Merge branch 'main' of orion:kiri/nixos-config

hosts/orion/system.nix

@@ -10,9 +10,9 @@
     ../../modules/nixos/caddy.nix
     ../../modules/nixos/bitwarden.nix
     ../../modules/nixos/firewall.nix
+    ../../modules/nixos/syncthing.nix
     ../../modules/nixos/filebrowser.nix
     ../../modules/nixos/home-assistant.nix
-    ../../modules/nixos/glance.nix
     ../../modules/nixos/radicale.nix
     ../../modules/nixos/actual-budget.nix
     ../../modules/nixos/gitea.nix

hosts/polaris/system.nix

@@ -3,10 +3,22 @@
   imports = [
     ../../modules/nixos/desktop.nix
 
+    ../../modules/nixos/ssh.nix
     ./hardware-configuration.nix
     ./variables.nix
   ];
 
+  networking = {
+    interfaces = {
+      enp5s0 = {
+        wakeOnLan.enable = true;
+      };
+    };
+    firewall = {
+      allowedUDPPorts = [ 9 ];
+    };
+  };
+
   home-manager.users."${config.var.username}" = import ./home.nix;
 
   system.stateVersion = "24.05";

modules/home-manager/desktop.nix

@@ -23,7 +23,6 @@
     ./kitty.nix
     ./lazygit.nix
     ./nh.nix
-    ./rclone.nix
     ./spicetify.nix
     ./ssh.nix
     ./thunar.nix
@@ -90,6 +89,8 @@
       cmatrix
 
       libreoffice-qt6-fresh
+
+      trash-cli
     ];
   };
 }

modules/home-manager/gpg.nix

@@ -2,7 +2,8 @@
   config,
   pkgs,
   ...
-}: {
+}:
+{
   programs.gpg = {
     enable = true;
     homedir = "${config.xdg.dataHome}/gnupg";
@@ -15,6 +16,9 @@
     pinentry = {
       package = pkgs.pinentry-gnome3;
     };
-    sshKeys = ["CD848796822630B280FC6DFA55F24A20040F22B5"];
+    sshKeys = [
+      "CD848796822630B280FC6DFA55F24A20040F22B5"
+      "B8FBDFBD7F42C444C17E086E0EE2E34FB43A7187"
+    ];
   };
 }

modules/home-manager/hyprland/default.nix

@@ -144,9 +144,10 @@ in
 
       windowrule = [
         "match:title hyprpanel-settings, float on"
-        "match:class xdg-desktop-portal-gtk, float on, center on, size monitor_w/2 monitor_h/2"
+        "match:class xdg-desktop-portal-gtk, float on, center on, size (monitor_w * 0.5) (monitor_h * 0.5)"
         # Match on bitwarden chrome extension id
-        "match:class .*nngceckbapebfimnlniiiahkandclblb.*, float on, center on, size monitor_w/2 monitor_h/2"
+        "match:class .*nngceckbapebfimnlniiiahkandclblb.*, float on, center on, size (monitor_w * 0.5) (monitor_h * 0.5)"
+        "match:class imv, float on, center on, max_size (monitor_w * 0.8) (monitor_h * 0.8)"
       ];
 
       layerrule = [

modules/home-manager/nixCats/default.nix

@@ -45,6 +45,7 @@ let
           typescript
           typescript-language-server
 
+          rustc
           rust-analyzer
           rustfmt
 
@@ -60,6 +61,8 @@ let
           typstyle
 
           ltex-ls-plus
+
+          harper
         ];
       };
 

modules/home-manager/nixCats/lua/plugins/coding.lua

@@ -171,13 +171,25 @@ require("lz.n").load({
       require("luasnip.loaders.from_vscode").lazy_load()
     end,
   },
+  {
+    -- lazydev makes your lsp way better in your config without needing extra lsp configuration.
+    "lazydev.nvim",
+    cmd = "LazyDev",
+    ft = "lua",
+    after = function()
+      require("lazydev").setup({
+        library = {
+          { words = { "nixCats" }, path = (nixCats.nixCatsPath or "") .. "/lua" },
+        },
+      })
+    end,
+  },
   {
     "blink.cmp",
     before = function()
       -- Trigger lazydev so it's ready for blink source
       require("lz.n").trigger_load({ "lazydev.nvim", "luasnip" })
     end,
-    event = "VimEnter",
     after = function()
       require("blink.cmp").setup({
         keymap = {

modules/home-manager/nixCats/lua/plugins/lsp.lua

@@ -1,18 +1,4 @@
 require("lz.n").load({
-  {
-    {
-      -- lazydev makes your lsp way better in your config without needing extra lsp configuration.
-      "lazydev.nvim",
-      cmd = "LazyDev",
-      ft = "lua",
-      after = function()
-        require("lazydev").setup({
-          library = {
-            { words = { "nixCats" }, path = (nixCats.nixCatsPath or "") .. "/lua" },
-          },
-        })
-      end,
-    },
   {
     "nvim-lspconfig",
     event = { "BufReadPre", "BufNewFile" },
@@ -78,7 +64,7 @@ require("lz.n").load({
       -- 1. Setup Diagnostics (Visuals)
       vim.diagnostic.config({
         severity_sort = true,
-          underline = { severity = vim.diagnostic.severity.ERROR },
+        -- underline = { severity = vim.diagnostic.severity.ERROR },
         signs = {
           text = {
             [vim.diagnostic.severity.ERROR] = " ",
@@ -179,7 +165,8 @@ require("lz.n").load({
         },
       })
       vim.lsp.enable("ltex_plus")
+
+      vim.lsp.enable("harper_ls")
     end,
   },
-  },
 })

modules/home-manager/rclone.nix

@@ -15,33 +15,33 @@
     '';
 
     remotes = {
-      gdrive = {
+      # gdrive = {
-        config = {
+      #   config = {
-          type = "drive";
+      #     type = "drive";
-          scope = "drive";
+      #     scope = "drive";
-
+      #
-          root_folder_id = "";
+      #     root_folder_id = "";
-        };
+      #   };
-
+      #
-        secrets = {
+      #   secrets = {
-          token = "${config.xdg.configHome}/rclone/gdrive_token";
+      #     token = "${config.xdg.configHome}/rclone/gdrive_token";
-
+      #
-          client_id = "${config.xdg.configHome}/rclone/gdrive_client_id";
+      #     client_id = "${config.xdg.configHome}/rclone/gdrive_client_id";
-          client_secret = "${config.xdg.configHome}/rclone/gdrive_client_secret"; # TODO: sops?
+      #     client_secret = "${config.xdg.configHome}/rclone/gdrive_client_secret"; # TODO: sops?
-        };
+      #   };
-
+      #
-        mounts = {
+      #   mounts = {
-          "/" = {
+      #     "/" = {
-            enable = true;
+      #       enable = true;
-            mountPoint = "${config.home.homeDirectory}/gdrive";
+      #       mountPoint = "${config.home.homeDirectory}/gdrive";
-
+      #
-            options = {
+      #       options = {
-              dir-cache-time = "5m";
+      #         dir-cache-time = "5m";
-              poll-interval = "10s";
+      #         poll-interval = "10s";
-            };
+      #       };
-          };
+      #     };
-        };
+      #   };
-      };
+      # };
 
       orion = {
         config = {

modules/home-manager/ssh.nix

@@ -4,6 +4,15 @@
     enable = true;
     enableDefaultConfig = false;
 
+    matchBlocks = {
+      "github-work" = {
+        hostname = "github.com";
+        user = "git";
+        identityFile = "/home/kiri/.ssh/github-work.pub";
+        identitiesOnly = true;
+      };
+    };
+
     includes = [
       config.sops.secrets.ssh_config_orion.path
     ];

modules/home-manager/todoman.nix

@@ -7,7 +7,7 @@
       time_format = "%H:%M"
       default_list = "personal"
       default_due = 0
-      default_command = "list --sort due"
+      default_command = "list --sort priority,due"
       humanize = True
     '';
   };

modules/nixos/desktop.nix

@@ -9,5 +9,6 @@
     ./hyprland.nix
     ./printing.nix
     ./systemd-boot.nix
+    ./syncthing.nix
   ];
 }

modules/nixos/homepage.nix

@@ -0,0 +1,165 @@
+{ config, pkgs, ... }:
+let
+  # Define standard colors/icons for consistency
+  domain = "jelles.net";
+in
+{
+  # Enable the Homepage Dashboard service
+  services.homepage-dashboard = {
+    enable = true;
+    listenPort = 8082; # Different from Glance (8101)
+    allowedHosts = "dashboard.${domain}";
+
+    # 1. Service Discovery & API Secrets
+    # For live stats (widgets), Homepage needs API keys.
+    # You can reference sops secrets here if you map them to a file readable by the homepage user.
+    # For now, I have set them to placeholders or disabled the API widgets where secrets are required.
+
+    services = [
+      {
+        "Personal" = [
+          {
+            "Home Assistant" = {
+              href = "https://home.${domain}";
+              description = "Smart Home Control";
+              icon = "home-assistant.png";
+              # To enable live stats (lights on, etc), un-comment and add a Long Lived Access Token:
+              # widget = {
+              #   type = "homeassistant";
+              #   url = "http://127.0.0.1:8123";
+              #   key = "YOUR_LONG_LIVED_TOKEN";
+              # };
+            };
+          }
+          {
+            "Actual Budget" = {
+              href = "https://finance.${domain}";
+              description = "Finance Tracking";
+              icon = "actual-budget.png";
+            };
+          }
+          {
+            "Vaultwarden" = {
+              href = "https://vault.${domain}";
+              description = "Password Manager";
+              icon = "bitwarden.png";
+              # Widget to show status
+              widget = {
+                type = "vaultwarden";
+                url = "https://vault.${domain}";
+              };
+            };
+          }
+          {
+            "Radicale" = {
+              href = "https://radicale.${domain}";
+              description = "Calendar & Contacts";
+              icon = "radicale.png";
+            };
+          }
+        ];
+      }
+      {
+        "Code & Files" = [
+          {
+            "Gitea" = {
+              href = "https://git.${domain}";
+              description = "Git Server";
+              icon = "gitea.png";
+            };
+          }
+          {
+            "FileBrowser" = {
+              href = "https://files.${domain}";
+              description = "Web File Manager";
+              icon = "filebrowser.png";
+            };
+          }
+        ];
+      }
+      {
+        "Websites" = [
+          {
+            "Community" = {
+              href = "https://community.${domain}";
+              icon = "globe.png";
+              description = "Community Site";
+            };
+          }
+          {
+            "Zentire" = {
+              href = "https://zentire.${domain}";
+              icon = "globe.png";
+              description = "Zentire Site";
+            };
+          }
+        ];
+      }
+    ];
+
+    # 2. Widgets (Calendar, Search, Resources)
+    widgets = [
+      {
+        search = {
+          provider = "google";
+          target = "_blank";
+        };
+      }
+      {
+        # Shows system stats. Requires 'glances' or similar installed,
+        # but Homepage can also just show simple resources if running locally.
+        resources = {
+          cpu = true;
+          memory = true;
+          disk = "/";
+        };
+      }
+      {
+        # Calendar Widget linked to Radicale
+        # You need the "Private Export URL" for your calendar from Radicale.
+        calendar = {
+          showTime = true;
+          maxEvents = 10;
+          integrations = [
+            {
+              type = "ical";
+              url = "https://radicale.${domain}/kiri/personal.ics"; # Verify this path in your Radicale
+              name = "Personal";
+              color = "blue";
+              # If your Radicale is private, you might need to pass auth in the URL
+              # e.g. https://user:pass@radicale.jelles.net/...
+            }
+          ];
+        };
+      }
+    ];
+
+    settings = {
+      title = "Orion Dashboard";
+      background = {
+        # Using the wallpaper from your config if accessible, or a hex color
+        image = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/leef_dark_purple_minimalist.png";
+        opacity = 50;
+      };
+      layout = {
+        "Personal" = {
+          style = "row";
+          columns = 4;
+        };
+        "Code & Files" = {
+          style = "row";
+          columns = 2;
+        };
+        "Websites" = {
+          style = "row";
+          columns = 2;
+        };
+      };
+    };
+  };
+
+  # Expose Homepage via Caddy
+  services.caddy.virtualHosts."dashboard.${domain}".extraConfig = ''
+    reverse_proxy :8082
+  '';
+}

modules/nixos/syncthing.nix

@@ -0,0 +1,73 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  devices = {
+    "altair" = {
+      id = "HDHWROJ-ZLNQKCL-PN6WGHA-IGJHIRI-3UHDYUU-LUJHYK4-UMKWLAZ-VFISJQF";
+    };
+    "orion" = {
+      id = "7ESQ3BX-FEW7656-ZPT3CKF-FLXON26-HXRNTDW-THSJBNF-LFWCHFB-ASP4WAG";
+    };
+    "polaris" = {
+      id = "6YBO3OK-3QVMKWL-ZOS4ZTF-G53CY6K-WYZJNFG-DTYCUA4-WJF2LRC-PJT3NAL";
+    };
+  };
+
+  username = config.var.username;
+  hostname = config.var.hostname;
+  isOrion = hostname == "orion";
+
+  # On desktops, sync to home directory. On server, sync to filebrowser storage.
+  syncPath = if isOrion then "/var/lib/filebrowser/files" else "/home/${username}/sync";
+  group = if isOrion then "filebrowser" else "users";
+in
+{
+  # 1. Firewall rules for synchronization
+  networking.firewall = {
+    allowedTCPPorts = [ 22000 ];
+    allowedUDPPorts = [
+      22000
+      21027
+    ];
+  };
+
+  # 3. Syncthing Service Configuration
+  services.syncthing = {
+    enable = true;
+
+    user = username;
+    group = group;
+
+    overrideDevices = true; # Overrides any devices added via Web UI
+    overrideFolders = true; # Overrides any folders added via Web UI
+
+    settings = {
+      devices = devices;
+
+      folders = {
+        "sync" = {
+          path = syncPath;
+          devices = builtins.attrNames devices; # Share with all defined devices
+          # Ensure new files are readable by the group (chmod 770 approx)
+          ignorePerms = true;
+        };
+      };
+
+      gui = {
+        # access the GUI on localhost:8384
+        theme = "black";
+      };
+    };
+  };
+
+  # 4. Permission Hardening for Orion
+  # Force syncthing to write files with group-write permissions (007 umask = 770 perms)
+  systemd.services.syncthing.serviceConfig.UMask = lib.mkIf isOrion "0007";
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/syncthing 0700 ${username} ${group} -"
+  ];
+}