liv/nixos-config
1
0
Fork 0
mirror of https://github.com/Ahwxorg/nixos-config.git synced 2025-12-04 15:00:13 +01:00
Code Issues 1 Projects Releases Packages Wiki Activity Actions

chore: merge remote-tracking branch 'refs/remotes/origin/master'

Browse source
This commit is contained in:
Ahwx 2025-05-25 01:02:56 +02:00
commit 093108b2c2
25 changed files with 550 additions and 135 deletions
Download patch file Download diff file Expand all files Collapse all files

146
flake.lock generated
View file

@ -8,11 +8,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1742767019, "lastModified": 1747531250,
"narHash": "sha256-FdyHDbf31jl5rIU7IQtBVTbZ1ojGrrp5aFaRrE2819s=", "narHash": "sha256-uDhXNURTJgQSpiaCgzqAizbblpcEWEB1WGWEqtCnLLM=",
"owner": "KZDKM", "owner": "KZDKM",
"repo": "Hyprspace", "repo": "Hyprspace",
"rev": "5b62529c2011ede6069445de9b5b3f8a1f10ecfe", "rev": "511d399120bdcafb43e57ca5ff35167c2bba6db8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -50,11 +50,11 @@
"systems": "systems_3" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1736955230, "lastModified": 1747575206,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -104,11 +104,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744289235, "lastModified": 1745357003,
"narHash": "sha256-ZFkHLdimtFzQACsVVyZkZlfYdj4iNy3PkzXfrwmlse8=", "narHash": "sha256-jYwzQkv1r7HN/4qrAuKp+NR4YYNp2xDrOX5O9YVqkWo=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "aquamarine", "repo": "aquamarine",
"rev": "c8282f4982b56dfa5e9b9f659809da93f8d37e7a", "rev": "a19cf76ee1a15c1c12083fa372747ce46387289f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -122,11 +122,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1745352209, "lastModified": 1747519437,
"narHash": "sha256-u3vJEzi6zxgG59KXjMR5koERsdKT5nd1OEKCpr6zgn8=", "narHash": "sha256-uv9Wv59d+mckS2CkorOF484wp2G5TNGijdoBZ5RkAk0=",
"owner": "catppuccin", "owner": "catppuccin",
"repo": "nix", "repo": "nix",
"rev": "6268e50dbb0ac9375e110560395b5dc199e4dfb8", "rev": "3ba714046ee32373e88166e6e9474d6ae6a5b734",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -143,11 +143,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700795494, "lastModified": 1744478979,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -338,11 +338,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1703113217, "lastModified": 1745494811,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -358,11 +358,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1745494811, "lastModified": 1747688838,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "narHash": "sha256-FZq4/3OtGV/cti9Vccsy2tGSUrxTO4hkDF9oeGRTen4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "rev": "45c2985644b60ab64de2a2d93a4d132ecb87cf66",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -376,11 +376,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1743417258, "lastModified": 1747572947,
"narHash": "sha256-YItzk1pj8Kz+b7VlC9zN1pSZ6CuX35asYy3HuMQ3lBQ=", "narHash": "sha256-PMQoXbfmWPuXnF8EaWqRmvTvl7+WFUrDVgufFRPgOM4=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "bc2ad24e0b2e66c3e164994c4897cd94a933fd10", "rev": "910dad4c5755c1735d30da10c96d9086aa2a608d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -405,11 +405,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742215578, "lastModified": 1745948457,
"narHash": "sha256-zfs71PXVVPEe56WEyNi2TJQPs0wabU4WAlq0XV7GcdE=", "narHash": "sha256-lzTV10FJTCGNtMdgW5YAhCAqezeAzKOd/97HbQK8GTU=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprcursor", "repo": "hyprcursor",
"rev": "2fd36421c21aa87e2fe3bee11067540ae612f719", "rev": "ac903e80b33ba6a88df83d02232483d99f327573",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -465,11 +465,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1745443874, "lastModified": 1747610850,
"narHash": "sha256-sEI5r1IjmJEgNn/al7zd5lUsjWpeGAY0uOoCab5Pqcc=", "narHash": "sha256-eGOtDlq3h+r/X/j4oSNo6cmQlt67TVolgUJMnGKTRt4=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "b06fbdb7431aa2b6653d788ad9fb758478c72d4c", "rev": "eb3b38d40baca5c05ddbc1507b3d3f02a0ccb164",
"revCount": 6021, "revCount": 6127,
"submodules": true, "submodules": true,
"type": "git", "type": "git",
"url": "https://github.com/hyprwm/Hyprland" "url": "https://github.com/hyprwm/Hyprland"
@ -585,11 +585,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1739048983, "lastModified": 1745951494,
"narHash": "sha256-REhTcXq4qs3B3cCDtLlYDz0GZvmsBSh947Ub6pQWGTQ=", "narHash": "sha256-2dModE32doiyQMmd6EDAQeZnz+5LOs6KXyE0qX76WIg=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland-qtutils", "repo": "hyprland-qtutils",
"rev": "3504a293c8f8db4127cb0f7cfc1a318ffb4316f8", "rev": "4be1d324faf8d6e82c2be9f8510d299984dfdd2e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -614,11 +614,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744468525, "lastModified": 1746655412,
"narHash": "sha256-9HySx+EtsbbKlZDlY+naqqOV679VdxP6x6fP3wxDXJk=", "narHash": "sha256-kVQ0bHVtX6baYxRWWIh4u3LNJZb9Zcm2xBeDPOGz5BY=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprlang", "repo": "hyprlang",
"rev": "f1000c54d266e6e4e9d646df0774fac5b8a652df", "rev": "557241780c179cf7ef224df392f8e67dab6cef83",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -635,11 +635,11 @@
"systems": "systems_5" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1745357051, "lastModified": 1747584204,
"narHash": "sha256-iA+aN9HYnqukhD1nHWuS903NHE90J+KFiGGL4wXZHgM=", "narHash": "sha256-F3hXDTk28yyFzkDpsWbhrU+QbUzjMsVX9/jO/aTLJwc=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprpicker", "repo": "hyprpicker",
"rev": "5dcb341c13be994e954eb6d0b3a59c20f7db93f9", "rev": "500c46185dd4f2b5e16cd1a4edfe9ed1e126452e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -657,11 +657,11 @@
"systems": "systems_6" "systems": "systems_6"
}, },
"locked": { "locked": {
"lastModified": 1742816163, "lastModified": 1746481417,
"narHash": "sha256-EIJka3UtSEtmkDBjYiGeR/hO6s6R4x3K+rbUlc9KPBE=", "narHash": "sha256-mal2vIpRz5BU/0ll6gP/N2FqjFtgFNDgMBgoI6tLWag=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprsunset", "repo": "hyprsunset",
"rev": "7b7339f0deef23ec23a723651528cb8ae56c11d9", "rev": "2a8ef76c6a77ca249e4613fefcd96bad74b5f9b2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -682,11 +682,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743950287, "lastModified": 1746635225,
"narHash": "sha256-/6IAEWyb8gC/NKZElxiHChkouiUOrVYNq9YqG0Pzm4Y=", "narHash": "sha256-W9G9bb0zRYDBRseHbVez0J8qVpD5QbizX67H/vsudhM=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprutils", "repo": "hyprutils",
"rev": "f2dc70e448b994cef627a157ee340135bd68fbc6", "rev": "674ea57373f08b7609ce93baff131117a0dfe70d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -856,11 +856,11 @@
"nixpkgs": "nixpkgs_7" "nixpkgs": "nixpkgs_7"
}, },
"locked": { "locked": {
"lastModified": 1745373052, "lastModified": 1747620037,
"narHash": "sha256-YoxUn3PXwLN7GxtzRLNAWBAgE728FwLy2oy9roiz/Xg=", "narHash": "sha256-M5yyl1Cp5rolwGBuCEKXG6qJj9lao16lshqPF83z0qs=",
"owner": "fufexan", "owner": "fufexan",
"repo": "nix-gaming", "repo": "nix-gaming",
"rev": "8582d6d908005589e1e0818da7558d63edbbbaf2", "rev": "5d7985a2d5c877f6a276a2b024fff6bb2995ff24",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -871,11 +871,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1745503349, "lastModified": 1747684167,
"narHash": "sha256-bUGjvaPVsOfQeTz9/rLTNLDyqbzhl0CQtJJlhFPhIYw=", "narHash": "sha256-l6jbonaboCBlB8lCjBkrqgh2zEnvt6F3f4dOU/8CLd4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1", "rev": "e8f38b2c19c0647e39021c3d47172ff5469af8a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -886,11 +886,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1703013332, "lastModified": 1745391562,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -948,11 +948,11 @@
}, },
"nixpkgs_11": { "nixpkgs_11": {
"locked": { "locked": {
"lastModified": 1745391562, "lastModified": 1747542820,
"narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1044,11 +1044,11 @@
}, },
"nixpkgs_7": { "nixpkgs_7": {
"locked": { "locked": {
"lastModified": 1744868846, "lastModified": 1747426788,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", "narHash": "sha256-N4cp0asTsJCnRMFZ/k19V9akkxb7J/opG+K+jU57JGc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", "rev": "12a55407652e04dcf2309436eb06fef0d3713ef3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1060,11 +1060,11 @@
}, },
"nixpkgs_8": { "nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1745391562, "lastModified": 1747542820,
"narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1137,11 +1137,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1745506616, "lastModified": 1747683907,
"narHash": "sha256-m8M88SUdaKeB2+l+tvyh7I4L7NLWsF/E5Td0y7UGIPo=", "narHash": "sha256-dgEK4d1QPNFhv0s5s9lpvEWOVBlRZENp7TVh8V8qYDU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "d900870bec8e29aae928c868ecea88f220ae87fa", "rev": "64046fedb710701f87e5e86390b4dbe77f1d733b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1184,11 +1184,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742649964, "lastModified": 1747372754,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1387,11 +1387,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744644585, "lastModified": 1745871725,
"narHash": "sha256-p0D/e4J6Sv6GSb+9u8OQcVHSE2gPNYB5ygIfGDyEiXQ=", "narHash": "sha256-M24SNc2flblWGXFkGQfqSlEOzAGZnMc9QG3GH4K/KbE=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland", "repo": "xdg-desktop-portal-hyprland",
"rev": "be6771e754345f18244fb00aae5c9e5ab21ccc26", "rev": "76bbf1a6b1378e4ab5230bad00ad04bc287c969e",
"type": "github" "type": "github"
}, },
"original": { "original": {

7
hosts/dandelion/default.nix
View file

@ -1,4 +1,9 @@
{ pkgs, config, ... }: {
lib,
pkgs,
config,
...
}:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix

189
hosts/lily/default.nix
View file

@ -1,41 +1,176 @@
{ pkgs, config, ... }: {
lib,
pkgs,
config,
...
}:
let
externalInterface = "wan0";
# networks = config.homelab.networks.local;
# internalInterfaces = lib.mapAttrsToList (_: val: val.interface) networks;
# internalIPs = lib.mapAttrsToList (
# _: val: lib.strings.removeSuffix ".1" val.cidr + ".0/24"
# ) networks;
in
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./variables.nix ./variables.nix
./../../modules/core/default.server.nix ./dns.nix
./wireguard.nix
./../../modules/core/default.router.nix
./../../modules/services/lily.nix
]; ];
networking.hostName = "lily"; liv = {
server.enable = true;
router.enable = true;
};
liv.server.enable = true; boot = {
loader.grub = {
enable = true;
device = "/dev/sda";
useOSProber = true;
};
kernel = {
sysctl = {
# Forward both IPv4 and IPv6 on all interfaces
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = false;
# By default, do not automatically configure any IPv6 addresses.
# "net.ipv6.conf.all.accept_ra" = 0;
# "net.ipv6.conf.all.autoconf" = 0;
# "net.ipv6.conf.all.use_tempaddr" = 0;
# Allow IPv6 autoconfiguration and tempory address use on WAN.
"net.ipv6.conf.${externalInterface}.accept_ra" = 2;
"net.ipv6.conf.${externalInterface}.autoconf" = 1;
};
};
};
networking = {
firewall = {
enable = false;
allowPing = true;
# allow ssh on *all* interfaces, even wan.
allowedTCPPorts = lib.mkForce [ 22 ];
allowedUDPPorts = lib.mkForce [ 22 ];
# interface-specific rules
interfaces = {
"lan0" = {
allowedTCPPorts = [
22
53
];
allowedUDPPorts = [
22
53
];
};
};
};
# <100 is trusted; =>100 is untrusted.
vlans = {
lan = {
id = 1;
interface = "lan1";
};
servers = {
id = 10;
interface = "lan1";
};
management = {
id = 21;
interface = "lan1";
};
iot = {
id = 100;
interface = "lan1";
};
guest = {
id = 110;
interface = "lan1";
};
};
};
services = {
udev.extraRules = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2"
'';
dhcpd4 = {
enable = true;
interfaces = [
"lan"
"servers"
"management"
"iot"
"guest"
];
extraConfig = ''
option domain-name-servers 9.9.9.9, 149.112.112.112;
option subnet-mask 255.255.255.0;
subnet 172.16.1.0 netmask 255.255.255.0 {
option broadcast-address 172.16.1.255;
option routers 172.16.1.1;
interface lan;
range 172.16.1.50 172.16.1.254;
}
subnet 172.16.10.0 netmask 255.255.255.0 {
option broadcast-address 172.16.10.255;
option routers 172.16.10.1;
interface servers;
range 172.16.10.50 172.16.10.254;
}
subnet 172.16.21.0 netmask 255.255.255.0 {
option broadcast-address 172.16.21.255;
option routers 172.16.21.1;
interface management;
range 172.16.21.50 172.16.21.254;
}
subnet 172.16.100.0 netmask 255.255.255.0 {
option broadcast-address 172.16.100.255;
option routers 172.16.100.1;
interface iot;
range 172.16.100.50 172.16.100.254;
}
subnet 172.16.110.0 netmask 255.255.255.0 {
option broadcast-address 172.16.110.255;
option routers 172.16.110.1;
interface guest;
range 172.16.110.50 172.16.110.254;
}
'';
};
avahi = {
enable = true;
reflector = true;
interfaces = [
"lan"
"iot"
];
};
};
networking.hostName = "lily";
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
kitty.terminfo kitty.terminfo
zfs tcpdump
dnsutils
bind
ethtool
]; ];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = [ "zfs" ];
};
networking.hostId = "8wfk1d8a";
services.zfs = {
autoScrub.enable = true;
trim.enable = true;
};
# boot.zfs.extraPools = [ "terrabite" ];
# fileSystems."/terrabite/main" = {
# device = "terrabite/main";
# fsType = "zfs";
# };
} }

31
hosts/lily/dns.nix Normal file
View file

@ -0,0 +1,31 @@
{ lib, config, ... }:
{
services = {
dnsmasq = {
enable = true;
settings = {
cache-size = 10000; # Specifies the size of the DNS query cache. It will store up to n cached DNS queries to improve response times for frequently accessed domains.
server = [
"9.9.9.9"
"149.112.112.112"
];
domain-needed = true; # Ensures that DNS queries are only forwarded for domains that are not found in the local configuration.
bogus-priv = true; # Blocks DNS queries for private IP address ranges to prevent accidental exposure of private resources.
no-resolv = true; # Prevents dnsmasq from using /etc/resolv.conf for DNS server configuration.
# configure DHCP server; get leases by running: `cat /var/lib/dnsmasq/dnsmasq.leases`
dhcp-range = [ "br-lan,172.16.10.50,172.16.10.254,24h" ];
interface = "br-lan";
dhcp-host = "172.16.10.1";
# local sets the local domain name to "n". Combinded with expand-hosts = true, it will add a .local suffix to any local defined name when trying to resolve it.
local = "/local/";
domain = "local";
expand-hosts = true;
no-hosts = true; # Prevents the use of /etc/hosts. This ensures that the local hosts file is not used to override DNS resolution.
address = "/booping.local/172.16.10.1";
};
};
};
}

37
hosts/lily/hardware-configuration.nix Normal file
View file

@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75447a73-848e-4b34-a1b3-d5b7a8e804ee";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d4552527-c7c6-4047-929b-aeb3500299e3"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

3
hosts/lily/wireguard.nix Normal file
View file

@ -0,0 +1,3 @@
{
}

1
hosts/sakura/default.nix
View file

@ -10,6 +10,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./../../modules/core ./../../modules/core
./../../modules/core/virtualization.nix ./../../modules/core/virtualization.nix
./../../modules/services/tailscale.nix
inputs.nixos-hardware.nixosModules.framework-13-7040-amd inputs.nixos-hardware.nixosModules.framework-13-7040-amd
]; ];

11
modules/core/default.router.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
{
imports =
[ (import ./hardware.nix) ]
++ [ (import ./program.nix) ]
++ [ (import ./sshd.nix) ]
++ [ (import ./security.nix) ]
++ [ (import ./services.nix) ]
++ [ (import ./system.nix) ]
++ [ (import ./user.nix) ];
}

4
modules/core/sshd.nix
View file

@ -1,4 +1,4 @@
{ lib, ... }: { lib, config, ... }:
{ {
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -11,6 +11,8 @@
}; };
}; };
networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];
users.users.liv.openssh.authorizedKeys.keys = [ users.users.liv.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone

2
modules/core/user.nix
View file

@ -23,6 +23,8 @@
[ ./../home/default.server.nix ] [ ./../home/default.server.nix ]
else if (host == "dandelion") then else if (host == "dandelion") then
[ ./../home/default.server.nix ] [ ./../home/default.server.nix ]
else if (host == "lily") then
[ ./../home/default.server.nix ]
# else if (host == "yoshino") then # else if (host == "yoshino") then
# [ ./../home/default.nix ] # [ ./../home/default.nix ]
else else

1
modules/home/hyprland/config.nix
View file

@ -214,6 +214,7 @@
bind = [ bind = [
# keybindings # keybindings
"$mainMod, Return, exec, kitty" "$mainMod, Return, exec, kitty"
"$mainMod, Backspace, exec, [float; center; size 950 650] kitty"
"$mainMod, Q, killactive," "$mainMod, Q, killactive,"
"$mainMod, F, fullscreen, 0" # set 1 to 0 to set full screen without waybar "$mainMod, F, fullscreen, 0" # set 1 to 0 to set full screen without waybar
"$mainMod, Space, togglefloating," "$mainMod, Space, togglefloating,"

3
modules/home/hyprland/scripts.nix
View file

@ -12,6 +12,9 @@
case "$1" in case "$1" in
"w") setbg "$file" ;; "w") setbg "$file" ;;
"d") mv "$file" "$HOME/.trash/";; "d") mv "$file" "$HOME/.trash/";;
"s") mkdir -p "$HOME/temp" && cp "$file" "$HOME/temp" ;;
"r") mkdir -p "$HOME/temp" && cp "$(basename "$file" ".JPG").RAF" "$HOME/temp" ;;
"e") echo -e "'$(pwd)"/"$(basename "$file" ".JPG").RAF'\n'$(pwd)/""$file""'" ;;
esac esac
done done
''; '';

11
modules/services/gokapi.nix
View file

@ -1,8 +1,15 @@
{ lib, config, pkgs, ... }: { {
lib,
config,
pkgs,
...
}:
{
services = { services = {
nginx.virtualHosts."share.liv.town" = { nginx.virtualHosts."share.liv.town" = {
useACMEHost = "liv.town";
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://localhost:53842"; proxyPass = "http://localhost:53842";
}; };

3
modules/services/grafana.nix
View file

@ -11,8 +11,9 @@
}; };
nginx.virtualHosts.${config.services.grafana.domain} = { nginx.virtualHosts.${config.services.grafana.domain} = {
useACMEHost = "liv.town";
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true; proxyWebsockets = true;

4
modules/services/immich.nix
View file

@ -1,11 +1,11 @@
{ config, ... }: { { config, ... }:
{
services.immich = { services.immich = {
enable = true; enable = true;
port = 2283; port = 2283;
}; };
# services.nginx.virtualHosts."" = { # services.nginx.virtualHosts."" = {
# enableACME = true;
# forceSSL = true; # forceSSL = true;
# locations."/" = { # locations."/" = {
# proxyPass = "http://localhost:${toString config.services.immich.port}"; # proxyPass = "http://localhost:${toString config.services.immich.port}";

3
modules/services/invidious.nix
View file

@ -12,7 +12,8 @@
virtualHosts = { virtualHosts = {
"video.liv.town" = { "video.liv.town" = {
forceSSL = true; forceSSL = true;
enableACME = true; sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
}; };
}; };

10
modules/services/lily.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
imports =
[ (import ./docker.nix) ]
++ [ (import ./monitoring.nix) ]
++ [ (import ./smart-monitoring.nix) ]
++ [ (import ./unifi.nix) ]
++ [ (import ./tailscale.nix) ]
++ [ (import ./grafana.nix) ];
}

2
modules/services/monitoring.nix
View file

@ -26,8 +26,6 @@
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
9001 9001
22
9123 # always also allow ssh :screaming:
]; ];
}; };
} }

72
modules/services/nginx.nix
View file

@ -1,4 +1,11 @@
{ pkgs, config, lib, ... }: { {
pkgs,
config,
lib,
...
}:
{
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = lib.mkDefault "ahwx@ahwx.org"; defaults.email = lib.mkDefault "ahwx@ahwx.org";
@ -10,7 +17,15 @@
dnsProvider = "desec"; dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value] environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null; webroot = null;
}; };
"quack.social" = {
domain = "*.quack.social";
extraDomainNames = [ "quack.social" ];
group = config.services.nginx.group;
dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null;
};
}; };
}; };
@ -22,8 +37,42 @@
recommendedProxySettings = true; recommendedProxySettings = true;
clientMaxBodySize = lib.mkDefault "10G"; clientMaxBodySize = lib.mkDefault "10G";
defaultListen =
let
listen = [
{
addr = "[::]";
port = 80;
extraParameters = [ "proxy_protocol" ];
}
{
addr = "[::]";
port = 443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
in
map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
# Hardened TLS and HSTS preloading # Hardened TLS and HSTS preloading
appendHttpConfig = '' appendHttpConfig = ''
# Proxying
# real_ip_header proxy_protocol;
server {
listen 80 proxy_protocol;
listen 443 ssl proxy_protocol;
# set_real_ip_from 10.7.0.0/24;
}
ssl_certificate /var/lib/acme/quack.social/cert.pem;
ssl_certificate_key /var/lib/acme/quack.social/key.pem;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
# Do not add HSTS header to HTTP requests. # Do not add HSTS header to HTTP requests.
map $scheme $hsts_header { map $scheme $hsts_header {
@ -49,5 +98,24 @@
add_header pronouns "any but neopronouns"; add_header pronouns "any but neopronouns";
add_header locale "[en_US, nl_NL]"; add_header locale "[en_US, nl_NL]";
''; '';
appendConfig = ''
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
# set_real_ip_from 213.210.34.27;
# real_ip_header proxy_protocol;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
'';
};
networking.firewall = {
allowedTCPPorts = [
80
443
];
}; };
} }

6
modules/services/ntfy.nix
View file

@ -2,7 +2,8 @@ let
hostname = "notify.liv.town"; hostname = "notify.liv.town";
port = 2586; port = 2586;
url = "https://" + hostname; url = "https://" + hostname;
in { in
{
services = { services = {
ntfy-sh = { ntfy-sh = {
enable = true; enable = true;
@ -16,8 +17,9 @@ in {
}; };
}; };
nginx.virtualHosts.${hostname} = { nginx.virtualHosts.${hostname} = {
useACMEHost = "liv.town";
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true; proxyWebsockets = true;

23
modules/services/sharkey-proxy.nix
View file

@ -2,8 +2,9 @@
{ {
services = { services = {
nginx.virtualHosts."quack.social" = { nginx.virtualHosts."quack.social" = {
enableACME = true;
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/quack.social/cert.pem";
sslCertificateKey = "/var/lib/acme/quack.social/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://localhost:3000"; proxyPass = "http://localhost:3000";
proxyWebsockets = true; proxyWebsockets = true;
@ -16,26 +17,6 @@
''; '';
}; };
locations."/files/" = {
proxyPass = "http://localhost:3000";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $remote_addr;
# Try cache?
# proxy_cache sharkey;
# proxy_cache_path /var/cache/nginx/sharkey levels=1:2 keys_zone=sharkey:15m;
# proxy_cache_lock on;
# proxy_cache_use_stale updating;
# proxy_force_ranges on;
# add_header X-Cache $upstream_cache_status;
'';
};
locations."/wiki/" = { locations."/wiki/" = {
# Nepenthis # Nepenthis
proxyPass = "http://localhost:8893"; proxyPass = "http://localhost:8893";

3
modules/services/tailscale.nix Normal file
View file

@ -0,0 +1,3 @@
{
services.tailscale.enable = true;
}

66
modules/services/unifi.nix Normal file
View file

@ -0,0 +1,66 @@
{ pkgs, lib, ... }:
{
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
mongodbPackage = pkgs.mongodb-7_0;
};
# services.nginx = {
# enable = true;
# recommendedProxySettings = true;
# virtualHosts."unifi.local" = {
# forceSSL = true;
# useACMEHost = "unifi.local";
# locations."/" = {
# proxyPass = "https://127.0.0.1:8443";
# proxyWebsockets = true;
# };
# };
# };
# virtualisation.oci-containers.containers."unifi" = {
# image = "lscr.io/linuxserver/unifi-network-application:latest";
# autoStart = true;
# environmentFiles = [ /run/unifi/container-vars.env ];
# volumes = [
# "/etc/localtime:/etc/localtime:ro"
# "/run/unifi/data:/config"
# ];
# ports = [
# "8443:8443" # web admin UI
# "3478:3478/udp" # STUN
# "10001:10001/udp" # AP discovery
# "8080:8080" # device communication
# "6789:6789/udp" # mobile throughput test (assumption: wifiman)
# "5514:5514/udp" # remote syslog (optional)
# ];
# dependsOn = [
# "unifi-mongo"
# ];
# log-driver = "journald";
# };
# virtualisation.oci-containers.containers."unifi-mongo" = {
# image = "mongo:latest";
# autoStart = true;
# volumes = [
# "/etc/localtime:/etc/localtime:ro"
# "/run/unifi/mongo/db:/data/db"
# "/run/unifi/mongo/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro"
# ];
# log-driver = "journald";
# };
networking.firewall.interfaces."lan0" = {
allowedTCPPorts = [
8443 # web admin UI
8080 # device communication
];
allowedUDPPorts = [
6789 # mobile throughput test (assumption: wifiman)
5514 # remote syslog (optional)
3478 # STUN
10001 # AP discovery
];
};
}

1
roles/default.nix
View file

@ -5,6 +5,7 @@
++ [ (import ./amdgpu.nix) ] ++ [ (import ./amdgpu.nix) ]
++ [ (import ./nvidia.nix) ] ++ [ (import ./nvidia.nix) ]
++ [ (import ./server.nix) ] ++ [ (import ./server.nix) ]
++ [ (import ./router.nix) ]
++ [ (import ./desktop.nix) ] ++ [ (import ./desktop.nix) ]
++ [ (import ./wine.nix) ] ++ [ (import ./wine.nix) ]
++ [ (import ./creative.nix) ] ++ [ (import ./creative.nix) ]

46
roles/router.nix Normal file
View file

@ -0,0 +1,46 @@
{
lib,
pkgs,
config,
username,
home-manager,
...
}:
with lib;
let
cfg = config.liv.router;
in
{
options.liv.router = {
enable = mkEnableOption "Enable router";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
pkgs.kitty.terminfo
powertop
bind
];
services = {
thermald.enable = true;
vnstat.enable = true;
# cpupower-gui.enable = true;
# power-profiles-daemon.enable = true;
# auto-cpufreq = {
# enable = true;
# settings = {
# battery = {
# governor = "powersave";
# turbo = "auto";
# };
# charger = {
# governor = "performance";
# turbo = "auto";
# };
# };
# };
};
};
}