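# NixOS configuration for host "litten" (litten.brenise.dev): a KDE desktop that
# also fronts several local services through Caddy with per-port TLS vhosts.
{ config, pkgs, lib, ... }:

let
  # Add nixpkgs-unstable channel with the following command:
  # nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs-unstable && nix-channel --update
  # The channel is resolved via NIX_PATH. The import is lazy, so a missing channel
  # only errors when an `unstable.<pkg>` reference is actually evaluated (all such
  # references below are currently commented out).
  unstable = import <nixpkgs-unstable> { config = config.nixpkgs.config; };

  host_name = "litten";
  host_fqdn = "${host_name}.brenise.dev";
in
{
  imports = [ ./hardware-configuration.nix ];

  nixpkgs = {
    # Explicit opt-in to a known-insecure electron; see the logseq note in the
    # user package list below for the reason.
    config.permittedInsecurePackages = [
      "electron-27.3.11" # logseq
    ];
    config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
      "obsidian" # https://github.com/obsidianmd/obsidian-releases
      "packer"
      "vscode"
      "terraform"
      "zoom"
    ];
    overlays = [
      (self: super: {
        # ansible needs jmespath for the json_query filter family.
        ansible = super.ansible.overrideAttrs (oldAttrs: {
          propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ [ super.python311Packages.jmespath ];
        });
      })
    ];
  };

  boot = {
    loader = {
      systemd-boot.enable = true;
      systemd-boot.configurationLimit = 20;
      efi.canTouchEfiVariables = true;
    };
  };

  hardware = {
    bluetooth.enable = true;
    keyboard.qmk.enable = true;
    opengl = {
      # https://wiki.nixos.org/wiki/Accelerated_Video_Playback
      enable = true;
      extraPackages = with pkgs; [ intel-media-driver ];
    };
  };

  networking = {
    hostName = "${host_name}";
    # networkmanager.enable = true;
    # NOTE(review): with the firewall off, every listening socket on this host
    # (sshd, the Caddy vhosts below, and anything bound to 0.0.0.0) is reachable
    # from the LAN; services that only Caddy should reach must bind to loopback.
    firewall.enable = false;
    interfaces = {
      enp100s0.ipv4.addresses = [{
        address = "192.168.1.35";
        prefixLength = 24;
      }];
    };
    defaultGateway = {
      address = "192.168.1.1";
      interface = "enp100s0";
    };
    # TODO https://nixos.wiki/wiki/Encrypted_DNS
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
    extraHosts = ''
      192.168.1.1 shinx.brenise.dev
    '';
  };

  time.timeZone = "America/Los_Angeles";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    # keyMap = "us";
    useXkbConfig = true; # use xkbOptions in tty.
  };

  users = {
    groups.glance = {};
    users = {
      # root and blee share one authorized_keys file, managed outside the store.
      root = {
        openssh.authorizedKeys.keyFiles = [ /etc/nixos/ssh/authorized_keys ];
      };
      blee = {
        openssh.authorizedKeys.keyFiles = [ /etc/nixos/ssh/authorized_keys ];
        isNormalUser = true;
        extraGroups = [ "wheel" "glance" ];
        packages = with pkgs; [
          chromium
          coreutils # base64
          element-desktop
          firefox
          gimp
          jellyfin-media-player
          kate # kwrite
          kdenlive
          libsForQt5.kcalc
          logseq # 0.10.9 # uses insecure electron version 27.3.11 https://github.com/NixOS/nixpkgs/pull/340427
          #unstable.logseq # 0.10.9 BUG: https://github.com/logseq/logseq/issues/10851
          moonlight-qt
          nmap
          obs-studio
          obsidian
          qbittorrent
          rtorrent
          spek # beat saber mapping
          synergy
          tenacity
          thunderbird
          tor-browser
          via
          vlc
          vscode
          xcaddy # warning: absolute dumpster fire
          yt-dlp
          zoom-us
          # Build vim huge with clipboard support
          (vim_configurable.overrideAttrs (oldAttrs: { features = "huge"; }))
          awscli2
          #aws-sam-cli # broken, fails to init. use pip install aws-sam-cli
          #unstable.aws-sam-cli
          packer
          terraform
          ansible
          python3
          python311Packages.pip
          python311Packages.ipython
          libreoffice-qt
          hunspell
          hunspellDicts.uk_UA
          hunspellDicts.th_TH
          nodejs_20
          yarn
          deno
        ];
      };
      # Dedicated unprivileged account for the glance systemd service below.
      glance = {
        isSystemUser = true;
        group = "glance";
        home = "/var/lib/glance";
        createHome = true;
        description = "Glance service user";
        # shell = pkgs.bash;
      };
    };
  };

  environment = {
    systemPackages = with pkgs; [
      # GPU tools
      android-tools
      arp-scan
      cryptsetup
      curl
      difftastic
      dig
      dnscontrol
      dnsutils
      doas
      exiftool
      ffmpeg
      file
      fzf
      git
      go
      htop
      iftop
      imagemagick
      iperf
      jq
      lego
      libressl
      mediainfo
      net-snmp # snmpwalk
      netcat
      nettools
      parted
      pass
      pciutils # lspci
      psmisc
      qrencode
      rsync
      screen
      tcpdump
      tmux
      tree
      unzip
      vim
      vulkan-tools
      wget
      whois
      wireguard-tools
      zbar
      zip
    ];
    # Restart a unit and follow its journal in one step.
    shellInit = ''
      pheonix() {
        systemctl restart "$1"
        journalctl -fu "$1"
      }
    '';
    plasma5.excludePackages = with pkgs.libsForQt5; [ plasma-browser-integration ];
    etc = lib.mkMerge [
      # Generate KDE config files
      (lib.attrsets.mapAttrs'
        (name: value:
          lib.attrsets.nameValuePair ("xdg/${name}") {
            source = (pkgs.formats.ini {}).generate name value;
          })
        {
          "baloofilerc" = {
            "Basic Settings" = {
              "Indexing-Enabled" = false;
            };
          };
        })
      {
        # normal environment.etc block
        gitconfig = {
          text = ''
            [init]
              defaultBranch = main
          '';
        };
      }
    ];
  };

  programs = {
    appimage = {
      enable = true;
      binfmt = true;
      package = pkgs.appimage-run.override {
        extraPkgs = pkgs: [
          pkgs.libthai # lume
        ];
      };
    };
    fish.enable = true;
    vim.defaultEditor = true;
    bash = {
      shellAliases = {
        ll = "ls -lAF --classify --group-directories-first";
        l = "ls -lF --classify --group-directories-first";
      };
      # https://nixos.wiki/wiki/Fish
      # Hand interactive bash sessions over to fish unless bash was started
      # from fish or given a command string.
      interactiveShellInit = ''
        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
        then
          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
        fi
      '';
    };
    mtr.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    kdeconnect.enable = true;
    chromium = {
      enable = true;
      extraOpts = {
        "SpellcheckEnabled" = false;
        "DefaultSearchProviderEnabled" = true;
        "DefaultSearchProviderName" = "Kagi";
        "DefaultSearchProviderSearchURL" = "https://kagi.com/search?q={searchTerms}";
        "SearchSuggestEnabled" = false;
        "DefaultSearchProviderSuggestURL" = "";
      };
    };
  };

  security = {
    # doas replaces sudo; blee may escalate and `persist` caches the
    # authentication for a while (no nopass, so a password is still required).
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          users = [ "blee" ];
          persist = true;
        }
      ];
    };
    # pki.certificateFiles = [ # self-signed CA trust for start9
    #   "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
    #   # "/etc/ssl/certs/dotted-turbans.pem"
    # ];
  };

  services = {
    # NOTE(review): authorized_keys are provisioned for root and blee above, but
    # nothing here turns off password authentication (NixOS leaves it enabled by
    # default); key-only login would need
    # `settings.PasswordAuthentication = false;` -- deliberately not changed here.
    openssh.enable = true;
    udev.packages = [ pkgs.via ];
    # https://discourse.nixos.org/t/bluetooth-a2dp-sink-not-showing-up-in-pulseaudio-on-nixos/32447/4?u=bleetube
    pipewire = {
      enable = true;
      pulse.enable = true;
    };
    # avahi = { # for resolving start9 hostname
    #   enable = true;
    #   nssmdns4 = true; # Enable NSS support for mDNS
    # };
    syncthing = {
      enable = true;
      user = "blee";
      dataDir = "/home/blee/Documents";
    };
    journald.extraConfig = "MaxRetentionSec=30day";
    # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/monitoring/prometheus/exporters.nix
    prometheus.exporters.node = {
      enable = true;
      port = 8030;
      # Only Caddy (the :4430 vhost below, proxying to 127.0.0.1:8030) should
      # reach the exporter. The exporter module defaults listenAddress to
      # 0.0.0.0 and the firewall is disabled above, so without this the raw
      # metrics endpoint is exposed to the LAN without TLS.
      listenAddress = "127.0.0.1";
      enabledCollectors = [
        "cpu.info"
        "interrupts"
        "netstat"
        "vmstat"
        "systemd"
        "tcpstat"
        "processes"
      ];
    };
    caddy = {
      enable = true;
      # Access logs are discarded; there is no record of requests to the
      # proxied apps beyond whatever the apps themselves log.
      logFormat = "output discard";
      extraConfig = let
        # ACME via Namecheap DNS challenge. The credentials come from the
        # environment (see the caddy EnvironmentFile override under systemd).
        tlsConfig = ''
          tls {
            dns namecheap {
              api_key {env.NAMECHEAP_API_KEY}
              user {env.NAMECHEAP_API_USER}
              api_endpoint https://api.namecheap.com/xml.response
            }
          }
        '';
      in ''
        ${host_fqdn} { # open-webui
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8080
          # BUG: assets are all on root path
          # handle /changedetection/* {
          #   uri strip_prefix /changedetection
          #   reverse_proxy http://127.0.0.1:${toString config.services.changedetection-io.port}
          # }
          # handle /files/* {
          #   root /mnt/usb/
          #   file_server browse
          # }
        }
        ${host_fqdn}:4430 { # node_exporter
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8030
        }
        ${host_fqdn}:4431 { # litellm
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8031
        }
        ${host_fqdn}:4432 { # glance
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8032
        }
        # BUG: POST messages throw missing referrer error
        ${host_fqdn}:4433 { # changedetection-io
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:${toString config.services.changedetection-io.port}
          header Referrer-Policy "strict-origin-when-cross-origin"
        }
        ${host_fqdn}:4434 { # home-assistant
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8034
        }
      '';
    };
    changedetection-io = {
      enable = true;
      port = 8033;
      behindProxy = true;
      # baseURL = "https://${host_fqdn}/changedetection/";
      baseURL = "https://${host_fqdn}:4433/";
      environmentFile = "/var/src/env_vars/changedetection-io";
    };
    displayManager = {
      sddm.enable = true;
      #defaultSession = "plasmawayland";
    };
    xserver = {
      enable = true;
      desktopManager.plasma5.enable = true;
    };
  };

  systemd = {
    services = {
      caddy = {
        serviceConfig = {
          # Presumably supplies NAMECHEAP_API_KEY / NAMECHEAP_API_USER for the
          # tlsConfig above; the file lives outside the Nix store, so its
          # ownership and mode are not managed by this configuration.
          EnvironmentFile = "/var/src/secrets/namecheap";
          # A custom caddy build (the namecheap DNS module is not in pkgs.caddy)
          # installed outside the store; it is not pinned or verified by this
          # configuration, so updates and integrity are handled manually.
          ExecStart = [
            "" # This empty string clears the existing ExecStart commands
            "/opt/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile"
          ];
          ExecReload = [
            "" # This empty string clears the existing ExecReload commands
            "/opt/bin/caddy reload --config /etc/caddy/caddy_config --adapter caddyfile --force"
          ];
        };
      };
      glance = {
        wantedBy = [ "multi-user.target" ];
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        serviceConfig = {
          User = "glance";
          Group = "glance";
          WorkingDirectory = "/var/lib/glance";
          # Environment = "LOG_LEVEL=debug"; # https://github.com/glanceapp/glance/issues/196
          # config.yaml is read from WorkingDirectory and is not managed here.
          ExecStart = "${pkgs.glance}/bin/glance --config config.yaml";
        };
      };
      open-webui = {
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
          Type = "forking";
          # Runs as the interactive user, not a dedicated service account.
          User = "blee";
          WorkingDirectory = "/opt/open-webui";
          Environment = "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels";
          # nix-shell picks up whatever shell expression sits in
          # WorkingDirectory -- presumably a shell.nix that launches the app.
          ExecStart = "${pkgs.nix}/bin/nix-shell";
        };
      };
    };
    # TODO: fix errors
    # systemd.services.nightly-backups = {
    #   description = "Nightly Backup Service";
    #   wantedBy = [ "multi-user.target" ];
    #   after = [ "network.target" ];
    #   # enable = false; # testing
    #   serviceConfig = {
    #     User = "blee";
    #     Type = "oneshot";
    #     Environment = "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels";
    #     WorkingDirectory = "/home/blee/ops/brenise.dev/scripts/backups";
    #     # batch.sh calls other shell scripts which leads to nix environment hell.
    #     # As a workaround, I think we could add multiple ExecStart lines for other backup scripts.
    #     # ExecStart = "${pkgs.bash}/bin/bash /home/blee/ops/brenise.dev/scripts/backups/batch.sh";
    #     ExecStart = "${pkgs.bash}/bin/bash /home/blee/ops/brenise.dev/scripts/backups/hosts/litten.brenise.dev.sh";
    #     # Path = [
    #     #   "${pkgs.openssh}/bin"
    #     #   "${pkgs.coreutils}/bin"
    #     #   "${pkgs.gnugrep}/bin"
    #     #   "${pkgs.gnused}/bin"
    #     # ];
    #   };
    # };
    # systemd.timers.nightly-backups = {
    #   wantedBy = [ "timers.target" ];
    #   partOf = [ "nightly-backups.service" ];
    #   timerConfig = {
    #     OnCalendar = "daily";
    #     # nCalendar = "*-*-* 03:00:00";
    #     # Persistent = true;
    #     Unit = "nightly-backups.service";
    #   };
    # };
  };

  # virtualisation.oci-containers = {
  #   backend = "podman"; # systemctl status podman-homeassistant
  #   containers.homeassistant = {
  #     volumes = [ "home-assistant:/config" ];
  #     environment.TZ = "US/Pacific";
  #     # Note: The image will not be updated on rebuilds, unless the version label changes
  #     image = "ghcr.io/home-assistant/home-assistant:stable";
  #     ports = [ "8123:8034" ];
  #     extraOptions = [
  #       "--network=host"
  #       "--cap-add=NET_ADMIN"
  #       "--cap-add=NET_RAW"
  #     ];
  #   };
  # };

  system.stateVersion = "23.05";
}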