diff --git a/README.md b/README.md index 3f186be..ee71641 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [Felix Nixos Config](https://github.com/Stunkymonkey/nixos) -## structure +## Structure ``` . @@ -14,10 +14,18 @@ └── environments # summarize module collections into single options ``` +## Commands -## ToDo's: - - [ ] Developer Workbench - - [ ] Use Disko for drives - - [ ] fully automate installation +```bash +# Rebuild (switch/boot/test) +sudo nixos-rebuild switch --flake '.#jupiter' -## usage \ No newline at end of file + +# Update Flake +nix flake update + +# Channel list +sudo nix-channel --list +# Channel update +sudo nix-channel --update +``` diff --git a/flake.lock b/flake.lock index 8b9c5b0..599059d 100644 --- a/flake.lock +++ b/flake.lock @@ -21,11 +21,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "lastModified": 1759362264, + "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "type": "github" }, "original": { @@ -55,24 +55,6 @@ "type": "github" } }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "git-hooks-nix": { "inputs": { "flake-compat": [ 
@@ -109,17 +91,16 @@ "flake-compat": "flake-compat", "flake-parts": "flake-parts_2", "git-hooks-nix": "git-hooks-nix", - "nixfmt": "nixfmt", "nixpkgs": "nixpkgs", "nixpkgs-23-11": "nixpkgs-23-11", "nixpkgs-regression": "nixpkgs-regression" }, "locked": { - "lastModified": 1738052114, - "narHash": "sha256-OqHJ6mnBh2Ayqr2Sz7FUR2gOzupBBh9zC1DAaj61+OA=", + "lastModified": 1759772381, + "narHash": "sha256-xhNd/WR6/ZSNEJV+9MnZ31cHbk5NAvCG8j4gV1ucJPo=", "owner": "NixOS", "repo": "nix", - "rev": "fbe2940a08b0f850ee3a01978256b4c4d5906587", + "rev": "1e709554d565be51ab8d5a7e4941b0cc1da70807", "type": "github" }, "original": { @@ -128,24 +109,6 @@ "type": "github" } }, - "nixfmt": { - "inputs": { - "flake-utils": "flake-utils" - }, - "locked": { - "lastModified": 1736283758, - "narHash": "sha256-hrKhUp2V2fk/dvzTTHFqvtOg000G1e+jyIam+D4XqhA=", - "owner": "NixOS", - "repo": "nixfmt", - "rev": "8d4bd690c247004d90d8554f0b746b1231fe2436", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixfmt", - "type": "github" - } - }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -169,11 +132,11 @@ ] }, "locked": { - "lastModified": 1737057290, - "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", + "lastModified": 1751903740, + "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", + "rev": "032decf9db65efed428afd2fa39d80f7089085eb", "type": "github" }, "original": { @@ -184,11 +147,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1737751639, - "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "lastModified": 1759582739, + "narHash": "sha256-spZegilADH0q5OngM86u6NmXxduCNv5eX9vCiUPhOYc=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "rev": "3441b5242af7577230a78ffb03542add264179ab", "type": "github" }, "original": { 
@@ -199,16 +162,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734359947, - "narHash": "sha256-1Noao/H+N8nFB4Beoy8fgwrcOQLVm9o4zKW1ODaqK9E=", + "lastModified": 1756178832, + "narHash": "sha256-O2CIn7HjZwEGqBrwu9EU76zlmA5dbmna7jL1XUmAId8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "48d12d5e70ee91fe8481378e540433a7303dbf6a", + "rev": "d98ce345cdab58477ca61855540999c86577d19d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.11", + "ref": "nixos-25.05-small", "repo": "nixpkgs", "type": "github" } @@ -231,14 +194,17 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1735774519, - "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + "lastModified": 1754788789, + "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" } }, "nixpkgs-regression": { @@ -259,11 +225,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1737885589, - "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", + "lastModified": 1759381078, + "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8", + "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "type": "github" }, "original": { 
@@ -274,11 +240,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1750005367,
- "narHash": "sha256-h/aac1dGLhS3qpaD2aZt25NdKY7b+JT0ZIP2WuGsJMU=",
+ "lastModified": 1759580034,
+ "narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6c64dabd3aa85e0c02ef1cdcb6e1213de64baee3",
+ "rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318",
 "type": "github"
 },
 "original": {
@@ -296,21 +262,6 @@
 "nixpkgs": "nixpkgs_2",
 "nixpkgs-unstable": "nixpkgs-unstable"
 }
- },
- "systems": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
 }
 },
 "root": "root",
diff --git a/machines/jupiter/configuration.nix b/machines/jupiter/configuration.nix
index 715a350..9e12a31 100644
--- a/machines/jupiter/configuration.nix
+++ b/machines/jupiter/configuration.nix
@@ -10,13 +10,14 @@
 ./disks.nix
 ./hardware-configuration.nix
 ./environments.nix
+# ./network.nix
 ];
 networking.hostName = "jupiter";
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
- boot.kernelPackages = pkgs.unstable.linuxPackages_latest;
+ boot.kernelPackages = pkgs.linuxPackages;
 # Shitfuck SOnar Dotnet dependency
 nixpkgs.config = {
@@ -31,9 +32,9 @@
 services.openssh.enable = true;
 # Configure keymap in X11
- services.xserver = {
+ services.xserver.xkb = {
 layout = "de";
- xkbVariant = "";
+ variant = "";
 };
 # Configure console keymap
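Review bot: `# ./network.nix` is added to `imports` only as a comment, so the new machines/jupiter/network.nix (its firewall rule and `networking.domain`) is never evaluated on this host; if it is meant to stay off for now, record why, e.g. `# ./network.nix  # not imported yet: sets networking.domain and opens 8080; enable together with my.services.webserver`. The webserver module added in this commit does `inherit (config.networking) domain;` and interpolates it into every vhost name and `useACMEHost`, so turning on `webserver.enable` without this import would most likely fail evaluation on a null domain. The comment also sits at column 0 inside an indented list, which nixfmt would not produce. The enclosing attribute set starts before and ends after this hunk.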
@@ -45,6 +46,19 @@
 security.rtkit.enable = true;
+ # Try fix wifi disconnect
+ networking.networkmanager.wifi.powersave = false;
+
+ # Disable hibernate completely
+ powerManagement.enable = true;
+ systemd.targets."hibernate".enable = false;
+ systemd.targets."hybrid-sleep".enable = false;
+ systemd.targets."suspend-then-hibernate".enable = false;
+
+ # Optional: kernel parameter to fully disable hibernation
+ boot.kernelParams = [ "nohibernate" ];
+
+
 system = {
 stateVersion = "23.05";
 autoUpgrade.enable = true;
diff --git a/machines/jupiter/environments.nix b/machines/jupiter/environments.nix
index 271715e..d7ab6db 100644
--- a/machines/jupiter/environments.nix
+++ b/machines/jupiter/environments.nix
@@ -8,11 +8,13 @@ in
 hyprland.enable = false;
 zsh.enable = true;
 apps = {
- desktop_apps = true;
+ desktop_apps = false;
 dev_apps = false;
 gnome_apps = false;
 };
- kde-desktop.enable = true;
+ actual.enable = true;
+ audiobookshelf.enable = true;
+ kde-desktop.enable = false;
 radarr.enable = true;
 docker.enable = true;
 readarr.enable = true;
@@ -21,7 +23,7 @@ in
 jellyseerr.enable = true;
 development.enable = true;
 paperless = {
- enable = false;
+ enable = true;
 port = 28981; # Optional, to override the default port
 extraConfig = {
 PAPERLESS_ADMIN_USER = "finn";
@@ -33,10 +35,11 @@ in
 my.hardware = {
 bluetooth.enable = true;
- sound.enable = true;
+ sound.enable = false;
 };
 my.services = {
 vpn.enable = true;
+ webserver.enable = false;
 };
 }
diff --git a/machines/jupiter/hardware-configuration.nix b/machines/jupiter/hardware-configuration.nix
index be2142d..7d482e8 100644
--- a/machines/jupiter/hardware-configuration.nix
+++ b/machines/jupiter/hardware-configuration.nix
@@ -18,7 +18,6 @@
 "xhci_pci"
 "ahci"
 "nvme"
- "usbhid"
 ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-intel" ];
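Review bot: `powerManagement.enable = true;` sits directly under `# Disable hibernate completely` but enables rather than disables anything, so the comment misdescribes the first line it covers; give it its own comment, e.g. `# keep powerManagement (suspend) on; only the hibernate targets below are masked`. The two trailing empty `+` lines before `system = {` leave a double blank that nixfmt would collapse. The enclosing configuration set starts before and ends after this hunk.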
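Review bot: Removing `"usbhid"` from `boot.initrd.availableKernelModules` drops USB HID support from the initrd; if disks.nix (imported by configuration.nix but not part of this diff) sets up LUKS with an interactive passphrase, a USB keyboard would no longer work at that prompt and the machine could not be unlocked locally. If the line was dropped only because the generated hardware-configuration no longer lists it, keep it explicitly with a reason, e.g. `"usbhid" # USB keyboard at the initrd prompt`; if there is no initrd prompt on this host, a one-line comment saying so settles the question for the next reader. The enclosing list and attribute set start before this hunk.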
@@ -29,7 +28,7 @@
 nixpkgs.config.packageOverrides = pkgs: {
 vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
 };
- hardware.opengl = {
+ hardware.graphics = {
 enable = true;
 extraPackages = with pkgs; [
 intel-media-driver # LIBVA_DRIVER_NAME=iHD
diff --git a/machines/jupiter/network.nix b/machines/jupiter/network.nix
new file mode 100644
index 0000000..95114a2
--- /dev/null
+++ b/machines/jupiter/network.nix
@@ -0,0 +1,10 @@
+_: {
+ networking.firewall.allowedTCPPorts = [
+ 8080 # aria
+ ];
+
+ networking = {
+ domain = "jupiter.solar.internal";
+ search = [ "jupiter.solar.internal" ];
+ };
+}
\ No newline at end of file
diff --git a/modules/environments/actual/default.nix b/modules/environments/actual/default.nix
new file mode 100644
index 0000000..67661ee
--- /dev/null
+++ b/modules/environments/actual/default.nix
@@ -0,0 +1,35 @@
+# manages and downloads films
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.profiles.audiobookshelf;
+in
+{
+ options.my.profiles.actual = with lib; {
+ enable = mkEnableOption "Audio Book Service";
+
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.actual = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ port = 40465;
+ hostname = "0.0.0.0";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ actual-server
+ ];
+
+ systemd.services.actual = {
+ after = [ "network-online.target" ];
+ };
+ };
+}
diff --git a/modules/environments/audiobookshelf/default.nix b/modules/environments/audiobookshelf/default.nix
new file mode 100644
index 0000000..ff37aaf
--- /dev/null
+++ b/modules/environments/audiobookshelf/default.nix
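Review bot: The `allowedTCPPorts` entry opens TCP 8080 on every interface, while the reverse proxy added in this commit (modules/services/webserver) reaches its backends via `localhost:<port>` and needs no firewall rule; if aria is only meant to be reached through the proxy, drop the entry and publish it as a `my.services.webserver.virtualHosts` item so the plain-HTTP listener stays local. With `networking.hostName = "jupiter"` set in configuration.nix, `domain = "jupiter.solar.internal"` makes the host FQDN `jupiter.jupiter.solar.internal`; if `jupiter.solar.internal` is the intended FQDN, `domain = "solar.internal"` is what is wanted, but note the webserver module names vhosts `${subdomain}.${domain}`, so decide which shape the certificates and DNS expect before changing it. Neither setting is live yet because the import in configuration.nix is commented out, and the file lacks a trailing newline (`\ No newline at end of file`).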
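Review bot: `cfg = config.my.profiles.audiobookshelf;` gates this module on the wrong option: it declares `my.profiles.actual`, so `actual.enable = true` in environments.nix does nothing on its own and the service is in fact switched by the audiobookshelf toggle; change it to `cfg = config.my.profiles.actual;`. The header `# manages and downloads films` and the description `"Audio Book Service"` are carried over from another module and should describe Actual (apparently a budgeting server, going by the `actual-server` package name — confirm). `hostname = "0.0.0.0"` together with `openFirewall = true` exposes the plain-HTTP listener on port 40465 to every interface, whereas the reverse proxy added in this same commit proxies to `localhost:<port>`; binding to `127.0.0.1` and adding a `my.services.webserver.virtualHosts` entry keeps it off the LAN and behind TLS. `after = [ "network-online.target" ]` only orders the unit if something else starts that target; add `wants = [ "network-online.target" ];` if the ordering is meant to take effect.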
@@ -0,0 +1,33 @@
+# manages and downloads films
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.profiles.audiobookshelf;
+in
+{
+ options.my.profiles.audiobookshelf = with lib; {
+ enable = mkEnableOption "Audio Book Service";
+
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.audiobookshelf = {
+ enable = true;
+ openFirewall = true;
+ port = 63834;
+ host = "0.0.0.0";
+ };
+
+ environment.systemPackages = with pkgs; [
+ audiobookshelf
+ ];
+
+ systemd.services.audiobookshelf = {
+ after = [ "network-online.target" ];
+ };
+ };
+}
diff --git a/modules/environments/default.nix b/modules/environments/default.nix
index cc5cab2..f51579f 100644
--- a/modules/environments/default.nix
+++ b/modules/environments/default.nix
@@ -1,7 +1,9 @@
 { ... }:
 {
 imports = [
+ ./actual
 ./apps
+ ./audiobookshelf
 ./development
 ./hyprland
 ./zsh
diff --git a/modules/environments/development/default.nix b/modules/environments/development/default.nix
index 615f936..af1e151 100644
--- a/modules/environments/development/default.nix
+++ b/modules/environments/development/default.nix
@@ -18,7 +18,7 @@ in
 google-chrome
 vscode
 neovim
- jetbrains.idea-ultimate
+ # jetbrains.idea-ultimate
 go
 (python3.withPackages (
 ps: with ps; [
diff --git a/modules/environments/kde-desktop/default.nix b/modules/environments/kde-desktop/default.nix
index 0a7cbc6..fed26ef 100644
--- a/modules/environments/kde-desktop/default.nix
+++ b/modules/environments/kde-desktop/default.nix
@@ -14,14 +14,14 @@ in
 };
 config = lib.mkIf cfg.enable {
- services.xserver = {
- enable = true;
+ services = {
 displayManager.sddm.enable = true;
- desktopManager.plasma5.enable = true;
+ displayManager.sddm.wayland.enable = true;
+ desktopManager.plasma6.enable = true;
 };
 users.users.finn.packages = with pkgs; [
 # Programms can be added here...
 numix-icon-theme
 ];
 };
-}
+}
\ No newline at end of file
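Review bot: The header `# manages and downloads films` does not describe this module; replace it with `# audiobook/podcast server (audiobookshelf)`. As in the actual module, `host = "0.0.0.0"` with `openFirewall = true` publishes the plain-HTTP listener on 63834 to every interface, while the reverse proxy added in this commit proxies to `localhost:<port>`; binding to `127.0.0.1` and adding a `my.services.webserver.virtualHosts` entry keeps it local and behind TLS. `after = [ "network-online.target" ]` only orders against that target if something else activates it, so add `wants = [ "network-online.target" ];` if the intent is to wait for the network. `environment.systemPackages = [ audiobookshelf ]` looks redundant with `services.audiobookshelf.enable`, which already brings in the daemon — keep it only if the binary is wanted on PATH.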
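Review bot: `services.xserver.enable = true` is dropped together with the plasma5→plasma6 switch, but configuration.nix still sets the keymap under `services.xserver.xkb` "for X11"; if only the Wayland session is wanted that is fine, otherwise keep `services.xserver.enable = true;` so an X11 Plasma session remains available (I believe the X11 session still needs it — confirm). The closing `}` loses its trailing newline (`\ No newline at end of file`), which nixfmt would restore. On jupiter the module is now off (`kde-desktop.enable = false`), so this only matters for other hosts; the enclosing module starts before this hunk.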
diff --git a/modules/environments/paperless/default.nix b/modules/environments/paperless/default.nix
index 967c485..74ed94c 100644
--- a/modules/environments/paperless/default.nix
+++ b/modules/environments/paperless/default.nix
@@ -28,10 +28,8 @@ in
 services.paperless = {
 enable = true;
 address = "0.0.0.0";
- dataDir = "/home/finn/documents/paperless";
- #inherit (cfg) port extraConfig;
 port = cfg.port;
- extraConfig = cfg.extraConfig;
+# settings = cfg.extraConfig;
 };
 networking.firewall.allowedTCPPorts = [ cfg.port ];
 };
diff --git a/modules/hardware/default.nix b/modules/hardware/default.nix
index 59038c3..464ae26 100644
--- a/modules/hardware/default.nix
+++ b/modules/hardware/default.nix
@@ -12,6 +12,6 @@
 #./yubikey
 ./sound
 #./thunderbolt
- #./wifi
+ # ./wifi
 ];
 }
diff --git a/modules/hardware/sound/default.nix b/modules/hardware/sound/default.nix
index 4c4a7f2..8305717 100644
--- a/modules/hardware/sound/default.nix
+++ b/modules/hardware/sound/default.nix
@@ -13,8 +13,11 @@ in
 };
 config = lib.mkIf cfg.enable {
- hardware.pulseaudio.enable = false;
- hardware.pulseaudio.support32Bit = true;
+ services.pulseaudio = {
+ enable = false;
+ support32Bit = true;
+ };
+
 users.extraUsers.finn.extraGroups = [ "audio" ];
 environment.systemPackages = with pkgs; [
 headsetcontrol
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 46a0a16..3fa092a 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -4,5 +4,6 @@
 {
 imports = [
 ./vpn
+ ./webserver
 ];
 }
diff --git a/modules/services/webserver/default.nix b/modules/services/webserver/default.nix
new file mode 100644
index 0000000..527835a
--- /dev/null
+++ b/modules/services/webserver/default.nix
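Review bot: `# settings = cfg.extraConfig;` leaves the module's `extraConfig` option declared but no longer forwarded, so the `PAPERLESS_ADMIN_USER` (and siblings) passed from machines/jupiter/environments.nix — which enables paperless in this same commit — are silently ignored, and `dataDir` now silently falls back to the module default. If the upstream option was renamed to `services.paperless.settings` with the same attrset of environment variables, as the commented line suggests, restore it as `settings = cfg.extraConfig;`; if it cannot be wired yet, add an assertion or warning on `cfg.extraConfig != { }` instead of dropping the values quietly. The column-0 comment inside the attrset is a formatting slip nixfmt would not produce. `address = "0.0.0.0"` plus `allowedTCPPorts = [ cfg.port ]` predates this change, but with the new reverse-proxy module the same localhost-binding pattern applies here. The enclosing `config = lib.mkIf` block starts before this hunk.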
@@ -0,0 +1,187 @@
+# public webserver with reverseproxy
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.services.webserver;
+ inherit (config.networking) domain;
+
+ virtualHostOption = lib.types.submodule {
+ options = {
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ example = "dev";
+ description = ''
+ Which subdomain, under config.networking.domain, to use
+ for this virtual host.
+ '';
+ };
+ port = lib.mkOption {
+ type = with lib.types; nullOr port;
+ default = null;
+ example = 8080;
+ description = ''
+ Which port to proxy to, through localhost, for this virtual host.
+ This option is incompatible with `root`.
+ '';
+ };
+ root = lib.mkOption {
+ type = with lib.types; nullOr path;
+ default = null;
+ example = "/var/www/blog";
+ description = ''
+ The root folder for this virtual host. This option is incompatible
+ with `port`.
+ '';
+ };
+ extraConfig = lib.mkOption {
+ type = with lib.types; nullOr lines;
+ example = lib.literalExpression ''
+ {
+ locations."/socket" = {
+ proxyPass = "http://localhost:8096/";
+ proxyWebsockets = true;
+ };
+ }
+ '';
+ default = null;
+ description = ''
+ Any extra configuration that should be applied to this virtual host.
+ '';
+ };
+ };
+ };
+
+in
+{
+ options.my.services.webserver = {
+ enable = lib.mkEnableOption "webserver";
+ virtualHosts = lib.mkOption {
+ type = lib.types.listOf virtualHostOption;
+ default = [ ];
+ example = lib.literalExpression ''
+ [
+ {
+ subdomain = "gitea";
+ port = 8080;
+ }
+ {
+ subdomain = "dev";
+ root = "/var/www/dev";
+ }
+ {
+ subdomain = "jellyfin";
+ port = 8096;
+ extraConfig = {
+ locations."/socket" = {
+ proxyPass = "http://localhost:8096/";
+ proxyWebsockets = true;
+ };
+ };
+ }
+ ]
+ '';
+ description = ''
+ List of virtual hosts to set-up using default settings.
+ ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = lib.allUnique (builtins.filter (p: p != null) (map (v: v.port) cfg.virtualHosts)); + message = + let + portsWithSubdomains = builtins.filter (v: v.port != null) cfg.virtualHosts; + duplicates = lib.filter ( + p: builtins.length (lib.filter (x: x.port == p.port) portsWithSubdomains) > 1 + ) portsWithSubdomains; + in + if duplicates == [ ] then + "" + else + "Duplicate ports found in my.services.webserver.virtualHosts: " + + builtins.concatStringsSep ", " (map (v: v.subdomain + ":" + builtins.toString v.port) duplicates); + } + ]; + + services = { + nginx.enable = false; + caddy = { + enable = true; + email = "jupiter@solar.internal"; + + globalConfig = '' + servers{ + + } + ''; + extraConfig = '' + (compress) { + encode gzip zstd + } + (headers) { + header { + # enable CORS + Access-Control-Allow-Origin "https://${config.networking.domain}" + # disable FLoC tracking + Permissions-Policy interest-cohort=() + # enable HSTS + Strict-Transport-Security max-age=31536000; + # disable clients from sniffing the media type + X-Content-Type-Options "nosniff" + # clickjacking protection + X-Frame-Options "DENY" + # enable XSS protection + X-XSS-Protection "1; mode=block" + # referrer policy + Referrer-Policy "strict-origin-when-cross-origin" + } + } + (common) { + import headers + import compress + } + ''; + + virtualHosts = + let + mkVHost = + { subdomain, ... 
}@args:
+ lib.nameValuePair "${subdomain}.${domain}" (
+ lib.foldl lib.recursiveUpdate { } [
+ {
+ useACMEHost = domain;
+ extraConfig = ''
+ import common
+ ${lib.optionalString (args.root != null) ''
+ root * ${args.root}
+ file_server
+ ''}
+ ${lib.optionalString (args.port != null) ''
+ reverse_proxy localhost:${toString args.port} {
+ # remove CORS headers from proxied server, because duplicate headers are not allowed
+ # remove after new release: https://github.com/navidrome/navidrome/commit/657fe11f5327ff7a3cb6aa9308b0bb7c71eea5c6
+ header_down -Access-Control-Allow-Origin
+ }
+ ''}
+ ${lib.optionalString (args.extraConfig != null) args.extraConfig}
+ '';
+ }
+ ]
+ );
+ in
+ lib.listToAttrs (map mkVHost cfg.virtualHosts);
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
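Review bot: The `port`/`root` exclusivity promised in the option descriptions is never enforced — the only assertion checks duplicate ports — so a virtual host with both or neither set evaluates silently and yields an empty or conflicting Caddy site block; add a second assertion (below). `useACMEHost = domain` points every vhost at a certificate `security.acme.certs.${domain}` that this module does not declare, and on a `.internal` domain a public CA cannot issue one, so unless another module defines it evaluation will fail or the vhost will have no usable cert — declare it here (DNS-01 or an internal CA) or expose it as an option. `extraConfig` is typed `nullOr lines`, but its `example` and the `virtualHosts` example show an nginx-style attrset `locations."/socket" = { proxyPass … }` that would not type-check; replace it with a Caddyfile snippet such as `handle /socket { reverse_proxy localhost:8096 }`. In the shared `(headers)` snippet, `X-XSS-Protection "1; mode=block"` re-enables the legacy browser XSS auditor that current guidance says to disable; use `X-XSS-Protection "0"` or drop it, and since every vhost is a subdomain of `domain`, HSTS should carry `includeSubDomains`. The empty `globalConfig = ''servers{ }''` block is a no-op and can be removed.

```nix
assertions = [
  {
    assertion = lib.all (v: (v.port == null) != (v.root == null)) cfg.virtualHosts;
    message = "my.services.webserver.virtualHosts: each virtual host must set exactly one of `port` or `root`.";
  }
  # … unchanged: duplicate-port assertion …
];
```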