Restructure repo

2025-11-29 20:18:45 +01:00
parent e1e2040deb
commit 1e89b45042
97 changed files with 114 additions and 139 deletions


@@ -0,0 +1,14 @@
{ config, pkgs, ... }:
{
services.actual = {
enable = true;
openFirewall = false;
settings = {
port = 3000;
hostname = "127.0.0.1"; # Listen on all IPv4 addresses
};
};
services.caddy.virtualHosts."finance.jelles.net".extraConfig = "reverse_proxy :3000";
}
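Review bot: The comment on `hostname = "127.0.0.1";` says the service listens on all IPv4 addresses, but that value binds it to loopback only, which is the right choice behind the Caddy vhost. A reader who trusts the comment may later "correct" the value and expose port 3000 directly. I would change the line to `hostname = "127.0.0.1"; # loopback only, reached through the Caddy vhost below`.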


@@ -0,0 +1,20 @@
# Adguard is a network-wide ad blocker
# When installed, open localhost:3000 to setup
{config, ...}: let
domain = "adguard.hadi.diy";
in {
services = {
adguardhome = {
enable = true;
port = 3000;
};
nginx.virtualHosts."${domain}" = {
useACMEHost = "hadi.diy";
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.port}";
};
};
};
}
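Review bot: `adguardhome` is given `port = 3000;` but no bind address, and as far as I know the module's `host` option defaults to `0.0.0.0`, so the admin UI would listen on every interface and not only behind the nginx vhost. The header comment says first-run setup happens on that port, so the exposure matters most before a password exists. Adding `host = "127.0.0.1";` next to the port keeps it reachable only through the TLS proxy; the host firewall may already block the port, but that is not visible in this hunk. The mealie hunk has the same shape (`port = 8092;` with no address; its module has `listenAddress`).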

65
modules/nixos/arr.nix Normal file

@@ -0,0 +1,65 @@
# *arr is a collection of media management applications.
# See https://github.com/rasmus-kirk/nixarr
# Setup guide: https://nixarr.com/wiki/setup/
{config, ...}: let
domain = "hadi.diy";
mkVirtualHost = port: {
useACMEHost = domain;
forceSSL = true;
locations."/" = {proxyPass = "http://127.0.0.1:${toString port}";};
};
username = config.var.username;
in {
# Add my secrets
sops.secrets = {
recyclarr = {
owner = "recyclarr";
mode = "0777";
};
wireguard-pia = {
group = "media";
mode = "0600";
};
};
nixarr = {
enable = true;
mediaUsers = [username];
mediaDir = "/mnt/data/media";
stateDir = "/mnt/data/.state/nixarr";
vpn = {
enable = true;
wgConf = config.sops.secrets.wireguard-pia.path;
};
jellyfin.enable = true;
jellyseerr.enable = true;
prowlarr.enable = true;
radarr.enable = true;
sonarr.enable = true;
bazarr.enable = true;
readarr.enable = true;
transmission = {
enable = true;
extraSettings = {trash-original-torrent-files = true;};
vpn.enable = true;
};
recyclarr = {
enable = true;
configFile = config.sops.secrets.recyclarr.path;
};
};
services.nginx.virtualHosts = {
"jellyfin.${domain}" = mkVirtualHost 8096;
"jellyseerr.${domain}" = mkVirtualHost 5055;
"bazarr.${domain}" = mkVirtualHost 6767;
"prowlarr.${domain}" = mkVirtualHost 9696;
"radarr.${domain}" = mkVirtualHost 7878;
"sonarr.${domain}" = mkVirtualHost 8989;
"transmission.${domain}" = mkVirtualHost 9091;
"readarr.${domain}" = mkVirtualHost 8787;
};
}
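Review bot: The `recyclarr` secret is declared with `mode = "0777"`, which makes the decrypted file readable and writable by every local account; it is used as recyclarr's `configFile`, which presumably holds the Sonarr/Radarr API keys. Since `owner = "recyclarr"` is already set, `mode = "0400";` is enough for the service to read it. Separately, `wireguard-pia` sets `group = "media"` together with `mode = "0600"`, so the group gets no access at all; either the mode should be `0640` or the `group` line can go, depending on which account reads the WireGuard config.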

21
modules/nixos/audio.nix Normal file

@@ -0,0 +1,21 @@
# Audio configuration for NixOS using PipeWire
{
security.rtkit.enable = true;
services.pulseaudio.enable = false;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber = {
enable = true;
extraConfig = {
"10-disable-camera" = {
"wireplumber.profiles" = {main."monitor.libcamera" = "disabled";};
};
};
};
};
}


@@ -0,0 +1,23 @@
# Bitwarden (or vaultwarden) is a self-hosted password manager.
{ config, ... }:
let
domain = "vault.jelles.net";
in
{
services = {
vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://" + domain;
SIGNUPS_ALLOWED = true;
ROCKET_PORT = 8100;
ROCKET_LOG = "critical";
};
};
caddy.virtualHosts."vault.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
}
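Review bot: `SIGNUPS_ALLOWED = true` leaves account registration open to anyone who can reach vault.jelles.net, which the Caddy vhost in the same hunk publishes. For a personal vault I would set `SIGNUPS_ALLOWED = false;` once your own account exists and use invitations for anyone else. Minor: the vhost key repeats the literal `"vault.jelles.net"` instead of using `domain`, so the two can drift apart.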


@@ -0,0 +1,9 @@
# Bluetooth configuration for NixOS
{pkgs, ...}: {
environment.systemPackages = with pkgs; [blueman];
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
services.blueman.enable = true;
}

22
modules/nixos/caddy.nix Normal file

@@ -0,0 +1,22 @@
{ inputs, pkgs, ... }:
{
services.caddy = {
enable = true;
virtualHosts."community.jelles.net".extraConfig = ''
root * ${inputs.community-website.packages.${pkgs.stdenv.hostPlatform.system}.default}
file_server
'';
virtualHosts."zentire.jelles.net".extraConfig = ''
root * ${inputs.zentire-website.packages.${pkgs.stdenv.hostPlatform.system}.default}
file_server
'';
email = "mail@jelles.net";
};
networking.firewall = {
allowedTCPPorts = [
80
443
];
};
}


@@ -0,0 +1,14 @@
{
services = {
copyparty = {
enable = true;
settings = {
e2dsa = true;
no-cfg = true;
};
};
caddy.virtualHosts."files.jelles.net".extraConfig = "reverse_proxy :3923";
};
}
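Review bot: The copyparty block declares no accounts, no volumes and no bind address, yet the same hunk publishes it at files.jelles.net. Unless those are set in another module, what an anonymous visitor may read or upload is left to copyparty's defaults, and the daemon may also be listening on port 3923 directly rather than only behind Caddy. I would declare the accounts and per-volume permissions here, bind it to loopback (copyparty's `i` setting, e.g. `i = "127.0.0.1";`), and add a comment stating who is meant to have write access.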

6
modules/nixos/docker.nix Normal file

@@ -0,0 +1,6 @@
# Docker is a containerization platform that allows you to run applications in isolated environments called containers.
{ config, ... }:
{
virtualisation.docker.enable = true;
users.users."${config.var.username}".extraGroups = [ "docker" ];
}
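Review bot: Adding `config.var.username` to the `docker` group gives that account root-equivalent control of the host, because access to the Docker socket is not subject to any further privilege check. If that is intended, say so in a comment on the `extraGroups` line, e.g. `# docker group == root on this host`. Otherwise consider the rootless daemon (`virtualisation.docker.rootless.enable = true;`) and drop the group membership.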


@@ -0,0 +1,35 @@
{
config,
inputs,
pkgs,
...
}:
{
users.groups.eleakxir = { };
users.users.hadi.extraGroups = [ "eleakxir" ];
services.eleakxir = {
enable = true;
port = 9198;
user = "eleakxir";
group = "eleakxir";
limit = 1000;
folders = [
"/var/lib/eleakxir/leaks/"
"/mnt/data/clean-leak/"
];
debug = true;
};
environment.systemPackages = [
inputs.eleakxir.packages.${pkgs.stdenv.hostPlatform.system}.leak-utils
];
services.nginx.virtualHosts."eleakxir-back.hadi.diy" = {
useACMEHost = "hadi.diy";
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.eleakxir.port}";
};
};
}
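Review bot: `debug = true;` is left on for a service that the same hunk exposes at eleakxir-back.hadi.diy, and the nginx `locations."/"` block carries no access restriction. The `folders` paths suggest the backend indexes breach data, so whatever extra output debug mode produces, and an endpoint open to the internet, are both worth avoiding. I would set `debug = false;` and either limit the vhost to the LAN/VPN or put authentication in front of it. Also, `users.users.hadi` is hard-coded here while the other modules use `config.var.username`.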


@@ -0,0 +1,9 @@
# Firewall configuration for NixOS
{
networking.firewall = {
enable = true;
allowPing = false;
};
networking.nftables.enable = true;
}

27
modules/nixos/fonts.nix Normal file

@@ -0,0 +1,27 @@
# Fonts configuration for NixOS
{ pkgs, ... }:
{
fonts = {
packages = with pkgs; [
roboto
work-sans
comic-neue
source-sans
comfortaa
inter
lato
lexend
jost
dejavu_fonts
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
nerd-fonts.fira-code
nerd-fonts.meslo-lg
openmoji-color
twemoji-color-font
];
enableDefaultPackages = false;
};
}

46
modules/nixos/gitea.nix Normal file

@@ -0,0 +1,46 @@
{ config, pkgs, ... }:
{
services.gitea = {
enable = true;
appName = "Git Server"; # A name for your Gitea instance
user = "git";
group = "git";
settings = {
server = {
PROTOCOL = "http"; # Use http for now, caddy will handle https
DOMAIN = "git.jelles.net";
ROOT_URL = "https://git.jelles.net/";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3001;
START_SSH_SERVER = false;
DISABLE_SSH = false; # Disable the built-in SSH server, use HTTPS for cloning
SSH_PORT = 22;
};
service = {
DISABLE_REGISTRATION = true; # Consider enabling for public instances
};
};
};
services.caddy.virtualHosts."git.jelles.net".extraConfig = "reverse_proxy :3001";
users.users.git = {
isSystemUser = true;
description = "Gitea Service User";
home = config.services.gitea.stateDir;
createHome = true;
homeMode = "750";
useDefaultShell = true;
group = "git";
};
users.groups.git = { };
systemd.tmpfiles.rules = [
"Z /var/lib/gitea 0750 git git - -"
];
}
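Review bot: Two comments in `settings` say the opposite of the value beside them. `DISABLE_SSH = false;` is annotated "Disable the built-in SSH server, use HTTPS for cloning", yet it leaves SSH cloning enabled (it is `START_SSH_SERVER = false` that keeps the built-in server off), and `DISABLE_REGISTRATION = true;` is annotated "Consider enabling for public instances", which reads as advice to open sign-ups. Suggested wording: `DISABLE_SSH = false; # SSH cloning via the system sshd; built-in server stays off` and `DISABLE_REGISTRATION = true; # no self-service sign-up`. The `git` user also gets `useDefaultShell = true`, so it is worth confirming that account can only be used for Gitea's SSH access.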


@@ -0,0 +1,353 @@
# Glance is a self-hosted homepage/dashboard service.
{
config,
lib,
...
}: let
domain = "start.hadi.diy";
rgb-to-hsl = color: let
r = ((lib.toInt config.lib.stylix.colors."${color}-rgb-r") * 100.0) / 255;
g = ((lib.toInt config.lib.stylix.colors."${color}-rgb-g") * 100.0) / 255;
b = ((lib.toInt config.lib.stylix.colors."${color}-rgb-b") * 100.0) / 255;
max = lib.max r (lib.max g b);
min = lib.min r (lib.min g b);
delta = max - min;
fmod = base: int: base - (int * builtins.floor (base / int));
h =
if delta == 0
then 0
else if max == r
then 60 * (fmod ((g - b) / delta) 6)
else if max == g
then 60 * (((b - r) / delta) + 2)
else if max == b
then 60 * (((r - g) / delta) + 4)
else 0;
l = (max + min) / 2;
s =
if delta == 0
then 0
else 100 * delta / (100 - lib.max (2 * l - 100) (100 - (2 * l)));
roundToString = value: toString (builtins.floor (value + 0.5));
in
lib.concatMapStringsSep " " roundToString [h s l];
in {
# TODO: Add tailscale custom widget
services = {
glance = {
enable = true;
settings = {
theme = {
contrast-multiplier = lib.mkForce 1.4;
};
pages = [
{
hide-desktop-navigation = true;
columns = [
{
size = "small";
widgets = [
{
type = "clock";
hour-format = "24h";
}
{
type = "weather";
location = "Paris, France";
}
{
type = "markets";
markets = [
{
symbol = "BTC-USD";
name = "Bitcoin";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:BTCUSD";
}
{
symbol = "SOL-USD";
name = "Solana";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:SOLUSD";
}
{
symbol = "ETH-USD";
name = "Ethereum";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:ETHUSD";
}
];
}
{
type = "dns-stats";
service = "adguard";
url = "https://adguard.hadi.diy";
username = "hadi";
password = "\${secret:adguard-pwd}";
}
];
}
{
size = "full";
widgets = [
{
type = "search";
search-engine = "duckduckgo";
}
{
type = "bookmarks";
groups = [
{
title = "";
same-tab = true;
color = "200 50 50";
links = [
{
title = "ProtonMail";
url = "https://proton.me/mail";
}
{
title = "Github";
url = "https://github.com";
}
{
title = "Youtube";
url = "https://youtube.com";
}
{
title = "Figma";
url = "https://figma.com";
}
];
}
{
title = "Docs";
same-tab = true;
color = "200 50 50";
links = [
{
title = "Nixpkgs repo";
url = "https://github.com/NixOS/nixpkgs";
}
{
title = "Nixvim";
url = "https://nix-community.github.io/nixvim/";
}
{
title = "Hyprland wiki";
url = "https://wiki.hyprland.org/";
}
{
title = "Search NixOS";
url = "https://search-nixos.hadi.diy";
}
];
}
{
title = "Homelab";
same-tab = true;
color = "100 50 50";
links = [
{
title = "Router";
url = "http://192.168.1.254/";
}
{
title = "Cloudflare";
url = "https://dash.cloudflare.com/";
}
];
}
{
title = "Work";
same-tab = true;
color = "50 50 50";
links = [
{
title = "Outlook";
url = "https://outlook.office.com/";
}
{
title = "Teams";
url = "https://teams.microsoft.com/";
}
{
title = "Office";
url = "https://www.office.com/";
}
];
}
{
title = "Cyber";
same-tab = true;
color = rgb-to-hsl "base09";
links = [
{
title = "CyberChef";
url = "https://cyberchef.org/";
}
{
title = "TryHackMe";
url = "https://tryhackme.com/";
}
{
title = "RootMe";
url = "https://www.root-me.org/";
}
{
title = "Exploit-DB";
url = "https://www.exploit-db.com/";
}
{
title = "CrackStation";
url = "https://crackstation.net/";
}
];
}
{
title = "Misc";
same-tab = true;
color = rgb-to-hsl "base01";
links = [
{
title = "Svgl";
url = "https://svgl.app/";
}
{
title = "Excalidraw";
url = "https://excalidraw.com/";
}
{
title = "Cobalt (Downloader)";
url = "https://cobalt.tools/";
}
{
title = "Mazanoke (Image optimizer)";
url = "https://mazanoke.com/";
}
{
title = "Vert (File converter)";
url = "https://vert.sh/";
}
];
}
];
}
{
type = "server-stats";
servers = [
{
type = "local";
name = "Jack";
}
];
}
{
type = "group";
widgets = [
{
type = "monitor";
title = "Services";
cache = "1m";
sites = [
{
title = "Vaultwarden";
url = "https://vault.hadi.diy";
icon = "si:bitwarden";
}
{
title = "Nextcloud";
url = "https://cloud.hadi.diy";
icon = "si:nextcloud";
}
{
title = "Adguard";
url = "https://adguard.hadi.diy";
icon = "si:adguard";
}
{
title = "Mealie";
url = "https://mealie.hadi.diy";
icon = "si:mealie";
}
];
}
{
type = "monitor";
title = "*arr";
cache = "1m";
sites = [
{
title = "Jellyfin";
url = "https://jellyfin.hadi.diy";
icon = "si:jellyfin";
}
{
title = "Jellyseerr";
url = "https://jellyseerr.hadi.diy";
icon = "si:odysee";
}
{
title = "Radarr";
url = "https://radarr.hadi.diy";
icon = "si:radarr";
}
{
title = "Sonarr";
url = "https://sonarr.hadi.diy";
icon = "si:sonarr";
}
{
title = "Prowlarr";
url = "https://prowlarr.hadi.diy";
icon = "si:podcastindex";
}
{
title = "Transmission";
url = "https://transmission.hadi.diy";
icon = "si:transmission";
}
];
}
];
}
];
}
];
name = "Home";
}
];
server = {port = 5678;};
};
};
nginx.virtualHosts."${domain}" = {
useACMEHost = "hadi.diy";
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${
toString config.services.glance.settings.server.port
}";
};
};
};
systemd.services.glance = {
serviceConfig = {
DynamicUser = lib.mkForce false;
User = "glance";
Group = "glance";
};
};
users = {
groups.glance = {};
users.glance = {
isSystemUser = true;
description = "Glance user";
group = "glance";
};
};
sops.secrets.adguard-pwd = {
owner = "glance";
mode = "0600";
};
}
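Review bot: The dashboard is published at start.hadi.diy with no access control on the nginx `locations."/"` block, while the page carries a `server-stats` widget, a `dns-stats` widget that queries AdGuard with a stored credential, and a link to the router's LAN address. That hands an unauthenticated visitor host metrics, DNS statistics and a map of the internal services. I would restrict the vhost to the LAN/VPN or add authentication in front of it (for example the vhost's `basicAuthFile`). The `adguard-pwd` secret itself is scoped sensibly (`owner = "glance"`, `mode = "0600"`).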

300
modules/nixos/glance.nix Normal file

@@ -0,0 +1,300 @@
{ config, lib, ... }:
let
rgb-to-hsl =
color:
let
r = ((lib.toInt config.lib.stylix.colors."${color}-rgb-r") * 100.0) / 255;
g = ((lib.toInt config.lib.stylix.colors."${color}-rgb-g") * 100.0) / 255;
b = ((lib.toInt config.lib.stylix.colors."${color}-rgb-b") * 100.0) / 255;
max = lib.max r (lib.max g b);
min = lib.min r (lib.min g b);
delta = max - min;
fmod = base: int: base - (int * builtins.floor (base / int));
h =
if delta == 0 then
0
else if max == r then
60 * (fmod ((g - b) / delta) 6)
else if max == g then
60 * (((b - r) / delta) + 2)
else if max == b then
60 * (((r - g) / delta) + 4)
else
0;
l = (max + min) / 2;
s = if delta == 0 then 0 else 100 * delta / (100 - lib.max (2 * l - 100) (100 - (2 * l)));
roundToString = value: toString (builtins.floor (value + 0.5));
in
lib.concatMapStringsSep " " roundToString [
h
s
l
];
in
{
services = {
glance = {
enable = true;
settings = {
server.port = 8101;
pages = [
{
hide-desktop-navigation = true;
columns = [
{
size = "small";
widgets = [
{
type = "clock";
hour-format = "24h";
}
{
type = "weather";
location = "Paris, France";
}
{
type = "markets";
markets = [
{
symbol = "BTC-USD";
name = "Bitcoin";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:BTCUSD";
}
{
symbol = "SOL-USD";
name = "Solana";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:SOLUSD";
}
{
symbol = "ETH-USD";
name = "Ethereum";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:ETHUSD";
}
];
}
];
}
{
size = "full";
widgets = [
{
type = "search";
search-engine = "google";
}
{
type = "bookmarks";
groups = [
{
title = "";
same-tab = true;
color = "200 50 50";
links = [
{
title = "Github";
url = "https://github.com";
}
{
title = "Youtube";
url = "https://youtube.com";
}
{
title = "Figma";
url = "https://figma.com";
}
];
}
{
title = "Docs";
same-tab = true;
color = "200 50 50";
links = [
{
title = "Nixpkgs repo";
url = "https://github.com/NixOS/nixpkgs";
}
{
title = "Nixvim";
url = "https://nix-community.github.io/nixvim/";
}
{
title = "Hyprland wiki";
url = "https://wiki.hyprland.org/";
}
{
title = "Search NixOS";
url = "https://search-nixos.hadi.diy";
}
];
}
{
title = "Homelab";
same-tab = true;
color = "100 50 50";
links = [
{
title = "Router";
url = "http://192.168.1.254/";
}
{
title = "Cloudflare";
url = "https://dash.cloudflare.com/";
}
];
}
{
title = "Work";
same-tab = true;
color = "50 50 50";
links = [
{
title = "Outlook";
url = "https://outlook.office.com/";
}
{
title = "Teams";
url = "https://teams.microsoft.com/";
}
{
title = "Office";
url = "https://www.office.com/";
}
];
}
{
title = "Cyber";
same-tab = true;
color = rgb-to-hsl "base09";
links = [
{
title = "CyberChef";
url = "https://cyberchef.org/";
}
{
title = "TryHackMe";
url = "https://tryhackme.com/";
}
{
title = "RootMe";
url = "https://www.root-me.org/";
}
{
title = "Exploit-DB";
url = "https://www.exploit-db.com/";
}
{
title = "CrackStation";
url = "https://crackstation.net/";
}
];
}
{
title = "Misc";
same-tab = true;
color = rgb-to-hsl "base01";
links = [
{
title = "Svgl";
url = "https://svgl.app/";
}
{
title = "Excalidraw";
url = "https://excalidraw.com/";
}
{
title = "Cobalt (Downloader)";
url = "https://cobalt.tools/";
}
{
title = "Mazanoke (Image optimizer)";
url = "https://mazanoke.com/";
}
{
title = "Vert (File converter)";
url = "https://vert.sh/";
}
];
}
];
}
{
type = "server-stats";
servers = [
{
type = "local";
name = "orion";
}
];
}
{
type = "group";
widgets = [
{
type = "monitor";
title = "Services";
cache = "1m";
sites = [
{
title = "Vaultwarden";
url = "https://vault.jelles.net";
icon = "si:bitwarden";
}
{
title = "Files";
url = "https://fiels.jelles.net";
icon = "si:nextcloud";
}
];
}
{
type = "monitor";
title = "*arr";
cache = "1m";
sites = [
{
title = "Jellyfin";
url = "https://jellyfin.hadi.diy";
icon = "si:jellyfin";
}
{
title = "Jellyseerr";
url = "https://jellyseerr.hadi.diy";
icon = "si:odysee";
}
{
title = "Radarr";
url = "https://radarr.hadi.diy";
icon = "si:radarr";
}
{
title = "Sonarr";
url = "https://sonarr.hadi.diy";
icon = "si:sonarr";
}
{
title = "Prowlarr";
url = "https://prowlarr.hadi.diy";
icon = "si:podcastindex";
}
{
title = "Transmission";
url = "https://transmission.hadi.diy";
icon = "si:transmission";
}
];
}
];
}
];
}
];
name = "Home";
}
];
};
};
caddy.virtualHosts."jelles.net".extraConfig =
"reverse_proxy :${toString config.services.glance.settings.server.port}";
};
}
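Review bot: The "Files" monitor entry points at `https://fiels.jelles.net`, which looks like a typo for the copyparty vhost `files.jelles.net` defined elsewhere in this commit, so the check would always report the service as down; it should read `url = "https://files.jelles.net";`. The `*arr` monitor group still lists the `hadi.diy` hosts, which appear to belong to the other configuration and probably should be removed or pointed at this host's services. As in the other glance module, the Caddy vhost serves the dashboard at the apex domain without authentication, and the page includes `server-stats` and the router's LAN address.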


@@ -0,0 +1,48 @@
{ config, ... }:
{
services = {
home-assistant = {
enable = true;
openFirewall = false;
extraComponents = [
"evohome" # The Honeywell TCC (Europe) component
"met" # Default weather
"radio_browser" # Default radio
];
# Configuration for components that support YAML (like Evohome)
config = {
homeassistant = {
name = "My Home";
latitude = 51.5; # Update with your actual location
longitude = 5.9; # Update with your actual location
unit_system = "metric";
time_zone = config.var.timeZone;
};
# Honeywell TCC (Europe) / Evohome configuration
# https://www.home-assistant.io/integrations/evohome/
evohome = {
username = "!secret honeywell_username";
password = "!secret honeywell_password";
};
# Basic default setup
default_config = { };
http = {
server_port = 8123;
server_host = "127.0.0.1";
use_x_forwarded_for = true;
trusted_proxies = [
"127.0.0.1"
"::1"
];
};
};
};
caddy.virtualHosts."home.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.home-assistant.config.http.server_port}";
};
}


@@ -0,0 +1,9 @@
# Home-manager configuration for NixOS
{inputs, ...}: {
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "hm-backup";
extraSpecialArgs = {inherit inputs;};
};
}


@@ -0,0 +1,15 @@
# Hyprland is a dynamic tiling Wayland compositor.
{
inputs,
pkgs,
...
}:
{
programs.hyprland = {
enable = true;
withUWSM = true;
package = inputs.hyprland.packages."${pkgs.stdenv.hostPlatform.system}".hyprland;
portalPackage =
inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
};
}

19
modules/nixos/mealie.nix Normal file

@@ -0,0 +1,19 @@
# Mealie is a recipe management and meal planning application.
{config, ...}: let
domain = "mealie.hadi.diy";
in {
services = {
mealie = {
enable = true;
port = 8092;
};
nginx.virtualHosts."${domain}" = {
useACMEHost = "hadi.diy";
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.mealie.port}";
};
};
};
}

45
modules/nixos/nginx.nix Normal file

@@ -0,0 +1,45 @@
# Nginx is a web server that can also be used as a reverse proxy, load balancer, and HTTP cache.
{config, ...}: let
domain = "hadi.diy";
in {
security.acme = {
acceptTerms = true;
defaults.email = config.var.git.email;
certs."${domain}" = {
domain = "${domain}";
extraDomainNames = ["*.${domain}"];
group = "nginx";
dnsProvider = "cloudflare";
dnsPropagationCheck = true;
credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
};
};
# Return 444 for all requests not matching a used subdomain.
services.nginx = {
enable = true;
virtualHosts = {
"default" = {
default = true;
locations."/" = {return = 444;};
};
"*.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/" = {return = 444;};
};
"aaaaaa.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/" = {return = 444;};
};
};
};
networking.firewall = {
allowedTCPPorts = [80 443];
allowedUDPPorts = [80 443];
};
sops.secrets.cloudflare-dns-token = {path = "/etc/cloudflare/dnskey.txt";};
}
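Review bot: `allowedUDPPorts = [80 443];` opens two UDP ports that nothing in this hunk uses: HTTP does not run over UDP 80, and UDP 443 only matters for HTTP/3, which none of the vhosts enable. I would delete the line, or keep only `allowedUDPPorts = [443];` if QUIC is switched on later. The `"aaaaaa.${domain}"` vhost also duplicates the wildcard entry above it and looks like a leftover test host.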

58
modules/nixos/nix.nix Normal file

@@ -0,0 +1,58 @@
# Nix configuration for NixOS
{
config,
inputs,
...
}:
let
autoGarbageCollector = config.var.autoGarbageCollector;
in
{
security.sudo.extraRules = [
{
users = [ config.var.username ];
commands = [
{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}
];
}
];
nixpkgs.config.allowUnfree = true;
nix = {
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
channel.enable = false;
extraOptions = ''
warn-dirty = false
'';
settings = {
download-buffer-size = 262144000; # 250 MB (250 * 1024 * 1024)
auto-optimise-store = true;
trusted-users = [ config.var.username ]; # Allows remote nixos-rebuild to vps
experimental-features = [
"nix-command"
"flakes"
];
substituters = [
# high priority since it's almost always used
"https://cache.nixos.org?priority=10"
"https://hyprland.cachix.org"
"https://nix-community.cachix.org"
"https://numtide.cachix.org"
];
trusted-public-keys = [
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
];
};
gc = {
automatic = autoGarbageCollector;
persistent = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
}
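Review bot: The `security.sudo.extraRules` entry grants `NOPASSWD` on `nixos-rebuild`, and `trusted-users` lists the same account; each of these is root-equivalent on its own, since a rebuild can activate any system configuration. The inline comment explains `trusted-users` (remote rebuilds to the VPS), but the sudo rule has no rationale. I would add one, e.g. `# passwordless so remote deploys do not prompt; equivalent to root for this user`, and apply the rule only on hosts that are deploy targets. Note that utils.nix in this commit also sets `sudo.wheelNeedsPassword = false`, which makes this rule redundant wherever both modules are imported.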

63
modules/nixos/omen.nix Normal file

@@ -0,0 +1,63 @@
# Omen laptop configuration for NixOS
# Import this only if you have an HP Omen laptop
{
config,
pkgs,
...
}: let
hp-omen-linux-module =
pkgs.callPackage
({
kernel ? config.boot.kernelPackages.kernel,
stdenv,
fetchFromGitHub,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "hp-omen-linux-module";
version = "rebase-6.14";
src = fetchFromGitHub {
owner = "ranisalt";
repo = "hp-omen-linux-module";
rev = finalAttrs.version;
sha256 = "sha256-2zCm29bdboSjRm/caMjBPGNc0tZXPUnIIYlHxxfhAok=";
};
setSourceRoot = ''
export sourceRoot=$(pwd)/${finalAttrs.src.name}/src
'';
nativeBuildInputs = kernel.moduleBuildDependencies;
makeFlags = [
"KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
];
installPhase = ''
runHook preInstall
install hp-wmi.ko -Dm444 -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/platform/x86/hp/
runHook postInstall
'';
})) {kernel = config.boot.kernelPackages.kernel;};
in {
boot.extraModulePackages = [hp-omen-linux-module];
boot.kernelModules = ["hp-wmi"];
users.groups.omen-rgb = {};
users.users.${config.var.username}.extraGroups = ["omen-rgb"];
systemd.tmpfiles.rules = [
"w /sys/devices/platform/hp-wmi/rgb_zones/zone00 0660 root omen-rgb -"
"w /sys/devices/platform/hp-wmi/rgb_zones/zone01 0660 root omen-rgb -"
"w /sys/devices/platform/hp-wmi/rgb_zones/zone02 0660 root omen-rgb -"
"w /sys/devices/platform/hp-wmi/rgb_zones/zone03 0660 root omen-rgb -"
];
services.udev.extraRules = ''
SUBSYSTEM=="platform", KERNEL=="hp-wmi", ACTION=="add", \
RUN+="${pkgs.coreutils-full}/bin/sleep 2", \
RUN+="${pkgs.coreutils}/bin/chgrp omen-rgb /sys/devices/platform/hp-wmi/rgb_zones/zone00", \
RUN+="${pkgs.coreutils}/bin/chmod 0660 /sys/devices/platform/hp-wmi/rgb_zones/zone00", \
RUN+="${pkgs.coreutils}/bin/chgrp omen-rgb /sys/devices/platform/hp-wmi/rgb_zones/zone01", \
RUN+="${pkgs.coreutils}/bin/chmod 0660 /sys/devices/platform/hp-wmi/rgb_zones/zone01", \
RUN+="${pkgs.coreutils}/bin/chgrp omen-rgb /sys/devices/platform/hp-wmi/rgb_zones/zone02", \
RUN+="${pkgs.coreutils}/bin/chmod 0660 /sys/devices/platform/hp-wmi/rgb_zones/zone02", \
RUN+="${pkgs.coreutils}/bin/chgrp omen-rgb /sys/devices/platform/hp-wmi/rgb_zones/zone03", \
RUN+="${pkgs.coreutils}/bin/chmod 0660 /sys/devices/platform/hp-wmi/rgb_zones/zone03"
'';
}
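Review bot: `rev = finalAttrs.version` resolves to `rebase-6.14`, which looks like a branch name rather than a tag or commit. The `sha256` still pins the content, so a moved branch fails the build instead of pulling in new code, but for an out-of-tree kernel module it is easier to audit and update with a full commit hash in `rev` and a comment naming the branch. Separately, the four `systemd.tmpfiles.rules` use type `w`, which as far as I know writes its argument to the file rather than changing mode or group, so they probably have no effect; `z` is the type that adjusts ownership and permissions.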


@@ -0,0 +1,25 @@
{
services.radicale = {
enable = true;
settings = {
server = {
hosts = [ "127.0.0.1:5232" ];
};
auth = {
type = "htpasswd";
htpasswd_filename = "/var/lib/radicale/users";
htpasswd_encryption = "bcrypt";
};
storage = {
filesystem_folder = "/var/lib/radicale/collections";
};
};
};
services.caddy.virtualHosts."radicale.jelles.net".extraConfig = ''
reverse_proxy :5232 {
header_up X-Script-Name /
header_up X-Forwarded-For {remote}
header_up X-Remote-User {http.auth.user.id}
}'';
}
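Review bot: `header_up X-Remote-User {http.auth.user.id}` forwards an identity header although this Caddy site has no authentication directive, so the placeholder is empty, and radicale is configured with `type = "htpasswd"`, which does not rely on that header. It is harmless today but becomes a trust problem if the auth type is later switched to header-based login without Caddy actually authenticating the user; I would drop the line. `header_up X-Forwarded-For {remote}` also replaces the forwarding header Caddy sets on its own and can probably be removed as well.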

47
modules/nixos/sddm.nix Normal file

@@ -0,0 +1,47 @@
# SDDM is a display manager for X11 and Wayland
{
pkgs,
inputs,
config,
...
}:
let
foreground = config.theme.textColorOnWallpaper;
sddm-astronaut = pkgs.sddm-astronaut.override {
embeddedTheme = "purple_leaves";
themeConfig = {
HeaderTextColor = "#${foreground}";
DateTextColor = "#${foreground}";
TimeTextColor = "#${foreground}";
LoginFieldTextColor = "#${foreground}";
PasswordFieldTextColor = "#${foreground}";
UserIconColor = "#${foreground}";
PasswordIconColor = "#${foreground}";
WarningColor = "#${foreground}";
LoginButtonBackgroundColor = "#${foreground}";
SystemButtonsIconsColor = "#${foreground}";
SessionButtonTextColor = "#${foreground}";
VirtualKeyboardButtonTextColor = "#${foreground}";
DropdownBackgroundColor = "#${foreground}";
HighlightBackgroundColor = "#${foreground}";
};
};
in
{
services.displayManager = {
sddm = {
package = pkgs.kdePackages.sddm;
extraPackages = [ sddm-astronaut ];
enable = true;
wayland.enable = true;
theme = "sddm-astronaut-theme";
settings = {
Wayland.SessionDir = "${
inputs.hyprland.packages."${pkgs.stdenv.hostPlatform.system}".hyprland
}/share/wayland-sessions";
};
};
};
environment.systemPackages = [ sddm-astronaut ];
}

26
modules/nixos/ssh.nix Normal file

@@ -0,0 +1,26 @@
# SSH configuration
{ config, ... }:
let
username = config.var.username;
in
{
services.openssh = {
enable = true;
ports = [ 22 ];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
AllowUsers = [
username
"git"
];
};
};
# Add my public SSH key to my user
users.users."${username}" = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU2LydkXRTtNFY7oyX8JQURwXLVhB71DeK8XzrXeFX1 openpgp:0xA490D93A"
];
};
}
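Review bot: `PasswordAuthentication = false` alone may not close every password path, because `KbdInteractiveAuthentication` is not set in `settings` and, as far as I know, defaults to enabled on NixOS, so PAM keyboard-interactive logins could still be offered. Adding `KbdInteractiveAuthentication = false;` makes the key-only intent explicit. `AllowUsers` also admits `git`, which the gitea module creates with a default shell; a short comment such as `# git: Gitea SSH cloning only` would record why it is there.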


@@ -0,0 +1,50 @@
# Systemd-boot configuration for NixOS
{ pkgs, config, ... }:
{
boot = {
bootspec.enable = true;
loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = true;
consoleMode = "auto";
configurationLimit = 5;
extraInstallCommands = ''
ENTRIES="${config.boot.loader.efi.efiSysMountPoint}/loader/entries"
PROFILES="/nix/var/nix/profiles"
for file in "$ENTRIES"/nixos-generation-*.conf; do
generation=$(${pkgs.coreutils}/bin/basename "$file" | ${pkgs.gnugrep}/bin/grep -o -E '[0-9]+')
timestamp=$(${pkgs.coreutils}/bin/stat -c %y "$PROFILES/system-$generation-link" 2>/dev/null | ${pkgs.coreutils}/bin/cut -d. -f1)
if [ -z "$timestamp" ]; then
timestamp="Unknown Date"
fi
${pkgs.gnused}/bin/sed -i "s/^version .*/version Generation $generation - $timestamp/" "$file"
done
'';
};
};
tmp.cleanOnBoot = true;
kernelPackages = pkgs.linuxPackages_latest; # _zen, _hardened, _rt, _rt_latest, etc.
# Silent boot
kernelParams = [
"quiet"
"splash"
"rd.systemd.show_status=false"
"rd.udev.log_level=3"
"udev.log_priority=3"
"boot.shell_on_fail"
];
consoleLogLevel = 0;
initrd.verbose = false;
};
# To avoid systemd services hanging on shutdown
systemd.settings.Manager = {
DefaultTimeoutStopSec = "10s";
};
}
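Review bot: `"boot.shell_on_fail"` in `kernelParams` allows stage 1 to open a root shell when boot fails, and as far as I recall the NixOS manual notes that this shell is not authenticated. The `systemd-boot` block also leaves the boot-menu editor at its default, which permits editing the kernel command line from the console. On a machine where console or physical access is not fully trusted, I would remove the parameter and add `editor = false;` under `systemd-boot`. If it is kept for recovery convenience, a comment saying so would help.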

19
modules/nixos/users.nix Normal file

@@ -0,0 +1,19 @@
# Users configuration for NixOS
{
config,
pkgs,
...
}: let
username = config.var.username;
in {
programs.zsh.enable = true;
users = {
defaultUserShell = pkgs.zsh;
users.${username} = {
isNormalUser = true;
description = "${username} account";
extraGroups = ["networkmanager" "wheel"];
};
};
}

137
modules/nixos/utils.nix Normal file

@@ -0,0 +1,137 @@
# Misc
{
pkgs,
config,
...
}:
let
hostname = config.var.hostname;
keyboardLayout = config.var.keyboardLayout;
configDir = config.var.configDirectory;
timeZone = config.var.timeZone;
defaultLocale = config.var.defaultLocale;
otherLocale = config.var.otherLocale;
numericLocale = config.var.numericLocale;
timeLocale = config.var.timeLocale;
autoUpgrade = config.var.autoUpgrade;
editor = config.var.preferred.editor;
terminal = config.var.preferred.terminal;
browser = config.var.preferred.browser;
in
{
networking.hostName = hostname;
networking.networkmanager.enable = true;
systemd.services.NetworkManager-wait-online.enable = false;
# system.autoUpgrade = {
# enable = autoUpgrade;
# dates = "04:00";
# flake = "${configDir}";
# flags = [
# "--update-input"
# "nixpkgs"
# "--commit-lock-file"
# ];
# allowReboot = false;
# };
time = {
timeZone = timeZone;
};
i18n.defaultLocale = defaultLocale;
i18n.extraLocaleSettings = {
LC_ADDRESS = otherLocale;
LC_IDENTIFICATION = otherLocale;
LC_MEASUREMENT = otherLocale;
LC_MONETARY = numericLocale;
LC_NAME = otherLocale;
LC_NUMERIC = numericLocale;
LC_PAPER = otherLocale;
LC_TELEPHONE = otherLocale;
LC_TIME = timeLocale;
};
services = {
xserver = {
enable = true;
xkb.layout = keyboardLayout;
xkb.variant = "";
};
# gnome.gnome-keyring.enable = true;
# psd = {
# enable = true;
# resyncTimer = "10m";
# };
};
console.keyMap = keyboardLayout;
environment.variables = {
XDG_DATA_HOME = "$HOME/.local/share";
PASSWORD_STORE_DIR = "$HOME/.local/share/password-store";
EDITOR = editor;
TERMINAL = terminal;
TERM = terminal;
BROWSER = browser;
};
services.libinput.enable = true;
programs.dconf.enable = true;
services = {
dbus = {
enable = true;
implementation = "broker";
packages = with pkgs; [
gcr
gnome-settings-daemon
];
};
gvfs.enable = true;
upower.enable = true;
power-profiles-daemon.enable = true;
udisks2.enable = true;
};
# enable zsh autocompletion for system packages (systemd, etc)
environment.pathsToLink = [ "/share/zsh" ];
# Faster rebuilding
documentation = {
enable = true;
doc.enable = true;
man.enable = true;
dev.enable = true;
info.enable = true;
nixos.enable = true;
};
environment.systemPackages = with pkgs; [
hyprland-qtutils
xdg-utils
];
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
config = {
common.default = [ "gtk" ];
hyprland.default = [
"gtk"
"hyprland"
];
};
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
};
security = {
# allow wayland lockers to unlock the screen
pam.services.hyprlock.text = "auth include login";
# userland niceness
rtkit.enable = true;
# don't ask for password for wheel group
sudo.wheelNeedsPassword = false;
};
}
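Review bot: `sudo.wheelNeedsPassword = false` removes the password prompt for every `wheel` member, and users.nix in this commit puts the main account in `wheel`, so any process running as that user can become root silently. The module sits in the shared modules/nixos directory, so if the internet-facing host imports it as well, this applies there too. I would keep the default (`true`) or enable it per host with a comment explaining why. Minor: the `# Faster rebuilding` comment sits above a `documentation` block that enables every documentation output, which is the opposite of what the comment suggests.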