nix/litten.brenise.dev/configuration.nix


{ config, pkgs, lib, ... }:
let
  # Add nixpkgs-unstable channel with the following command:
  # nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs-unstable && nix-channel --update
  # NOTE(review): `<nixpkgs-unstable>` is looked up through NIX_PATH at evaluation time, so this
  # import is impure and not pinned to a revision — whatever the channel points at when
  # nixos-rebuild runs is what gets built. Only commented-out package lines reference it at present.
  unstable = import <nixpkgs-unstable> { config = config.nixpkgs.config; };
  # Short host name; the FQDN derived from it is what Caddy serves (and requests TLS for) below.
  host_name = "litten";
  host_fqdn = "${host_name}.brenise.dev";
in
{
# Machine-specific filesystems/kernel modules live in the generated hardware config.
imports = [ ./hardware-configuration.nix ];
nixpkgs = {
  config = {
    # Electron 27.3.11 is marked insecure in nixpkgs (known vulnerabilities); it is let through
    # only because logseq still depends on it.
    permittedInsecurePackages = [
      "electron-27.3.11" # logseq
    ];
    # Unfree packages are allowed by an explicit name list; anything unfree that is not listed
    # fails evaluation instead of slipping in.
    allowUnfreePredicate = pkg:
      lib.elem (lib.getName pkg) [
        "obsidian" # https://github.com/obsidianmd/obsidian-releases
        "packer"
        "vscode"
        "terraform"
        "zoom"
      ];
  };
  overlays = [
    (final: prev: {
      # Add jmespath to ansible's runtime closure (presumably for its json_query filter).
      ansible = prev.ansible.overrideAttrs (previousAttrs: {
        propagatedBuildInputs = previousAttrs.propagatedBuildInputs ++ [ prev.python311Packages.jmespath ];
      });
    })
  ];
};
# UEFI boot via systemd-boot; only the last 20 generations are kept in the ESP.
boot.loader = {
  systemd-boot = {
    enable = true;
    configurationLimit = 20;
  };
  efi.canTouchEfiVariables = true;
};
hardware = {
  bluetooth.enable = true;
  keyboard.qmk.enable = true;
  # https://wiki.nixos.org/wiki/Accelerated_Video_Playback
  opengl.enable = true;
  opengl.extraPackages = [ pkgs.intel-media-driver ];
};
networking = {
  hostName = host_name;
  # networkmanager.enable = true;
  # NOTE(review): with the firewall off, every listening service is reachable from the LAN
  # directly, not just through Caddy (e.g. the node exporter on 8030 unless it is bound to
  # 127.0.0.1). Enabling it with allowedTCPPorts for 22 and the Caddy listeners (443, 4430-4434;
  # Caddy may also want 80 for redirects) would narrow that — check syncthing/kdeconnect needs first.
  firewall.enable = false;
  # Static addressing on the wired interface.
  interfaces.enp100s0.ipv4.addresses = [
    { address = "192.168.1.35"; prefixLength = 24; }
  ];
  defaultGateway = {
    address = "192.168.1.1";
    interface = "enp100s0";
  };
  # TODO https://nixos.wiki/wiki/Encrypted_DNS
  # Until the TODO above is done, resolver traffic is plain UDP/53.
  nameservers = [ "1.1.1.1" "8.8.8.8" ];
  extraHosts = ''
    192.168.1.1 shinx.brenise.dev
  '';
};
time = { timeZone = "America/Los_Angeles"; };
i18n = { defaultLocale = "en_US.UTF-8"; };
# Console font; the tty keymap follows the X keyboard configuration instead of a fixed keyMap.
console = {
  # keyMap = "us";
  useXkbConfig = true; # use xkbOptions in tty.
  font = "Lat2-Terminus16";
};
users = {
  # Dedicated group for the glance dashboard service (see systemd.services.glance).
  groups.glance = {};
  users = {
    root = {
      # NOTE(review): key-based SSH login as root, with the same key file as blee. The NixOS sshd
      # default is PermitRootLogin "prohibit-password" (confirm under services.openssh.settings),
      # so no password login as root — but blee + doas already covers escalation, so consider
      # dropping root's keys altogether.
      openssh.authorizedKeys.keyFiles = [
        /etc/nixos/ssh/authorized_keys
      ];
    };
    blee = {
      # Path literal: the file is copied into the (world-readable) Nix store at evaluation time,
      # which is fine because it holds public keys only.
      openssh.authorizedKeys.keyFiles = [
        /etc/nixos/ssh/authorized_keys
      ];
      isNormalUser = true;
      # wheel: sudo is disabled (security.sudo) and the doas rule names blee directly, so wheel
      # mostly matters for polkit-style wheel checks — verify it is still needed.
      extraGroups = [
        "wheel"
        "glance"
      ];
      packages = with pkgs; [
        chromium
        coreutils # base64
        element-desktop
        firefox
        gimp
        jellyfin-media-player
        kate # kwrite
        kdenlive
        libsForQt5.kcalc
        # Pulls in the electron version allowed via nixpkgs.config.permittedInsecurePackages.
        logseq # 0.10.9 # uses insecure electron version 27.3.11 https://github.com/NixOS/nixpkgs/pull/340427
        #unstable.logseq # 0.10.9 BUG: https://github.com/logseq/logseq/issues/10851
        moonlight-qt
        nmap
        obs-studio
        obsidian
        qbittorrent
        rtorrent
        spek # beat saber mapping
        synergy
        tenacity
        thunderbird
        tor-browser
        via
        vlc
        vscode
        # Presumably used to build the custom /opt/bin/caddy referenced in systemd.services.caddy.
        xcaddy # warning: absolute dumpster fire
        yt-dlp
        zoom-us
        # Build vim huge with clipboard support
        (vim_configurable.overrideAttrs (oldAttrs: {
          features = "huge";
        }))
        awscli2
        #aws-sam-cli # broken, fails to init. use pip install aws-sam-cli
        #unstable.aws-sam-cli
        packer
        terraform
        ansible
        python3
        python311Packages.pip
        python311Packages.ipython
        libreoffice-qt
        hunspell
        hunspellDicts.uk_UA
        hunspellDicts.th_TH
        nodejs_20
        yarn
        deno
      ];
    };
    # Unprivileged service account for glance; its home is the unit's WorkingDirectory, where
    # config.yaml is expected.
    glance = {
      isSystemUser = true;
      group = "glance";
      home = "/var/lib/glance";
      createHome = true;
      description = "Glance service user";
      # shell = pkgs.bash;
    };
  };
};
environment = {
  # System-wide CLI tooling (visible to every account, including service users).
  systemPackages = with pkgs; [
    # GPU tools
    android-tools
    arp-scan
    cryptsetup
    curl
    difftastic
    dig
    dnscontrol
    dnsutils
    doas
    exiftool
    ffmpeg
    file
    fzf
    git
    go
    htop
    iftop
    imagemagick
    iperf
    jq
    lego
    libressl
    mediainfo
    net-snmp # snmpwalk
    netcat
    nettools
    parted
    pass
    pciutils # lspci
    psmisc
    qrencode
    rsync
    screen
    tcpdump
    tmux
    tree
    unzip
    vim
    vulkan-tools
    wget
    whois
    wireguard-tools
    zbar
    zip
  ];
  # `pheonix <unit>`: restart a systemd unit and follow its journal. (The spelling is the name
  # callers know; it is part of the shell's runtime text, not a comment.)
  shellInit = ''
    pheonix() {
    systemctl restart "$1"
    journalctl -fu "$1"
    }
  '';
  # Keep the Plasma browser-integration host out of the Plasma install (presumably unwanted).
  plasma5.excludePackages = with pkgs.libsForQt5; [
    plasma-browser-integration
  ];
  etc = lib.mkMerge [
    # Generate KDE config files
    # Each attrset below becomes /etc/xdg/<name>, rendered as INI.
    (lib.attrsets.mapAttrs' (name: value:
      lib.attrsets.nameValuePair
        ( "xdg/${name}" )
        {
          source = (pkgs.formats.ini {}).generate name value;
        }
    ) {
      # Turn off Baloo file indexing system-wide.
      "baloofilerc" = {
        "Basic Settings" = {
          "Indexing-Enabled" = false;
        };
      };
    })
    { # normal environment.etc block
      # System git config: new repositories start on `main`.
      gitconfig = {
        text = ''
          [init]
          defaultBranch = main
        '';
      };
    }
  ];
};
programs = {
  # binfmt = true registers a binfmt_misc handler, so any AppImage file can be run directly like a
  # native binary — convenient on a workstation, but it widens what a stray executable file does.
  appimage = {
    enable = true;
    binfmt = true;
    package = pkgs.appimage-run.override {
      extraPkgs = pkgs: [
        pkgs.libthai # lume
      ];
    };
  };
  fish.enable = true;
  vim.defaultEditor = true;
  bash = {
    shellAliases = {
      ll = "ls -lAF --classify --group-directories-first";
      l = "ls -lF --classify --group-directories-first";
    };
    # https://nixos.wiki/wiki/Fish
    # Interactive bash hands over to fish unless the parent already is fish or bash was given a
    # -c command string; the login flag is preserved. `''${` is the Nix escape for a literal `${`.
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
      shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
      exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };
  mtr.enable = true;
  # gpg-agent also acts as the SSH agent (enableSSHSupport), so SSH keys can be GPG-backed.
  gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
  kdeconnect.enable = true;
  # Managed Chromium policies: Kagi as the default engine; spellcheck and search suggestions are
  # off, presumably so typed text is not sent to third-party services.
  chromium = {
    enable = true;
    extraOpts = {
      "SpellcheckEnabled" = false;
      "DefaultSearchProviderEnabled" = true;
      "DefaultSearchProviderName" = "Kagi";
      "DefaultSearchProviderSearchURL" = "https://kagi.com/search?q={searchTerms}";
      "SearchSuggestEnabled" = false;
      "DefaultSearchProviderSuggestURL" = "";
    };
  };
};
security = {
  # doas replaces sudo: only blee may escalate, a successful auth is cached (persist), and blee's
  # password is still required since the rule sets no noPass.
  sudo.enable = false;
  doas.enable = true;
  doas.extraRules = [
    { users = [ "blee" ]; persist = true; }
  ];
  # pki.certificateFiles = [ # self-signed CA trust for start9
  # "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
  # # "/etc/ssl/certs/dotted-turbans.pem"
  # ];
  # NOTE(review): if the block above is revived, the cacert bundle is already trusted by default;
  # only the extra CA file needs listing.
};
services = {
  # NOTE(review): sshd runs with the NixOS module defaults, so password authentication remains
  # enabled (blee presumably has a password, since the doas rule has no noPass). Both accounts
  # already have key files in users.users, so `openssh.settings = { PasswordAuthentication = false;
  # KbdInteractiveAuthentication = false; };` would close the password path — verify before adding.
  openssh.enable = true;
  # udev rules so the VIA keyboard configurator can reach the device without root.
  udev.packages = [ pkgs.via ];
  # https://discourse.nixos.org/t/bluetooth-a2dp-sink-not-showing-up-in-pulseaudio-on-nixos/32447/4?u=bleetube
  pipewire = {
    enable = true;
    pulse.enable = true;
  };
  # avahi = { # for resolving start9 hostname
  # enable = true;
  # nssmdns4 = true; # Enable NSS support for mDNS
  # };
  # Syncthing runs as blee and shares blee's Documents folder. The web GUI keeps the module default
  # address (127.0.0.1:8384 — confirm), so only the sync protocol itself faces the LAN.
  syncthing = {
    enable = true;
    user = "blee";
    dataDir = "/home/blee/Documents";
  };
  # Journal entries older than 30 days are purged — that is the forensic lookback on this host.
  journald.extraConfig = "MaxRetentionSec=30day";
  # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/monitoring/prometheus/exporters.nix
  # NOTE(review): no listenAddress is set, so the exporter module's default (0.0.0.0) applies and
  # port 8030 is reachable in plaintext from the LAN (firewall is off). Caddy already fronts it over
  # TLS at :4430 via 127.0.0.1:8030, so `listenAddress = "127.0.0.1";` would leave only the TLS
  # path — confirm nothing scrapes 8030 directly before adding it.
  prometheus.exporters.node = {
    enable = true;
    port = 8030;
    enabledCollectors = [
      "cpu.info"
      "interrupts"
      "netstat"
      "vmstat"
      "systemd"
      "tcpstat"
      "processes"
    ];
  };
  caddy = {
    enable = true;
    # Discards Caddy's own process log. None of the sites below has a `log` directive either, so
    # there is no access log for these vhosts — add per-site `log` if request history is wanted.
    logFormat = "output discard";
    # One TLS block reused by every site: certificates come from the namecheap DNS challenge, with
    # API credentials read from the unit's environment (EnvironmentFile in systemd.services.caddy)
    # rather than being written into this file or the Nix store. Each vhost terminates TLS and
    # proxies to a loopback-only backend port.
    extraConfig = let
      tlsConfig = ''
        tls {
        dns namecheap {
        api_key {env.NAMECHEAP_API_KEY}
        user {env.NAMECHEAP_API_USER}
        api_endpoint https://api.namecheap.com/xml.response
        }
        }
      '';
    in ''
      ${host_fqdn} { # open-webui
      ${tlsConfig}
      reverse_proxy http://127.0.0.1:8080
      # BUG: assets are all on root path
      # handle /changedetection/* {
      # uri strip_prefix /changedetection
      # reverse_proxy http://127.0.0.1:${toString config.services.changedetection-io.port}
      # }
      # handle /files/* {
      # root /mnt/usb/
      # file_server browse
      # }
      }
      ${host_fqdn}:4430 { # node_exporter
      ${tlsConfig}
      reverse_proxy http://127.0.0.1:8030
      }
      ${host_fqdn}:4431 { # litellm
      ${tlsConfig}
      reverse_proxy http://127.0.0.1:8031
      }
      ${host_fqdn}:4432 { # glance
      ${tlsConfig}
      reverse_proxy http://127.0.0.1:8032
      }
      # BUG: POST messages throw missing referrer error
      ${host_fqdn}:4433 { # changedetection-io
      ${tlsConfig}
      reverse_proxy http://127.0.0.1:${toString config.services.changedetection-io.port}
      header Referrer-Policy "strict-origin-when-cross-origin"
      }
      ${host_fqdn}:4434 { # home-assistant
      ${tlsConfig}
      reverse_proxy http://127.0.0.1:8034
      }
    '';
  };
  # Fronted by the :4433 vhost above. behindProxy makes the app trust the proxy's forwarded
  # headers, and baseURL must match the public origin (it does: port 4433). The bind address is the
  # module default (127.0.0.1 — confirm).
  changedetection-io = {
    enable = true;
    port = 8033;
    behindProxy = true;
    # baseURL = "https://${host_fqdn}/changedetection/";
    baseURL = "https://${host_fqdn}:4433/";
    # Secrets stay out of the Nix store; the file is presumably root-only — confirm permissions.
    environmentFile = "/var/src/env_vars/changedetection-io";
  };
  displayManager = {
    sddm.enable = true;
    #defaultSession = "plasmawayland";
  };
  xserver = {
    enable = true;
    desktopManager.plasma5.enable = true;
  };
};
systemd = {
  services = {
    # Overrides for the module-managed caddy unit.
    caddy = {
      serviceConfig = {
        # Supplies NAMECHEAP_API_KEY / NAMECHEAP_API_USER for the tls block in services.caddy;
        # presumably root-only (0600) — confirm, since this is the DNS-provider credential.
        EnvironmentFile = "/var/src/secrets/namecheap";
        # NOTE(review): /opt/bin/caddy is a binary outside the Nix store (presumably an xcaddy
        # build with the namecheap DNS module). nixos-rebuild neither builds, verifies nor rolls it
        # back, so updates and provenance of that file are manual — keep a record of the plugin
        # versions it was built from.
        ExecStart = [
          "" # This empty string clears the existing ExecStart commands
          "/opt/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile"
        ];
        ExecReload = [
          "" # This empty string clears the existing ExecReload commands
          "/opt/bin/caddy reload --config /etc/caddy/caddy_config --adapter caddyfile --force"
        ];
      };
    };
    # Dashboard behind the :4432 vhost; runs as the unprivileged glance user and reads
    # /var/lib/glance/config.yaml (relative to WorkingDirectory). No sandboxing directives
    # (ProtectSystem/ProtectHome/NoNewPrivileges) are set — worth considering for a network service.
    glance = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      serviceConfig = {
        User = "glance";
        Group = "glance";
        WorkingDirectory = "/var/lib/glance";
        # Environment = "LOG_LEVEL=debug"; # https://github.com/glanceapp/glance/issues/196
        ExecStart = "${pkgs.glance}/bin/glance --config config.yaml";
      };
    };
    # NOTE(review): the actual server process is whatever /opt/open-webui's shell.nix (or
    # default.nix) does when nix-shell runs it — presumably a shellHook that starts the app on
    # 8080 for the root vhost and backgrounds it (hence Type=forking). That file is outside the
    # store and runs with blee's full privileges and home directory; treat it as part of this
    # config for review purposes.
    open-webui = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        Type = "forking";
        User = "blee";
        WorkingDirectory = "/opt/open-webui";
        # nix-shell needs NIX_PATH; this points it at root's channels.
        Environment = "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels";
        ExecStart = "${pkgs.nix}/bin/nix-shell";
      };
    };
  };
  # TODO: fix errors
  # systemd.services.nightly-backups = {
  # description = "Nightly Backup Service";
  # wantedBy = [ "multi-user.target" ];
  # after = [ "network.target" ];
  # # enable = false; # testing
  # serviceConfig = {
  # User = "blee";
  # Type = "oneshot";
  # Environment = "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels";
  # WorkingDirectory = "/home/blee/ops/brenise.dev/scripts/backups";
  # # batch.sh calls other shell scripts which leads to nix environment hell.
  # # As a workaround, I think we could add multiple ExecStart lines for other backup scripts.
  # # ExecStart = "${pkgs.bash}/bin/bash /home/blee/ops/brenise.dev/scripts/backups/batch.sh";
  # ExecStart = "${pkgs.bash}/bin/bash /home/blee/ops/brenise.dev/scripts/backups/hosts/litten.brenise.dev.sh";
  # # Path = [
  # # "${pkgs.openssh}/bin"
  # # "${pkgs.coreutils}/bin"
  # # "${pkgs.gnugrep}/bin"
  # # "${pkgs.gnused}/bin"
  # # ];
  # };
  # };
  # systemd.timers.nightly-backups = {
  # wantedBy = [ "timers.target" ];
  # partOf = [ "nightly-backups.service" ];
  # timerConfig = {
  # OnCalendar = "daily";
  # nCalendar = "*-*-* 03:00:00";
  # # Persistent = true;
  # Unit = "nightly-backups.service";
  # };
  # };
};
# virtualisation.oci-containers = {
# backend = "podman"; # systemctl status podman-homeassistant
# containers.homeassistant = {
# volumes = [ "home-assistant:/config" ];
# environment.TZ = "US/Pacific";
# # Note: The image will not be updated on rebuilds, unless the version label changes
# image = "ghcr.io/home-assistant/home-assistant:stable";
# ports = [ "8123:8034" ];
# extraOptions = [
# "--network=host"
# "--cap-add=NET_ADMIN"
# "--cap-add=NET_RAW"
# ];
# };
# };
# Release the stateful defaults were taken from; do not bump on upgrades.
system = { stateVersion = "23.05"; };
}