rev=08715eacf11e0c086fe8a09d3ccf6e9c91a60de4' -> 'git+https://git.sbruder.de/simon/bangs?ref=master&rev=d6ab4b7b2ff0cb7b404643f45e4a7a8d70eda9b7'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/c85e2a478c26cfd77d1445169e51475afe9cc7cd' -> 'github:nixos/nixpkgs/21ff9308b75d448765f7c3704a1459a3d8e1c844'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/d1601a40c48426ae460eede1675fd1d6ee23e198' -> 'github:nixos/nixpkgs/65a9923bbb94e4da656eb63f88f3a378be232e02'
2021-05-15 14:11:24 +02:00
Simon Bruder 1562a38fd1
Move mpvScripts.pitchcontrol into external overlay 2021-05-15 14:10:02 +02:00
Simon Bruder 2c8a291ae9
Make flake inputs available as module argument
This moves a bunch of stuff out of flake.nix into the modules they
belong to. This removes complexity from flake.nix and gives the project
a more organised structure.

Sadly, it is not possible to import modules from a flake outside of
flake.nix, since that leads to an infinite recursion (`config` has to be
evaluated before `config._modules.args.inputs` is available but `config`
depends on an import from `config._modules.args.inputs`). Therefore, the
`extraModules` argument in `machines/default.nix` has to be used for
that (it now has access to all flake inputs).
2021-05-15 10:04:44 +02:00
Simon Bruder 531060668a
fuuko/hydra: Show logs after build is completed 2021-05-15 00:01:04 +02:00
Simon Bruder e10394cd99
flake.lock: Update
Flake input changes:

* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/936e4649098d6a5e0762058cb7687be1b2d90550' -> 'github:nixos/nixos-hardware/c4399b921fa7ff5f93ee10b3521b56b722ed74d8'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/327368f98c6a927a84aed3c2f2fd1a7f6983e855' -> 'github:nixos/nixpkgs/c85e2a478c26cfd77d1445169e51475afe9cc7cd'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/65d6153aec85c8cb46023f0a7248628f423ca4ee' -> 'github:nixos/nixpkgs/d1601a40c48426ae460eede1675fd1d6ee23e198'
2021-05-14 14:03:45 +02:00
Simon Bruder be8c942150
flake: Remove updateInputs app
Nix has support for committing the changes with `nix flake update
--commit-lock-file`.
2021-05-13 17:01:37 +02:00
Simon Bruder 7d4f84eda8
flake.lock: Update
Flake input changes:

* Updated 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/09fb9e425111878b58223852e87ed85e8a189e0d' -> 'github:cachix/pre-commit-hooks.nix/40a51af82c1181b9dea3526c4124eee077e30213'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/02f067b234576a08522cffc8f5fa829db9b425cf' -> 'github:nixos/nixos-hardware/936e4649098d6a5e0762058cb7687be1b2d90550'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/6e83cfb005c6281ab10e908f6386fe1499b67feb' -> 'github:nixos/nixpkgs/327368f98c6a927a84aed3c2f2fd1a7f6983e855'
* Updated 'nixpkgs-unstable': 'github:nixos/nixpkgs/ae1c8ede09b53007ba9b3c32f926c9c03547ae8b' -> 'github:nixos/nixpkgs/65d6153aec85c8cb46023f0a7248628f423ca4ee'
2021-05-13 17:00:44 +02:00
Simon Bruder 9f70024257
fuuko/hydra: Make serving build artifacts work
hydra-server.service does not have access to the signing key.
2021-05-13 14:23:10 +02:00
Simon Bruder e629ad86fb
programs: Add textidote 2021-05-13 13:51:06 +02:00
Simon Bruder ebeba7c6fd
programs: Add deemix 2021-05-13 13:50:56 +02:00
Simon Bruder a861fbd725
Include my external overlay
It includes packages that are probably useful for other people outside of
my own system configuration.
2021-05-13 13:42:36 +02:00
Simon Bruder dc1698ffaa
fuuko: Add hydra 2021-05-13 13:07:17 +02:00
Simon Bruder d72ce259cc
Update flake inputs 2021-05-12 07:16:08 +02:00
Simon Bruder d2d2a7234f
direnv: Use nix-direnv’s use_flake 2021-05-09 12:34:48 +02:00
Simon Bruder 675f55e61f
Update flake inputs 2021-05-08 13:24:52 +02:00
Simon Bruder 7a5d16106a
mkvpropedit-add-fonts: Fix with spaces in filenames 2021-05-07 21:34:35 +02:00
Simon Bruder ca2136ef04
sayuri: Allow discards on data ssd 2021-05-07 14:37:53 +02:00
Simon Bruder ec50bc210b
Add nixpkgs-unstable to flake registry 2021-05-07 14:36:39 +02:00
Simon Bruder 26f7ef981b
Update flake inputs 2021-05-05 13:31:12 +02:00
Simon Bruder d3ec5f4ba1
sayuri: Reinstall on NVMe ssd 2021-05-04 23:15:05 +02:00
Simon Bruder 9bbc4a2f7a
sway: Use xwayland from unstable
20.09’s xwayland crashes (presumably because of sway 1.6).
2021-05-04 21:53:15 +02:00
Simon Bruder c3a3d8a12a
Adapt documentation to current configuration 2021-05-04 21:45:05 +02:00
Simon Bruder bb487bd528
Update flake inputs 2021-05-03 22:26:49 +02:00
Simon Bruder 2bf9577b61
vueko/mail: Add alias 2021-05-03 19:33:53 +02:00
Simon Bruder 10ced7f2bb
fuuko/torrent: Make socat work after forced stop
This should improve behaviour after e.g. a power outage.
2021-05-03 10:17:00 +02:00
Simon Bruder 54610a130a
flake: Specify apps in the way nix expects it
It has to be a flat attribute set of { type = "app"; program = "…"; },
otherwise nix will still run it, but `nix flake show` fails.
2021-05-03 10:17:00 +02:00
Simon Bruder d19bfb9c2c
pkgs/modules: Remove stray import 2021-05-03 10:17:00 +02:00
Simon Bruder 440fc97f7f
AriaNg: Include as flake 2021-05-03 10:16:59 +02:00
Simon Bruder 51f814c70d
fuuko/go-neb: Use sops for secrets 2021-05-03 10:16:59 +02:00
Simon Bruder 8a5a5e9a1c
aria2_exporter: Include as flake 2021-05-03 10:16:59 +02:00
Simon Bruder 8e02008cb4
bang-evaluator: Include as flake 2021-05-03 10:16:59 +02:00
Simon Bruder df6c74819e
Update flake inputs 2021-05-03 10:16:59 +02:00
Simon Bruder 0bb095a2bf
zsh: No longer unset LESS_TERMCAP
Since I now manually select the environment variables imported into
systemd/dbus, other variables with escape characters are no longer a
problem.
2021-05-03 10:16:59 +02:00
Simon Bruder 09618443eb
sway: Manually implement systemd/dbus integration
The way provided by home-manager does not work reliably.

This also references (hopefully) all executables called by systemd
services by their full path.
2021-05-03 10:16:58 +02:00
Simon Bruder 84c72583fe
fuuko/drone-runner-exec: Use unstable nix
This also adds /etc/static as read-only path to the sandbox, since
otherwise /etc/nix/nix.conf can’t be read.
2021-05-01 18:31:05 +02:00
Simon Bruder 400b55a293
Convert to flake
Fixes #3.
2021-05-01 17:36:58 +02:00
Simon Bruder af036e88db
nix: Enable flake support 2021-05-01 17:08:21 +02:00
Simon Bruder d704dab620
zsh: Do not match #
Nix flakes use # extensively, so quoting '#' every time is not feasible.

This needs to be added to the end of initExtra so other commands do not
reset it.
2021-05-01 16:53:47 +02:00
Simon Bruder 5b5bf546b3
wireguard: Simplify sopsFile path 2021-05-01 16:53:06 +02:00
Simon Bruder ef790a285a
overlay: Replace self/super with final/prev 2021-05-01 16:53:06 +02:00
Simon Bruder 236ac3488a
sway: Make shells reload environment every time
Otherwise changing environment variables requires me to log out.
2021-05-01 16:34:27 +02:00
Simon Bruder 267eecf000
sway: Make swaynag buttons easier to read 2021-04-30 19:22:08 +02:00
Simon Bruder 0ddb38e8f9
sway: Use package from unstable
Sway 1.6 is in nixos-unstable, so I don’t have to apply the patch
manually.

This also adds the WAYLAND_DISPLAY variable to dbus, which is required
to show the GCR prompter GTK3 window. This only happened after the
upgrade, so I assume sway changed some things that necessitate this.
2021-04-30 19:05:36 +02:00
Simon Bruder 36da32ff33
Add memtest86+ override to 5.31b
The version in nixpkgs (5.01-coreboot002) does not work on nunotaba nor
sayuri (it shows all? addresses as bad).
2021-04-30 15:56:23 +02:00
Simon Bruder 1674ee980b
Update sources
This does not update pre-commit-hooks.nix since [1] occurs due to its
migration to flakes.

[1]: https://github.com/cachix/pre-commit-hooks.nix/pull/103#issuecomment-828489093
2021-04-28 17:04:29 +02:00
Simon Bruder 4c60f99b76
pkgs/bwrap-helper: Pass through dev-bind(-try) 2021-04-25 09:54:49 +02:00
Simon Bruder 7d19c9b039
sayuri: Use radeontop from unstable 2021-04-25 09:54:49 +02:00
Simon Bruder 36111cfd8b
Update sources 2021-04-25 09:51:14 +02:00
Simon Bruder 8a339c51a2
Show system closure diff on activation 2021-04-25 09:50:03 +02:00
Simon Bruder 78f4579556
vueko/mail: Add alias 2021-04-23 10:21:11 +02:00
Simon Bruder 85546a5ab7
shell.nix: Make host key import find gpg 2021-04-23 09:31:03 +02:00
Simon Bruder 4d6530a56d
Update sources 2021-04-23 09:22:48 +02:00
Simon Bruder 7fd7f98708
pavucontrol: Make context menus work on wayland
Otherwise, they open with an offset.
2021-04-23 08:26:29 +02:00
Simon Bruder 5de2acd1f0
neovim: Add indentation settings for bib files 2021-04-22 16:05:25 +02:00
Simon Bruder bcee4c3243
mpv: Use better subtitle settings 2021-04-19 21:48:26 +02:00
Simon Bruder 11affcf8cb
Update sources 2021-04-19 19:00:08 +02:00
Simon Bruder 08b8fce2d4
fuuko/gitea: Store session on disk 2021-04-19 14:35:42 +02:00
Simon Bruder 4b81f9163a
mpv/visualiser: Fix resolution for visualiser-60 2021-04-18 22:29:36 +02:00
Simon Bruder 3e9593eb78
Revert "games: Disable osu-lazer-sandbox"
This reverts commit 6cff58fcb0.
2021-04-18 18:02:09 +02:00
Simon Bruder 7f5bf88fd7
pkgs/osu-lazer: Rebase patches 2021-04-18 18:01:21 +02:00
Simon Bruder ce62b43bc8
mpv: Also enable for full non-gui systems 2021-04-18 17:52:32 +02:00
Simon Bruder 5376c2994f
Update sources 2021-04-18 10:44:18 +02:00
Simon Bruder 9d27b71588
pkgs/cyanrip: Init
This also replaces abcde in user environment with cyanrip.
2021-04-18 10:40:33 +02:00
Simon Bruder bd9f25c995
programs: Add opusTools 2021-04-17 23:17:17 +02:00
Simon Bruder b51bff724f
zsh: Make cp use reflinks if possible 2021-04-17 19:36:37 +02:00
Simon Bruder 4af55ba3e9
vueko/mail: Add alias 2021-04-17 12:15:43 +02:00
Simon Bruder e070cb9107
vueko/mail: Add alias 2021-04-17 10:56:15 +02:00
Simon Bruder 438fad34fb
vueko/mail: Reorganise vim folds 2021-04-17 10:47:07 +02:00
Simon Bruder d09fb92fac
Update sources 2021-04-16 19:19:03 +02:00
Simon Bruder cd30750fdc
fuuko/media-backup: Init
Fixes #49.
2021-04-16 17:13:46 +02:00
Simon Bruder 942a5ffb04
zsh: Increase history size to 100000 2021-04-14 21:55:49 +02:00
Simon Bruder b9abd825cb
vueko/mail: Add alias 2021-04-14 15:43:16 +02:00
Simon Bruder 6cff58fcb0
games: Disable osu-lazer-sandbox
Currently the build fails with (multiple instances of) error NU3037:
Package '…' from source '/build/source/nixos': The author primary
signature validity period has expired.
2021-04-13 09:58:07 +02:00
Simon Bruder ec09bbf6c6
fuuko/gitea: Remove version override
Version 1.14.0 has been released and is in nixpkgs.
2021-04-13 09:08:04 +02:00
Simon Bruder 6af6e2b2d3
Update sources 2021-04-13 08:48:32 +02:00
Simon Bruder 602573cd34
fuuko/dnsmasq: Reliably work after reboot 2021-04-10 23:23:46 +02:00
Simon Bruder bb8c54065a
fuuko/drone/runner-exec: Remove port collision with grafana
Drone docs [1] say “Overriding this value is not recommended”, however I
do not see why I should not be able to change it.

[1] https://docs.drone.io/runner/exec/configuration/reference/drone-http-bind/
2021-04-10 23:21:46 +02:00
Simon Bruder 746581ceba
fuuko/dnsmasq: Replace stubby/DoT with https-dns-proxy/DoH 2021-04-10 20:16:08 +02:00
Simon Bruder bed82e297c
sayuri: Migrate to sops
Fixes #38.
2021-04-10 11:58:50 +02:00
Simon Bruder 62a17a54b4
pkgs/osu-lazer: Remove random song button from footer
This also reorganises the other patch I apply.
2021-04-09 12:09:45 +02:00
Simon Bruder feb82fca2e
nix: Make netrc readable by wheel group
This also splits the nix configuration from the default module into its
own file.
2021-04-09 11:34:49 +02:00
Simon Bruder 5d31f32df8
Update sources 2021-04-09 11:02:31 +02:00
Simon Bruder 5dff1a426f
fuuko/binary-cache: Add nar-serve 2021-04-08 21:40:14 +02:00
Simon Bruder 8d9e3af211
Add binary cache hosted on fuuko
See machines/fuuko/services/binary-cache.nix for limitations.
2021-04-08 16:19:57 +02:00
Simon Bruder 07d4260b95
nix: Use daemonNiceLevel instead of CPUSchedulingPolicy 2021-04-08 15:42:49 +02:00
Simon Bruder 4ece15d0f6
programs: Add mkpasswd 2021-04-08 13:36:44 +02:00
Simon Bruder 596b65b153
Update sources 2021-04-08 10:06:05 +02:00
Simon Bruder 68fbc9e185
fuuko/go-neb: Notify room if alert is firing 2021-04-08 10:04:30 +02:00
Simon Bruder 9dbd7f9c85
vueko/coturn: Manage shared secret with sops
This requires not using the NixOS module, since it does not support
loading it from a file.
2021-04-07 12:23:48 +02:00
Simon Bruder 4a8a7e0a4f
Use sops for secrets
Since I currently do not have access to sayuri, sayuri’s migration is
not done yet. The host keys and wg-home-private-key secret still have to
be added.
2021-04-06 14:05:48 +02:00
Simon Bruder b595aceb7c
initrd-ssh: Treat host-key as state
This also removes the explicit passing of the public key fingerprint to
the unlock script, since the host key is no longer available in pass.
Unlocking still works, since the keys are configured in modules/ssh.nix.
2021-04-06 11:45:04 +02:00
Simon Bruder aaaeb56f18
git: Add sops diff textconv 2021-04-06 11:36:08 +02:00
Simon Bruder 41f8d468b6
restic/system: Include /root and /etc 2021-04-06 10:47:05 +02:00
Simon Bruder a102f691a6
tools: Add ssh-to-pgp 2021-04-06 10:21:48 +02:00
Simon Bruder d253f74a06
sayuri: Fill in purpose section of readme
Also, next time try to spell FIXME the right way so I don’t notice this
months after setting the machine up.
2021-04-05 13:38:33 +02:00
Simon Bruder 5c4284d68c
fuuko: Add dnsmasq prometheus exporter 2021-04-05 13:18:43 +02:00
Simon Bruder 6f20d6300d
programs: Use unstable streamlink
Streamlink from 20.09 does not work (at least for low-latency twitch).
2021-04-05 11:50:31 +02:00
Simon Bruder d9a04d1f60
Update sources 2021-04-05 10:17:00 +02:00
Simon Bruder 97974a9616
programs: Add streamlink 2021-04-04 16:00:14 +02:00
Simon Bruder 4e3c1ad6fa
Update sources 2021-04-04 15:49:02 +02:00
Simon Bruder 3b96a823ee
programs: Use (lib)qalculate(-gtk) from unstable
In 20.09’s version currency conversion is broken.
2021-04-04 15:46:35 +02:00
Simon Bruder c26539e607
fuuko/prometheus: Actually show node name in alerts 2021-04-04 14:34:44 +02:00
Simon Bruder 37f95b3d79
ssh: Add global known hosts
Fixes #47.
2021-04-04 11:29:31 +02:00
Simon Bruder 1b08afd515
fuuko/gitea: Also use ed25519 ssh key 2021-04-04 11:18:34 +02:00
Simon Bruder 0212f2adbd
fuuko/drone: Init 2021-04-03 18:47:01 +02:00
Simon Bruder ac7e1c1123
fuuko/dnsmasq: Use DNS over TLS via stubby 2021-04-03 13:11:09 +02:00
Simon Bruder 891697f80c
programs: Add dog 2021-04-03 13:02:21 +02:00
Simon Bruder e186893654
Update sources 2021-04-03 11:37:54 +02:00
Simon Bruder ce7425d8c4
Remove issei from vpn and prometheus 2021-04-02 18:13:09 +02:00
Simon Bruder 94b2746018
fuuko/go-neb: Add alertmanager matrix receiver 2021-04-02 17:46:07 +02:00
Simon Bruder 2897451a65
fuuko/prometheus: Set external URLs 2021-04-02 16:44:17 +02:00
Simon Bruder 8b1b969aa9
fuuko: Set target to production hostname 2021-04-02 15:10:14 +02:00
Simon Bruder 98a4f345eb
fuuko/matrix/mautrix-whatsapp: Init 2021-04-02 15:09:57 +02:00
Simon Bruder 0ae96653a5
fuuko/matrix/synapse: Init 2021-04-02 14:59:14 +02:00
Simon Bruder 3b6a9dfc40
Update sources 2021-04-02 10:11:33 +02:00
Simon Bruder 6459a2a7ef
fzf: Add better default commands and options 2021-04-01 14:43:16 +02:00
Simon Bruder b6297d0153
vueko/coturn: Init 2021-03-31 12:08:35 +02:00
Simon Bruder bc2851de6b
programs: Replace pdfsam with pdfarranger 2021-03-31 10:02:10 +02:00
Simon Bruder 9be9148da8
zsh/pass-wrappers: Remove unnecessary functions
I no longer host a docker registry or minio server.
2021-03-30 23:53:20 +02:00
Simon Bruder 15075a818d
installation: Remove FIXME from comments
Otherwise grepping for FIXME shows this, even though it’s not what you
expect.
2021-03-30 23:49:08 +02:00
Simon Bruder 2d74dac8c0
fuuko/hedgedoc: Start after postgresql 2021-03-30 16:13:20 +02:00
Simon Bruder a32b45ebb7
Update sources 2021-03-30 10:06:52 +02:00
Simon Bruder e94c72e42e
Add open ports for quick tests 2021-03-29 22:26:10 +02:00
Simon Bruder 1521f10806
waybar: Do not print status on mpc invocation 2021-03-29 16:20:24 +02:00
Simon Bruder 50f0968738
fuuko: Add gitea 2021-03-29 14:08:53 +02:00
Simon Bruder 5491ef4817
vueko/mailserver: Add gitea user 2021-03-29 13:48:10 +02:00
Simon Bruder 2484140e59
Update sources 2021-03-29 12:53:57 +02:00
Simon Bruder a7ad88a5ec
Include unstable channel as overlay
This allows nix cli tools to access unstable from niv’s pinned rev
(instead of having to rely on uncached and unpinned
channel:nixos-unstable). Also packageOverrides might get
deprecated/removed[1] eventually.

[1]: https://github.com/NixOS/nixpkgs/issues/43266
2021-03-29 12:03:58 +02:00
Simon Bruder cb8a8f3c8d
fuuko/prometheus: Enable admin API 2021-03-28 11:04:48 +02:00
Simon Bruder 55099f1884
fuuko/prometheus: Raise retention time to 90d 2021-03-28 11:04:25 +02:00
Simon Bruder c8b7a9c8e9
gui: Install adwaita icons system-wide 2021-03-27 13:22:34 +01:00
Simon Bruder c1992958bf
media-proxy: Start after network is online 2021-03-27 12:45:43 +01:00
Simon Bruder 90c2ab9d0a
Update sources 2021-03-26 21:40:33 +01:00
Simon Bruder 9f8c80029d
vueko/mailserver: Add aliases 2021-03-26 19:40:20 +01:00
Simon Bruder aa6458f4bf
ytcc: Init 2021-03-25 13:57:26 +01:00
Simon Bruder 57de9427ea
Update sources 2021-03-25 13:42:59 +01:00
Simon Bruder d2ee32fdb1
Update sources 2021-03-22 20:57:48 +01:00
Simon Bruder fa1c274248
mpv: Update FSRCNNX x2
This also changes the model to 8-0-4-1 (new upstream default). Since
upstream replaced the old model on GitHub releases instead of adding a
new release, previous generations that don’t have the old model cached
won’t build anymore.
2021-03-22 08:31:51 +01:00
Simon Bruder 5e8fb02b78
vueko/mail: Add alias 2021-03-21 11:53:47 +01:00
Simon Bruder 58c72c3200
Allow build on machines that are missing secrets 2021-03-21 11:36:14 +01:00
Simon Bruder 320f438d02
git: Add gsc alias 2021-03-20 21:24:02 +01:00
Simon Bruder 8a0f3c5f6b
pkgs: Inherit callPackage from super 2021-03-20 21:10:09 +01:00
Simon Bruder 187cc904bc
mpv: Move pitchcontrol script to overlay 2021-03-20 21:07:37 +01:00
Simon Bruder e723e75ca8
Update sources 2021-03-20 17:14:51 +01:00
Simon Bruder 08d65e5ae5
Update sources 2021-03-20 10:37:56 +01:00
Simon Bruder 041262fc7a
git: Add aliases 2021-03-19 19:46:57 +01:00
Simon Bruder 9ec9b078dd
Update sources 2021-03-18 11:09:20 +01:00
Simon Bruder f7a27d623b
Revert "mpv: clear-speed: Use firefox’s scaletempo config"
This reverts commit 3b2f41f18a.
2021-03-16 17:46:22 +01:00
Simon Bruder 33ff48da8e
Update sources 2021-03-15 20:49:00 +01:00
Simon Bruder 29af8010a2
user: Remove docker-ls configuration
I don’t have my own docker registry anymore, so this configuration
doesn’t work.
2021-03-13 11:00:41 +01:00
Simon Bruder 7cb3142526
nunotaba: Disable docker
Fixes #15.
2021-03-13 10:59:43 +01:00
Simon Bruder 470ade7e2b
Update sources 2021-03-13 10:53:46 +01:00
Simon Bruder 3b2f41f18a
mpv: clear-speed: Use firefox’s scaletempo config 2021-03-12 15:10:13 +01:00
Simon Bruder 168e492c12
Use firefox-esr
Since Firefox 86, firefox freezes after some time when playing a video.
This only happens on wayland, but using xwayland causes weird stutters.
Downgrading is only meant to be a temporary solution.
2021-03-11 19:09:00 +01:00
Simon Bruder b55144906f
Set user environment variables with home-manager 2021-03-11 19:08:08 +01:00
Simon Bruder a3d1fa50b1
Update sources 2021-03-11 14:11:11 +01:00
Simon Bruder 9b9f574d52
tools: Add dmidecode 2021-03-10 15:49:53 +01:00
Simon Bruder 5df5cf4068
Update sources 2021-03-10 15:43:22 +01:00
Simon Bruder 57652d8a79
fuuko: Add hedgedoc 2021-03-10 15:42:21 +01:00
Simon Bruder 966667b87f
fuuko: Exclude scans from system backup 2021-03-10 11:27:56 +01:00
Simon Bruder db54dfaed1
fuuko/dnsmasq: Allow DNS queries over TCP
Sharepoint manages to return enormous responses when querying for an
AAAA record.

$ dig sitename.sharepoint.com AAAA
;; Truncated, retrying in TCP mode.
2021-03-10 09:13:37 +01:00
Simon Bruder d6bddf40c0
fuuko: Add ankisyncd 2021-03-09 21:22:19 +01:00
Simon Bruder 429144166d
mpv: Add sponsorblock 2021-03-09 15:48:13 +01:00
Simon Bruder 3a5568a136
fuuko: Enable full postgresql backup 2021-03-09 11:50:32 +01:00
Simon Bruder a3c954fa01
mpv: Generate visualiser profiles with function 2021-03-09 11:35:13 +01:00
Simon Bruder 922a359497
mpv: Remove musicvideo-c64 profile
It only has a single purpose and I haven’t used it in the last year or so.
2021-03-09 11:23:14 +01:00
Simon Bruder e0d50e0435
wordclock-dimmer: Reconnect before setting color
Also remove apostrophe that I have no idea how it got there.
2021-03-09 08:41:52 +01:00
Simon Bruder ee31882b9a
Update sources 2021-03-08 21:19:55 +01:00
Simon Bruder 515939677b
fuuko/torrent: Add resolv.conf to aria2 netns
Even though aria2 doesn’t respect it, it is useful for debugging.
2021-03-08 19:38:26 +01:00
Simon Bruder d73da1a131
restic/system: Limit upload to 1.5M by default 2021-03-08 18:46:35 +01:00
Simon Bruder 3da67f7576
fuuko: Enable system backups 2021-03-08 17:33:30 +01:00
Simon Bruder e8626ba27a
fuuko: Add wordclock-dimmer 2021-03-08 17:03:30 +01:00
Simon Bruder 0c081d9805
fuuko: Add dnsmasq 2021-03-08 16:19:49 +01:00
Simon Bruder 786edd1caf
fuuko: Add aria2 2021-03-08 15:55:24 +01:00
Simon Bruder 07f152cb20
fuuko: Add media file index 2021-03-08 15:40:41 +01:00
Simon Bruder 878bdd30d5
fuuko: Add ftp server and scan converter 2021-03-08 15:30:04 +01:00
Simon Bruder d1cf0f698f
fuuko: Add grafana 2021-03-08 15:10:15 +01:00
Simon Bruder 70ee44fbc5
fuuko: Add prometheus fritzbox exporter 2021-03-08 15:10:15 +01:00
Simon Bruder f388995ef6
fuuko: Add prometheus 2021-03-08 15:10:15 +01:00
Simon Bruder df303dcc2b
fuuko: Init 2021-03-08 15:10:15 +01:00
Simon Bruder d239f2ad5e
mako: Implement notification inhibition
Fixes #43.
2021-03-07 20:25:15 +01:00
Simon Bruder 442297ec85
sway: Use kanshi for output management
Fixes #46.
2021-03-07 17:38:35 +01:00
Simon Bruder 724bcd31c5
vueko/nginx: Make vueko.sbruder.de default vhost 2021-03-07 15:51:09 +01:00
Simon Bruder b6e2d2f347
vueko/nginx: Enable recommended proxy settings 2021-03-07 15:49:24 +01:00
Simon Bruder e72d225a0a
Update sources 2021-03-07 15:16:28 +01:00
Simon Bruder 3ddb86d504
Update sources 2021-03-06 17:17:29 +01:00
Simon Bruder 542a89ef57
sayuri: Add foldingathome specialisation 2021-03-06 15:32:18 +01:00
Simon Bruder 65931f8b85
Update sources 2021-03-05 19:54:13 +01:00
Simon Bruder cbf2536e32
vueko: Enable nginx hardening 2021-03-05 16:00:10 +01:00
Simon Bruder 270f20d05b
Add nginx hardening option 2021-03-05 15:58:53 +01:00
Simon Bruder bdda31a807
vueko/mail: Add alias 2021-03-04 20:08:37 +01:00
Simon Bruder 4d474043a0
sway/swaynag: Deduplicate config 2021-03-04 09:39:14 +01:00
Simon Bruder da6788d036
Update sources 2021-03-04 08:00:11 +01:00
Simon Bruder 380c5b0ec5
mpv: Optimise clear-speed profile
It now *almost* sounds as good as firefox, though it sometimes still is
harder to understand.
2021-03-03 22:55:50 +01:00
Simon Bruder 4923f70389
sway/waybar: Use html entity for thinsp
This also moves it to waybar’s let binding, since it is only needed
there.
2021-03-03 21:49:35 +01:00
Simon Bruder c0a130fa59
xdg: Set firefox as default browser
Strangely, it has been working until recently without explicit
configuration (probably starting chromium changed it by setting
something stateful).
2021-03-03 21:44:40 +01:00
Simon Bruder a962fea3a8
sway/waybar: Use correct muted icon 2021-03-03 21:40:24 +01:00
Simon Bruder 05d2529db7
sway/waybar: Add abstraction for unit management
This also passes the unit state as a stream instead of requiring waybar
to poll for the state.
2021-03-02 12:36:50 +01:00
Simon Bruder 2bbe4e715b
sway: Decouple xdg.configFiles
This also adds an empty let binding to the waybar config to avoid an
upcoming commit to introduce a huge diff (twice, since this commit also
would have reformatted the entire waybar configuration).
2021-03-02 12:26:06 +01:00
Simon Bruder 57403a2d52
sway: Fix log pollution
Fixes #44.
2021-03-02 10:36:41 +01:00
Simon Bruder ceda178acf
sway: Manage mako with systemd 2021-03-02 09:49:15 +01:00
Simon Bruder e17aa4bc6b
sway: Manage swayidle with systemd 2021-03-02 09:31:53 +01:00
Simon Bruder d8f75f167a
sway: Manage waybar with systemd 2021-03-02 09:31:22 +01:00
Simon Bruder c7349c4939
zsh: Unset LESS_TERMCAP_* variables 2021-03-02 08:47:23 +01:00
Simon Bruder b3cc7cf907
sway: Redirect output to journal 2021-03-02 08:26:28 +01:00
Simon Bruder c0f7daa411
Update sources 2021-03-01 23:05:15 +01:00
Simon Bruder 081e731be2
neovim: Add unzip to user environment 2021-03-01 18:40:07 +01:00
Simon Bruder eccea38759
mpv: Use youtube-dl’s default format
mpv overrides my custom format with `bestvideo+bestaudio/best`
(youtube-dl upstream default). This applies a patch (from upstream) that
adds a magic value to remove the override. Since home-manager’s mpv
module only supports overriding the mpv package in 21.05, it is done in
the overlay.

Fixes #39.
2021-03-01 17:30:58 +01:00
Simon Bruder fd11348b56
Explain machines/*/secrets in readme 2021-03-01 13:54:41 +01:00
Simon Bruder c30776cea6
Explain machines/*/services in readme 2021-03-01 13:54:18 +01:00
Simon Bruder 5c27e0d423
ncmpcpp: Make block visualizer spectrum character 2021-03-01 09:37:34 +01:00
Simon Bruder 9c19647e76
zsh: Alias ip to ip --color=auto 2021-02-28 20:43:42 +01:00
Simon Bruder 90feb2e3be
zsh: Sort aliases 2021-02-28 20:43:42 +01:00
Simon Bruder 86348d4c60
vueko: Add element-web 2021-02-28 16:16:06 +01:00
Simon Bruder 8392b9937a
Update sources 2021-02-28 14:58:48 +01:00
Simon Bruder b2449c3fe6
osu-lazer-container: Rename to osu-lazer-sandbox 2021-02-28 13:28:13 +01:00
Simon Bruder 83f1c69713
restic/system: Constantly use system for naming
In the future I may add other backup jobs, so it should be clear,
that this only backs up the system.
2021-02-28 12:22:43 +01:00
Simon Bruder d7272e9db3
restic: Simplify timerConfig
The upstream restic module validates the types anyway, so I can drop the
ugly expression to copy the option.
2021-02-28 12:22:42 +01:00
Simon Bruder 6a8904011a
restic: Fix typo in excludes filename 2021-02-28 12:22:42 +01:00
Simon Bruder 3934c84644
zsh: Disable grml’s sad-smiley prompt 2021-02-28 11:27:08 +01:00
Simon Bruder 209ba3c5f6
programs: Remove starship (duplicate)
The home-manager starship module already adds it to the environment.
2021-02-28 11:27:06 +01:00
Simon Bruder c77328af22
Replace builtins with lib where possible 2021-02-27 19:57:00 +01:00
Simon Bruder f03c1daa31
mpd: Export socket path as environment variable
This eliminates the need to specify it manually every time.
2021-02-27 18:34:35 +01:00
Simon Bruder a745d7353e
sway: Add autostart to zshrc instead of zprofile
home-manager’s sessionVariables are not loaded yet when sway starts.
2021-02-27 18:34:35 +01:00
Simon Bruder b855ed533d
mpd/ncmpcpp: Use host from mpd module 2021-02-27 18:16:39 +01:00
Simon Bruder b3d28b4752
vueko/mail: Add alias 2021-02-27 17:24:26 +01:00
Simon Bruder 1103dd5000
user/programs: Add wev 2021-02-27 16:55:42 +01:00
Simon Bruder 0ecdb8c4f7
user/programs: Correct sorting 2021-02-27 16:55:18 +01:00
Simon Bruder e73aedb584
Update sources 2021-02-27 12:38:58 +01:00
Simon Bruder 9570d63d15
Update sources 2021-02-25 12:09:53 +01:00
Simon Bruder 13a80e122b
Update sources 2021-02-23 23:14:36 +01:00
Simon Bruder 790c4d03c0
mpd: Use package from unstable
The version from 20.09 logs every time a client connects (which pollutes
the journal) and I did not find an easy way to change this. The logging
was changed in a newer mpd version and the default log level now doesn’t
log connects.
2021-02-22 11:15:49 +01:00
Simon Bruder 2a4e358502
node_exporter: Disable rapl collector
It does not work since the service does not have permission and
therefore writes errors into the journal every scrape.
2021-02-21 00:06:16 +01:00
Simon Bruder 13876617f5
node_exporter: Fix name of systemd collector 2021-02-21 00:04:26 +01:00
Simon Bruder 785bb2214b
wireguard/home: Add dns server 2021-02-20 19:57:10 +01:00
Simon Bruder be7e67cf1f
wireguard/home: Make vueko central server
This also restructures the wireguard/home configuration, since now
better peer management is possible.
2021-02-20 19:57:04 +01:00
Simon Bruder c921c2802a
tools: Add compsize 2021-02-20 12:47:27 +01:00
Simon Bruder 5dfe492baf
pkgs: Add aria2_exporter 2021-02-20 12:37:10 +01:00
Simon Bruder 65603effa9
Update sources 2021-02-19 18:49:27 +01:00
Simon Bruder 94f3aae5b9
tmate: Init 2021-02-18 16:37:45 +01:00
Simon Bruder e0ef586e5e
nginx-interactive-index: Init 2021-02-18 12:10:03 +01:00
Simon Bruder ceff40f84d
Update sources 2021-02-18 09:19:18 +01:00
Simon Bruder 0ec1fb5257
Make aesni_intel module available on boot
This should increase LUKS performance significantly. In reality,
however, it doesn’t work that well. The difference of raw vs encrypted
block device speed still is ~ 100 MiB/s. Even more confusing is that
nunotaba’s Intel DC SSD only manages ~ 350 MiB/s **without** encryption.
2021-02-17 15:33:10 +01:00
Simon Bruder dd93b4c748
Update sources 2021-02-17 14:04:03 +01:00
Simon Bruder e21c769524
machines/installation: Set key map 2021-02-16 17:34:21 +01:00
Simon Bruder 16c710d4a5
shell/unlock: Make unlock work if agent is locked 2021-02-16 15:55:17 +01:00
Simon Bruder 27285a098f
vueko: Serve imprint over http 2021-02-14 19:49:05 +01:00
Simon Bruder f827456d0c
pkgs: Add imprint 2021-02-14 19:48:50 +01:00
Simon Bruder b00498f23d
tools: Add hdparm 2021-02-14 15:30:44 +01:00
Simon Bruder eb97e936ed
zsh: Use grml config system wide 2021-02-14 13:29:51 +01:00
Simon Bruder e8a6110521
Update sources 2021-02-13 10:35:41 +01:00
Simon Bruder 1a7ef37376
home: Use nixosConfig instead of inheriting options 2021-02-12 21:12:03 +01:00
Simon Bruder 474cc7d0f7
sayuri: Disable docker 2021-02-11 14:11:30 +01:00
Simon Bruder 8689ace70d
Update sources 2021-02-11 13:13:16 +01:00
Simon Bruder 3fc9846bf7
vueko: resolved: Disable dnssec 2021-02-10 14:22:00 +01:00
Simon Bruder 3ba514c502
vueko: Add readme 2021-02-09 13:38:32 +01:00
Simon Bruder 15cdd42845
Remove global swapiness
All machines should either import <nixpkgs-hardware/common/pc/hdd> or
<nixpkgs-hardware/common/pc/ssd> if they have swap.
2021-02-08 23:20:31 +01:00
Simon Bruder 29c6d37142
Remove journald extra configuration
Since `Storage=persistent` is the default in NixOS, it is not needed.
2021-02-08 23:19:02 +01:00
Simon Bruder 8c92c1b792
youtube-dl: Add 2021-02-08 20:40:54 +01:00
Simon Bruder d6d2857322
git: Add textconv hook for age diff 2021-02-08 19:19:18 +01:00
Simon Bruder 78c9a2cab9
tools: Add (r)age 2021-02-08 19:17:13 +01:00
Simon Bruder bd8b809486
vueko: Add bang-evaluator 2021-02-07 21:02:11 +01:00
Simon Bruder dde17cf4ec
pkgs: Add bang-evaluator
I don’t know if (and doubt that) this is a good solution. I can’t simply
callPackage it, since it does not use a callPackage compatible nix
expression but rather a ready-to-build default.nix. Also, I need the
source in two different files, one of which can’t use nixpkgs fetchers.
2021-02-07 21:00:09 +01:00
Simon Bruder b8601e6fd3
vueko/mailserver: Change user’s password 2021-02-07 19:59:50 +01:00
Simon Bruder f7287365ff
vueko: Add murmur 2021-02-07 12:29:22 +01:00
Simon Bruder 8037f5eb5e
deploy: Only send the wanted machine configuration
This avoids having secrets that are managed with git-crypt on every
system.
2021-02-07 11:30:42 +01:00
Simon Bruder 1bf141ce03
Update sources 2021-02-06 19:14:08 +01:00
Simon Bruder 75a91e9116
vdirsyncer: Use new credentials 2021-02-06 18:07:53 +01:00
Simon Bruder 9b5a991074
vueko: Add wg-home 2021-02-06 17:10:49 +01:00
Simon Bruder 34ec244fcc
vueko: Add mail and dav server 2021-02-06 16:51:10 +01:00
Simon Bruder 62f1dbe30f
mailserver: Disable recipient_restrictions for submission
Otherwise, sending mails to slow destinations might fail (with the
client throwing an error).
2021-02-06 16:51:10 +01:00
Simon Bruder 9c62905442
mailserver: Add module 2021-02-06 12:48:05 +01:00
Simon Bruder e45b18abd0
Add 1 git-crypt collaborator
New collaborators:

	F309F8EC Simon Bruder <simon@sbruder.de>
2021-02-05 18:01:49 +01:00
Simon Bruder 335f2908e7
tools: Add ccze 2021-02-05 17:51:29 +01:00
Simon Bruder 5ed071c0ed
Move admin tools to system tools
Fixes #37.

This also removes some tools from the user profile since I do not need
them anymore.
2021-02-05 17:34:34 +01:00
Simon Bruder 998d47fd1a
nix: Only keep outputs and drvs on full systems 2021-02-05 17:19:19 +01:00
Simon Bruder bfd192b2a8
vueko: Make small system 2021-02-05 15:39:17 +01:00
Simon Bruder 1437601d5a
Reduce locales and disable docs on small systems 2021-02-05 15:36:51 +01:00
Simon Bruder 6a114a6b7f
Update sources 2021-02-05 14:11:53 +01:00
Simon Bruder 520d750404
firewall: Entirely disable reverse path checking
This hopefully fixes #26 (or more specific a regression caused by it,
see the comment in the issue). I didn’t test it for long, but it seems
to work.
2021-02-02 21:40:30 +01:00
Simon Bruder d8514ab12c
Re-enable waifu2x-converter-cpp
Upstream released a new version which fixes building with gcc10 and
nixpkgs already updated to it.
2021-02-01 20:51:34 +01:00
Simon Bruder 43fbc20020
Update sources 2021-02-01 20:45:22 +01:00
Simon Bruder daf867dcb9
machines: Add vueko
This only adds a minimal configuration.
2021-02-01 17:33:29 +01:00
Simon Bruder 34c801c7e9
Make it possible to disable smartd per-machine
On virtual machines it does not make much sense to have it activated
(also the service fails to start).
2021-02-01 17:03:26 +01:00
Simon Bruder cce86ac2c9
pkgs: Add wordclock-dimmer (including module) 2021-01-31 19:48:18 +01:00
Simon Bruder a02d3cb883
Use separate state version for every machine
This also uses the system state version as the home-manager state
version.

Fixes #35.
2021-01-31 12:21:05 +01:00
Simon Bruder f211bae4e2
Globally set Let’s Encrypt requirements 2021-01-31 12:21:05 +01:00
Simon Bruder 3304c8e62e
programs: Add poppler_utils 2021-01-30 23:27:53 +01:00
Simon Bruder ebddfd35ba
Update sources 2021-01-30 17:09:25 +01:00
Simon Bruder 1a63539df8
Update readme to better reflect current state
Fixes #7.
2021-01-30 16:43:04 +01:00
Simon Bruder 4664265bb0
Add installation machine
Its configuration does not fit a real machine, but rather serves as a
minimal configuration for new machines during installation.
2021-01-30 16:41:06 +01:00
Simon Bruder d61fc70f23
mpd: Only enable when gui is enabled 2021-01-30 13:27:29 +01:00
Simon Bruder 82d5a24dfa
deploy: Do not fail with broken local config 2021-01-29 16:04:38 +01:00
Simon Bruder 241bc188cb
sayuri: Use performance scaling governor
That machine is not very energy efficient anyway.
2021-01-29 15:54:59 +01:00
Simon Bruder 05a72217aa
Use nixos-hardware for hardware configuration
This removes the manual modules that use options to activate hardware
configuration. It seems too general (e.g. newer Intel GPUs require
different opencl icd) or not flexible enough (in case of the ssd
module).

Closes #21.
2021-01-29 15:50:16 +01:00
Simon Bruder 55fb2cfdda
shell.nix: Add luks remote unlock script
Closes #9.
2021-01-28 19:02:19 +01:00
Simon Bruder e7c6406820
Decouple machine configuration and deployment
This allows custom scripts to access machine-specific variables.
2021-01-28 17:08:08 +01:00
Simon Bruder 204962d0f3
user: Fix gui programs being installed by mistake 2021-01-28 16:35:54 +01:00
Simon Bruder 67fe507a2d
Update sources 2021-01-27 21:55:55 +01:00
Simon Bruder d6df163d2e
Update sources 2021-01-26 18:44:43 +01:00
Simon Bruder 603a006df8
Make routing all traffic over wireguard tunnel work
Fixes #26 (regression introduced in
126a0dad4b)

This is not an ideal solution, since it disables some features of the
firewall. Ideally, the mullvad configuration would be declaratively
managed and include a PostUp and PreDown command that adds routes to the
tunnel endpoint to the physical interface.
2021-01-24 14:44:00 +01:00
Simon Bruder bcbd5e772a
gui: Use better way to enable 32bit opengl support 2021-01-24 12:51:56 +01:00
Simon Bruder 617fc28668
Update sources 2021-01-23 08:53:09 +01:00
Simon Bruder 5ecebf4435
nvim: Add nix snippet for sha256 hash 2021-01-22 20:18:39 +01:00
Simon Bruder 428e8103d9
tools/adb: Use proper way to determine if x86_64 2021-01-20 16:40:36 +01:00
Simon Bruder d8b8e5de93
libvirt: Remove custom option 2021-01-20 16:31:59 +01:00
Simon Bruder e5f90116e8
network-manager: Reformat module 2021-01-20 16:28:52 +01:00
Simon Bruder 64ef37badd
Move global lidSwitchDocked setting to nunotaba 2021-01-20 16:27:51 +01:00
Simon Bruder c1283b6ffa
Add option to disable large packages
Fixes #27

This adds the `sbruder.full` option (enabled by default), which disables
some otherwise enabled packages/modules when disabled. When setting it
to false on a full gui system it reduces the size of the system closure
by over 50%. It is intended for systems with low (main) disk space.
2021-01-20 16:23:18 +01:00
Simon Bruder 80cae99fef
Update sources 2021-01-20 15:32:46 +01:00
195 changed files with 10664 additions and 2288 deletions

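--- a/.envrc
+++ b/.envrc
@@ -1 +1 @@
-use nix
+use flake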

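--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,6 @@
 *.png filter=lfs diff=lfs merge=lfs -text
 *.jpg filter=lfs diff=lfs merge=lfs -text
+*.svg filter=lfs diff=lfs merge=lfs -text
 **/secrets/** filter=git-crypt diff=git-crypt
+**/secrets.yaml diff=sops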

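--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,48 @@
+keys:
+- &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+- &nunotaba 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
+- &sayuri 17FEEBB45E4245330507C960653378F10CA6E00A
+- &vueko BB046D773F54739757553A053CB9B8EFD7FED749
+- &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
+- &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
+- &yuzuru F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
+creation_rules:
+- path_regex: machines/nunotaba/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *nunotaba
+- path_regex: machines/sayuri/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *sayuri
+- path_regex: machines/vueko/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *vueko
+- path_regex: machines/fuuko/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *fuuko
+- path_regex: machines/mayushii/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *mayushii
+- path_regex: machines/yuzuru/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *yuzuru
+- path_regex: secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *nunotaba
+- *sayuri
+- *vueko
+- *fuuko
+- *mayushii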
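Review bot: The catch-all rule `path_regex: secrets\.yaml$` at the end lists every machine key except `*yuzuru`, although yuzuru has a key entry and its own per-machine rule above; if that is deliberate, a comment such as `# yuzuru intentionally has no access to the shared secrets.yaml` next to the rule would stop the next reader from treating it as a forgotten update, and if it is not, the key needs to be added and `sops updatekeys` run on the file. Because the shared file is decryptable by every listed host key, anything stored there is exposed to whichever single machine is compromised, so the per-machine `machines/<host>/secrets.yaml` files should stay the default location and the shared file should be reserved for secrets every host genuinely needs. The per-machine regexes are anchored only at the end, so a path such as `other/machines/nunotaba/secrets.yaml` would also match; prefixing them with `^` is cheap and removes the ambiguity.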

133
README.md

@ -1,17 +1,45 @@
# NixOS configuration # NixOS configuration
## Structure
* `machines`: Machine-specific configuration
+ `README.md`: Short overview of the hardware and usage of the machine
+ `configuration.nix`: Main configuration
+ `hardware-configuration.nix`: Hardware-specific configuration. It should
not depend on any modules or files from this repository, since it is used
for initial setup.
+ `services`: Non-trivial machine-specific configuration related to a
specific service the machine provides.
+ `secrets`: Nix expressions that include information that is not meant to
be visible to everyone (e.g. accounts, password hashes, private
information etc.) or secrets for services that dont provide any other
(easy) way of specifying them and whose secrets leaking does not pose a
huge threat
* `modules`: Custom modules. Many are activated by default, since I want them
on all systems.
* `pkgs`: My nixpkgs overlay
* `users/simon`: [home-manager](https://github.com/nix-community/home-manager)
configuration
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
Machines can be deployed with `nix run .#deploy/hostname`, LUKS encrypted
systems can be unlocked over network with `nix run .#unlock/hostname`.
## How to install ## How to install
This guide describes how to install this configuration (or any NixOS This guide describes how to install this configuration with GPT and BIOS boot.
configuration) with GPT and legacy (BIOS) boot. It is not a one-fits-all guide, but the base for what I use for interactive
systems. Servers and specialised systems may need a different setup (e.g. swap
with random luks passphrase and no LVM).
If you do not have a wired connection, first set up wifi Set up wifi if no wired connection is available:
wpa_passphrase "SSID" "PSK" | sudo wpa_supplicant -B -i wlp4s0 -c/dev/stdin wpa_passphrase "SSID" "PSK" | wpa_supplicant -B -i wlp4s0 -c/dev/stdin
Create the partition table (enter the indented lines in the repl). Create the partition table (enter the indented lines in the repl):
sudo parted /dev/sdX parted /dev/sdX
mktable GPT mktable GPT
mkpart primary 1MiB 2MiB mkpart primary 1MiB 2MiB
mkpart primary 2MiB 500MiB mkpart primary 2MiB 500MiB
@ -20,69 +48,76 @@ Create the partition table (enter the indented lines in the repl).
disk_toggle pmbr_boot disk_toggle pmbr_boot
quit quit
Format encrypted partition and open it On UEFI:
sudo cryptsetup luksFormat /dev/sdX3 parted /dev/nvmeXnY
sudo cryptsetup luksOpen /dev/sdX3 HOSTNAME-pv mktable GPT
mkpart ESP 1MiB 512MiB
mkpart root 512MiB 100%
set 1 esp on
quit
Create LVM (replace `8G` with desired swap size) Format encrypted partition and open it:
sudo pvcreate /dev/mapper/HOSTNAME-pv cryptsetup luksFormat --type luks2 /dev/sdX3
sudo vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv cryptsetup open --type luks2 /dev/sdX3 HOSTNAME-pv
sudo lvcreate -L 8G -n swap HOSTNAME-vg
sudo lvcreate -l '100%FREE' -n root HOSTNAME-vg Create LVM (replace `8G` with desired swap size):
pvcreate /dev/mapper/HOSTNAME-pv
vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv
lvcreate -L 8G -n swap HOSTNAME-vg
lvcreate -l '100%FREE' -n root HOSTNAME-vg
**Hint**: If you have to reboot to the installation system later because **Hint**: If you have to reboot to the installation system later because
something went wrong and you need access to the LVM (but dont know LVM), do something went wrong and you need access to the LVM (but dont know LVM), do
the following after opening the luks partition: `sudo vgchange -ay` the following after opening the luks partition: `vgchange -ay`.
Create filesystems Create filesystems:
sudo mkfs.ext2 /dev/sdX2 mkfs.ext2 /dev/sdX2
sudo mkfs.ext4 -L root /dev/HOSTNAME-vg/root mkfs.btrfs -L root /dev/HOSTNAME-vg/root
sudo mkswap -L swap /dev/HOSTNAME-vg/swap mkswap -L swap /dev/HOSTNAME-vg/swap
Mount the file systems and activate swap On UEFI:
sudo mount /dev/HOSTNAME-vg/root /mnt mkfs.fat -F 32 -n boot /dev/nvmeXnYpZ
sudo mkdir /mnt/boot mkfs.btrfs -L root /dev/HOSTNAME-vg/root
sudo mount /dev/sdX2 /mnt/boot mkswap -L swap /dev/HOSTNAME-vg/swap
sudo swapon /dev/HOSTNAME-vg/swap
Create the configuration (see [below](#how-to-add-new-device)) and copy this Mount the file systems and activate swap:
repository to your new home directory (e.g. `/mnt/home/simon/nixos`).
Add a symlink as the global configuration mount /dev/HOSTNAME-vg/root /mnt
mkdir /mnt/boot
sudo mkdir -p /mnt/etc/nixos/ mount /dev/sdX2 /mnt/boot
sudo ln -s ../../home/simon/nixos/machines/nunotaba/configuration.nix /mnt/etc/nixos/configuration.nix swapon /dev/HOSTNAME-vg/swap
Generate hardware configuration and copy hardware configuration to machine Generate hardware configuration and copy hardware configuration to machine
configuration configuration (skip this step if you already have a hardware-configuration for
this machine):
sudo nixos-generate-config --root /mnt/ nixos-generate-config --root /mnt/
sudo mv /mnt/etc/nixos/hardware-configuration.nix /mnt/home/simon/nixos/machines/nunotaba/hardware-configuration.nix
sudo ln -s ../../home/simon/nixos/machines/nunotaba/hardware-configuration.nix /mnt/etc/nixos/hardware-configuration.nix
Install NixOS Modify the hardware configuration as needed and add it to the machine
sudo nixos-install --no-root-passwd configuration in this repository. If necessary, create the machine
configuration first by basing it on an already existing configuration and
adding an entry to `machines/default.nix`. Then copy this repository to the
target machine and run (`--impure` is needed since `/mnt/nix/store` is not in
`/nix/store`):
Enter the target as a container and set a user password nixos-install --impure --flake /path/to/repository#hostname
sudo cp /etc/resolv.conf /mnt/etc/ # see https://github.com/NixOS/nixpkgs/issues/39665 Add the krops sentinel file:
nixos-enter
passwd simon
^D # nixos-enter
sudo rm /mnt/etc/resolv.conf
reboot
## How to add new device mkdir -p /mnt/var/src
touch /mnt/var/src/.populate
* Copy the config from the device that is similar to the new one Reboot.
* Import profiles/modules you want
* Change settings in `configuration.nix`
* Change secrets
## License ## License
[MIT License](LICENSE) Unless otherwise noted in the specific files or directories,
the files in this repository are licensed under the [MIT License](LICENSE).
This only applies to the nix expressions, not the built system or package closures.
Patches may also be licensed differently,
since they may be derivative works of the packages to which they apply.


@ -1,60 +0,0 @@
let
sources = import ./nix/sources.nix;
krops = sources.krops;
lib = import "${krops}/lib";
kropsPkgs = import "${krops}/pkgs" { };
kropsDeploy =
{ hostname
, target ? null
, secrets ? true
, extraSources ? { }
}:
let
source = lib.evalSource [
{
nixpkgs.git = {
ref = sources.nixpkgs.rev;
url = https://github.com/NixOS/nixpkgs;
shallow = true;
};
config.file = {
path = toString ./.;
filters = [
{
type = "exclude";
pattern = ".git";
}
{
type = "exclude";
pattern = "*.qcow2";
}
];
};
nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
}
(lib.mkIf secrets {
secrets.pass = {
dir = toString ~/.password-store;
name = "nixos/machines/${hostname}";
};
})
extraSources
];
in
kropsPkgs.krops.writeDeploy "deploy-${hostname}" {
source = source;
target = lib.mkTarget (if target == null then "root@${hostname}" else target) // {
extraOptions = [
# force allocation of tty to allow aborting with ^C and to show build progress
"-t"
];
};
};
in
builtins.mapAttrs (hostname: configuration: kropsDeploy ({ inherit hostname; } // configuration))
{
nunotaba = { };
sayuri = { };
}

286
flake.lock Normal file

@ -0,0 +1,286 @@
{
"nodes": {
"AriaNg": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1641157028,
"narHash": "sha256-Da9GR1v2niJCU02NnC3aKLDMkUDEN2GULFgBQAT3tsY=",
"ref": "master",
"rev": "ea678a781a34613cf67c9c81d4f176d531f40630",
"revCount": 604,
"type": "git",
"url": "https://git.sbruder.de/simon/AriaNg"
},
"original": {
"type": "git",
"url": "https://git.sbruder.de/simon/AriaNg"
}
},
"aria2_exporter": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1621073204,
"narHash": "sha256-NXjp8rgWsNwX3WR8F11TAGxYoi8QZjrmuc5nsj/IjdQ=",
"owner": "sbruder",
"repo": "aria2_exporter",
"rev": "4b170f34720be5da2d2b8e791ff891624fe40e51",
"type": "github"
},
"original": {
"owner": "sbruder",
"repo": "aria2_exporter",
"type": "github"
}
},
"bang-evaluator": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1627835028,
"narHash": "sha256-LHTdNog+0EmRn+4DIz451vvQ2EeC8KwyV3/8JpX9yiw=",
"ref": "master",
"rev": "7fc3d5019c907566abbad8f84ba9555a5786bd01",
"revCount": 52,
"type": "git",
"url": "https://git.sbruder.de/simon/bangs"
},
"original": {
"type": "git",
"url": "https://git.sbruder.de/simon/bangs"
}
},
"flake-utils": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1639871969,
"narHash": "sha256-6feWUnMygRzA9tzkrfAzpA5/NBYg75bkFxnqb1DtD7E=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "697cc8c68ed6a606296efbbe9614c32537078756",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-21.11",
"repo": "home-manager",
"type": "github"
}
},
"infinisilSystem": {
"flake": false,
"locked": {
"lastModified": 1626615686,
"narHash": "sha256-eXt4eon7oEg1gBUC8myZNACmDisgsQOAHGlnDhyG6zk=",
"owner": "Infinisil",
"repo": "system",
"rev": "f1fd247eca84abccbad3b57da39454702d7ef2c6",
"type": "github"
},
"original": {
"owner": "Infinisil",
"repo": "system",
"rev": "f1fd247eca84abccbad3b57da39454702d7ef2c6",
"type": "github"
}
},
"krops": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1632420452,
"narHash": "sha256-ncK6vABW/Ku9XI0kqj1otarUfblryoQzSaOCnaZ0oSs=",
"owner": "Mic92",
"repo": "krops",
"rev": "0388970c568905fedcbf429e5745aacd4f7a6633",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "krops",
"type": "github"
}
},
"nix-pre-commit-hooks": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1639823344,
"narHash": "sha256-jlsQb2y6A5dB1R0wVPLOfDGM0wLyfYqEJNzMtXuzCXw=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ff9c0b459ddc4b79c06e19d44251daa8e9cd1746",
"type": "github"
},
"original": {
"owner": "cachix",
"ref": "master",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1641965797,
"narHash": "sha256-AfxfIzAZbt9aAzpVBn0Bwhd/M4Wix7G91kEjm9H6FPo=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "87a35a0d58f546dc23f37b4f6af575d0e4be6a7a",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1641870998,
"narHash": "sha256-6HkxR2WZsm37VoQS7jgp6Omd71iw6t1kP8bDbaqCDuI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-21.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-overlay": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nix-pre-commit-hooks": [
"nix-pre-commit-hooks"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1638388788,
"narHash": "sha256-4t+iDoZO9X8fM1cWfbCbsIagRN0PRkpGcJKaMLJE7yc=",
"ref": "master",
"rev": "72d323ca0410a08abc2d981b812c5cd0fd3338bf",
"revCount": 38,
"type": "git",
"url": "https://git.sbruder.de/simon/nixpkgs-overlay"
},
"original": {
"type": "git",
"url": "https://git.sbruder.de/simon/nixpkgs-overlay"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1641887635,
"narHash": "sha256-kDGpufwzVaiGe5e1sBUBPo9f1YN+nYHJlYqCaVpZTQQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b2737d4980a17cc2b7d600d7d0b32fd7333aca88",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"AriaNg": "AriaNg",
"aria2_exporter": "aria2_exporter",
"bang-evaluator": "bang-evaluator",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"infinisilSystem": "infinisilSystem",
"krops": "krops",
"nix-pre-commit-hooks": "nix-pre-commit-hooks",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-overlay": "nixpkgs-overlay",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1641374494,
"narHash": "sha256-a56G6Um43+0+n+yNYhRCh/mSvDdRVzQHSKcFaDEB9/8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "7edb4b080023ef12f39262a3aa7aab31015a7a0e",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

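--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,217 @@
+{
+description = "NixOS system configuration";
+inputs = {
+flake-utils.url = "github:numtide/flake-utils";
+nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
+nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+home-manager.url = "github:nix-community/home-manager/release-21.11";
+home-manager.inputs.nixpkgs.follows = "nixpkgs";
+krops.url = "github:Mic92/krops";
+krops.inputs.flake-utils.follows = "flake-utils";
+krops.inputs.nixpkgs.follows = "nixpkgs";
+nixos-hardware.url = "github:nixos/nixos-hardware/master";
+nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
+nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
+nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
+sops-nix.url = "github:Mic92/sops-nix";
+sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+infinisilSystem.url = "github:Infinisil/system/f1fd247eca84abccbad3b57da39454702d7ef2c6";
+infinisilSystem.flake = false;
+nixpkgs-overlay.url = "git+https://git.sbruder.de/simon/nixpkgs-overlay";
+nixpkgs-overlay.inputs.flake-utils.follows = "flake-utils";
+nixpkgs-overlay.inputs.nixpkgs.follows = "nixpkgs";
+nixpkgs-overlay.inputs.nix-pre-commit-hooks.follows = "nix-pre-commit-hooks";
+bang-evaluator.url = "git+https://git.sbruder.de/simon/bangs";
+bang-evaluator.inputs.flake-utils.follows = "flake-utils";
+bang-evaluator.inputs.nixpkgs.follows = "nixpkgs";
+aria2_exporter.url = "github:sbruder/aria2_exporter";
+aria2_exporter.inputs.flake-utils.follows = "flake-utils";
+aria2_exporter.inputs.nixpkgs.follows = "nixpkgs";
+AriaNg.url = "git+https://git.sbruder.de/simon/AriaNg";
+AriaNg.inputs.flake-utils.follows = "flake-utils";
+AriaNg.inputs.nixpkgs.follows = "nixpkgs";
+};
+outputs =
+{ self
+, flake-utils
+, krops
+, nix-pre-commit-hooks
+, nixpkgs
+, nixpkgs-overlay
+, ...
+}@inputs: flake-utils.lib.eachDefaultSystem
+(system:
+let
+pkgs = import nixpkgs { inherit system; };
+inherit (pkgs) lib;
+in
+{
+checks = {
+pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
+src = self;
+hooks = {
+black.enable = true;
+nixpkgs-fmt.enable = true;
+shellcheck.enable = true;
+};
+};
+};
+apps = lib.mapAttrs
+(name: program: { type = "app"; program = toString program; })
+(flake-utils.lib.flattenTree {
+deploy = lib.recurseIntoAttrs (lib.mapAttrs
+(hostname: machine:
+let
+inherit (krops.packages.${system}) writeCommand;
+inherit (krops) lib;
+in
+writeCommand "deploy-${hostname}" {
+target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
+extraOptions = [
+# force allocation of tty to allow aborting with ^C and to show build progress
+"-t"
+];
+};
+source = lib.evalSource (lib.singleton {
+config.file = {
+path = toString self;
+useChecksum = true;
+filters = [
+{
+type = "include";
+pattern = "/machines/${hostname}/";
+}
+{
+type = "exclude";
+pattern = "/machines/*/";
+}
+];
+};
+});
+command = targetPath: ''
+nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
+'';
+}
+)
+self.nixosConfigurations);
+deploy-local = lib.recurseIntoAttrs (lib.mapAttrs
+(hostname: machine: pkgs.writeShellScript "deploy-local-${hostname}" ''
+${pkgs.nixos-rebuild.override { nix = pkgs.nixFlakes; }}/bin/nixos-rebuild \
+switch \
+--flake .#${hostname} \
+-L \
+--build-host localhost \
+--target-host root@${machine.config.deployment.targetHost} \
+--use-substitutes
+'')
+self.nixosConfigurations);
+unlock = lib.recurseIntoAttrs (lib.mapAttrs
+(hostname: machine:
+let
+inherit (machine.config.deployment)
+targetHost
+unlockOverV4;
+in
+pkgs.writeShellScript "unlock-${hostname}" ''
+set -exo pipefail
+# opening luks fails if gpg-agent is not unlocked yet
+pass "devices/${hostname}/luks" >/dev/null
+ssh \
+${lib.optionalString unlockOverV4 "-4"} \
+-p 2222 \
+"root@$(${pkgs.dnsutils}/bin/dig \
++short \
+@${if unlockOverV4 then "8.8.8.8" else "2001:4860:4860::8888"} \
+${targetHost} \
+${if unlockOverV4 then "A" else "AAAA"})" \
+"cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
+'')
+self.nixosConfigurations);
+showKeyFingerprint = pkgs.writeShellScript "show-key-fingerprint" ''
+gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
+'';
+});
+devShell = pkgs.mkShell {
+buildInputs = (with pkgs; [
+black
+nixpkgs-fmt
+shellcheck
+sops
+ssh-to-pgp
+]);
+shellHook = ''
+find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
+'' + self.checks.${system}.pre-commit-check.shellHook;
+};
+}) // {
+overlay = import ./pkgs;
+nixosConfigurations = nixpkgs.lib.mapAttrs
+(hostname: { system
+, extraModules ? [ ]
+, targetHost ? hostname
+, unlockOverV4 ? true
+, nixpkgs ? inputs.nixpkgs
+}: nixpkgs.lib.nixosSystem rec {
+inherit system;
+modules = [
+(./machines + "/${hostname}/configuration.nix")
+{
+_module.args.inputs = inputs;
+}
+# deployment settings
+({ lib, ... }: {
+options.deployment = {
+targetHost = lib.mkOption {
+type = lib.types.str;
+readOnly = true;
+internal = true;
+};
+unlockOverV4 = lib.mkOption {
+type = lib.types.bool;
+readOnly = true;
+internal = true;
+description = "Whether to unlock the host over IPv4 (only)";
+};
+};
+config.deployment = {
+inherit
+targetHost
+unlockOverV4;
+};
+})
+] ++ (with inputs; [
+home-manager.nixosModules.home-manager
+sops-nix.nixosModules.sops
+aria2_exporter.nixosModules.aria2_exporter
+bang-evaluator.nixosModules.bang-evaluator
+]) ++ (builtins.attrValues nixpkgs-overlay.nixosModules)
+++ extraModules;
+})
+(import ./machines inputs);
+};
+}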
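Review bot: The remote deploy command `nixos-rebuild switch --flake ${targetPath}/config -L --keep-going` names no flake attribute, so nixos-rebuild falls back to `nixosConfigurations.<hostname reported by the target>`; since the attribute name and the machine's real hostname are only loosely coupled here (`targetHost ? hostname`), a renamed or differently-named host would silently build a different configuration or fail late on the target. The `deploy-local` app already pins the attribute with `--flake .#${hostname}`, and the remote variant should do the same: `nixos-rebuild switch --flake ${targetPath}/config#${hostname} -L --keep-going`. The `unlock` script also hard-codes Google's public resolvers for looking up `targetHost`; a one-line comment stating why the system resolver is bypassed would help, e.g. `# resolve via a public resolver on purpose: <reason>` with the actual reason filled in.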

28
keys/machines/fuuko.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=9jYa
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=S83g
-----END PGP PUBLIC KEY BLOCK-----

28
keys/machines/sayuri.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEACbZMv7VT/YLGIy1NnPmVO0c7ximkxFAx8N8UiCQB6aLL6WKIYB
xuDZAzkRbv7HvzfHbovjWKKrHDihtcup4WA2AF/fBk1grMDq+zIT17EMke2xqp92
OY788ijMPm63+sRgQMfyVOoh16VQb27kgCO8ouPCkjbgabiBz0sC2sVztoDK4xh5
RTT4mVjODeqX1wxhYO90Nez4yZt1zX9t9oOPawTCwzoLKco/QNflz3wAYx21DJ7B
UxfACkHfI3nxjbCbmVDLMzTmcn1UZoxtovJYp9gd//fCaySMxlfk489j/8kPVrxy
bCFtFWEqehLvgQZg0Yrpy/Ih4vuzoCRLPj17GC5LevhrS7sIaATd4UeU/ke9+f/U
T8Yf2dh3e7g0pmeiXphpyG7mUPhxCz3MN/FQnNQauQAwmB8MmhxQXPtfx2OyXnP4
xjLb8sAtrtpaKNQ50k3/1LVcrJozvx6ELkmOE87MIhbi61jeplhUAnqPP7rpUvhn
VeNQ5FgIei78oWVDa6/d1R4Z0Bos/kvNWCdG9OWuqgGnMOfvUfi2WojId8ZM2s2Q
eHqg/NO36zctyCtoF7NBIBsJVDA406M2H3B0Mkx2yGHBXLlgwCBl5mopgjc5wrn0
xMWgUv+H5jcwbzCNcA0dn/I1BlBWPk64T+iCJh4WO+/ZcD4IsXh+fmnB0wARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQZTN48Qym4AoCGw8CGQEAAP1OEAB8vJKvssUiZm72t3EDrc4i
KW6M/kCPTlHBPmkFiLIi1c0qjZ9Oziw20WMhwRdYu6Bv66Of6YqNWNHbDQjdDcSE
/echXBKwdo/uwGpYsIEB5pQwtxkmT+8MlHmfUD9cfPK0vweGq4OOiWtNwzS7jt6M
fvp6Ar2BDXxT7zt6j/2BgioldmlxXVewtEgC+m9jBnCbML4xAyj9AEMrwYVwAvY4
QJoUK18lPWX85bSLpTPyfpJl0DkDiFR1EXHgpiZs/cdv3r0lMb9EfpvZbHtqolMy
MDIdwUy2cnoQu8WazbMloe9nAx6kZ9ylnvjkxuhgNpYV397kESWXzl74es1KAOgg
xURdt/IM2MJoUTs3B5v3d6SkV+UtSzMLSbBPJ5T0ehykgIihHNINcXvQSDAHPBbv
+Add/40MSi7NcJVlGwJvYmIRSiH8nvcQy2UcCGJPx6h3CKk7OskROpSNZ4SbPDsQ
WJk2OXr3tNxBoUp565DRURvIANQLerYV8ziwHxhbIyEudm+9/g8CbDy+wPGulwMZ
ruN6Lu3L6ctYLniXf7mADNVeZWXlrFQB+qNag9TVhj++kv+qsC5VOVI8o/h6N3Ai
yo3aFmDEbsA3F5dE5GZ7kE/u0b3b8nvqKCp+5IQuKl9nwyzKqy9Zj55HmewES3mR
DUKUW9W7ZnROHuiQxO5jTA==
=XySc
-----END PGP PUBLIC KEY BLOCK-----

28
keys/machines/vueko.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=4Idg
-----END PGP PUBLIC KEY BLOCK-----

28
keys/machines/yuzuru.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=5Ki8
-----END PGP PUBLIC KEY BLOCK-----

52
keys/users/simon.asc Normal file

@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=7eg7
-----END PGP PUBLIC KEY BLOCK-----

44
machines/default.nix Normal file

@ -0,0 +1,44 @@
{ ... }@inputs:
let
hardware = inputs.nixos-hardware.nixosModules;
in
{
sayuri = {
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
};
vueko = {
system = "x86_64-linux";
extraModules = [
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
];
targetHost = "vueko.sbruder.de";
};
fuuko = {
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
targetHost = "fuuko.home.sbruder.de";
unlockOverV4 = false; # gets slaac ipv6 address from router
};
mayushii = {
system = "x86_64-linux";
extraModules = [
#hardware.lenovo-thinkpad-p14s-amd-gen2
(import "${inputs.nixos-hardware}/lenovo/thinkpad/p14s/amd/gen2")
hardware.common-pc-ssd
];
};
yuzuru = {
system = "x86_64-linux";
targetHost = "yuzuru.sbruder.xyz";
};
}
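Review bot: The `murmur.nix` module for vueko is imported straight out of a third-party flake input (`inputs.infinisilSystem`), so every bump of that input in flake.lock changes code that is evaluated as a NixOS module with full system privileges on that host. A one-line comment at the import recording why the nixpkgs murmur module is not used and that this input is diffed on update would make the supply-chain dependency visible, e.g. `# external module: review the diff when bumping infinisilSystem`. Whether anything beyond the lock file pins this input is not visible here.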

27
machines/fuuko/README.md Normal file

@ -0,0 +1,27 @@
# fuuko
## Hardware
HP MicroServer Gen8 with an [Intel Xeon E3-1220L
v2](https://ark.intel.com/content/www/us/en/ark/products/65735/intel-xeon-processor-e3-1220l-v2-3m-cache-2-30-ghz.html)
and 8GiB ECC RAM (1600MHz). It isnt the best choice, but I already had it
lying around and it is acceptable after changing the CPU from the original
Celeron. I decided not to use another consumer-grade computer for this, since
the server offers ECC memory and therefore should be more reliable.
The SSD (Intel DC S4500 480GB) is connected to the first drive slot in a 3.5 ″
adapter. I originally wanted to connect it to the internal ODD SATA port, but
since it only supports SATA2 (3Gbit/s) and does not support booting from it,
requiring an additional boot drive, I decided against this.
For storage it has two Hard drives (Seagate Exos E 7E8 ST8000NM000A and WD
Ultrastar DC HC320 0B36404) in BTRFS RAID1. They are connected to the 2rd and
3th bay. Bay 3 is only SATA2, but that should not be the bottleneck.
## Purpose
It is my main server handling most long-runing tasks and services.
## Name
Fuuko Ibuki is a student in *Clannad* who carves starfish out of wood.


@ -0,0 +1,79 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
../../users/simon
./services/ankisyncd.nix
./services/binary-cache.nix
./services/dnsmasq.nix
./services/factorio.nix
./services/gitea.nix
./services/grafana.nix
./services/hedgedoc.nix
./services/hydra.nix
./services/matrix
./services/media-backup.nix
./services/media.nix
./services/prometheus.nix
./services/scan.nix
./services/torrent.nix
./services/wordclock-dimmer.nix
];
sbruder = {
wireguard.home.enable = true;
nginx.hardening.enable = true;
restic.system = {
enable = true;
extraPaths = [
"/data"
];
extraExcludes = [
"/data/media/video"
"/data/misc"
"/data/torrent"
];
prune = true;
};
unfree.allowSoftware = true;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."fuuko.home.sbruder.de" = {
enableACME = true;
forceSSL = true;
};
virtualHosts."sbruder.de" = {
enableACME = true;
forceSSL = true;
root = pkgs.sbruder.contact;
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
services.postgresqlBackup = {
enable = true;
startAt = [ ]; # triggered by restic system backup
location = "/data/backup/postgresql";
};
systemd.services.restic-backups-system = {
after = [ "postgresqlBackup.service" ];
wants = [ "postgresqlBackup.service" ];
};
networking.hostName = "fuuko";
system.stateVersion = "20.09";
}
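Review bot: `systemd.services.restic-backups-system` only `wants` `postgresqlBackup.service`, so when the dump fails the restic run still proceeds and snapshots whatever stale dump is left in `/data/backup/postgresql`, silently producing a backup without a current database copy. If a failed dump should abort the backup, use `requires = [ "postgresqlBackup.service" ];` next to `after`; if best-effort is intended, a comment saying so stops the next reader from wondering. Separately, adding nginx to the `keys` group grants it traversal of the whole sops secrets tree, while the only nginx-consumed secret in this commit (`nix-binary-cache-htpasswd`) already sets `owner = "nginx"`; a comment on why the group is still needed (presumably the secrets mount permissions) would help.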


@ -0,0 +1,98 @@
{ config, lib, modulesPath, pkgs, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
kernelModules = [ "kvm-intel" ];
blacklistedKernelModules = [ "acpi_power_meter" ]; # constantly pollutes kernel log
extraModulePackages = [ ];
supportedFilesystems = [ "btrfs" ];
kernelParams =
let
mainInterface = config.systemd.network.networks.eno1;
first = lib.flip lib.elemAt 0;
in
[
"ip=${first mainInterface.address}::${first mainInterface.gateway}::${config.networking.hostName}:${mainInterface.name}"
];
initrd = {
availableKernelModules = [
"aesni_intel" # hardware crypto for luks
"ahci"
"ehci_pci"
"sd_mod"
"tg3" # network interface
"uhci_hcd"
"usb_storage"
"usbhid"
"xhci_pci"
];
kernelModules = [ ];
network.enable = true; # remote unlocking
luks.devices = {
root = {
name = "root";
device = "/dev/disk/by-uuid/c5cf6858-cca0-40dc-a3b5-ab47a3f9d49c";
preLVM = true;
allowDiscards = true;
};
};
};
loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2KB480G7_PHYS749202D6480BGN";
};
environment.etc.crypttab.text = ''
data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 /root/luks-data luks
data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a /root/luks-data luks
'';
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/92a1f733-8a23-42ea-958b-0d01a5de7776";
fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/0f1822e1-643b-49e0-b279-5e3373c6a26c";
fsType = "ext2";
};
"/data" = {
device = "/dev/mapper/data0";
fsType = "btrfs";
options = [ "compress=zstd" ];
};
};
services.btrfs.autoScrub = {
enable = true;
fileSystems = [ "/data" ];
};
swapDevices = [
{
device = "/dev/disk/by-partuuid/22978e17-fbbf-4879-9385-5c9473df1706";
randomEncryption.enable = true;
}
];
powerManagement.cpuFreqGovernor = "performance";
networking.useDHCP = false;
systemd.network = {
enable = true;
networks = {
eno1 = {
name = "eno1";
dns = [ "192.168.100.1" ];
domains = [ "home.sbruder.de" ];
address = [ "192.168.100.61/24" ];
gateway = [ "192.168.100.1" ];
};
};
};
services.resolved.enable = false;
}
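Review bot: `allowDiscards = true` on the LUKS root together with the `discard` mount option passes TRIM through the encrypted device, which lets anyone with the raw SSD see which blocks are unused and so infer filesystem layout and free-space patterns; that is a commonly accepted trade-off for SSD wear, but it should be stated, e.g. `allowDiscards = true; # leaks free-space pattern through LUKS, accepted for SSD wear`. The remote-unlock initrd (`network.enable = true` plus the `ip=` kernel parameter) depends on an initrd SSH host key and authorized keys that are not in this hunk, presumably in `../../modules`; a pointer comment would make that dependency findable. Since `/boot` is a separate unencrypted ext2 partition, whatever host key is embedded in the initrd is readable from the disk, so host-key checking on the unlocking client is the only thing preventing an impersonated passphrase prompt — worth noting next to `network.enable`.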


@ -0,0 +1,62 @@
gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str]
go-neb-overrides: ENC[AES256_GCM,data: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,iv:tniWSP8RgSDJ8ap+PK83TcPAvRdaXWC/gchF6+8uffs=,tag:SC6RB8zyVmjjbLA73cFb4A==,type:str]
hcloud_exporter-environment: ENC[AES256_GCM,data:TPMeNK7uC716PC8UqDCnUKtriueIkg3l1ql9e3lse46Ko3TVvwW1oAQRSbwK8CG5AjuF2s2Y8GJdYcI8PN6Z5kERYF1RL2GDpN4pLSuw/l0YqsFkt0uK,iv:cmB+hZHvbk1p8uRmLDyYdPr6rTsFxKcoTcQVo729sAQ=,tag:nkiSvy7rsoInDN0l+1FOOQ==,type:str]
nix-binary-cache-htpasswd: ENC[AES256_GCM,data:IktPHrrvExeZlCPmP82W9AovC59ILPbMQExVDO7U2S9lJ9cQKP14mQPuYwA+yKTycIdA01MwRDbt/SxhVleZ+aKkyOPwx/iG5B0cQX6cVqQWVTNVmxlW2sjupnnwwibcdikU21CIw6YsDKs7pMqRAfC/U2OJ3POo2qH5GgFY,iv:ofzEQ143HQQGZIEVkdWCrcENz0i6JPljLDGmG0A7aJ8=,tag:a557cdgRD25jWHhZeT+CnQ==,type:str]
prometheus-htpasswd: ENC[AES256_GCM,data:eJOWrcTC3YISJJLuQV6sxzD0r8Gr8uoUt48D9sSEHhsbNUUy3pDgIPqJHrkG0ek2sIF6NvpWdDGK1kFcduRAL9h7nLxQLOtf7dxsdObGlPH5nwe6CwdR+1wTE/2WzrsmTGnUrMjMiBgLPV2yRiQg3VJ7W1Me8tHPYHrqYhM=,iv:WvgwIoIfxc3vyjF+znyUzOElv+sd/thoYpxWVaIavx0=,tag:9FnRw7ol++1PCbl1c2IyoA==,type:str]
restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDdCOVMP4/HhP4jF+tEarq22,iv:Eu6Wspzm0rPl0CuSoYTTLz+MmaEtmwCD57nH2JTBuaA=,tag:tKqt5Z7nF7lLcSsDKS4E3A==,type:str]
restic-s3: ENC[AES256_GCM,data:VJ/jgYnUSkbsNMb1ciLiCcRVEpuaznsSFf0QkEnPhTRHpFv4Nt0f8ARnNtG5j3iXSIT4+H2+5HWKXEsjhvL85p0XE3xe4h45xGKnvvVO2obF+b/zsMDdceFJtLbcq+APzPBjchYU,iv:W+80GhAvYD/52dNZsNYiEhiLo4dhO8oxkd+GAbk42NU=,tag:Kj9CaGo/xAmYxdoLE/Lo1Q==,type:str]
synapse-registration-shared-secret: ENC[AES256_GCM,data:lNzK/7QAk4Scv+lNM8bTTKvowI139c4R4Y7Qpq60n8R61aahlxrnWc/PUEOv85Pdx+8IdBOLnV0kp7OQF6tStGBBCOkAicYmnsLoR36DmuDCvTSKVArryV7BrxL8pv0=,iv:ZT9IIF7W0NHqvnU3lPQclVS5uXXK5HIQUzXNYwYFMIo=,tag:a/sUixOlHEvn5ZOINPwQlg==,type:str]
synapse-turn-shared-secret: ENC[AES256_GCM,data:sAvP4/jVma7Uq9TR4W/zEoJA17Stj75uG+G4niYaQ1tflxRhE+/HfrhMn7whnmpSgXDb/ZPtLfVaW1DCfU2jovz3Y9Ij1kveXar2aAjlPSsSVwTbFmei,iv:S7uVlE2rhK7ta2S/eX+KXBMQyc69onHYjfMNro3OCjM=,tag:rvI299PQ9TVfVzQjgfUKww==,type:str]
wg-aria-private-key: ENC[AES256_GCM,data:qbxpfNRocrXDbUJ3MwR5WMXX8LB4Vnv9HMXN403ANaBbCLrRTEL9hy93roY=,iv:l2DYXGY1wN1rP2bG/s9uSwRhbvCUm2T6IJy5LKzguqk=,tag:51S+m1P1EtHk1QWEjdUCUA==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-01-14T16:18:19Z"
mac: ENC[AES256_GCM,data:i6TJ+X85H+ptli5GaodNh6KbjqBLuJcs/Cy88JIQdq5az6nVJUtB55SuhkOAu35pPqlGX4tTBRO7OHupkEwS0Gpl2rC+OQB8gvnfuANzK8uFKGs4EK29BJsqNjsRdDmH1NjGjrIjau4spLz0wfELUcKtKofkZeLvzITsgzjRj+4=,iv:ZuFOIeXb+k1PWfWYPyIBKAnBaLZu+E4SeThysXCQ+iI=,tag:BFMwx9Am66pRSmWQWnVpgA==,type:str]
pgp:
- created_at: "2021-04-06T11:27:21Z"
enc: |
-----BEGIN PGP MESSAGE-----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=dltN
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: "2021-04-06T11:27:21Z"
enc: |
-----BEGIN PGP MESSAGE-----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=ukYv
-----END PGP MESSAGE-----
fp: 2372651C56E22972C2D9F3F569C8187C9C43754E
unencrypted_suffix: _unencrypted
version: 3.7.1

Binary file not shown.


@ -0,0 +1,17 @@
{ config, ... }:
let
cfg = config.services.ankisyncd;
in
{
services.ankisyncd = {
enable = true;
host = "127.0.0.1";
};
services.nginx.virtualHosts."anki.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";
};
}


@ -0,0 +1,76 @@
# This serves a local binary cache. If the request comes from my home network,
# it will set its priority higher than cache.nixos.org (which has a priority of
# 40), so local devices get a faster binary cache. If the request coes from
# outside my home network, it will set its priority lower, only store paths
# exclusive to this cache will be substituted.
# This only works well when a host does not change its “location”, since nix
# caches binary caches locally (per-user, also for root!) in
# ${XDG_CACHE_HOME:-$HOME/.cache}/.cache/nix/binary-cache-v6.sqlite and does
# not re-check or invalidate them. Devices that often are not at home should
# ensure that the cached priority is 50 to avoid slow substitutions.
{ config, lib, pkgs, ... }:
let
binaryCachePath = "/data/cache/nix-binary-cache";
in
{
sops.secrets.nix-binary-cache-htpasswd = {
owner = "nginx";
sopsFile = ../secrets.yaml;
};
services.nginx = {
appendHttpConfig = ''
geo $nix_binary_cache_priority {
default 50;
192.168.100.0/24 30;
2001:470:1f0b:abc::/64 30;
}
'';
virtualHosts."nix-cache.sbruder.de" = rec {
enableACME = true;
forceSSL = true;
root = binaryCachePath;
locations = {
"/nix-cache-info" = {
return = "200 \"StoreDir: /nix/store\\nPriority: $nix_binary_cache_priority\\n\"";
};
"/".extraConfig = ''
log_not_found off;
client_max_body_size 5G;
# WebDAV (for uploading)
dav_methods PUT DELETE;
create_full_put_path on; # nar/ does not exist by default
dav_access user:rw group:r all:r;
# same filesystem for temporary files
client_body_temp_path ${root}/.upload-tmp;
limit_except GET {
auth_basic "restricted upload";
auth_basic_user_file ${config.sops.secrets.nix-binary-cache-htpasswd.path};
}
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
${lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig))}
add_header Access-Control-Allow-Origin https://hydra.sbruder.de;
'';
"/nix/store/".proxyPass = "http://localhost:${toString config.services.nar-serve.port}";
};
};
};
systemd.services.nginx.serviceConfig.ReadWritePaths = lib.singleton binaryCachePath;
services.nar-serve = {
enable = true;
cacheURL = "file://${binaryCachePath}";
};
# nar-serve logs multiple lines on every request
systemd.services.nar-serve.serviceConfig.StandardOutput = "null";
}
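Review bot: `client_body_temp_path ${root}/.upload-tmp` places nginx's in-flight request bodies inside the served document root, and nothing in the `/` location prevents them from being fetched with an unauthenticated GET, so a partially uploaded NAR (or any PUT body) is readable by anyone who guesses the numeric temp file name. Either deny that prefix with `locations."~ ^/\\.upload-tmp/".extraConfig = "deny all;";` or move the temp path to a sibling directory on the same filesystem outside the root and extend `ReadWritePaths` accordingly. It is also worth a comment that nothing here validates what authenticated uploaders push: clients are only protected by checking narinfo signatures against their `trusted-public-keys`, so the htpasswd credential is effectively a cache-poisoning credential and should be treated with that weight.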


@ -0,0 +1,44 @@
{ config, lib, pkgs, ... }:
{
services.dnsmasq = {
enable = true;
extraConfig = ''
bogus-priv # do not forward revese lookups of internal addresses
domain-needed # do not forward names without domain
local-service # only respond to queries from local network
no-hosts # do not resolve hosts from /etc/hosts
no-resolv # only use explicitly configured resolvers
cache-size=10000
server=/fritz.box/192.168.100.1
domain=home.sbruder.de
dhcp-range=192.168.100.20,192.168.100.150,12h
dhcp-option=option:router,192.168.100.1
'';
servers = [
"9.9.9.9" # dns.quad9.net
"2620:fe::fe"
"194.150.168.168" # dns.as250.net
];
};
# Make `local-service` work (requires network interface with all addresses)
systemd.services.dnsmasq = {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
};
services.prometheus.exporters.dnsmasq = {
enable = true;
listenAddress = "127.0.0.1";
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
};
networking.firewall.allowedUDPPorts = [ 53 67 ];
networking.firewall.allowedTCPPorts = [ 53 ];
}
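Review bot: `networking.firewall.allowedUDPPorts = [ 53 67 ]` and `allowedTCPPorts = [ 53 ]` open the resolver and DHCP server on every interface, including the WireGuard interface this host enables in configuration.nix (`sbruder.wireguard.home.enable`), whereas dnsmasq's `local-service` only restricts answers to subnets the host has an address on, which the VPN subnet satisfies. If the service is meant for the home LAN only, scope the rule to the interface: `networking.firewall.interfaces.eno1.allowedUDPPorts = [ 53 67 ];` and `networking.firewall.interfaces.eno1.allowedTCPPorts = [ 53 ];`. Running a second DHCP server on the same segment as the router (`192.168.100.1`, `fritz.box`) also deserves a comment confirming the router's DHCP is disabled, since that cannot be seen here.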


@ -0,0 +1,21 @@
{ lib, pkgs, ... }:
{
services.factorio = {
enable = true;
package = pkgs.factorio-headless.overrideAttrs (o: o // rec {
name = "factorio-headless-${version}";
version = "1.1.42";
src = pkgs.fetchurl {
name = "factorio_headless_x64-${version}.tar.xz";
url = "https://factorio.com/get-download/${version}/headless/linux64";
sha256 = "sha256-QpCZBqJY3NU4FIJY3LDungPKBjhR09jKA9FxJpk7QdA=";
};
});
openFirewall = true;
admins = [ "sbruder" ];
game-name = "factorio.sbruder.de";
game-password = "MoinMoin";
};
}
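Review bot: `game-password = "MoinMoin";` is a plaintext credential committed to the repository and, because the module renders it into the server settings, it also ends up world-readable in `/nix/store`; with `openFirewall = true` it is the only thing gating joins from the internet. If the module version in use offers a file-based option (newer nixpkgs has `extraSettingsFile`), move the password into a sops secret and reference that; otherwise add a comment acknowledging that it is treated as public. The pinned `src` override with an explicit `sha256` is good; a comment noting that the download URL is version-specific so the hash must be refreshed on every bump would save the next person a confusing hash mismatch.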


@ -0,0 +1,75 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.gitea;
in
{
sops.secrets.gitea-mail = {
owner = cfg.user;
sopsFile = ../secrets.yaml;
};
systemd.services.gitea.serviceConfig.SupplementaryGroups = lib.singleton "keys";
services.gitea = {
enable = true;
rootUrl = "https://git.sbruder.de/";
appName = "sbrudergit";
cookieSecure = true;
log.level = "Warn";
lfs = {
enable = true;
contentDir = "/data/gitea/lfs/";
};
enableUnixSocket = true;
ssh = {
clonePort = 2022;
};
database.type = "postgres";
mailerPasswordFile = config.sops.secrets.gitea-mail.path;
settings = {
mailer = {
ENABLED = true;
HOST = "vueko.sbruder.de:587";
FROM = "gitea@sbruder.de";
USER = "gitea@sbruder.de";
};
avatar = {
DISABLE_GRAVATAR = true;
};
server = {
# privacy
DISABLE_ROUTER_LOG = true;
OFFLINE_MODE = true;
# internal ssh server
BUILTIN_SSH_SERVER_USER = "git";
START_SSH_SERVER = true;
SSH_SERVER_HOST_KEYS = "ssh/gitea.ed25519,ssh/gitea.rsa";
};
service = {
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_NOTIFY_MAIL = true;
NO_REPLY_ADDRESS = "users.git.sbruder.de";
REGISTER_EMAIL_CONFIRM = true;
};
session = {
PROVIDER = "file";
};
};
};
networking.firewall.allowedTCPPorts = [ cfg.ssh.clonePort ];
services.nginx.virtualHosts."git.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:/run/gitea/gitea.sock";
};
extraConfig = ''
client_max_body_size 1G; # Git LFS
'';
};
}
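Review bot: The `service` section sets `REGISTER_EMAIL_CONFIRM = true` but not `DISABLE_REGISTRATION`, so unless it is set elsewhere (not visible in this commit) anyone on the internet can create an account on `git.sbruder.de`, and with LFS enabled and a 1G body limit can also fill `/data/gitea/lfs/`. For a personal instance add `DISABLE_REGISTRATION = true;` (and optionally `REQUIRE_SIGNIN_VIEW = true;`) next to `DEFAULT_KEEP_EMAIL_PRIVATE`. Separately, `HOST = "vueko.sbruder.de:587"` on the submission port without an explicit STARTTLS/TLS setting relies on Gitea's default for this version; pinning it in `mailer` (the option name changed across Gitea releases, so check the one in use) makes the transport guarantee explicit.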


@ -0,0 +1,52 @@
{ config, ... }:
let
cfg = config.services.grafana;
in
{
services.grafana = {
enable = true;
# grafana supports sockets, but no permission management (always 660 grafana:grafana)
addr = "127.0.0.1";
domain = "grafana.sbruder.de";
rootUrl = "https://%(domain)s/";
database = {
type = "postgres";
host = "/run/postgresql";
user = "grafana";
};
provision = {
enable = true;
datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
isDefault = true;
}
];
};
analytics.reporting.enable = false;
};
systemd.services.grafana.after = [ "postgresql.service" ];
services.postgresql = {
enable = true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{
name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
}
];
};
services.nginx.virtualHosts."grafana.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://${cfg.addr}:${toString cfg.port}";
};
};
}
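Review bot: Nothing here sets `security.adminPasswordFile` or `security.secretKeyFile`, so unless `../../modules` does, Grafana starts with the module defaults — a well-known admin password and a fixed, publicly known `secret_key`, the latter being what encrypts datasource credentials stored in the database. Both are one-liners given sops is already in use on this host: `security.adminPasswordFile = config.sops.secrets.grafana-admin-password.path;` and `security.secretKeyFile = config.sops.secrets.grafana-secret-key.path;` with matching `sops.secrets` entries owned by `grafana`. `analytics.reporting.enable = false` is a good privacy default and worth keeping.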


@ -0,0 +1,63 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.hedgedoc;
in
{
services.postgresql = {
enable = true;
ensureDatabases = [ "hedgedoc" ];
ensureUsers = lib.singleton {
name = "codimd";
ensurePermissions = {
"DATABASE hedgedoc" = "ALL PRIVILEGES";
};
};
};
services.hedgedoc = {
enable = true;
configuration = {
host = "127.0.0.1";
port = 3001;
db = {
dialect = "postgres";
host = "/run/postgresql";
#user = "hedgedoc";
database = "hedgedoc";
};
domain = "pad.sbruder.de";
protocolUseSSL = true;
csp.enable = true;
imageUploadType = "filesystem";
uploadsPath = "/data/hedgedoc/uploads";
};
};
systemd.services.hedgedoc = {
after = [ "postgresql.service" ];
preStart = toString (pkgs.writeShellScript "hedgedoc-generate-session-secret" ''
if [ ! -f ${cfg.workDir}/session_secret_env ]; then
echo "CMD_SESSION_SECRET=$(${pkgs.pwgen}/bin/pwgen -s 32 1)" > ${cfg.workDir}/session_secret_env
fi
'');
serviceConfig = {
Environment = [
"CMD_LOGLEVEL=warn"
];
EnvironmentFile = [
"-${cfg.workDir}/session_secret_env" # - ensures that it will not fail on first start
];
};
};
systemd.tmpfiles.rules = [
"d ${cfg.configuration.uploadsPath} 0700 codimd codimd - -"
];
services.nginx.virtualHosts."pad.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${cfg.configuration.host}:${toString cfg.configuration.port}";
};
}
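Review bot: The `preStart` script writes the session secret with a plain `>` redirection, so the file is created with the default-umask mode (normally 0644) and any local account that can traverse `${cfg.workDir}` can read `CMD_SESSION_SECRET`. Create it with a restrictive mode instead, e.g. `umask 077` as the first line of the script, or move the secret into sops like the other services on this host. The leftover `#user = "hedgedoc";` next to an `ensureUsers` entry named `codimd` reads like a migration in progress; a comment stating that the service still runs as `codimd` in this module version would explain the mismatch.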


@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.hydra;
in
{
services.hydra = {
enable = true;
listenHost = "127.0.0.1";
port = 3003;
hydraURL = "https://hydra.sbruder.de";
notificationSender = "hydra@sbruder.de";
buildMachinesFiles = [
(pkgs.writeText "hydra-build-machines" ''
# hostname system sshKey maxJobs speedFactor mandatory+supportedFeatures mandatoryFeatures
localhost x86_64-linux - 4 1 kvm,nixos-test
'')
];
useSubstitutes = true;
minimumDiskFreeEvaluator = 10;
minimumDiskFree = 10;
extraConfig = ''
store_uri = file:///data/cache/nix-binary-cache?secret-key=${config.sops.secrets.binary-cache-secret-key.path}
server_store_uri = file:///data/cache/nix-binary-cache
upload_logs_to_binary_cache = true
log_prefix = https://nix-cache.sbruder.de/
'';
};
sops.secrets.binary-cache-secret-key.owner = "hydra-queue-runner";
systemd.services.hydra-queue-runner.serviceConfig = {
SupplementaryGroups = lib.singleton "keys";
Nice = 10;
IOSchedulingPriority = 5;
};
# Hydra uses restricted eval, which by default does not work with flakes that
# use git+https inputs
nix.extraOptions = ''
allowed-uris = https://git.sbruder.de/
'';
services.nginx.virtualHosts."hydra.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${cfg.listenHost}:${toString cfg.port}";
};
};
}
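Review bot: `sops.secrets.binary-cache-secret-key` does not set `sopsFile`, unlike every other service module on this host, and the key is not among the entries of the sops YAML added in this commit (presumably `machines/fuuko/secrets.yaml`), so it depends on a `sops.defaultSopsFile` defined elsewhere; add `sopsFile = ../secrets.yaml;` (or the file that actually holds it) to keep the module self-contained. That key is the trust root for every client listing this cache in `trusted-public-keys`, so a comment next to `store_uri` saying so, and noting that `hydra-queue-runner` is its only reader, would be worthwhile. `allowed-uris = https://git.sbruder.de/` correctly keeps restricted evaluation from fetching from arbitrary hosts.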


@ -0,0 +1,7 @@
{
imports = [
./synapse.nix
./mautrix-whatsapp.nix
./go-neb.nix
];
}


@ -0,0 +1,93 @@
{ config, lib, pkgs, ... }:
let
synapseCfg = config.services.matrix-synapse;
in
{
sops.secrets = {
go-neb-overrides.sopsFile = ../../secrets.yaml;
};
users.users.go-neb = {
isSystemUser = true;
group = "go-neb";
};
users.groups.go-neb = { };
services.go-neb = rec {
enable = true;
bindAddress = "127.0.0.1:8010";
baseUrl = "http://${bindAddress}";
config = {
clients = [
{
UserID = "@alertmanager:${synapseCfg.server_name}";
HomeserverURL = synapseCfg.public_baseurl;
Sync = false;
AutoJoinRooms = false;
DisplayName = "Prometheus Alertmanager";
}
];
services = [
{
ID = "alertmanager_service";
Type = "alertmanager";
UserID = "@alertmanager:${synapseCfg.server_name}";
Config = {
webhook_url = "${baseUrl}/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
rooms = {
"!ceigaGYfREXXSeLFiH:sbruder.de" = {
text_template = "{{ range .Alerts }}{{ if eq .Status \"firing\" }}@room {{ end }}[{{ .Status }}] {{ index .Labels \"alertname\" }}: {{ index .Annotations \"description\" }}\n{{ end }}";
html_template = ''
{{ range .Alerts }}
{{- if eq .Status "firing" }}@room {{ end -}}
{{ $severity := index .Labels "severity" }}
<font{{ if eq .Status "firing" -}}
{{- if eq $severity "critical" }} color="red"
{{- else if eq $severity "warning" }} color="orange"
{{- end -}}
{{- else }} color="green"
{{- end }}>
<strong>{{ if eq .Status "firing" -}}
[firing{{ if ne $severity "" }} - {{ $severity }}{{ end }}]
{{- else -}}
[resolved]
{{- end }}</strong>
</font>
{{ index .Labels "alertname" }}: {{ index .Annotations "description" }} <a href="{{ .GeneratorURL }}">source</a><br/>
{{ end }}
'';
msg_type = "m.text";
};
};
};
}
];
};
};
# Load AccessToken and DeviceID from secret
systemd.services.go-neb = {
serviceConfig = {
RuntimeDirectory = "go-neb";
RuntimeDirectoryMode = "0750";
DynamicUser = lib.mkForce false;
ExecStartPre =
let
baseConfig = pkgs.writeText "config-base.json" (builtins.toJSON config.services.go-neb.config);
in
[
"!${pkgs.coreutils}/bin/install -g go-neb ${config.sops.secrets.go-neb-overrides.path} /run/go-neb/config-overrides.json"
# needs to be run in a shell script for redirection to work
(pkgs.writeShellScript "merge-go-neb-config" ''
${pkgs.jq}/bin/jq \
--slurp \
'. | map(map_values(. | with_entries(.key = (.value.ID // .value.SessionID // .value.UserID)))) | .[0] * .[1] | with_entries(.value = [.value[]])' \
${baseConfig} \
/run/go-neb/config-overrides.json \
> /run/go-neb/config.json
'')
];
};
environment.CONFIG_FILE = lib.mkForce "/run/go-neb/config.json";
};
}
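Review bot: `install -g go-neb ${secret} /run/go-neb/config-overrides.json` has no `-m`, so `install` applies its default mode 0755 and the file holding the Matrix `AccessToken` is world-readable; only `RuntimeDirectoryMode = "0750"` on the parent keeps other local users out. Make the intent explicit with `-m 640`, and add `umask 027` at the top of the merge script for the same reason, since the `>` redirection producing `/run/go-neb/config.json` otherwise inherits the default umask. With `DynamicUser` forced off, the service only runs as the newly created `go-neb` user if the upstream module (not visible here) sets `User`/`Group`; if it does not, add `User = "go-neb"; Group = "go-neb";` to `serviceConfig`, because otherwise go-neb runs as root.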


@ -0,0 +1,78 @@
# somewhat adapted from https://github.com/NixOS/nixpkgs/pull/59211
{ config, lib, pkgs, ... }:
let
synapseCfg = config.services.matrix-synapse;
in
let
config = rec {
homeserver = {
address = synapseCfg.public_baseurl;
domain = synapseCfg.server_name;
};
appservice = rec {
hostname = "127.0.0.1";
port = 29318;
address = "http://${hostname}:${toString port}";
provisioning.shared_secret = "disable";
database = {
type = "sqlite3";
uri = "/var/lib/mautrix-whatsapp/mautrix-whatsapp.db";
};
id = "whatsapp";
bot = {
username = "whatsappbot";
displayname = "WhatsApp bridge bot";
avatar = "mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr";
};
};
whatsapp = {
browser_name = "mx-wa";
os_name = "Mautrix-WhatsApp bridge";
};
bridge = {
command_prefix = "!wa";
delivery_receipts = true;
displayname_template = "{{if .FullName}}{{.FullName}}{{else if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)";
history_sync = {
backfill = true;
};
identity_change_notices = true;
permissions = {
# Only one user since using the name from the address book does not
# work with multiple users
"@simon:${homeserver.domain}" = 100;
};
private_chat_portal_meta = true;
reaction_notices = true;
relay.enable = false;
};
logging.print_level = "info";
};
generatedConfig = pkgs.runCommandNoCC "mautrix-whatsapp-config"
{
buildInputs = with pkgs; [ mautrix-whatsapp ];
}
''
mkdir $out
cat ${pkgs.writeText "mautrix-whatsapp.yaml" (lib.generators.toYAML { } config)} > $out/config.yaml
mautrix-whatsapp -c $out/config.yaml -g -r $out/registration.yaml
'';
in
{
systemd.services.mautrix-whatsapp = {
description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix";
after = [ "network.target" "matrix-synapse.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
StateDirectory = "mautrix-whatsapp";
WorkingDirectory = "/var/lib/mautrix-whatsapp";
ExecStart = "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp -c ${generatedConfig}/config.yaml";
Restart = "on-failure";
};
};
services.matrix-synapse.app_service_config_files = lib.singleton "${generatedConfig}/registration.yaml";
}
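Review bot: `generatedConfig` runs `mautrix-whatsapp -g` inside a derivation, so the freshly generated `as_token`/`hs_token` land in `/nix/store`, which is world-readable on the host and, with Hydra and a binary cache on this same machine, can be copied into the cache as part of the system closure; anyone holding those tokens can act as the bridge towards Synapse. Generate the registration once at first start into the state directory and give Synapse a stable path to read, keeping only the token-free template in the store, as sketched below. Synapse needs read access to that file, which `DynamicUser = true` makes awkward, so a static user with a group shared with `matrix-synapse` may be the simpler route; the trade-off is that later changes to the store template no longer propagate automatically to the copied config.
```nix
systemd.services.mautrix-whatsapp = {
  # … unchanged: description, after, wantedBy …
  preStart = ''
    # first start only: generate tokens outside the world-readable store
    if [ ! -f /var/lib/mautrix-whatsapp/registration.yaml ]; then
      umask 077
      cp ${configTemplate} /var/lib/mautrix-whatsapp/config.yaml
      chmod 600 /var/lib/mautrix-whatsapp/config.yaml
      ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
        -c /var/lib/mautrix-whatsapp/config.yaml \
        -g -r /var/lib/mautrix-whatsapp/registration.yaml
    fi
  '';
  serviceConfig = {
    # … unchanged: DynamicUser, StateDirectory, WorkingDirectory, Restart …
    ExecStart = "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp -c /var/lib/mautrix-whatsapp/config.yaml";
  };
};
services.matrix-synapse.app_service_config_files = lib.singleton "/var/lib/mautrix-whatsapp/registration.yaml";
```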


@ -0,0 +1,153 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.matrix-synapse;
fqdn = "matrix.sbruder.de";
domain = "sbruder.de";
in
{
sops.secrets = {
synapse-registration-shared-secret = {
owner = "matrix-synapse";
sopsFile = ../../secrets.yaml;
};
synapse-turn-shared-secret = {
owner = "matrix-synapse";
sopsFile = ../../secrets.yaml;
};
};
systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys";
services.matrix-synapse = {
enable = true;
server_name = domain;
public_baseurl = "https://${fqdn}";
listeners = lib.singleton {
port = 8008;
bind_address = "127.0.0.1";
type = "http";
tls = false;
x_forwarded = true;
resources = lib.singleton {
names = [ "client" "federation" "metrics" ];
compress = false;
};
};
dataDir = "/data/matrix/synapse";
turn_uris = [
"turns:turn.sbruder.de:5349?transport=udp"
"turns:turn.sbruder.de:5349?transport=tcp"
"turn:turn.sbruder.de:3478?transport=udp"
"turn:turn.sbruder.de:3478?transport=tcp"
];
turn_user_lifetime = "3600000"; # 1h
enable_metrics = true;
# adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
# - set root.level to WARNING instead of INFO
logConfig = builtins.toJSON {
version = 1;
formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
filters.context = {
"()" = "synapse.util.logcontext.LoggingContextFilter";
request = "";
};
handlers.journal = {
class = "systemd.journal.JournalHandler";
formatter = "journal_fmt";
filters = [ "context" ];
SYSLOG_IDENTIFIER = "synapse";
};
root = {
level = "WARNING";
handlers = [ "journal" ];
};
disable_existing_loggers = false;
};
max_upload_size = "50M";
extraConfig = ''
# Im okay with using matrix.org as trusted key server
suppress_key_server_warning: true
'';
extraConfigFiles = with config.sops.secrets; [
synapse-registration-shared-secret.path
synapse-turn-shared-secret.path
];
};
services.postgresql = {
enable = true;
# synapse requires custom databse configuration:
# CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C";
ensureUsers = lib.singleton {
name = "matrix-synapse";
ensurePermissions = {
"DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
};
};
};
services.nginx.virtualHosts = {
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 https://chat.sbruder.de";
locations."/_matrix" =
let
listenerCfg = (lib.elemAt cfg.listeners 0);
in
{
proxyPass = "http://${listenerCfg.bind_address}:${toString listenerCfg.port}";
extraConfig = ''
client_max_body_size ${cfg.max_upload_size};
'';
};
};
"${domain}" = {
enableACME = true;
forceSSL = true;
locations =
let
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
parentHeaders = lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
in
{
"=/.well-known/matrix/server".extraConfig = ''
${parentHeaders}
add_header Content-Type application/json;
return 200 '${builtins.toJSON {
"m.server" = "${fqdn}:443";
}}';
'';
"=/.well-known/matrix/client".extraConfig = ''
${parentHeaders}
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON {
"m.homeserver"."base_url" = "https://${fqdn}";
}}';
'';
};
};
};
}
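Review bot: Both `.well-known/matrix/*` locations set the content type with `add_header Content-Type application/json`, but with `return 200 '...'` nginx still emits its own `Content-Type` from `default_type`, so clients get two conflicting `Content-Type` headers; use `default_type application/json;` in each location instead, since `add_header` is meant for headers nginx does not already produce. The single listener serves `client`, `federation` and `metrics` on one port while nginx forwards only `/_matrix`, which correctly keeps `/_synapse/metrics` and the admin API off the public hostname; a one-line comment on the `resources` block saying that the exposure boundary is nginx's `/_matrix` prefix would stop someone from later adding a `/` proxy. The Postgres comment with the required `CREATE DATABASE ... LC_COLLATE "C"` is useful, and `SupplementaryGroups = [ "keys" ]` with `owner = "matrix-synapse"` matches the other services.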


@ -0,0 +1,62 @@
# This creates a backup of my media files when a specific hard drive is
# hotplugged. The hard drive has a btrfs filesystem inside of a luks container.
# The filesystem can be created with commands similar to this:
# cryptsetup luksFormat --label="fuuko-media-backup-luks" --key-file=/path/to/key /dev/sdb
# mkfs.btrfs -L "fuuko-media-backup" /dev/mapper/media-backup
{ lib, pkgs, ... }:
let
baseDir = "/data/media";
mountPoint = "/mnt/media-backup";
in
{
# Systemd mount units do not support cryptsetup
systemd.services.media-backup-luks = {
after = [ ''dev-disk-by\x2dlabel-fuuko\x2dmedia\x2dbackup\x2dluks.device'' ];
bindsTo = [ ''dev-disk-by\x2dlabel-fuuko\x2dmedia\x2dbackup\x2dluks.device'' ];
unitConfig = {
StopWhenUnneeded = true;
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = "${pkgs.cryptsetup}/bin/cryptsetup open --type luks2 --key-file=${baseDir}/.backup-key /dev/disk/by-label/fuuko-media-backup-luks media-backup";
ExecStop = "${pkgs.cryptsetup}/bin/cryptsetup close media-backup";
};
};
systemd.mounts = lib.singleton {
after = [ "media-backup-luks.service" ];
bindsTo = [ "media-backup-luks.service" ];
unitConfig = {
StopWhenUnneeded = true;
};
what = "/dev/mapper/media-backup";
where = mountPoint;
};
systemd.services.media-backup = {
wantedBy = [ ''dev-disk-by\x2dlabel-fuuko\x2dmedia\x2dbackup\x2dluks.device'' ];
unitConfig = {
RequiresMountsFor = "/mnt/media-backup";
};
script = ''
${pkgs.rsync}/bin/rsync \
--archive \
--delete \
--links \
--partial \
--recursive\
--verbose \
${lib.escapeShellArg baseDir} \
${lib.escapeShellArg mountPoint}
'';
serviceConfig = {
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
Nice = 10;
};
};
}
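Review bot: `rsync --delete` makes the external disk a mirror of `/data/media`, not a backup with history: a deletion, corruption or ransomware run on the server is replicated the next time the disk is plugged in, so the unit should say so, e.g. `# mirror, not versioned: deletions propagate on the next hotplug`. The source `${baseDir}` has no trailing slash, so rsync creates `/mnt/media-backup/media/` rather than mirroring into the mount root — presumably intended, but worth a comment because `--delete` behaves very differently if someone "fixes" it later. The LUKS key file `${baseDir}/.backup-key` sits inside the directory that `media.nix` serves over HTTPS; moving it to e.g. `/root/` (like `/root/luks-data` in hardware-configuration.nix) removes that coupling entirely.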


@ -0,0 +1,14 @@
{
services.nginx.virtualHosts."media.sbruder.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = "/data/media/.htpasswd";
root = "/data/media/";
locations."=/.htpasswd".return = "403";
};
services.nginx-interactive-index.virtualHosts."media.sbruder.de".locations."/".enable = true;
}
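Review bot: The only denied path under `root = "/data/media/"` is `=/.htpasswd`, yet `media-backup.nix` in this same commit stores the LUKS key for the backup disk at `/data/media/.backup-key`, so any client that passes the basic auth can download the key that unlocks the backup drive. Deny every dot-file rather than enumerating them by replacing the `=/.htpasswd` location with `locations."~ /\\.".return = "403";` (a regex location takes precedence over the `/` prefix), and ideally move the key out of the web root altogether. The interactive index module is custom and not visible here, so I am assuming it may list hidden files; even if it does not, the direct GET still works today.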


@ -0,0 +1,193 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.prometheus;
mkStaticTargets = targets: lib.singleton { inherit targets; };
mkStaticTarget = target: mkStaticTargets (lib.singleton target);
in
{
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
webExternalUrl = "https://prometheus.sbruder.de";
globalConfig = {
scrape_interval = "15s";
evaluation_interval = "15s";
};
extraFlags = [
"--storage.tsdb.retention.time=90d"
"--web.enable-admin-api"
];
alertmanagers = [
{
static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
path_prefix = "/alertmanager/";
}
];
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
webExternalUrl = "https://prometheus.sbruder.de/alertmanager";
configuration = {
global.resolve_timeout = "2m";
route = {
receiver = "matrix";
group_by = [ "alertname" ];
group_wait = "3m";
};
receivers = [
{
name = "matrix";
webhook_configs = lib.singleton {
url = (lib.elemAt
(lib.filter
({ ID, ... }: ID == "alertmanager_service")
config.services.go-neb.config.services)
0).Config.webhook_url;
};
}
];
};
};
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = mkStaticTarget "localhost:${toString cfg.port}";
}
{
job_name = "node";
static_configs = mkStaticTargets [
"fuuko.vpn.sbruder.de:9100"
"mayushii.vpn.sbruder.de:9100"
"sayuri.vpn.sbruder.de:9100"
"vueko.vpn.sbruder.de:9100"
"yuzuru.vpn.sbruder.de:9100"
];
}
{
job_name = "aria2";
static_configs = mkStaticTarget "127.0.0.1:9578";
relabel_configs = lib.singleton {
target_label = "instance";
replacement = "torrent.sbruder.de";
};
}
{
job_name = "fritzbox";
static_configs = mkStaticTarget "127.0.0.1:9133";
}
(
let
listenerCfg = (lib.elemAt config.services.matrix-synapse.listeners 0);
in
{
job_name = "synapse";
static_configs = mkStaticTarget "${listenerCfg.bind_address}:${toString listenerCfg.port}";
metrics_path = "/_synapse/metrics";
relabel_configs = lib.singleton {
target_label = "instance";
replacement = "matrix.sbruder.de";
};
}
)
{
job_name = "dnsmasq";
static_configs = mkStaticTarget (with config.services.prometheus.exporters.dnsmasq; "${listenAddress}:${toString port}");
relabel_configs = lib.singleton {
target_label = "instance";
replacement = "fuuko.home.sbruder.de";
};
}
{
job_name = "hcloud";
static_configs = mkStaticTarget config.services.hcloud_exporter.listenAddress;
}
];
rules =
let
mkAlert = { name, expr, for ? "1m", description ? null }: {
alert = name;
inherit expr for;
annotations = lib.optionalAttrs (description != null) { inherit description; };
};
in
[
(lib.generators.toYAML { } {
groups = lib.singleton {
name = "alert.rules";
rules = map mkAlert [
{
name = "InstanceDown";
expr = ''up{instance!~"(sayuri|mayushii).vpn.sbruder.de:.*"} == 0'';
description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for more than 1 minutes.";
}
{
name = "SystemdUnitFailed";
expr = ''node_systemd_unit_state{state="failed"} == 1'';
description = "Systemd unit {{ $labels.name }} on {{ $labels.instance }} has state failed.";
}
{
name = "NodeHighLoad";
expr = ''sum by (instance) (node_load15) / count by (instance) (node_cpu_seconds_total{mode="system"}) > 2'';
for = "15m";
description = "Node {{ $labels.instance }} is having a per-core load 2 for the last 15 minutes.";
}
{
name = "NodeHighMemory";
expr = ''(node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes > 0.9'';
for = "2m";
description = "Node {{ $labels.instance }} is using more than 90% of available RAM.";
}
{
name = "TorrentNoPeers";
expr = "sum by (instance) (aria2_torrent_peers) == 0";
description = "Aria2 instance {{ $labels.instance }} has no peers. There might be a network connectivity problem";
}
];
};
})
];
exporters = {
fritzbox = {
enable = true;
gatewayAddress = "192.168.100.1";
listenAddress = "127.0.0.1";
};
};
};
# get rid of “could not call action: authorization required” every scrape
systemd.services.prometheus-fritzbox-exporter.serviceConfig.StandardOutput = "null";
# exporters that are not part of nixpkgs prometheus infrastructure
services.hcloud_exporter = {
enable = true;
listenAddress = "127.0.0.1:9501";
environmentFile = config.sops.secrets.hcloud_exporter-environment.path;
};
sops.secrets.hcloud_exporter-environment.sopsFile = ../secrets.yaml;
sops.secrets.prometheus-htpasswd = {
owner = "nginx";
sopsFile = ../secrets.yaml;
};
services.nginx.virtualHosts."prometheus.sbruder.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
locations = {
"/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
"/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
};
};
}
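Review bot: `--web.enable-admin-api` in `extraFlags` enables the TSDB admin endpoints (series deletion, snapshots, tombstone cleanup), and the nginx `"/"` location proxies every path, so the basic-auth credential meant for reading dashboards also grants destructive access to the database. If the admin API is only needed for local maintenance, keep it off the proxied surface with `locations."/api/v1/admin/".return = "403";` next to the existing `"/"` entry (the longer prefix wins over `/`), or drop the flag and use the API via `localhost:${toString cfg.port}` only. The `matrix` receiver's URL lookup via `lib.elemAt (lib.filter …) 0` fails with an opaque index error when no go-neb service has `ID == "alertmanager_service"`; `lib.findFirst` with a `throw` naming the missing service would make that failure self-explanatory.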


@ -0,0 +1,89 @@
{ lib, pkgs, ... }:
{
users.users.scan = {
home = "/var/lib/scans";
isSystemUser = true;
group = "scan";
# this is a low-risk account and since the only thing the account can do is
# login to the ftp server from my home network, you can also sniff the
# password since the connection is unencrypted
password = "meeB3laodoo8na3z";
};
users.groups.scan = { };
systemd.tmpfiles.rules = [
"d /var/lib/scans 0755 scan root 7d"
];
sbruder.restic.system.extraExcludes = [ "/var/lib/scans" ];
services.vsftpd = {
enable = true;
writeEnable = true;
localUsers = true;
userlist = [ "scan" ];
extraConfig = ''
# I only want this to be reachable from within my home network. Since
# IPv6 has all ports forwarded, it is disabled here.
listen=YES
listen_ipv6=NO
# users shell is nologin
check_shell=NO
# scans should be readable
local_umask=022
pasv_min_port=30000
pasv_max_port=30009
'';
};
services.nginx.virtualHosts."scan.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/lib/scans";
extraConfig = ''
autoindex on;
allow 192.168.100.0/24;
allow 2001:470:1f0b:abc::/64;
deny all;
'';
};
};
networking.firewall = {
allowedTCPPorts = [ 21 ];
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
};
systemd.services.scan-converter = {
wantedBy = [ "multi-user.target" ];
script = ''
set -euo pipefail
${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
echo "Converting ''${file}"
${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
rm "/var/lib/scans/$file"
done
'';
serviceConfig = {
User = "scan";
Restart = "always";
# systemd-analyze --no-pager security scan-converter.service
CapabilityBoundingSet = null;
PrivateDevices = true;
PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectHome = true;
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
};
};
}
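Review bot: The comment inside `extraConfig` says the FTP server should only be reachable from the home network, and the nginx location enforces that with `allow 192.168.100.0/24 … deny all`, but `networking.firewall.allowedTCPPorts = [ 21 ]` plus the passive range open vsftpd on every interface, including any VPN/WireGuard interface this host has (the prometheus config on this page scrapes `fuuko.vpn.sbruder.de`, so one presumably exists). Scoping the rule to the LAN interface matches the stated intent: `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [ 21 ];` (placeholder interface name) and the same for `allowedTCPPortRanges`. The clear-text `password` for `scan` is committed to the repository and lands in the world-readable Nix store; the comment documents the accepted risk, but `hashedPassword` would keep the literal out of git history without changing what the scanner sends over the wire. `scan-converter` feeds scanner-supplied TIFFs to ImageMagick and is already sandboxed; `ProtectSystem = "strict"; ReadWritePaths = [ "/var/lib/scans" ];` would complete the `systemd-analyze security` set the comment refers to, since the unit only needs to write that one directory.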


@ -0,0 +1,199 @@
{ config, lib, pkgs, ... }:
let
homeDir = "/var/lib/aria2";
downloadDir = "/data/torrent";
sessionFile = "${homeDir}/session";
settings = {
# locations
dir = downloadDir;
# logging
show-console-readout = false;
summary-interval = 0;
# rpc
enable-rpc = true;
# permanent queue
bt-load-saved-metadata = true;
bt-save-metadata = true;
force-save = true;
input-file = sessionFile;
save-session = sessionFile;
save-session-interval = 900; # automatic saving
# network
async-dns-server = "193.138.218.74"; # aria2 does not respect netns resolv.conf
dht-listen-port = 56595;
listen-port = 56718;
interface = "wg-aria";
# limits
max-concurrent-downloads = 65536;
max-overall-download-limit = "6M";
max-overall-upload-limit = "4M";
seed-ratio = 0; # do not stop seeding after reaching ratio
};
toString' = value:
if lib.isBool value
then (if value then "true" else "false")
else (toString value);
configFile = pkgs.writeText "aria2.conf" (lib.concatStringsSep
"\n"
(lib.mapAttrsToList
(k: v: "${k}=${toString' v}")
settings));
mkProxyService = socket: port: {
wantedBy = [ "multi-user.target" ];
after = [ "wireguard-wg-aria.service" ];
partOf = [ "wireguard-wg-aria.service" ];
serviceConfig = {
PrivateNetwork = true;
NetworkNamespacePath = "/run/netns/aria2";
Restart = "always";
ExecStart = "${pkgs.socat}/bin/socat UNIX-LISTEN:${socket},fork,reuseaddr,mode=660,unlink-early TCP:127.0.0.1:${toString port}";
User = "aria2";
Group = "nginx";
# systemd-analyze --no-pager security aria2-rpc-proxy.service
CapabilityBoundingSet = null;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectHome = true;
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
};
};
in
{
users.users.aria2 = {
group = "aria2";
uid = config.ids.uids.aria2;
home = homeDir;
};
users.groups.aria2.gid = config.ids.gids.aria2;
systemd.tmpfiles.rules = [
"d '${downloadDir}' 0775 aria2 users - -"
"d '${homeDir}' 0771 aria2 aria2 - -"
];
sops.secrets.wg-aria-private-key.sopsFile = ../secrets.yaml;
networking.wireguard.interfaces.wg-aria = {
interfaceNamespace = "aria2";
preSetup = "ip netns add aria2 && ip -n aria2 link set lo up";
postShutdown = "ip netns del aria2";
privateKeyFile = config.sops.secrets.wg-aria-private-key.path;
} // (import ../secrets/aria2-wireguard.nix); # potentially sensitive data
environment.etc."netns/aria2/resolv.conf".text = ''
nameserver 193.138.218.74
'';
systemd.services.aria2 = {
description = "aria2 Service";
after = [ "wireguard-wg-aria.service" ];
requires = [ "wireguard-wg-aria.service" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
if [[ ! -e "${sessionFile}" ]]; then
touch "${sessionFile}"
fi
'';
serviceConfig = {
PrivateNetwork = true;
NetworkNamespacePath = "/run/netns/aria2";
Restart = "always";
ExecStart = "${pkgs.aria2}/bin/aria2c --conf-path=${configFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "aria2";
Group = "aria2";
# Increase number of open file descriptors (default: 1024)
LimitNOFILE = 65536;
# systemd-analyze --no-pager security aria2.service
CapabilityBoundingSet = null;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectHome = true;
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
};
};
systemd.services.aria2-rpc-proxy = mkProxyService "${homeDir}/rpc.sock" 6800;
services.aria2_exporter = {
enable = true;
listenAddress = "localhost:9578";
};
systemd.services.aria2_exporter = {
after = [ "wireguard-wg-aria.service" ];
partOf = [ "wireguard-wg-aria.service" ];
serviceConfig = {
PrivateNetwork = true;
NetworkNamespacePath = "/run/netns/aria2";
};
};
systemd.services.aria2_exporter-proxy = mkProxyService "${homeDir}/metrics.sock" 9578;
services.nginx.virtualHosts."torrent.sbruder.de" = {
enableACME = true;
forceSSL = true;
# treated as state
basicAuthFile = "${homeDir}/htpasswd";
locations = {
"/" = {
root = pkgs.AriaNg;
};
"/jsonrpc" = {
proxyPass = "http://unix:${homeDir}/rpc.sock";
proxyWebsockets = true;
};
"/download/" = {
alias = "${downloadDir}/";
extraConfig = ''
autoindex on;
'';
};
"=/metrics" = {
proxyPass = "http://unix:${homeDir}/metrics.sock";
};
};
};
services.nginx.virtualHosts."aria2-metrics" = {
listen = lib.singleton {
addr = "127.0.0.1";
port = 9578;
};
locations."=/metrics" = {
proxyPass = "http://unix:${homeDir}/metrics.sock";
};
};
environment.systemPackages = with pkgs; [
aria2
mktorrent
];
}
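Review bot: `settings` sets `enable-rpc = true` without an `rpc-secret`, so authentication for the JSON-RPC interface rests entirely on nginx's `basicAuthFile`; anything that can open `${homeDir}/rpc.sock` (the socat socket is `mode=660` with `Group = "nginx"`, i.e. every process in that group) or reach `127.0.0.1:6800` inside the `aria2` netns has full control of the downloader. A token cannot simply be added to `settings`, because `configFile` is built with `pkgs.writeText` and would end up in the world-readable store; it would need a runtime-assembled config (e.g. an `ExecStartPre` appending `rpc-secret=` from a sops-managed file) and the exporter and AriaNg would have to present it, which may be why it was left out — a comment stating that decision would help the next reader. `async-dns-server = "193.138.218.74"` is repeated verbatim in `environment.etc."netns/aria2/resolv.conf"`; binding both to one `let` name avoids them drifting apart.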


@ -0,0 +1,35 @@
{ config, ... }:
let
password = "ymfQkXcEqGuk62S";
in
{
services.mosquitto = {
enable = true;
listeners = [
{
users = {
wordclock = {
acl = [
"readwrite wordclock/color/+"
];
inherit password;
};
};
settings = {
allow_anonymous = false;
};
}
];
};
networking.firewall.allowedTCPPorts = [ 1883 ];
services.wordclock-dimmer = {
enable = true;
mqtt = {
user = "wordclock";
inherit password;
host = "localhost";
};
};
}
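Review bot: `password = "ymfQkXcEqGuk62S"` is a clear-text MQTT credential committed to the repository and, through `services.mosquitto.listeners.*.users.wordclock.password` and `services.wordclock-dimmer.mqtt.password`, written into the world-readable Nix store. The mosquitto module provides `passwordFile` (or `hashedPasswordFile`) for this, and the rest of this change already has sops wired up: `passwordFile = config.sops.secrets.<wordclock-mqtt-secret>.path;` (placeholder secret name) in place of `inherit password;` — the `wordclock-dimmer` side would need a file-based option too, and I cannot tell from here whether it has one. Port 1883 is opened on all interfaces for plain-text MQTT, so the credential is also observable on the wire; restricting `networking.firewall.allowedTCPPorts` to the LAN interface would limit that.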


@ -0,0 +1,22 @@
# mayushii
## Hardware
ThinkPad P14s AMD Gen2 (≈ T14 AMD Gen2).
* [AMD Ryzen 7 PRO 5850U](https://www.amd.com/en/products/apu/amd-ryzen-7-pro-5850u) (= Ryzen 7 5800U + “PRO Management”)
* 32 GiB DDR4 3200 MHz non-ECC memory
* 1TB Samsung PM981a NVMe SSD
* 1920×1080 IPS 400nits screen
* Realtek RTL8852AE Wireless
Often used docked to a ThinkPad USB-C Dock Gen2 (40AS),
because paying 300€ for a mechanical dock is ridiculous.
## Purpose
It is my daily driver so it does everything (except server stuff obviously).
## Name
Mayuri Shiina is a student from *Steins;Gate*


@ -0,0 +1,65 @@
{ pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
../../users/simon
];
sbruder = {
games = {
enable = true;
performanceIndex = 8;
};
gui.enable = true;
media-proxy.enable = true;
mullvad.enable = true;
restic.system.enable = true;
unfree.allowSoftware = true;
wireguard.home.enable = true;
};
virtualisation.libvirtd = {
enable = true;
qemu.package = pkgs.qemu_kvm;
};
services.samba = {
enable = true;
securityType = "user";
extraConfig = ''
interfaces = 192.168.122.1
bind interfaces only = yes
map to guest = bad user
load printers = no
printing = bsd
disable spoolss = yes
usershare max shares = 0
acl allow execute always = True
'';
shares = {
qemu = {
path = "/home/simon/.cache/vm-share";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"force user" = "simon";
};
};
};
networking.firewall.trustedInterfaces = [ "virbr0" ];
services.tor = {
enable = true;
client.enable = true;
};
services.privoxy = {
enable = true;
enableTor = true;
};
networking.hostName = "mayushii";
system.stateVersion = "21.05";
}
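Review bot: `networking.firewall.trustedInterfaces = [ "virbr0" ]` exempts the whole libvirt bridge from the firewall, so every service on the host is reachable from any guest, while the samba block binds only to `192.168.122.1` and the share is all the guests need; `networking.firewall.interfaces.virbr0.allowedTCPPorts = [ 139 445 ];` keeps the share reachable without exposing the rest. The share itself combines `"guest ok" = "yes"`, `"force user" = "simon"` and `"read only" = "no"`, so an unauthenticated guest writes into `/home/simon/.cache/vm-share` as the user account — acceptable for trusted VMs, but worth a comment stating that assumption. The same libvirt/samba/tor/privoxy block is added almost verbatim to the sayuri configuration further down this page (only `path` differs); a shared module under `../../modules` taking the share path as an option would keep the two from diverging.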


@ -0,0 +1,64 @@
{ config, lib, modulesPath, pkgs, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
kernelModules = [ "kvm-amd" ];
loader = {
grub.enable = false;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
availableKernelModules = [ "aesni_intel" "cryptd" "nvme" "sd_mod" "sdhci_pci" "usb_storage" "xhci_pci" ];
luks.devices = {
root = {
name = "root";
device = "/dev/disk/by-uuid/16d97095-34d2-4422-819c-d1ddc9c3ce1e";
preLVM = true;
allowDiscards = true;
};
};
};
extraModprobeConfig = ''
options thinkpad_acpi fan_control=1
'';
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/cd7ed921-4b59-4de4-b39e-9679571ce034";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/861A-D1A2";
fsType = "vfat";
};
};
powerManagement = {
cpuFreqGovernor = "schedutil";
};
services.tlp = {
enable = true;
settings = {
START_CHARGE_THRESH_BAT0 = 75;
STOP_CHARGE_THRESH_BAT0 = 92;
USB_DENYLIST = lib.concatStringsSep " " [
];
};
};
# logind fails to detect that the system is still docked when the external
# monitor is switched off via dpms
services.logind.lidSwitchExternalPower = "ignore";
environment.systemPackages = with pkgs; [
radeontop
];
}
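Review bot: `USB_DENYLIST = lib.concatStringsSep " " [ ]` always evaluates to the empty string, so the TLP setting is dead configuration; either drop it or leave a comment such as `# placeholder: USB ids that must never be autosuspended` so the next reader knows it is intentional. `allowDiscards = true` on the LUKS root is a deliberate trade-off (TRIM passes through the container and reveals which blocks are unused); a one-line comment next to it would document that it was chosen on purpose, as the logind setting further down already does for its own quirk.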


@ -0,0 +1,52 @@
wg-home-private-key: ENC[AES256_GCM,data:ZPPEuIOKCAEv6uN3ZmQpf1SfaQdzUORYBv6u91/rm9g/nxHww6b3umL8eDc=,iv:wtIEEbs6RbINbouW/qc/T1lm4s+5+n27co2AKu2IfTs=,tag:QOpNmYWGYD10DQJtKqIAzw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-10-05T18:14:40Z"
mac: ENC[AES256_GCM,data:Uck/kX7BE3gqpMD8wgsksEX3DKzNSUinSRAPqpafH5UbVfQLYVOD637j7wltrtcHSOLjqGSrSbf6jhql/Ve3yTthYB72cHKcJ1UOk5cTD9xCpUJCx56Eid0yj9UZpifIM3PLRjnqqZFF2TYa/s8HcmsY4uvcN+U5dyXYpS6XYMU=,iv:2mhjUTxjU9xH0wFS0ZbgQ3GYRL+8BQboeQuVBpAQvsI=,tag:ZhAKuPo6iPE8890tkxHdaw==,type:str]
pgp:
- created_at: "2021-10-05T18:14:16Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=Fru9
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: "2021-10-05T18:14:16Z"
enc: |
-----BEGIN PGP MESSAGE-----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=7LEL
-----END PGP MESSAGE-----
fp: 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -1,21 +0,0 @@
# nunotaba
## Hardware
ThinkPad T440 with mods to make it acceptable:
* Touchpad is changed for the T450s, which has physical mouse buttons (I
fucked up during the installation and the touchpad part does not work, so it
does not need to be disabled in software).
* Screen has a resolution of 1920×1080 and has an IPS panel
It is used standalone or in on a docking station that connects it to an
external mouse, keyboard and monitor (Dell U2410).
## Purpose
It is my daily driver so it does everything (except server stuff obviously).
## Name
Shinobu Nunotaba is a student/scientist from *A Certain Scientific Railgun*


@ -1,33 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
../../users/simon
];
sbruder = {
cpu.intel.enable = true;
docker.enable = true;
games.enable = true;
gpu.intel.enable = true;
gui.enable = true;
libvirt.enable = true;
media-proxy.enable = true;
restic.enable = true;
ssd.enable = true;
unfree.allowSoftware = true;
wireguard.home = {
enable = true;
address = "10.80.0.4";
};
};
services.tor = {
enable = true;
client.enable = true;
};
networking.hostName = "nunotaba";
}


@ -1,43 +0,0 @@
{ config, lib, modulesPath, pkgs, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2KB480G7_PHYS749202D6480BGN";
initrd = {
availableKernelModules = [ "ahci" "ehci_pci" "rtsx_pci_sdmmc" "sd_mod" "usb_storage" "usbhid" "xhci_pci" ];
kernelModules = [ "dm-snapshot" ];
luks.devices = {
root = {
name = "root";
device = "/dev/disk/by-uuid/f3a2fa57-581b-4e95-9a45-d61cda9edc54";
preLVM = true;
allowDiscards = true;
};
};
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/8937d1ac-23cb-456f-9c16-e348acc66bb7";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/da2e90cc-1e0c-4691-8807-5d2f4858df6e";
fsType = "ext2";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/b9ad2d56-fee0-49df-98c1-00d93d991b9f"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}


@ -5,13 +5,16 @@
HP Z440 workstation. HP Z440 workstation.
* [Intel Xeon E5-1620 v4](https://ark.intel.com/content/www/us/en/ark/products/92991/intel-xeon-processor-e5-1620-v4-10m-cache-3-50-ghz.html) * [Intel Xeon E5-1620 v4](https://ark.intel.com/content/www/us/en/ark/products/92991/intel-xeon-processor-e5-1620-v4-10m-cache-3-50-ghz.html)
* 16 GiB DDR4 ECC memory * 16 GiB DDR4 2400 MHz ECC memory
* 250GB Samsung 970 Evo Pro NVMe SSD
* 256GB micron SSD * 256GB micron SSD
* 2TB Toshiba HDWA120 HDD
* Sapphire Nitro+ Radeon RX 480 * Sapphire Nitro+ Radeon RX 480
## Purpose ## Purpose
FIMXE Tasks that benefit from parallel computing, require a decent amount of GPU
power or possibly even both.
## Name ## Name


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = [ imports = [
@ -8,31 +8,90 @@
]; ];
sbruder = { sbruder = {
cpu.intel.enable = true; games = {
docker.enable = true; enable = true;
games.enable = true; performanceIndex = 8;
gpu.amd.enable = true; };
gui.enable = true; gui.enable = true;
libvirt.enable = true;
media-proxy.enable = true; media-proxy.enable = true;
restic = { mullvad.enable = true;
restic.system = {
enable = true; enable = true;
extraPaths = [ extraPaths = [
"/data" "/data"
]; ];
}; };
ssd.enable = true;
unfree.allowSoftware = true; unfree.allowSoftware = true;
wireguard.home = { wireguard.home.enable = true;
enable = true; };
address = "10.80.0.5";
}; virtualisation.libvirtd = {
enable = true;
qemu.package = pkgs.qemu_kvm;
}; };
services.tor = { services.tor = {
enable = true; enable = true;
client.enable = true; client.enable = true;
}; };
services.privoxy = {
enable = true;
enableTor = true;
};
services.samba = {
enable = true;
securityType = "user";
extraConfig = ''
interfaces = 192.168.122.1
bind interfaces only = yes
map to guest = bad user
load printers = no
printing = bsd
disable spoolss = yes
usershare max shares = 0
acl allow execute always = True
'';
shares = {
qemu = {
path = "/data/cache/win10/shared";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"force user" = "simon";
};
};
};
networking.firewall.trustedInterfaces = [ "virbr0" ];
networking.hostName = "sayuri"; networking.hostName = "sayuri";
system.stateVersion = "20.03";
specialisation = {
foldingathome.configuration = {
services.foldingathome = {
enable = true;
user = "sbruder";
};
};
intel-sucks.configuration = {
# https://make-linux-fast-again.com/
boot.kernelParams = [
"l1tf=off"
"mds=off"
"mitigations=off"
"no_stf_barrier"
"noibpb"
"noibrs"
"nopti"
"nospec_store_bypass_disable"
"nospectre_v1"
"nospectre_v2"
"tsx=on"
"tsx_async_abort=off"
];
sbruder.gui.enable = lib.mkForce false;
};
};
} }
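Review bot: The `intel-sucks` specialisation boots with every speculative-execution mitigation disabled (`mitigations=off`, `nospectre_v1`/`v2`, `nopti`, `tsx=on`, `tsx_async_abort=off`, …) on a host that in the same change gains libvirt VMs and a samba share reachable from them; the only documentation is the make-linux-fast-again link, which does not say what is being given up. A comment stating the constraint would help, e.g. `# Disables all CPU side-channel mitigations: only boot this for trusted, local workloads (no untrusted VMs or browsers)`, and `sbruder.gui.enable = lib.mkForce false` suggests that is already the intent. The enclosing `sbruder` attribute set's hunk starts mid-file, so I cannot see whether anything else there depends on these specialisations.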


@ -8,14 +8,14 @@
boot = { boot = {
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
loader.grub.device = "/dev/disk/by-id/ata-MTFDDAK256TBN-1AR15ABHA_UFZMQ01ZR50NMM"; loader.grub.device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNJ0N412342P";
initrd = { initrd = {
availableKernelModules = [ "ahci" "ehci_pci" "sd_mod" "usb_storage" "usbhid" "xhci_pci" ]; availableKernelModules = [ "aesni_intel" "ahci" "ehci_pci" "nvme" "sd_mod" "sr_mod" "usb_storage" "usbhid" "xhci_pci" ];
kernelModules = [ "dm-snapshot" ]; kernelModules = [ "dm-snapshot" ];
luks.devices = { luks.devices = {
root = { root = {
name = "root"; name = "root";
device = "/dev/disk/by-uuid/d7e4d213-8a13-4059-a011-0f68081e86d8"; device = "/dev/disk/by-uuid/1607bb2a-329b-4252-b11a-b43eb6b7bf0c";
preLVM = true; preLVM = true;
allowDiscards = true; allowDiscards = true;
}; };
@ -25,29 +25,56 @@
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-uuid/024e31ab-aa98-4070-95be-7980043541ac"; device = "/dev/disk/by-uuid/9e6b279e-6995-44da-b673-21b9e23a5278";
fsType = "ext4"; fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
}; };
"/boot" = { "/boot" = {
device = "/dev/disk/by-uuid/c5bde64b-c629-438d-a78b-c4341796dae9"; device = "/dev/disk/by-uuid/7b8b75d2-f779-4a49-b09d-b2a1bbd801bb";
fsType = "ext2"; fsType = "ext2";
}; };
"/data" = { "/data" = {
device = "/dev/mapper/data"; device = "/dev/mapper/data";
fsType = "btrfs";
options = [ "compress=zstd" ];
encrypted = { encrypted = {
label = "data"; label = "data";
enable = true; enable = true;
blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a"; blkDev = "/dev/disk/by-uuid/7f4ba71e-3aca-4294-b37f-49f37b584dbd";
keyFile = "/mnt-root" + toString <secrets/luks-data>; keyFile = "/mnt-root/root/luks-data";
};
};
"/data/ssd" = {
device = "/dev/mapper/data-ssd";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
encrypted = {
# !!! HACK
label = "data-ssd --allow-discards";
enable = true;
blkDev = "/dev/disk/by-uuid/41baa168-7fa0-4eb3-b314-50766ddf126d";
keyFile = "/mnt-root/root/luks-data";
}; };
}; };
}; };
swapDevices = [ swapDevices = [
{ device = "/dev/disk/by-uuid/78f5277f-a6e5-4297-99cd-d3ea5de5317e"; } { device = "/dev/disk/by-uuid/2774d182-ddc9-4d79-886e-995fcd60a88a"; }
]; ];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
# GPU
hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd
];
environment.systemPackages = with pkgs; [
clinfo
radeontop
rocm-smi
];
} }
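Review bot: `label = "data-ssd --allow-discards"` (marked `# !!! HACK`) presumably works only because the `encrypted` module interpolates the label unquoted into its `cryptsetup open` command line, so the trailing text becomes an extra flag; a quoting fix upstream would turn it into a literal mapper name and make `/data/ssd` fail to mount at boot. The comment should say what the hack depends on and what to re-check, e.g. `# HACK: relies on the encrypted module passing the label unquoted to cryptsetup so that --allow-discards is applied (needed for discard=async on this SSD); re-verify after each nixpkgs bump.`. Moving the key to `/mnt-root/root/luks-data` (off the store path the old line used) is the right direction and is not re-raised here.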


@ -0,0 +1,51 @@
wg-home-private-key: ENC[AES256_GCM,data:0KVRmI3QrtLF5rPwL1XjVcI1q3UT8iJojXrzXhnvdyDiDAh6zk1ppPwZ/tM=,iv:CWkCy9EBT7zubB9BsnIp95fdc1/aSzBzBcgjWaiROzE=,tag:beDPXpB/L2c3+jwoJvKJwg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
lastmodified: '2021-04-10T09:42:48Z'
mac: ENC[AES256_GCM,data:kKi9fAbikpohqIUEBR8c5ge0/fStxkrnWXfVhPvQMMeMO+rN/UPHpHJJMCC/v6TjFMC5ckTKTBflpGWL7xYiREoKONLIx9tMtaH02NrTs/MxVJZ4Ji+GKG0TY8mKGfidoJ4tM6a+8Yk1kgugeePmRXwCJDQKxQyEFyZ3BNKMxcA=,iv:l0OmGCg+DTs9KuFj2ZdW5DDH/0kKxjjX3ej43+X9x5c=,tag:/x8CigyZZJQIV3ZvqqVeXg==,type:str]
pgp:
- created_at: '2021-04-10T09:42:21Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAwDgSONkM+d4ARAA491uKx1mGdZ4QpjGkVeS5O8UowNdiLAvSnBZ31BGbzQc
MrGffPpaDJgjxRfZ4yaGVra8OKOsGg5gAinTc+SCNaHjhIqKFpyQbKjFUDGlu4RW
9flBowWQzz0VP475zxTALQ2i9ZrDdAIBMtycA3XdcZx241h4Ty5gvnB8WIqNp0+n
9RpOtK4jEZ+SSJXSGlI2RR+3cEI863N0PidepFf4wsqKhWvv34p9kQ3rVCt8VTMG
pPelbcxLdx6JfVXFKHSKjJApW+cOUcaVwOU27GefWHclanZWMOYsl16+eGKnmSqB
sTiH7z9o0khVxU5vVq6+q63Xu9reaBoAHIq/tTwpTswxGhAoY4CXbPqK1pVFcnKV
RfIxkjYffYR9x5W1zWuLoVwC3ueknGWj6g79aMVtcC8lJoRWT/w+GOdwW7lJGex1
W56n2+jcnnWtL2ljvUz3AuoJlx3dluquX1Q7H/76U8Gy0FN2TzgBoQw0jo6kvnX9
BDLzN/mtA7ph0oWDMCdDSKMW3OBWg3C9Ak+nmV67mIDnysNRfT93fi2OJ7Y5Tb1p
KuoodOOo7BqS8hbiS9G4ZUImGECb+GlivwuuoJ7LPrEPdvn87cWzsjDimTyQLgPi
RlFPVpw5nsVy8UihVvs/tj7LX99O4B1NNxXlW0Yj1qgcOhPBpvDcNms3o9GK+cDS
XgGalgUfb4BNzDclTwNYVILdNYM9AG9Ic5iJCZDNVtUXN65ptHHlCtiut08hqbFV
2+mMRJvH5gRTI1l+ZDAoHRV2LgWcn5s7xjENksx28xes9qH94GhWFK+b0yeoMKw=
=XxbY
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: '2021-04-10T09:42:21Z'
enc: |
-----BEGIN PGP MESSAGE-----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=w8xW
-----END PGP MESSAGE-----
fp: 17FEEBB45E4245330507C960653378F10CA6E00A
unencrypted_suffix: _unencrypted
version: 3.6.0

15
machines/vueko/README.md Normal file

@ -0,0 +1,15 @@
# vueko
## Hardware
[Hetzner Cloud](https://hetzner.com/cloud) CX11 (1 vCPU, 2 GB RAM, 20 GB SSD).
It has no swap, since the disk is already small enough.
## Purpose
It provides services that should not be down that often and dont require much
disk space.
## Name
Vueko is a character from *Made in Abyss*


@ -0,0 +1,119 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/coturn.nix
./services/element-web.nix
];
sbruder = {
nginx.hardening.enable = true;
restic.system.enable = true;
wireguard.home.enable = true;
full = false;
mailserver = {
enable = true;
fqdn = "vueko.sbruder.de";
domains = [
"kegelschiene.net"
"sbruder.de"
];
users = import ./secrets/mail-users.nix;
rejectSenders = import ./secrets/mail-reject-senders.nix;
};
};
networking.hostName = "vueko";
system.stateVersion = "20.09";
# sadly, too many (legitimate) mail servers have broken dnssec on reverse
# lookups
services.resolved.dnssec = "false";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"vueko.sbruder.de" = {
enableACME = true;
forceSSL = true;
default = true;
root = pkgs.sbruder.imprint;
};
"dav.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:5232";
};
"mumble.sbruder.de" = {
enableACME = true;
forceSSL = true;
};
"bangs.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8000";
};
};
};
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
];
services.radicale = {
enable = true;
settings = {
auth = {
type = "htpasswd";
htpasswd_encryption = "bcrypt";
htpasswd_filename = toString (pkgs.writeText
"radicale-htpasswd"
(lib.concatMapStringsSep
"\n"
({ address, passwordHash, ... }: "${address}:${passwordHash}")
config.sbruder.mailserver.users));
};
};
};
sops.secrets.murmur-superuser = {
owner = config.users.users.murmur.name;
sopsFile = ./secrets.yaml;
};
users.users.murmur.isSystemUser = true; # Infinisils module does not set that
services.murmur = {
enable = true;
openFirewall = true;
superuserPasswordFile = config.sops.secrets.murmur-superuser.path;
acmeDomain = "mumble.sbruder.de";
config = {
bandwidth = "128000";
obfuscate = true;
logfile = ""; # log to stdout
channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
username = "[-_a-zäöüß]+|SuperUser";
};
};
services.bang-evaluator = {
enable = true;
listenAddress = ":8000";
};
}
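Review bot: `services.bang-evaluator.listenAddress = ":8000"` binds on all addresses, while nginx only ever proxies to `http://localhost:8000`; `listenAddress = "127.0.0.1:8000";` keeps the unauthenticated backend off the public and VPN interfaces instead of relying on the firewall allow list. The radicale `htpasswd_filename` is built with `pkgs.writeText` from `config.sbruder.mailserver.users`, so every mail user's `passwordHash` is copied into the world-readable Nix store; if those hashes are bcrypt (as `htpasswd_encryption = "bcrypt"` requires — I cannot confirm from here) the exposure is limited, but writing the file at activation time with restrictive permissions would avoid it. The comment on `services.resolved.dnssec = "false"` gives the reason; it is worth adding that the setting disables validation for every lookup on the host, not only mail.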


@ -0,0 +1,49 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
kernelModules = [ ];
extraModulePackages = [ ];
kernelParams = [ "ip=dhcp" ];
initrd = {
availableKernelModules = [ "aesni_intel" "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
kernelModules = [ ];
network.enable = true; # remote unlocking
luks.devices."root".device = "/dev/disk/by-uuid/9d3f544f-d502-4788-8187-1378a9ee0103";
};
loader.grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/cad3325d-775d-4771-bb2d-7beaff9dbaf1";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/52c65d2f-2208-48aa-9d0a-592bca2ecfe3";
fsType = "ext2";
};
};
networking.useDHCP = false;
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
address = [ "2a01:4f8:1c1c:4397::/64" ];
gateway = [ "fe80::1" ];
};
};
};
# no smart on qemu disk
services.smartd.enable = false;
}


@ -0,0 +1,54 @@
murmur-superuser: ENC[AES256_GCM,data:jTVEa1KmbGAIxxFS2/uIlDCnnJTtGmKFZQ==,iv:YJIfcXlgKEwIRzFEY94dgReNjWZqLAqL0Rb6TG4IHIE=,tag:MVzaRkb24QyyNyFCEMwmzQ==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str]
turn-static-auth-secret: ENC[AES256_GCM,data:Nz94xw5sBuAgEqVpwiV44Rd3km16H46X6jVf2gzE+mbbVt2TXExv/7yegQtXI++eBo6q4wbpOfxwl0b1Pvsa/A==,iv:HSdqj43Vmq5McWAbMoxeNUa38UD75Xe4PJEwY5mKjOQ=,tag:cFpFsVwhisWt7JMMzJemCA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-12-01T16:49:21Z"
mac: ENC[AES256_GCM,data:wLy9If4/YdAVILwz1vSzCQsjG0U8Z2GvpME/+xW9pS/xmKoXTwaxP2QQpy8ReTmtikpbKS327j5pz2dSMiweqaUFSVb1nIEvUFxV4PKnxf5ubJalPZAGa82Cw0aassMKz0IAd8rDF/xK9RoB3ayRluYKAP/qnbEcFrys0BokGE0=,iv:Yw3tG1J135QImJqXEGrpSq3k8Lo++uUXfEKmCCNCpDg=,tag:FChnsJ1qIzalpVypMIilrg==,type:str]
pgp:
- created_at: "2021-04-06T11:13:54Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=JlIF
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: "2021-04-06T11:13:54Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzy5uO/X/tdJAQ/9Hx6h7IIjr4vwFPC3UCx07rt/lljWHwqA8d8bN3VIcVWJ
39doJ3DigerCeZWZo/5Wvdm1TBLnbvnQndl+7EcP5mbAuGUmNo2VajTBOkFoySLa
A6g0HwkztuftjtxQV2ICunw1NEsqBCWlNKziGKBjEzsDgOuXLzIaN5ArJAkiUFel
kH8jGyHCP6W+nplHE1zOD20SA/oIyRfLW1m+G7d8KU6EuluaPSgASocS6t4oGtsG
gnApj6WwWOdM3tDefxtYxa/PlPDXo4gj+Dhak6mOMK88UW/wrDC/f4fYL9JrILmT
ImjtA+BIWCI9nLkeo3FTTFhtfr+evOhCsLc8qGL/NMCVZOXB0gK7rpCsReBRQS09
4t2KGI1Jti01rNFYvdTN16o59+oF0DoFYnE2dXHAnBA4jmWt+9eDqd5TPmlsuIyr
XBiqBcKK+1z0/3ad7nv7vb8jOYkUjKasJl+qhLUaUD5ehojfaCawDMUVia7Y2k72
yS77m3m/hCEq0vVvUvMev7hvSTKbfQy3gQkjcnWGavbFfdz64pVBI/KgSJPBM5YE
1VFRFZIf30wOF9Xlt++9Cc6xFMQH9JVLG/WouK5On4mfdWwcfnMLgpu83qmYtS6b
30hYAuuqKUwWDMbZtXsYOrfb6HXGqs0mtBfpJzgFaiZyHyIVVhb/blXF4ML4dfnS
UAGUryszfSsH+ag2oerNKEaDFmgdktmL0FdpP3ycf2qVkMmBNbTpTf2BZaVPcrzF
mSfsOU6k+KcWtXYpurZr31zUVK626Re0fsr5XbPSj+9G
=Grqu
-----END PGP MESSAGE-----
fp: BB046D773F54739757553A053CB9B8EFD7FED749
unencrypted_suffix: _unencrypted
version: 3.7.1

Binary file not shown.

Binary file not shown.


@ -0,0 +1,78 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.coturn;
fqdn = "turn.sbruder.de";
ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ];
in
{
sops.secrets.turn-static-auth-secret = {
owner = "turnserver";
sopsFile = ../secrets.yaml;
};
services.coturn = {
enable = true;
# config adapted from synapses turn howto:
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
use-auth-secret = true;
realm = fqdn;
# the NixOS module does not support loading the secret from a dedicated file
static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;
no-tcp-relay = true;
cert = "/run/turnserver/fullchain.pem";
pkey = "/run/turnserver/key.pem";
min-port = 49160;
max-port = 49200;
listening-ips = ipAddresses;
relay-ips = ipAddresses;
no-cli = true;
extraConfig = ''
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
user-quota=12
total-quota=1200
'';
};
systemd.services.coturn = {
after = [ "acme-finished-${fqdn}.target" ];
serviceConfig = {
ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" ''
cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
chgrp turnserver /run/turnserver/{fullchain,key}.pem
''}";
};
};
security.acme.certs."${fqdn}".postRun = ''
if systemctl is-active coturn; then
systemctl --no-block restart coturn
fi
'';
services.nginx.virtualHosts."${fqdn}" = {
enableACME = true;
forceSSL = true;
};
networking.firewall = {
allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
allowedUDPPortRanges = lib.singleton {
from = cfg.min-port;
to = cfg.min-port;
};
};
}
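Review bot: The UDP relay range opened in `networking.firewall.allowedUDPPortRanges` uses `cfg.min-port` for both bounds, so only port 49160 is reachable from outside while coturn allocates relays from 49160 to 49200; the upper bound should be `to = cfg.max-port;`. The `denied-peer-ip` list in `extraConfig` covers the three RFC 1918 ranges but, as far as I can see, not loopback, link-local or the IPv6 ULA/link-local ranges, so relaying to those is still permitted — the synapse howto the comment references lists a longer set, worth mirroring if that was the intent. The `coturn-setup-tls` script copies the ACME files with `cp` and only changes the group, so the key's mode comes from the ACME directory; an explicit `chmod 640` next to the `chgrp` would make the intended permissions visible in the config.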


@ -0,0 +1,53 @@
{ lib, pkgs, ... }:
let
# This uses
# https://github.com/vector-im/element-web#configuration-best-practices
# but allows to disable the frame-ancestors rule for /usercontent/.
mkSecurityHeaders = withFrameOptions: ''
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
'' + lib.optionalString withFrameOptions ''
add_header Content-Security-Policy "frame-ancestors 'none'";
'' + lib.optionalString (!withFrameOptions) ''
add_header Content-Security-Policy "frame-ancestors 'self'";
'';
in
{
services.nginx.virtualHosts."chat.sbruder.de" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web;
extraConfig = mkSecurityHeaders true;
locations."/usercontent/".extraConfig = mkSecurityHeaders false;
# nixpkgss override mechanism doesnt allow overriding of all options
locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.sbruder.de";
server_name = "matrix.sbruder.de";
};
};
showLabsSettings = true;
branding = {
authFooterLinks = [ ];
};
piwik = false;
defaultCountryCode = "DE";
settingDefaults = {
"UIFeature.feedback" = false;
"UIFeature.shareSocial" = false;
"UIFeature.identityServer" = false;
"UIFeature.thirdPartyId" = false;
};
disable_custom_urls = true;
jitsi.preferredDomain = "meet.jalr.de";
disable_guests = true;
disable_3pid_login = true;
desktopBuilds.available = false;
});
};
}
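Review bot: The `locations."/usercontent/".extraConfig` block uses `add_header`, which makes nginx drop every `add_header` inherited from the http level for that location — the same redefinition issue the nitter config in this commit works around with `parentHeaders` — so only the three headers from `mkSecurityHeaders` are sent there and anything set in `commonHttpConfig` is missing on /usercontent/. The helper can also be written without the two `optionalString` branches: `add_header Content-Security-Policy "frame-ancestors ${if withFrameOptions then "'none'" else "'self'"}";`. The comment above it says the frame-ancestors rule is disabled for /usercontent/, but the code relaxes it to `'self'` rather than removing it; `# but relaxes frame-ancestors to 'self' for /usercontent/` would match what the code does.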

18
machines/yuzuru/README.md Normal file

@ -0,0 +1,18 @@
# yuzuru
## Hardware
[Hetzner Cloud](https://hetzner.com/cloud) CX11 (1 vCPU, 2 GB RAM, 20 GB SSD).
It has no swap, since the disk is already small enough.
## Purpose
It provides privacy-friendly proxies/alternatives to popular web services:
* Invidious
* Libreddit
* Nitter
## Name
Yuzuru Nishimiya is a character from *A Silent Voice*


@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/invidious
./services/libreddit.nix
./services/nitter.nix
./services/sbruder.xyz
./services/schabernack.nix
];
sbruder = {
nginx.hardening.enable = true;
wireguard.home.enable = true;
full = false;
trusted = false;
};
networking.hostName = "yuzuru";
system.stateVersion = "21.05";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
services.journald.extraConfig = ''
MaxRetentionSec=1week
'';
}


@ -0,0 +1,39 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd.kernelModules = [ "nvme" ];
loader.grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/b8ceb0bf-1a67-484b-bf57-c16653c23716";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
};
};
networking = {
useDHCP = false;
usePredictableInterfaceNames = false;
interfaces.eth0 = {
useDHCP = true;
ipv6.addresses = lib.singleton {
address = "2a01:4f9:c010:e4a7::";
prefixLength = 64;
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
};
# no smart on qemu disk
services.smartd.enable = false;
}


@ -0,0 +1,53 @@
invidious-extra-settings: ENC[AES256_GCM,data:sWvf8ASNUTmdRj9HTsXCkPDg0yQ+Hc+ddnHst72pGBKq0403o5erMzudPm5TVvTEzHeeNDB5d+lTt760s6S2diUMc8l/k3G8Z9loYf0Dpx7o,iv:vqyzZ2B4WQB7AmGDp64nu+Xi+6Jxm6m7D3SUfYq0DZs=,tag:aeQQLerfBEjkpi1NW1x2jw==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:KIUvsIhz2Rc4uHRQla714xfOxL9ke1WzRAbXVTDd6UyNkYQkuYIxIpmXQw4=,iv:usnONR35DtIVH2CV4tGSBz5FsZyMlEDzSQiYLDQLRnw=,tag:M1V4HhtByXogMacjajl1iw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-09-08T16:21:04Z"
mac: ENC[AES256_GCM,data:8Q52a8+6mO/LCjNR7yo4olqz8fJIqus7XUZ6FtRzzlEGeYvkBD6zFuz0QJBUl8gRtmj04tQWUn4fEKz8LApSluHXHoBv4/WVBNm/vL9T2k7SiAJmxhbU5wZmNt+Hg++Kvn8yZ6KXgpG6KVl5qu+/CHuJu2m39AvpTj9NJ+ThCUc=,iv:r037pF9rVUqe87+D7pVjxqgFM/hFALSWHFx8kB/fXFk=,tag:GsA95+KyajrKb5XMpVOB2g==,type:str]
pgp:
- created_at: "2021-09-08T16:11:14Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAwDgSONkM+d4ARAAhB2PfDQ+KeTI22tc2i4Bc5mVUMDHVpUFn81GzEubwrL0
xKqhDgCYfOogahJ7nvor/kLo0YSQuNs8mSJEgnBVnC4GnzeTQucJ5y8Ke/erBV0P
xscrZSINv4XtUllGFKc6LcKC+J9sbEcjDUMLwTiMBMcnhjm6mjOkT46ldIwXfnVq
vbKaVvUj0U/6awt0f/mqmce8PNfHzJ6rubcEEplBTLG/Qu+tmYFNVcWtsmP21SCt
u3Va9JeKmkIa83MY1khtnpSA2rnUa/acZL7vTRTcpCh8qvShtfoMrn9BKTjFhV6i
ggrkZKf4StJ+A1wgqw2IbwTH+M+5FM5loI4/9xQnkPkyiJIQByZXwQP2/EmuFpPE
sF5UByFTrpC/d7kN7R/xXFcGDIf384RM7Ia4W4XleyKUJ4XHWDkecFU1oT1kLcsA
kIYNgjEq4TSAVJMCKa4q3fQilaJ0K27Bvs3p90brzVEnM128k6eavpkrcjojs0JU
mV3ixEcS9OBwFfmQolekEt9TJebGNVmzg89TAQ3xn3DAJJPtBsmgM1LliJ39/ev3
SeO1rQPBWaxurKksWsDoqcqUtB0r+yR/flfh+Lr+iAgi+fS4W67WwcPm/9SENlUV
8OJ/YEkFxhBGiwJEudIGXQ965Z7+wSbpn1ILUaEvGvWvuOg1L6KjCUVbIbH92fjS
XAETVqe2zqU2IENVIY/HiMfUQG58M+CVytaWr4zyQ9X4Fc9BmvmjUgSn/4d/LdU3
kDT/tDL1fvdX1prXIGUseScSQGPxOamWFB3TPqzWdjhvbkEtT8wp8FqKP/Es
=rPPP
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: "2021-09-08T16:11:14Z"
enc: |
-----BEGIN PGP MESSAGE-----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=h33S
-----END PGP MESSAGE-----
fp: F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -0,0 +1,33 @@
From 3c692fc4fd5ea7faefc6b6ef63c9b6b20205a1cb Mon Sep 17 00:00:00 2001
From: Simon Bruder <simon@sbruder.de>
Date: Thu, 9 Sep 2021 16:56:57 +0200
Subject: [PATCH] Prefer opus audio streams in listen mode
---
src/invidious/views/components/player.ecr | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/invidious/views/components/player.ecr b/src/invidious/views/components/player.ecr
index 6418f66b..73524cfd 100644
--- a/src/invidious/views/components/player.ecr
+++ b/src/invidious/views/components/player.ecr
@@ -7,6 +7,16 @@
<source src="<%= URI.parse(hlsvp).request_target %><% if params.local %>?local=true<% end %>" type="application/x-mpegURL" label="livestream">
<% else %>
<% if params.listen %>
+ <%
+ opus_streams = audio_streams.select { |fmt|
+ metadata = itag_to_metadata?(fmt["itag"])
+ metadata ? metadata["acodec"] == "opus" : false
+ }.reverse!
+ if opus_streams.size > 0
+ audio_streams = opus_streams
+ end
+ audio_streams.sort_by! { |fmt| fmt["bitrate"].as_i }.reverse!
+ %>
<% audio_streams.each_with_index do |fmt, i| %>
<source src="/latest_version?id=<%= video.id %>&itag=<%= fmt["itag"] %><% if params.local %>&local=true<% end %>" type='<%= fmt["mimeType"] %>' label="<%= fmt["bitrate"] %>k" selected="<%= i == 0 ? true : false %>">
<% end %>
--
2.31.1
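Review bot: The `.reverse!` chained onto the `select` block has no effect, because `audio_streams` is re-sorted by bitrate two lines later; dropping it leaves the `sort_by!` as the only ordering step and makes the intent clearer. `if opus_streams.size > 0` reads more idiomatically as `unless opus_streams.empty?`. A one-line comment in the template, `<%# prefer opus streams in listen mode; fall back to all streams if none %>`, would spare the next reader a trip to the patch description.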


@ -0,0 +1,53 @@
{ config, pkgs, ... }:
{
sops.secrets.invidious-extra-settings = {
sopsFile = ../../secrets.yaml;
group = "keys"; # not ideal, but required since the invidious user is dynamic
mode = "440";
};
systemd.services.invidious.serviceConfig.SupplementaryGroups = [ "keys" ];
services.invidious = {
enable = true;
package = pkgs.invidious.overrideAttrs (o: o // {
patches = (o.patches or [ ]) ++ [
./0001-Prefer-opus-audio-streams-in-listen-mode.patch
];
});
nginx.enable = true;
domain = "iv.sbruder.xyz";
settings = {
host_binding = "127.0.0.1";
log_level = "Warn";
default_user_preferences = {
# allow higher qualities
quality = "dash";
quality_dash = "auto";
# humane volume
volume = 50;
# no “popular” content
feed_menu = [ "Subscriptions" "Playlists" ];
default_home = ""; # search on /
};
disable_proxy = [ "downloads" ]; # legal precaution
local = true; # no external requests
use_pubsub_feeds = true;
modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
};
extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
};
systemd.services.invidious.serviceConfig = {
Restart = "on-failure";
};
services.nginx.virtualHosts."iv.sbruder.xyz" = {
locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/privacy".return = "301 'https://sbruder.xyz/#privacy'";
};
};
}
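Review bot: `systemd.services.invidious.serviceConfig` is assigned twice in this file — `SupplementaryGroups` near the top and `Restart` near the bottom — which the module system merges, but it reads as two unrelated edits; a single `systemd.services.invidious.serviceConfig = { SupplementaryGroups = [ "keys" ]; Restart = "on-failure"; };` keeps the unit's settings together. The `group = "keys"` / `mode = "440"` workaround the comment calls "not ideal" makes the secret readable by any process running with the keys group, not only invidious; if `extraSettingsFile` can point at a path under `$CREDENTIALS_DIRECTORY`, systemd's `LoadCredential=` would hand the file to this unit alone — I can't tell from here whether the module reads the file late enough for that to work, so it may only deserve a note in the comment.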


@ -0,0 +1,19 @@
{ config, ... }:
let
cfg = config.services.libreddit;
in
{
services.libreddit = {
enable = true;
address = "127.0.0.1";
};
services.nginx.virtualHosts."libreddit.sbruder.xyz" = {
forceSSL = true;
enableACME = true;
locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/".proxyPass = "http://${cfg.address}:${toString cfg.port}";
};
};
}
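Review bot: The `"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";` location is repeated byte-for-byte in the invidious and nitter configs added by this commit; a shared value defined once (for example a `robotsDeny` attrset in a common module) would keep the three in sync when the policy changes. This file proxies to `cfg.port` but never sets it, so it relies on the libreddit module's default; a short `# port: libreddit module default` next to `proxyPass` would make that explicit.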


@ -0,0 +1,44 @@
{ config, lib, ... }:
let
cfg = config.services.nitter;
in
{
services.nitter = {
enable = true;
server = {
port = 8081;
hostname = "nitter.sbruder.xyz";
address = "127.0.0.1";
};
preferences = {
theme = "Auto";
replaceTwitter = "${cfg.server.hostname}";
muteVideos = true;
hlsPlayback = true;
replaceYouTube = "${config.services.invidious.domain}";
};
};
services.nginx.virtualHosts.${cfg.server.hostname} = {
forceSSL = true;
enableACME = true;
locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/" = {
proxyPass = "http://${cfg.server.address}:${toString cfg.server.port}";
extraConfig =
let
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
parentHeaders = lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
in
''
${parentHeaders}
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; media-src 'self' blob:";
'';
};
};
};
}
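Review bot: `replaceTwitter = "${cfg.server.hostname}";` and `replaceYouTube = "${config.services.invidious.domain}";` interpolate a string into a string; `replaceTwitter = cfg.server.hostname;` and `replaceYouTube = config.services.invidious.domain;` are equivalent and read cleaner. The `parentHeaders` workaround keeps only lines of `commonHttpConfig` that start exactly with `add_header `, so an indented `add_header` in a parent config would be silently dropped for this location; a match that tolerates leading whitespace, or at least a comment stating that assumption, would make the workaround less brittle. The CSP grants `'unsafe-inline'` for scripts, presumably because nitter's templates need it; a comment saying so would stop a later reader from tightening it blindly.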


@ -0,0 +1 @@
index.html


@ -0,0 +1,40 @@
{ pkgs, ... }:
{
services.nginx.virtualHosts."sbruder.xyz" = {
forceSSL = true;
enableACME = true;
root = pkgs.stdenvNoCC.mkDerivation {
name = "sbruder.xyz";
src = ./.;
nativeBuildInputs = with pkgs; [ pandoc ];
buildPhase = ''
runHook preBuild
pandoc \
-s \
--metadata-file metadata.yaml \
-f commonmark_x \
-t html5 \
-o index.html \
index.md
runHook postBuild
'';
installPhase = ''
runHook preInstall
install -D index.html $out/index.html
runHook postInstall
'';
};
locations = {
"/imprint/".alias = "${pkgs.sbruder.imprint}/";
};
};
}
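Review bot: `src = ./.;` copies the whole directory — including this `default.nix` and the `.gitignore` added alongside — into the derivation's source, so editing the Nix file alone rebuilds the site. Listing the two real inputs explicitly, e.g. `src = lib.sourceByRegex ./. [ "index.md" "metadata.yaml" ];` (which needs `lib` added to the argument set), avoids that and documents what the build actually consumes.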


@ -0,0 +1,64 @@
On this domain, the following services are currently available:
* [Invidious](https://iv.sbruder.xyz)
* [Libreddit](https://libreddit.sbruder.xyz)
* [Nitter](https://nitter.sbruder.xyz)
They are all semi-public instances.
That means, they are not included in lists of public instances,
but feel free to use them for personal purposes.
You can do so by using a browser plugin like [Privacy Redirect](https://github.com/SimonBrazell/privacy-redirect)
and configuring the addresses to point to this server.
However, please note the following if you want to use them:
* These services are provided as-is without any guarantees.
* You must not use these services for any activities illegal under Finnish or German law.
* You must not use these services to interfere with the operation of the services
or the sites that originally provide the data.
* Please dont over/abuse these services.
They run on a tiny VPS and wont be able to handle high workloads.
Also note the following service-specific things:
* **Invidious**: There are no backups, so you are responsible for using the data export feature to back up important data.
The VPS providing the services is running NixOS.
The configuration is available [here](https://git.sbruder.de/simon/nixos-config/src/branch/master/machines/yuzuru).
If you have any questions, please [contact me](https://sbruder.de).
## A Note to Copyright Holders
The services are only relaying content that is otherwise already available on the Internet.
If your rights are infringed by content available from this site,
please report this to the site originally making it available.
Otherwise the content will still be available on the Internet.
If you still want to report illegal content to me instead of the original site,
send me an Email to the address stated in the imprint.
This is the fastest way to resolve the issue,
so please use that if you care about it.
## Imprint
See [Imprint](/imprint/).
## Privacy
The Libreddit and Nitter services do not store your personally identifiable information.
If you log in to an Invidious account,
the data you provide to the service will be stored.
You can export or delete that data by using its built-in data control feature.
In the case of an error, details of the problematic request might be stored on the server
and used strictly for debugging and fixing the error.
Those logs will be deleted after one week.
#### Fine Print
<small>
This site and the services provided by it are not associated with YouTube, Reddit and/or Twitter.
Trademarks are property of their respective owners.
</small>


@ -0,0 +1,3 @@
title: sbruder.xyz
mainfont: Roboto, Helvetica, Arial, sans-serif


@ -0,0 +1,72 @@
{ config, lib, pkgs, ... }:
let
domain = "schulischer-schabernack.de";
in
{
services.nginx = {
commonHttpConfig = ''
# privacy-aware log format
log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"';
# anonymise ip address
map $remote_addr $remote_addr_schabernack {
~(?P<ip>\d+\.\d+)\. $ip.0.0;
~(?P<ip>[^:]+:[^:]+): $ip::;
default 0.0.0.0;
}
'';
virtualHosts = {
${domain} = {
forceSSL = true;
enableACME = true;
root = "/var/www/schabernack/production";
# only log page views, rss feed access, media file download and embed views
extraConfig = ''
location ~ index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|\.podlove.json)$ {
access_log /var/log/nginx/schabernack.log schabernack;
}
'';
};
"www.${domain}" = {
forceSSL = true;
enableACME = true;
globalRedirect = domain;
extraConfig = ''
access_log off;
'';
};
"staging.${domain}" = {
forceSSL = true;
enableACME = true;
root = "/var/www/schabernack/staging";
extraConfig = ''
access_log off;
'';
};
};
};
systemd.tmpfiles.rules = [
"d /var/www/schabernack/production 0755 schabernack root -"
"d /var/www/schabernack/staging 0755 schabernack root -"
];
users = {
users.schabernack = {
isSystemUser = true;
group = "schabernack";
shell = "/bin/sh";
openssh.authorizedKeys.keys = map
(key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/schabernack/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
config.sbruder.pubkeys.trustedKeys;
};
groups.schabernack = { };
};
}
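Review bot: The `location ~` regex in the production vhost's `extraConfig` never matches the podlove files: inside `\.(opus|m4a|ogg|mp3|\.podlove.json)$` the last alternative is already preceded by the group's own `\.`, so it requires two consecutive dots, and its own `.` is unescaped. The `$` anchor also binds only to the last alternative of the outer alternation, so `index\.html` and `rss\.xml` match anywhere in the URI rather than at its end. Something like `location ~ (index\.html|rss\.xml|\.(opus|m4a|ogg|mp3)|\.podlove\.json)$ {` covers the cases the comment above it lists.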


@ -1,11 +0,0 @@
{ config, lib, ... }:
let
cfg = config.sbruder.cpu.intel;
in
{
options.sbruder.cpu.intel.enable = lib.mkEnableOption "intel cpu configuration";
config = lib.mkIf cfg.enable {
hardware.cpu.intel.updateMicrocode = true;
};
}


@ -8,33 +8,25 @@ lib.mkIf config.sbruder.gui.enable {
enable = true; enable = true;
drivers = with pkgs; [ drivers = with pkgs; [
gutenprint gutenprint
]; ] ++ lib.optional config.sbruder.unfree.allowSoftware (cups-kyocera-ecosys-m552x-p502x.override {
# in Kyocera terms, EU means duplex enabled by default
region = "EU";
});
}; };
avahi.enable = true; avahi.enable = true;
}; };
hardware.printers.ensurePrinters = [ hardware.printers.ensurePrinters = [
{
name = "kanna";
deviceUri = "socket://kanna.home.sbruder.de";
model = "${gutenprintWithVersion}://kyocera-fs-c5200dn/expert";
ppdOptions = {
PageSize = "A4";
};
}
# printer is broken and makes systemd unit fail
#{
# name = "tintenpisser";
# deviceUri = "ipp://tintenpisser.home.sbruder.de:631/ipp/print";
# model = "everywhere";
# ppdOptions = {
# PageSize = "A4";
# };
#}
{ {
name = "ich_drucke_nicht"; name = "ich_drucke_nicht";
deviceUri = "socket://192.168.178.26"; deviceUri = "socket://192.168.178.26";
model = "${gutenprintWithVersion}://bjc-TS3100-series/expert"; model = "${gutenprintWithVersion}://bjc-TS3100-series/expert";
} }
] ++ lib.optionals config.sbruder.unfree.allowSoftware [
{
name = "elma";
deviceUri = "socket://elma.home.sbruder.de";
model = "Kyocera/Kyocera ECOSYS P5021cdn.PPD";
}
]; ];
} }


@ -1,50 +1,45 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let
# Taken from https://nixos.wiki/wiki/Overlays
overlaysCompat = pkgs.writeTextFile {
name = "overlays-compat";
destination = "/overlays.nix";
text = ''
self: super:
with super.lib;
let
# Load the system config and get the `nixpkgs.overlays` option
overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
in
# Apply all overlays to the input of the current "main" overlay
foldl' (flip extends) (_: super) overlays self
'';
};
in
{ {
# Options that affect multiple modules # Options that affect multiple modules
options.sbruder = { options.sbruder = {
full = lib.mkOption {
type = lib.types.bool;
description = ''
Whether to build the full system. If disabled, the system closure will
be smaller, but some features will not be available.
'';
default = true;
};
trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
gui.enable = lib.mkEnableOption "gui"; gui.enable = lib.mkEnableOption "gui";
games.enable = lib.mkEnableOption "games";
}; };
# All modules are imported but non-essential modules are activated by # All modules are imported but non-essential modules are activated by
# configuration options # configuration options
imports = [ imports = [
./cpu ../pkgs/modules.nix
./cups.nix ./cups.nix
./docker.nix ./docker.nix
./fonts.nix ./fonts.nix
./gpu ./games.nix
./grub.nix ./grub.nix
./gui.nix ./gui.nix
./initrd-ssh.nix ./initrd-ssh.nix
./libvirt.nix
./locales.nix ./locales.nix
./mailserver.nix
./media-proxy.nix ./media-proxy.nix
./mullvad
./network-manager.nix ./network-manager.nix
./nginx-interactive-index
./nginx.nix
./nix.nix
./office.nix ./office.nix
./prometheus/node_exporter.nix ./prometheus/node_exporter.nix
./pubkeys.nix ./pubkeys.nix
./pulseaudio.nix ./pipewire.nix
./restic.nix ./restic
./secrets.nix ./secrets.nix
./ssd.nix
./ssh.nix ./ssh.nix
./tools.nix ./tools.nix
./udev.nix ./udev.nix
@ -52,79 +47,75 @@ in
./wireguard ./wireguard
]; ];
config = { config = lib.mkMerge [
# Essential system tools {
environment.systemPackages = with pkgs; [ # Essential system tools
git environment.systemPackages = with pkgs; [
git-crypt # used to store secrets in configuration git
git-lfs # not so essential, but required to clone config git-crypt # used to store secrets in configuration
htop git-lfs # not so essential, but required to clone config
tmux htop
vim tmux
]; vim
# Clean temporary files on boot
boot.cleanTmpDir = true;
# Set zsh as default shell
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
# command-not-found does not work without channels
programs.command-not-found.enable = false;
# Sane swapping
boot.kernel.sysctl."vm.swapiness" = 10;
# Store logs persistently
services.journald.extraConfig = "Storage = persistent";
# Hard drive monitoring
services.smartd.enable = true;
# Network monitoring
services.vnstat.enable = true;
# Authentication/Encryption agents
programs.gnupg.agent.enable = true;
programs.ssh.startAgent = true;
# NixOS state version (see https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion)
system.stateVersion = "20.03";
nix = {
nixPath = [
"/var/src" # pinned nixpkgs and configuration
"nixpkgs=/var/src/nixpkgs" # for nix run
"nixpkgs-overlays=${overlaysCompat}"
]; ];
# Make sudoers trusted nix users
trustedUsers = [ "@wheel" ];
# On-the-fly optimisation of nix store # Clean temporary files on boot
autoOptimiseStore = true; boot.cleanTmpDir = true;
# Keep output of derivations with gc root
extraOptions = ''
keep-outputs = true
keep-derivations = true
'';
# Make nix build in background less noticeable # Set zsh as default shell
daemonIONiceLevel = 5; # 0-7 programs.zsh.enable = true;
}; users.defaultUserShell = pkgs.zsh;
systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = "batch"; environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc";
nixpkgs.config = { # command-not-found does not work without channels
# Add unstable channel programs.command-not-found.enable = false;
packageOverrides = pkgs: {
unstable = import (import ../nix/sources.nix).nixpkgs-unstable { # Hard drive monitoring
config = config.nixpkgs.config; services.smartd.enable = lib.mkDefault true;
overlays = config.nixpkgs.overlays; # Network monitoring
}; services.vnstat.enable = true;
# Support for exotic file systems
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
# Authentication/Encryption agents
programs.gnupg.agent.enable = true;
programs.ssh.startAgent = true;
# When this is set to true (default), routing everything through a
# wireguard tunnel does not work.
networking.firewall.checkReversePath = false;
# Open ports for quick tests
networking.firewall = {
allowedTCPPortRanges = lib.singleton { from = 9990; to = 9999; };
allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
}; };
};
nixpkgs.overlays = [ # Globally set Lets Encrypt requirements
(import ../pkgs) security.acme = {
]; acceptTerms = true;
}; email = "security@sbruder.de";
};
system.activationScripts.diff = ''
[ -L /run/current-system ] && ${pkgs.nixFlakes}/bin/nix \
--experimental-features 'nix-command' \
store \
diff-closures /run/current-system "$systemConfig"
'';
}
(lib.mkIf config.sbruder.full {
services.fwupd.enable = true;
})
(lib.mkIf (!config.sbruder.full) {
# Adapted from nixpkgs/nixos/modules/profiles/minimal.nix
i18n.supportedLocales = map
(locale: locale + "/UTF-8")
((lib.singleton config.i18n.defaultLocale)
++ (lib.attrValues config.i18n.extraLocaleSettings));
documentation.enable = lib.mkDefault false;
})
];
} }
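Review bot: The "Open ports for quick tests" block sits in the unconditional part of the `lib.mkMerge`, so every machine built from these modules — including the internet-facing server added in this commit with `full = false` and `trusted = false` — exposes TCP and UDP 9990–9999. Moving those two `allowed*PortRanges` lines into the `lib.mkIf config.sbruder.full` branch (or gating them on `config.sbruder.gui.enable`) would keep the convenience range on workstations only. `networking.firewall.checkReversePath = false` is likewise global; the comment only says `true` breaks the WireGuard tunnel, and the option also accepts `"loose"`, which may be enough for that case while keeping the check — worth trying before disabling it everywhere.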


@ -17,7 +17,7 @@
docker = { docker = {
enable = true; enable = true;
logDriver = "journald"; logDriver = "journald";
extraOptions = builtins.concatStringsSep " " [ extraOptions = lib.concatStringsSep " " [
"--ipv6" "--ipv6"
"--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64" "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
]; ];


@ -3,19 +3,20 @@
lib.mkIf config.sbruder.gui.enable { lib.mkIf config.sbruder.gui.enable {
fonts = { fonts = {
fonts = with pkgs; [ fonts = with pkgs; [
(nerdfonts.override { fonts = [ "Iosevka" ]; }) # default monospace font
] ++ lib.optionals config.sbruder.full [
google-fonts # google font collection (free) google-fonts # google font collection (free)
lmodern # Latin Modern for non-latex applications lmodern # Latin Modern for non-latex applications
(nerdfonts.override { fonts = [ "Iosevka" ]; })
#roboto # standalone roboto has awful kerning
source-han-sans source-han-sans
source-han-serif # CJK fonts source-han-serif # CJK fonts
] ++ lib.optionals (!config.sbruder.full) [
roboto # default sans-serif font (normally included in google-fonts)
] ++ lib.optionals config.sbruder.unfree.allowAssets [ ] ++ lib.optionals config.sbruder.unfree.allowAssets [
corefonts # good ol microsoft fonts corefonts # good ol microsoft fonts
vistafonts # newer microsoft fonts vistafonts # newer microsoft fonts
]; ];
enableDefaultFonts = true; enableDefaultFonts = true;
enableFontDir = true;
fontconfig = { fontconfig = {
defaultFonts = { defaultFonts = {
@ -23,7 +24,7 @@ lib.mkIf config.sbruder.gui.enable {
sansSerif = [ "Roboto" "Source Han Sans" ]; sansSerif = [ "Roboto" "Source Han Sans" ];
serif = [ "Georgia" "Source Han Serif" ]; serif = [ "Georgia" "Source Han Serif" ];
}; };
localConf = '' localConf = /* xml */ ''
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd"> <!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
<fontconfig> <fontconfig>

23
modules/games.nix Normal file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sbruder.games;
in
{
options.sbruder.games = {
enable = lib.mkEnableOption "games";
performanceIndex = lib.mkOption {
type = lib.types.int;
description = ''
Arbitrary number specifying how powerful the machine is. To be
replaced by taking into account single- and multi-core CPU and GPU
metrics separately should this system not map to my machines in
practice.
* 2: ~ 2014 ultrabook
* 8: ~ 2016 quad-core workstation with mid-range GPU
'';
default = 1;
};
};
config = lib.mkIf cfg.enable { };
}
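Review bot: `performanceIndex` defaults to `1`, but the scale in the option description starts at 2, so the default has no stated meaning; adding a bullet such as `* 1: (default) unknown / weakest` to the description, or picking a default that is on the scale, would make the contract clear. `config = lib.mkIf cfg.enable { };` is an empty body; a one-line comment saying the options are consumed by other modules (or dropping the line until it is needed) would avoid the impression that something was left out.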


@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sbruder.gpu.amd;
in
{
options.sbruder.gpu.amd.enable = lib.mkEnableOption "amd gpu configuration";
config = lib.mkIf cfg.enable {
hardware.opengl.extraPackages = with pkgs; [
amdvlk
rocm-opencl-icd
];
environment.systemPackages = with pkgs; [
clinfo
radeontop
rocm-smi
];
# force RGB otput for HDMI (otherwise the default is YCbCr)
# see https://gitlab.freedesktop.org/drm/amd/-/issues/476
#boot.kernelPatches = [
# {
# name = "force-rgb";
# patch = pkgs.fetchpatch {
# url = "https://gitlab.freedesktop.org/drm/amd/uploads/99b3664a49ec759075bde5c454e1d7c2/0001-force-rgb.patch";
# sha256 = "03dhnlxx9vlj1x8izh3c3j4r9s75q47nx8kf6mbdxqfy3cj96mjm";
# };
# }
#];
};
}


@ -1,7 +0,0 @@
{ lib, ... }:
{
imports = [
./amd.nix
./intel.nix
];
}


@ -1,14 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sbruder.gpu.intel;
in
{
options.sbruder.gpu.intel.enable = lib.mkEnableOption "intel gpu configuration";
config = lib.mkIf cfg.enable {
hardware.opengl.extraPackages = with pkgs; [
beignet
vaapiIntel
];
};
}


@ -8,8 +8,23 @@ lib.mkIf config.sbruder.gui.enable {
extraPackages = [ ]; extraPackages = [ ];
}; };
# steam (and other high quality software) still ships 32 bit binaries xdg = {
hardware.opengl.driSupport32Bit = lib.mkIf pkgs.stdenv.isx86_64 true; portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
gtkUsePortal = true;
};
};
services.logind.lidSwitchDocked = config.services.logind.lidSwitch; services.upower.enable = true;
# steam (and other high quality software) still ships 32 bit binaries
hardware.opengl.driSupport32Bit = lib.mkDefault pkgs.stdenv.isx86_64;
environment.systemPackages = with pkgs; [
pkgs.gnome3.adwaita-icon-theme # lutris requires system-wide installation
];
} }
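Review bot: `pkgs.gnome3.adwaita-icon-theme` is inside `with pkgs; [ ... ]`, so the `pkgs.` prefix is redundant; `gnome3.adwaita-icon-theme # lutris requires system-wide installation` matches the other package lists in this commit. The `xdg.portal` block enables the wlr portal with `gtkUsePortal = true` for every machine with `gui.enable`; if a non-wlroots GUI machine ever exists, a comment noting that `xdg-desktop-portal-wlr` is sway-specific would save a debugging session.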


@ -9,10 +9,10 @@
ssh = { ssh = {
enable = lib.mkDefault config.boot.initrd.network.enable; enable = lib.mkDefault config.boot.initrd.network.enable;
port = 2222; port = 2222;
# ssh-keygen -t ed25519 -N "" -f initrd-ssh-host-key -C HOSTNAME # ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key_initrd -C HOSTNAME
# pass insert -m nixos/machines/HOSTNAME/initrd-ssh-host-key < initrd-ssh-host-key # scp ssh_host_ed25519_key_initrd root@machine:/etc/ssh/
hostKeys = [ hostKeys = [
(toString <secrets/initrd-ssh-host-key>) "/etc/ssh/ssh_host_ed25519_key_initrd"
]; ];
}; };
}; };
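Review bot: The host key path moves to `/etc/ssh/ssh_host_ed25519_key_initrd` and the comment documents how to generate and copy it, but not that this key is embedded into the initrd and is therefore only as private as wherever the initrd is stored — on most setups the unencrypted boot partition. A note next to the path, `# embedded in the initrd, so only as private as /boot; never reuse the main host key`, would record both the caveat and the reason a separate key is used.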


@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
options.sbruder.libvirt.enable = lib.mkEnableOption "libvirt";
config = {
virtualisation.libvirtd.enable = config.sbruder.libvirt.enable;
environment.systemPackages = lib.mkIf config.sbruder.gui.enable [ pkgs.virt-manager ];
};
}


@ -10,4 +10,9 @@
console.keyMap = "de"; console.keyMap = "de";
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
location = {
latitude = 49.52;
longitude = 10.17;
};
} }

346
modules/mailserver.nix Normal file

@ -0,0 +1,346 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sbruder.mailserver;
certDir = config.security.acme.certs."${cfg.fqdn}".directory;
in
{
options.sbruder.mailserver = with lib; with lib.types; {
enable = mkEnableOption "simple mail server";
fqdn = mkOption {
type = str;
description = ''
FQDN of the mail server
It needs to have a matching reverse DNS record. Also, an acme
certificate with this name has to be present.
'';
example = "mail.example.com";
};
storage = mkOption {
type = path;
description = "Location of the storage for mails";
default = "/var/vmail";
};
domains = mkOption {
type = listOf str;
description = "Domains to serve";
example = [ "example.com" "example.org" ];
};
users = mkOption {
type = listOf (submodule {
options = {
address = mkOption {
type = str;
description = "Primary e-mail address of the user";
example = "jdoe@example.com";
};
passwordHash = mkOption {
type = str;
description = ''
Bcrypt hash of the users password. Please note that it will be
world-readable in the nix store.
You can generate a password with `nix run nixpkgs.apacheHttpd -c
htpasswd -nBC 12 "" | cut -d: -f2`
'';
example = "$2y$05$SHxhwVGx.XCd19HAcb1NKuidUxW1BwU7GeO0ZIcMTc5t2uZoYLVRK";
};
aliases = mkOption {
type = listOf str;
description = ''
A list of aliases for the user.
If multiple users have the same alias defined, mail will be
delivered to both of them.
'';
default = [ ];
example = [
"j.doe@example.com"
"jane.doe@example.com"
"postmaster@example.com"
];
};
};
});
description = "Users of the mail server";
};
cleanHeaders = mkOption {
type = listOf str;
description = "A list of regular expressions that define what headers are filtered";
default = [
"/^\\s*Received:/"
"/^\\s*User-Agent:/"
"/^\\s*X-Mailer:/"
"/^\\s*X-Originating-IP:/"
];
};
rejectSenders = mkOption {
type = listOf str;
description = "A list of senders to reject mails from";
default = [ ];
example = [
"newsletter@example.com"
"spammer@example.com"
];
};
};
config = lib.mkIf cfg.enable {
# Users and groups
users.users.vmail = {
uid = 10000;
group = "vmail";
home = cfg.storage;
createHome = true;
};
users.groups.vmail.gid = 10000;
# Firewall
networking.firewall.allowedTCPPorts = [
143 # IMAP
25 # SMTP
587 # SMTP submission
];
# Service dependencies
systemd.services.dovecot2 = {
wants = [ "acme-finished-${cfg.fqdn}.target" ];
after = [ "acme-finished-${cfg.fqdn}.target" ];
};
systemd.services.postfix = {
wants = [ "acme-finished-${cfg.fqdn}.target" ];
requires = [ "dovecot2.service" ];
after = [ "acme-finished-${cfg.fqdn}.target" "dovecot2.service" ];
};
# Reload on certificate renewal
security.acme.certs."${cfg.fqdn}".postRun = ''
if systemctl is-active dovecot2; then
systemctl --no-block reload dovecot2
fi
if systemctl is-active postfix; then
systemctl --no-block reload postfix
fi
'';
# Postfix
security.dhparams.params.postfix = { };
services.postfix =
let
listToString = lib.concatStringsSep ",";
valiases =
let
# List of attribute sets with single key-value pair
plainAliases = (lib.flatten
(map
({ address, aliases, ... }:
map
(alias: { "${alias}" = address; })
(aliases ++ lib.singleton address))
cfg.users));
# Attribute set with every alias mapped to a list of receivers
mergedAliases = (lib.attrsets.foldAttrs
(val: col: lib.singleton val ++ col)
[ ]
plainAliases);
# Contents of the aliases file
aliasesString = (lib.concatStringsSep
"\n"
(lib.mapAttrsToList
(alias: addresses: "${alias} ${listToString addresses}")
mergedAliases));
in
pkgs.writeText
"valiases"
aliasesString;
access_sender = pkgs.writeText
"access_sender"
(lib.concatMapStringsSep
"\n"
(sender: "${sender} REJECT")
cfg.rejectSenders);
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules"
(lib.concatMapStringsSep
"\n"
(regex: "${regex} IGNORE")
cfg.cleanHeaders);
in
{
enable = true;
enableSubmission = true;
hostname = cfg.fqdn;
networksStyle = "host";
sslCert = "${certDir}/fullchain.pem";
sslKey = "${certDir}/key.pem";
recipientDelimiter = "+";
mapFiles = {
inherit access_sender valiases;
};
config = {
# General
smtpd_banner = "${cfg.fqdn} ESMTP NO UCE";
disable_vrfy_command = true; # disable check if mailbox exists
enable_long_queue_ids = true; # better for debugging
strict_rfc821_envelopes = true; # only accept properly formatted envelope
message_size_limit = "50331648"; # 48MiB
virtual_mailbox_domains = listToString cfg.domains;
virtual_mailbox_maps = "hash:/var/lib/postfix/conf/valiases";
virtual_alias_maps = "hash:/var/lib/postfix/conf/valiases";
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
smtpd_recipient_restrictions = listToString [
"reject_non_fqdn_recipient"
"reject_rbl_client ix.dnsbl.manitu.net"
"reject_unknown_recipient_domain"
"reject_unverified_recipient"
];
smtpd_client_restrictions = listToString [
"reject_rbl_client ix.dnsbl.manitu.net"
"reject_unknown_client_hostname"
];
smtpd_sender_restrictions = listToString [
"check_sender_access hash:/var/lib/postfix/conf/access_sender"
"reject_non_fqdn_sender"
"reject_unknown_sender_domain"
];
# generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration
# https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6
smtpd_tls_security_level = "may";
smtpd_tls_auth_only = "yes";
smtpd_tls_mandatory_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
smtpd_tls_mandatory_ciphers = "medium";
smtpd_tls_loglevel = "1";
tls_medium_cipherlist = listToString [
"ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-RSA-AES128-GCM-SHA256"
"ECDHE-ECDSA-AES256-GCM-SHA384"
"ECDHE-RSA-AES256-GCM-SHA384"
"ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-RSA-CHACHA20-POLY1305"
"DHE-RSA-AES128-GCM-SHA256"
"DHE-RSA-AES256-GCM-SHA384"
];
tls_preempt_cipherlist = "no";
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
};
submissionOptions = {
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/run/dovecot2/auth";
smtpd_sender_login_maps = "hash:/etc/postfix/valiases";
smtpd_recipient_restrictions = listToString [ ];
smtpd_client_restrictions = listToString [
"permit_sasl_authenticated"
"reject"
];
smtpd_sender_restrictions = listToString [
"reject_sender_login_mismatch"
];
cleanup_service_name = "submission-header-cleanup";
};
masterConfig = {
submission-header-cleanup = {
private = false;
maxproc = 0;
command = "cleanup";
args = [ "-o" "header_checks=pcre:${submissionHeaderCleanupRules}" ];
};
};
};
# Dovecot
services.dovecot2 =
let
postfixCfg = config.services.postfix;
passdb = pkgs.writeText "dovecot-users"
(lib.concatMapStringsSep
"\n"
({ address, passwordHash, ... }: "${address}:{BLF-CRYPT}${passwordHash}")
cfg.users);
in
{
enable = true;
enableLmtp = true;
enablePAM = false;
mailUser = "vmail";
mailGroup = "vmail";
mailLocation = "maildir:${cfg.storage}/%d/%n";
sslServerCert = "${certDir}/fullchain.pem";
sslServerKey = "${certDir}/key.pem";
extraConfig = ''
# generated 2021-02-04, Mozilla Guideline v5.6, Dovecot 2.3.13, OpenSSL 1.1.1i, intermediate configuration
# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.13&config=intermediate&openssl=1.1.1i&guideline=5.6
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
service imap-login {
inet_listener imap {
}
}
service lmtp {
unix_listener dovecot-lmtp {
mode = 0600
user = ${postfixCfg.user}
group = ${postfixCfg.group}
}
}
passdb {
driver = passwd-file
args = username_format=%u ${passdb}
}
userdb {
driver = static
args = uid=vmail gid=vmail home=${cfg.storage}/%d/%n
}
service auth {
unix_listener auth {
mode = 0660
user = ${postfixCfg.user}
group = ${postfixCfg.group}
}
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
'';
};
};
}


@ -2,21 +2,22 @@
let let
port = 8888; port = 8888;
services = { services = {
"media" = config.krops.secrets.media-proxy-auth.path; "media" = config.sops.secrets.media-proxy-auth.path;
"scan" = config.krops.secrets.media-proxy-auth.path; "torrent" = config.sops.secrets.torrent-proxy-auth.path;
"torrent" = config.krops.secrets.torrent-proxy-auth.path;
}; };
in in
{ {
options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy"; options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
config = lib.mkIf config.sbruder.media-proxy.enable { config = lib.mkIf config.sbruder.media-proxy.enable {
krops.secrets = { sops.secrets = {
torrent-proxy-auth.group = "nginx"; torrent-proxy-auth.owner = "nginx";
media-proxy-auth.group = "nginx"; media-proxy-auth.owner = "nginx";
}; };
users.users.nginx.extraGroups = [ "keys" ]; systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;
# otherwise name resolution fails
systemd.services.nginx.after = [ "network-online.target" ];
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts.media-proxy = { virtualHosts.media-proxy = {
@ -27,7 +28,7 @@ in
]; ];
locations = { locations = {
"/".extraConfig = '' "/".extraConfig = ''
rewrite ^/__assets/(.*)$ /media/__assets/$1; rewrite ^/__nginx-interactive-index-assets__/(.*)$ /media/__nginx-interactive-index-assets__/$1;
''; '';
} // lib.mapAttrs' } // lib.mapAttrs'
(name: secret: { (name: secret: {
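Review bot: The new `systemd.services.nginx.after = [ "network-online.target" ];` only orders nginx relative to the target when something else activates it; `after` on its own does not pull `network-online.target` into the boot transaction, so the name-resolution failure the comment describes can still occur. Add `systemd.services.nginx.wants = [ "network-online.target" ];` next to it. With both secrets now declared with `owner = "nginx"`, the added `SupplementaryGroups` keys-group entry may be redundant if the files are owner-readable; worth confirming against the sops-nix defaults before keeping both. The enclosing `config = lib.mkIf … {` attribute set continues past the visible hunks.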


@ -0,0 +1,72 @@
{ config, lib, pkgs, ... }:
let
relays = builtins.fromJSON (builtins.readFile ./relays.json);
cfg = config.sbruder.mullvad;
relayConfigs = lib.mapAttrs'
(name: configuration: lib.nameValuePair "mullvad-${name}.conf" (with configuration; ''
[Interface]
DNS = ${cfg.dnsServer}
[Peer]
Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
PublicKey = ${pubkey}
AllowedIPs = 0.0.0.0/0,::0/0
''))
relays;
# Creating 100+ files in a separate derivation each has too much overhead
relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
mkdir $out
'' + (lib.concatStringsSep
"\n"
(lib.mapAttrsToList
(name: content: ''
cat > $out/${lib.escapeShellArg name} << EOF
${content}
EOF
'')
relayConfigs)));
in
{
options.sbruder.mullvad = {
enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
dnsServer = lib.mkOption {
type = lib.types.str;
default = "193.138.218.74";
};
ipVersion = lib.mkOption {
type = lib.types.enum [ 4 6 ];
default = 4;
};
port = lib.mkOption {
type = lib.types.port;
default = 51820;
};
};
config = lib.mkIf cfg.enable {
environment = {
etc = builtins.listToAttrs
(map
(name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
(lib.attrNames relayConfigs));
systemPackages = lib.singleton (pkgs.stdenv.mkDerivation {
name = "mullvad-on-demand";
src = ./mullvad.sh;
dontUnpack = true;
dontBuild = true;
installPhase = ''
runHook preInstall
install -D $src $out/bin/mullvad
runHook postInstall
'';
});
};
};
}
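Review bot: In `relayConfigFiles` the unquoted heredoc `cat > $out/${lib.escapeShellArg name} << EOF` lets the shell expand `$`, backticks and backslashes inside `${content}`, and that content (endpoints, public keys, relay names) comes from relays.json, which update.sh fetches from a remote API. Quote the delimiter so the data is written verbatim: `cat > $out/${lib.escapeShellArg name} << 'EOF'`. `escapeShellArg` protects the command line, but a relay name containing `/` or `..` would still place the file outside `$out`, so rejecting names that are not plain identifiers before they reach this point seems worth it. Note also that `endpoint6` is interpolated unconditionally when `ipVersion = 6`; if a relay has no IPv6 address that field is presumably null and evaluation fails, which may be intentional but is undocumented.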

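--- /dev/null
+++ b/modules/mullvad/mullvad.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# This reads wg-quick compatible configuration files from
+# /etc/wireguard/mullvad-LOCATION.conf
+#
+# Since they are autogenerated by nix and therefore world-readable, they do not
+# include secrets like the private key and client address. Instead, they are
+# manually added after wg-quick set up the tunnel by retrieving them with
+# pass(1) from web/mullvad.net/wireguard.
+#
+# Format of pass entry:
+# PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
+# Address4: 10.0.0.1/32
+# Address6: fd00::1/128
+set -euo pipefail
+if (( $# < 1 )); then
+echo "USAGE: $0 LOCATION|off" >&2
+exit 1
+fi
+INTERFACE="mullvad-$1"
+cmd() {
+echo "[#] $*" >&2
+sudo "$@"
+}
+for interface in /sys/class/net/*; do
+interface="${interface#/sys/class/net/}"
+[[ $interface =~ ^mullvad-(v6-)?[a-z]{2}[0-9]*$ ]] && cmd wg-quick down "$interface"
+done
+if [ "$1" != "off" ]; then
+# Make sure gpg-agent is unlocked so the period where the interface exists but
+# no private key is set is minised.
+pass web/mullvad.net/wireguard >/dev/null
+cmd wg-quick up "$INTERFACE"
+pass web/mullvad.net/wireguard | while read -r line; do
+key="${line%%: *}"
+value="${line#*: }"
+case "$key" in
+PrivateKey)
+cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
+continue
+;;
+Address4)
+cmd ip -4 address add "$value" dev "$INTERFACE"
+continue
+;;
+Address6)
+cmd ip -6 address add "$value" dev "$INTERFACE"
+continue
+;;
+*)
+echo "Invalid key '$key'"
+exit 1
+esac
+done
+fi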
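Review bot: The tunnel is brought up with a default-route `AllowedIPs` before the pass entry has been parsed, and the `*)` branch of the `case` then aborts (through the pipeline status and `set -e`) with the interface left up but without a private key; its error message also goes to stdout, unlike the usage text. Reading and validating the pass entry into variables first, and only then running `wg-quick up` and applying key and addresses, closes the window the comment above the first `pass` call is trying to minimise and gives a clean failure path. Capturing the entry with command substitution still triggers the gpg-agent unlock before the interface exists and keeps `set -e` coverage for a failing `pass`. The rewrite below replaces the `if [ "$1" != "off" ]` block; usage check, `cmd` and the teardown loop are unchanged.
```shell
# … unchanged: usage check, cmd(), teardown loop …
if [ "$1" != "off" ]; then
    private_key="" address4="" address6=""
    # Read and validate the pass entry before the interface exists, so a bad
    # entry never leaves a keyless tunnel with a default route behind.
    entry="$(pass web/mullvad.net/wireguard)"
    while read -r line; do
        key="${line%%: *}"
        value="${line#*: }"
        case "$key" in
            PrivateKey) private_key="$value" ;;
            Address4) address4="$value" ;;
            Address6) address6="$value" ;;
            *)
                echo "Invalid key '$key'" >&2
                exit 1
                ;;
        esac
    done <<< "$entry"
    if [[ -z $private_key ]]; then
        echo "PrivateKey missing from pass entry" >&2
        exit 1
    fi
    cmd wg-quick up "$INTERFACE"
    cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$private_key"
    if [[ -n $address4 ]]; then cmd ip -4 address add "$address4" dev "$INTERFACE"; fi
    if [[ -n $address6 ]]; then cmd ip -6 address add "$address6" dev "$INTERFACE"; fi
fi
```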

2142
modules/mullvad/relays.json Normal file


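--- /dev/null
+++ b/modules/mullvad/update.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# This gets the current wireguard relay list from mullvads API and transforms
+# it into a format that takes up less space than the original response.
+set -euo pipefail
+curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
+key: .hostname | split("-")[0],
+value: {
+endpoint4: .ipv4_addr_in,
+endpoint6: .ipv6_addr_in,
+pubkey: .pubkey
+}
+}) | from_entries' > relays.json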
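Review bot: `curl -s` without `--fail` turns an HTTP error response into a successful pipeline stage, and because the redirection truncates relays.json before jq runs, a failed fetch or a jq parse error leaves an empty or partial relay list behind; `set -o pipefail` only changes the exit status after the damage is done. Use `curl -sSf 'https://api.mullvad.net/www/relays/wireguard/' | jq …` and write to a temporary file that is renamed on success, e.g. `… | from_entries' > relays.json.tmp && mv relays.json.tmp relays.json`. Since this file is the only source of the relay public keys the generated WireGuard configurations trust, the commit diff of relays.json is the one place a malformed or tampered response can be caught; a one-line comment saying so would help future maintainers.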


@ -1,7 +1,9 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
lib.mkIf config.sbruder.gui.enable { lib.mkIf config.sbruder.gui.enable {
networking.networkmanager = { networking.networkmanager.enable = true;
enable = true;
}; environment.systemPackages = with pkgs; [
networkmanagerapplet
];
} }


@ -0,0 +1,69 @@
# This module implements an option with the same structure as the nginx module
# but does not extend the nginx module since that would cause infinite
# recursion.
{ config, lib, pkgs, ... }:
let
enabledLocations = lib.fold
(x: a: a ++ x)
[ ]
(lib.mapAttrsToList
(vhostName: vhostConfig: lib.mapAttrsToList
(locationName: locationConfig: [ vhostName locationName ])
(lib.filterAttrs
(_: location: location.enable)
vhostConfig.locations))
config.services.nginx-interactive-index.virtualHosts);
in
{
options.services.nginx-interactive-index.virtualHosts = with lib.types; lib.mkOption {
default = { };
type = attrsOf (submodule {
options = {
locations = lib.mkOption {
default = { };
type = attrsOf (submodule {
options = {
enable = lib.mkEnableOption "interactive directory index";
};
});
};
};
});
};
config.services.nginx.virtualHosts = lib.fold
(x: a: a // x)
{ }
(map
(path:
let
vhost = lib.elemAt path 0;
location = lib.elemAt path 1;
assetsPath = "${location}__nginx-interactive-index-assets__";
in
{
"${vhost}".locations = {
"${location}" = {
extraConfig = ''
autoindex on;
autoindex_exact_size on;
add_before_body ${assetsPath}/header.html;
'';
};
"${assetsPath}/" = {
alias = "${builtins.filterSource
(path: type: baseNameOf path != "default.nix")
./.}/";
};
"=${assetsPath}/header.html" = {
alias = pkgs.writeText "nginx-interactive-index-${location}-header.html" ''
<!DOCTYPE html>
<meta charset="utf-8">
<link rel="stylesheet" href="${assetsPath}/listing.css">
<script src="${assetsPath}/listing.js"></script>
'';
};
};
})
enabledLocations);
}
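Review bot: The merge `lib.fold (x: a: a // x) { } (map … enabledLocations)` is a shallow update keyed on the vhost name, so when two locations of the same virtual host are enabled the second entry replaces the first one's `locations` set instead of merging into it, and the first location silently loses its index configuration. Letting the module system merge the per-location sets avoids that: `config.services.nginx.virtualHosts = lib.mkMerge (map (path: …) enabledLocations);` with the inner body unchanged. The `lib.fold (x: a: a ++ x) [ ]` in `enabledLocations` is equivalent to `lib.concatLists`, which reads more directly. `add_before_body` depends on nginx's addition module being compiled in; a comment stating that assumption, e.g. `# add_before_body requires ngx_http_addition_module`, would make the dependency explicit.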


@ -0,0 +1,48 @@
body, html {
background-color: #fdf6e3;
color: #657b83;
font-family: "TeX Gyre Heros", "Roboto", "Helvetica", "Arial", sans-serif;
}
tr.hidden {
display: none;
}
tr.zebra-stripe {
background: #eee8d5;
}
th, td {
padding: 0.1em 0.5em;
}
th {
text-align: left;
font-weight: bold;
background: #eee8d5;
border-bottom: 1px solid #657b83;
}
a {
color: #586e75;
}
a:hover {
color: #073642;
}
table {
width: 100%;
}
#search-field {
width: 100%;
border: none;
margin-bottom: 15px;
background: #eee8d5;
color: inherit;
}
hr {
display: none;
}


@ -0,0 +1,91 @@
document.addEventListener('DOMContentLoaded', () => {
function humanFileSize(bytes) {
const thresh = 1024
if(Math.abs(bytes) < thresh) {
return bytes + ' B'
}
const units = ['KiB','MiB','GiB','TiB','PiB','EiB','ZiB','YiB']
var u = -1
do {
bytes /= thresh
++u
} while(Math.abs(bytes) >= thresh && u < units.length - 1)
return bytes.toFixed(1)+' '+units[u]
}
function textToA(line) {
let outerElement = document.createElement('div')
outerElement.innerHTML = line
return outerElement.getElementsByTagName('a')[0]
}
function parseLine(line) {
const href = textToA(line).href
const filename = href.substr(-1) === '/' ? decodeURIComponent(href.split('/').slice(-2, -1)[0]) : decodeURIComponent(href.split('/').pop())
const size = line.split(' ').pop()
return {
href: href,
filename: filename,
size: size
}
}
function processLine(line) {
meta = parseLine(line)
return `<tr><td><a href="${meta.href}">${meta.filename}</a></td><td>${meta.size === '-' ? '-' : humanFileSize(meta.size)}</td></tr>`
}
function addZebraStripes(rows) {
// this should be done in CSS, but AFAIU it does not support limiting
// :nth-child to elements matching a previous :not selector
rows.forEach((row, idx) => {
if (idx % 2 === 0) {
row.classList.add("zebra-stripe")
} else {
row.classList.remove("zebra-stripe")
}
})
}
const collator = new Intl.Collator('kn', {numeric: true})
// transform plain text to table
document.querySelector('pre').outerHTML = '<table><thead><tr><th>Name</th><th>Size</th></tr></thead><tbody><tr><td><a href="..">..</a></td><td>-</td></tr>' + document.querySelector('pre').innerHTML
.split('\n')
.filter(line => line !== '')
.filter(line => line !== '<a href="../">../</a>')
.map(processLine)
.sort(collator.compare)
.join('\n') + '</tbody></table>'
let searchField = document.createElement('input')
searchField.id = 'search-field'
searchField.autofocus = true
document.querySelector('body').insertBefore(searchField, document.querySelector('table'))
const rows = Array.from(document.querySelectorAll('tbody tr'))
addZebraStripes(rows)
document.querySelector('#search-field').addEventListener("input", e => {
const searchValue = e.target.value.toLowerCase()
rows.forEach(row => {
const file = row.querySelector('td:nth-child(1) a').innerText
if (!file.toLowerCase().includes(searchValue)) {
row.classList.add("hidden")
} else {
row.classList.remove("hidden")
}
})
const visibleRows = rows.filter(row => !row.classList.contains("hidden"))
if (visibleRows.length === 1) {
const target = visibleRows[0].querySelector('td a').href
if (target.substr(-1) === '/') {
window.location = target
}
}
addZebraStripes(visibleRows)
})
})
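Review bot: `processLine` interpolates `meta.filename` straight into HTML, but that value is `decodeURIComponent` of the link's href, so a file or directory whose name contains `<`, `>` or `&` reaches the page unescaped even though nginx had escaped it in the original listing; in any directory where someone other than the operator can choose file names this is a stored markup-injection path, and in every case such names render wrongly. The same function assigns `meta` without `const`, creating an implicit global. Escaping both the link text and the href attribute before building the row fixes the first, and `const meta` fixes the second; the rest of the file is unchanged. `new Intl.Collator('kn', …)` selects the Kannada locale, which looks unintended for this listing and may be worth a look.
```javascript
// … unchanged: humanFileSize, textToA, parseLine …
function escapeHtml(text) {
    return String(text)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;')
}
function processLine(line) {
    const meta = parseLine(line)
    const size = meta.size === '-' ? '-' : humanFileSize(meta.size)
    return `<tr><td><a href="${escapeHtml(meta.href)}">${escapeHtml(meta.filename)}</a></td><td>${size}</td></tr>`
}
// … unchanged: addZebraStripes, table construction, search field …
```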

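--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+let
+cfg = config.sbruder.nginx;
+in
+{
+options.sbruder.nginx = {
+hardening.enable = lib.mkEnableOption "nginx hardening";
+privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
+};
+config = lib.mkMerge [
+(lib.mkIf cfg.hardening.enable {
+services.nginx.commonHttpConfig = ''
+map $scheme $hsts_header {
+https "max-age=31536000";
+}
+add_header Strict-Transport-Security $hsts_header;
+add_header Referrer-Policy strict-origin;
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options SAMEORIGIN;
+'';
+})
+(lib.mkIf cfg.privacy.enable {
+services.nginx.commonHttpConfig = ''
+access_log off;
+'';
+})
+];
+}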
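Review bot: The `add_header` lines in `commonHttpConfig` are not inherited additively: nginx drops every header from an outer context as soon as a server or location block contains its own `add_header`, so any virtual host that adds a header of its own silently loses HSTS, `X-Content-Type-Options` and the rest. That behaviour is easy to miss from this module, so a comment next to the block such as `# add_header is per-context: a server/location that uses add_header itself must repeat these` would save a debugging session; an include file shared by the vhosts is the usual structural fix. `access_log off` as the default under `privacy.enable` also removes the request log an incident investigation would rely on; stating that trade-off in the option description seems worthwhile.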

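--- /dev/null
+++ b/modules/nix.nix
@@ -0,0 +1,91 @@
+{ config, inputs, lib, pkgs, ... }:
+let
+# Adapted from https://nixos.wiki/wiki/Overlays
+overlaysCompat = pkgs.writeTextFile {
+name = "overlays-compat";
+destination = "/overlays.nix";
+text = /* nix */ ''
+self: super:
+with super.lib;
+let
+# Load the system config and get the `nixpkgs.overlays` option
+# This fails gracefully if getFlake is not available
+overlays = if builtins.hasAttr "getFlake" builtins
+then (builtins.getFlake "/var/src/config").nixosConfigurations.${config.networking.hostName}.config.nixpkgs.overlays
+else [ ];
+in
+# Apply all overlays to the input of the current "main" overlay
+foldl' (flip extends) (_: super) overlays self
+'';
+};
+in
+{
+sops.secrets = lib.mkIf config.sbruder.trusted {
+binary-cache-secret-key = { };
+nix-netrc = {
+group = "wheel";
+mode = "0440";
+};
+};
+nix = {
+# nix with flake support
+package = pkgs.nixFlakes;
+registry = with inputs; {
+nixpkgs.flake = nixpkgs;
+nixpkgs-unstable.flake = nixpkgs-unstable;
+};
+nixPath = [
+"nixpkgs=${inputs.nixpkgs}"
+"nixpkgs-overlays=${overlaysCompat}"
+];
+# Make sudoers trusted nix users
+trustedUsers = [ "@wheel" ];
+binaryCaches = [
+"https://nix-cache.sbruder.de/"
+];
+binaryCachePublicKeys = [
+"nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
+];
+# On-the-fly optimisation of nix store
+autoOptimiseStore = true;
+extraOptions = ''
+experimental-features = nix-command flakes
+'' + lib.optionalString config.sbruder.trusted ''
+# Binary cache upload
+secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
+netrc-file = ${config.sops.secrets.nix-netrc.path}
+'' + lib.optionalString config.sbruder.full ''
+# Keep output of derivations with gc root
+keep-outputs = true
+keep-derivations = true
+'';
+# Make nix build in background less noticeable
+daemonCPUSchedPolicy = "batch";
+daemonIOSchedPriority = 5; # 0-7
+};
+nixpkgs.overlays = with inputs; [
+self.overlay
+nixpkgs-overlay.overlay
+(final: prev: {
+unstable = import nixpkgs-unstable {
+inherit (config.nixpkgs)
+config
+overlays
+system;
+};
+})
+AriaNg.overlay
+];
+environment.systemPackages = with pkgs; [
+cached-nix-shell
+];
+}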
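Review bot: The comment in `overlaysCompat` says the shim fails gracefully when `getFlake` is unavailable, but its other two requirements are hard: the flake must be checked out at `/var/src/config` and its `nixosConfigurations` must contain the current `networking.hostName`, otherwise every evaluation that goes through `<nixpkgs-overlays>` aborts. Documenting that next to the existing comment, e.g. `# Requires the config checkout at /var/src/config with a nixosConfigurations entry for this host`, makes the failure mode discoverable. The hard-coded path also means whoever can write to that directory controls the overlays applied to every legacy nix invocation on the host, which is consistent with the `trustedUsers` comment but worth stating alongside it.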

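--- /dev/null
+++ b/modules/pipewire.nix
@@ -0,0 +1,34 @@
+{ config, lib, modulesPath, pkgs, ... }:
+let
+bluetoothSupport = config.sbruder.full;
+in
+lib.mkIf config.sbruder.gui.enable {
+sound.enable = true;
+security.rtkit.enable = true;
+services.pipewire = {
+enable = true;
+pulse.enable = true;
+alsa = {
+enable = true;
+support32Bit = true;
+};
+media-session = {
+config = {
+bluez-monitor = {
+"bluez5.enable-hw-volume" = true;
+};
+};
+};
+};
+environment.systemPackages = with pkgs; [
+helvum # patch panel
+pavucontrol
+pulseaudio # pacmd and pactl
+];
+hardware.bluetooth.enable = lib.mkDefault bluetoothSupport;
+services.blueman.enable = lib.mkDefault bluetoothSupport;
+}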
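Review bot: `modulesPath` is bound in the argument set on the first line but never used in the module; dropping it, `{ config, lib, pkgs, ... }:`, keeps the signature honest. `bluetoothSupport = config.sbruder.full` with `lib.mkDefault` on both bluetooth options works, but a one-line comment explaining why bluetooth follows the `full` profile rather than `gui` would help the next reader.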


@ -3,7 +3,8 @@
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = config.sbruder.wireguard.home.enable; enable = config.sbruder.wireguard.home.enable;
listenAddress = config.sbruder.wireguard.home.address; listenAddress = config.sbruder.wireguard.home.address;
enabledCollectors = [ "systemd " ]; enabledCollectors = [ "systemd" ];
disabledCollectors = [ "rapl" ];
}; };
systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ]; systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];


@ -8,22 +8,22 @@ in
type = lib.types.attrsOf lib.types.str; type = lib.types.attrsOf lib.types.str;
description = "Known public keys that can be used in the configuration"; description = "Known public keys that can be used in the configuration";
default = { default = {
"simon@nunotaba" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwMo0mYcTU1Y4BKpEUsvKAtcTPq3ylKaw+ZjUxNg9VqU5gDy2TDUfWk2FjM2VYcqQJ9ZaNGKE1S18fRU7ZHrcgtFPMgAuji87yOKojH74cwz9ZRf5ZiluWBmR3dFd7kddqHUKVS8utpiQuTLIyQwpgmUHA81IasWXuB2pHaI6HGntMlJTm1CvpcQvwKsDBqJ2bFjFMk6EDgAZWXyooQgthYAfmc+YfAX5T9fWKiqFnEJ0ryN3/RngJZe65HWV8WZwY1CxgKQhOZuRcPdkTEQlUk9Qu0JbVa2sTgdYDpw/Dz0ma+h4rxOrH63MD6Cf0pFgOwLeZVSmXqKTjXVaH1QkHWRat88J8Q6MM6LlhLx/48VcQshhIssAZ37YoW2W0NxnGSM7YtlwTVe+w7rU//cS5TyIQa4joq2pnIh4uurbNkIULa4Q2t2nEMzlqI9gEE9DK1ctOcuCyFOerNZD0yRZ5Rs8WouDLL1PR6ps4czK2N7h2MXABcELuVwX+sdxwFgf6AJaRvrlw4qIOohpeX48FhzZfcI9Cqvnakm+O42J3qXuUDVc6/NjE9zBku3dNaeseGv9CQxtvyVDq6o9MRDiFror3yEiN0Fwou7CXBfXrbeb7MvahsRxSKkSDY0uA+AXmsm1UwdArjEcEMsS1JeFQCdX1yR/Z5xzj2gx60NcR4w==";
"simon@sayuri" = "ssh-rsa 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"; "simon@sayuri" = "ssh-rsa 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";
"simon@mayushii" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna";
}; };
}; };
trustedNames = lib.mkOption { trustedNames = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
description = "Names of trusted public keys, used to generate <literal>sbruder.pubkeys.trustedKeys</literal>"; description = "Names of trusted public keys, used to generate <literal>sbruder.pubkeys.trustedKeys</literal>";
default = [ default = [
"simon@nunotaba"
"simon@sayuri" "simon@sayuri"
"simon@mayushii"
]; ];
}; };
trustedKeys = lib.mkOption { trustedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
description = "Trusted public keys, automatically generated from <literal>sbruder.pubkeys.trustedNames</literal>"; description = "Trusted public keys, automatically generated from <literal>sbruder.pubkeys.trustedNames</literal>";
default = builtins.map default = map
(name: cfg.keys."${name}") (name: cfg.keys."${name}")
cfg.trustedNames; cfg.trustedNames;
}; };


@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
lib.mkIf config.sbruder.gui.enable {
sound.enable = true;
hardware.pulseaudio = {
enable = true;
package = pkgs.pulseaudioFull;
extraModules = [
pkgs.pulseaudio-modules-bt # Non-standard codecs for bluetooth
];
daemon.config = {
"default-sample-format" = "s16le";
"default-sample-rate" = "48000";
"alternate-sample-rate" = "44100";
"resample-method" = "soxr-hq";
"flat-volumes" = "no";
};
};
# Bluetooth support
hardware.bluetooth.enable = true;
services.blueman.enable = true;
environment.systemPackages = with pkgs; [
pavucontrol
];
}


@ -1,5 +1,5 @@
{ {
imports = [ imports = [
./intel.nix ./system.nix
]; ];
} }
