{ config, pkgs, lib, ... }:

# NixOS configuration for the host "litten" (litten.brenise.dev): a KDE
# Plasma desktop that also fronts several self-hosted web apps (open-webui,
# node_exporter, litellm, glance, n8n, tandoor-recipes) through Caddy with
# DNS-validated TLS.

let
  host_name = "litten";
  host_fqdn = "${host_name}.brenise.dev";

  # Secrets (e.g. the Tandoor SECRET_KEY) come from a sibling Nix file.
  # NOTE(review): any value interpolated from here into a module option is
  # written into the world-readable /nix/store — confirm whether the consuming
  # modules accept a file path / EnvironmentFile instead if that matters here.
  secrets = import ./secrets.nix;

  # Add nixpkgs-unstable channel with the following command:
  # nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs-unstable && nix-channel --update
  # 09/15/24: Use nixpkgs-unstable for logseq, see https://github.com/NixOS/nixpkgs/pull/340427
  # NOTE(review): the channel path after `import` (presumably `<nixpkgs-unstable>`)
  # appears to have been lost in extraction; as written this line does not evaluate.
  unstable = import { config = config.nixpkgs.config; };

  # https://github.com/NixOS/nixpkgs/pull/358586
  # Caddy built with the namecheap DNS plugin, used for ACME DNS-01 below.
  caddyWithPlugins = unstable.caddy.withPlugins {
    # commit: 7095083a353829fc83632c34e8988fd8eb72f43d (01/14/2024)
    plugins = [ "github.com/caddy-dns/namecheap@v0.0.0-20240114194457-7095083a3538" ];
    hash = "sha256-Wu4j6XBNHX+ckCBmqTMC7ECLnOc3D3IJ04sJF14NHJo="; # WARNING: This will change every update
  };
in
{
  # nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # nix.shellHook = ''
  #   if [ -z "$IN_NIX_SHELL" ]; then
  #     exec fish
  #   fi
  # '';

  nixpkgs.config = {
    # Only the unfree packages named here may be installed; any other unfree
    # package is rejected at evaluation time.
    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
      "obsidian"
      "packer"
      "reaper"
      "n8n"
      "vscode"
      "terraform"
      "zoom"
      "charlatan3"
      "steam"
      "steam-original"
      "steam-unwrapped"
      "steam-run"
      "tokenizer.json" # goose-cli
    ];
  };

  nixpkgs.overlays = [
    (self: super: {
      ansible = super.ansible.overrideAttrs (oldAttrs: {
        propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ [ super.python312Packages.jmespath ];
      }); # Add jmespath to ansible build inputs
    })
    # (self: super: {
    #   charlatan3 = super.callPackage ./overlays/clap/charlatan3.nix { };
    # }) # https://blaukraut.info/
  ];

  imports = [ ./hardware-configuration.nix ];

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  hardware = {
    bluetooth.enable = true;
    keyboard.qmk.enable = true;
    graphics = {
      # https://wiki.nixos.org/wiki/Accelerated_Video_Playback
      enable = true;
      extraPackages = with pkgs; [ intel-media-driver ];
    };
  };

  networking = {
    hostName = "${host_name}";
    # NOTE(review): with the host firewall off, every backend port used below
    # (8030-8035, plus whatever the apps bind by default) is reachable from the
    # LAN directly, bypassing Caddy's TLS front-end, unless each backend is
    # bound to 127.0.0.1. Re-enabling the firewall with an explicit
    # allowedTCPPorts list for the Caddy listeners would close that gap.
    firewall.enable = false;
    interfaces = {
      enp100s0.ipv4.addresses = [{ address = "192.168.1.35"; prefixLength = 24; }];
    };
    defaultGateway = { address = "192.168.1.1"; interface = "enp100s0"; };
    # TODO https://nixos.wiki/wiki/Encrypted_DNS
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
    extraHosts = ''
      192.168.1.1 shinx.${host_fqdn}
    '';
    # Static host routes via the default gateway; `|| true` keeps activation
    # from failing when a route already exists.
    localCommands = ''
      ip route add 10.19.21.11/32 dev ${config.networking.defaultGateway.interface} via ${config.networking.defaultGateway.address} || true # timburr
      ip route add 10.19.21.34/32 dev ${config.networking.defaultGateway.interface} via ${config.networking.defaultGateway.address} || true # weavile
    '';
  };

  time.timeZone = "America/Los_Angeles";
  i18n.defaultLocale = "en_US.UTF-8";

  console = {
    font = "Lat2-Terminus16";
    # keyMap = "us";
    useXkbConfig = true; # use xkbOptions in tty.
  };

  users = {
    # Dedicated groups for the service accounts below; blee is added to each,
    # presumably so the interactive user can reach their state directories.
    groups = {
      glance = {};
      n8n = {};
      mealie = {};
    };
    users = {
      root = {
        # NOTE(review): an authorized_keys file for root accepts key-based root
        # SSH logins under sshd's default PermitRootLogin (prohibit-password);
        # remove this if direct root logins are not intended.
        openssh.authorizedKeys.keyFiles = [ /etc/nixos/ssh/authorized_keys ];
      };
      blee = {
        openssh.authorizedKeys.keyFiles = [ /etc/nixos/ssh/authorized_keys ];
        isNormalUser = true;
        # NOTE(review): "docker" membership is root-equivalent for the rootful
        # daemon enabled under virtualisation.docker; since rootless docker is
        # also enabled, verify which daemon is in use and whether the group is
        # still needed.
        extraGroups = [ "wheel" "adbusers" "docker" "glance" "n8n" "mealie" ];
        packages = with pkgs; [
          # unstable.n8n
          # unstable.goose-cli
          gh
          solaar
          binutils
          chromium
          coreutils # base64
          element-desktop
          firefox
          gimp
          gnumake
          home-manager
          jellyfin-media-player
          kate # kwrite
          kdenlive
          libsForQt5.kcalc
          # unstable.logseq # warning: https://github.com/logseq/logseq/issues/10851#issuecomment-2402925912
          unstable.ghostty
          moonlight-qt
          nmap
          obs-studio
          obsidian
          pavucontrol
          # qbittorrent
          rclone
          rtorrent
          sq
          synergy
          tenacity
          thunderbird
          tor-browser
          via
          vlc
          vscode
          yt-dlp
          zoom-us
          # Build vim huge with clipboard support
          (vim_configurable.overrideAttrs (oldAttrs: { features = "huge"; }))
          awscli2
          aws-sam-cli
          packer
          terraform
          ansible
          python311
          python311Packages.pip
          python311Packages.ipython
          libreoffice-qt
          hunspell
          hunspellDicts.en-us
          # postman # nope, auth is broken
          nodejs_20
          yarn
          deno
          nix-init
          nix-tree
          nurl
          # music apps
          reaper
          spek
        ];
      };
      glance = {
        isSystemUser = true;
        group = "glance";
        home = "/var/lib/glance";
        createHome = true;
        description = "Glance service user";
        # shell = pkgs.bash;
      };
      n8n = {
        isSystemUser = true;
        group = "n8n";
        home = "/var/lib/n8n";
        createHome = true;
        description = "System account for n8n";
        shell = pkgs.bashInteractive;
        packages = with pkgs; [ unstable.n8n ];
      };
      mealie = {
        isSystemUser = true;
        group = "mealie";
        description = "Mealie service user";
        home = "/var/lib/mealie";
        createHome = true;
        # NOTE(review): this installs unstable.mealie for the user, while the
        # systemd unit below runs pkgs.mealie — likely an unintended version
        # split; pick one.
        packages = with pkgs; [ unstable.mealie ];
      };
    };
  };

  # home-manager.users.blee = { imports = [ ./home.nix ]; };

  environment = {
    systemPackages = with pkgs; [
      # GPU tools
      arp-scan
      cryptsetup
      curl
      difftastic
      dig
      dnscontrol
      dnsutils
      doas
      exiftool
      ffmpeg
      file
      fzf
      git
      go
      htop
      iftop
      imagemagick
      iperf
      jq
      lego
      libressl
      lm_sensors
      mediainfo
      net-snmp # snmpwalk
      netcat
      nettools
      parted
      pass
      pciutils # lspci
      psmisc
      qrencode
      rsync
      screen
      tcpdump
      tmux
      tree
      unzip
      vim
      vulkan-tools
      wget
      whois
      wireguard-tools
      zbar
      zip
    ];
    # Restart a unit and follow its journal in one go.
    shellInit = ''
      pheonix() {
        systemctl restart "$1"
        journalctl -fu "$1"
      }
    '';
    plasma5.excludePackages = with pkgs.libsForQt5; [ plasma-browser-integration ];
    etc."gitconfig".text = ''
      [init]
        defaultBranch = main
    '';
    # vscode on Wayland
    #sessionVariables.NIXOS_OZONE_WL = "1";
  };

  programs = {
    adb.enable = true;
    appimage = {
      enable = true;
      binfmt = true;
      package = pkgs.appimage-run.override {
        extraPkgs = pkgs: [
          pkgs.libthai # lume
        ];
      };
    };
    # hyprland = {
    #   enable = true;
    #   xwayland.enable = true;
    # };
    fish.enable = true;
    vim = {
      enable = true;
      defaultEditor = true;
    };
    bash = {
      shellAliases = {
        ll = "ls -lAF --classify --group-directories-first";
        l = "ls -lF --classify --group-directories-first";
      };
      # https://nixos.wiki/wiki/Fish
      # Hand interactive bash sessions over to fish, unless bash was started
      # by fish itself or with -c (BASH_EXECUTION_STRING set).
      interactiveShellInit = ''
        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
        then
          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
        fi
      '';
    };
    mtr.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    kdeconnect.enable = true;
    steam.enable = true;
    chromium = {
      enable = true;
      extraOpts = {
        "SpellcheckEnabled" = false;
        "DefaultSearchProviderEnabled" = true;
        "DefaultSearchProviderName" = "Kagi";
        "DefaultSearchProviderSearchURL" = "https://kagi.com/search?q={searchTerms}";
        "SearchSuggestEnabled" = false;
        "DefaultSearchProviderSuggestURL" = "";
      };
    };
  };

  security = {
    # doas replaces sudo; `persist` caches a successful authentication for a
    # while instead of re-prompting on every call.
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        { users = [ "blee" ]; persist = true; }
      ];
    };
    # pki.certificateFiles = [
    #   "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
    #   # "/etc/ssl/certs/dotted-turbans.pem"
    # ];
  };

  services = {
    openssh.enable = true;
    udev.packages = [ pkgs.via ];
    # https://discourse.nixos.org/t/bluetooth-a2dp-sink-not-showing-up-in-pulseaudio-on-nixos/32447/4?u=bleetube
    pipewire = {
      enable = true;
      pulse.enable = true;
      alsa.enable = true; # for tenacity
      # jack.enable = true; # this might be useful for reaper, but enabling it breaks stereo audio for some reason
    };
    avahi = { # for resolving start9 hostname
      enable = true;
      nssmdns4 = true; # Enable NSS support for mDNS
    };
    syncthing = {
      enable = true;
      user = "blee";
      dataDir = "/home/blee/Documents";
    };
    journald.extraConfig = "MaxRetentionSec=30day";
    # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/monitoring/prometheus/exporters.nix
    prometheus.exporters.node = {
      enable = true;
      port = 8030;
      # openFirewall = true;
      enabledCollectors = [ "cpu.info" "interrupts" "netstat" "vmstat" "systemd" "tcpstat" "processes" ];
    };
    caddy = {
      enable = true;
      package = caddyWithPlugins;
      # NOTE(review): as far as I can tell this discards Caddy's own log, and
      # no per-site `log` directive is set below, so none of the proxied apps
      # get an access log; keeping at least the access log gives an audit
      # trail for the TLS endpoints.
      logFormat = "output discard";
      extraConfig = let
        # ACME DNS-01 challenge through the namecheap plugin. The API
        # credentials are read from Caddy's environment; they are presumably
        # supplied outside this file (e.g. an EnvironmentFile on the unit).
        tlsConfig = ''
          tls {
            dns namecheap {
              api_key {env.NAMECHEAP_API_KEY}
              user {env.NAMECHEAP_API_USER}
              api_endpoint https://api.namecheap.com/xml.response
            }
          }
        '';
      in ''
        ${host_fqdn} { # open-webui
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8080
          # handle /files/* {
          #   root /mnt/usb/
          #   file_server browse
          # }
        }
        ${host_fqdn}:4430 { # node_exporter
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8030
        }
        ${host_fqdn}:4431 { # litellm
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8031
        }
        ${host_fqdn}:4432 { # glance
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8032
        }
        ${host_fqdn}:4433 { # n8n
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8033
        }
        ${host_fqdn}:4434 { # tandoor-recipes
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8034
        }
        :9999 {
          respond "success"
        }
      '';
    };
    displayManager = {
      sddm.enable = true;
      #defaultSession = "plasmawayland";
    };
    xserver = {
      enable = true;
      desktopManager.plasma5.enable = true;
    };
    tandoor-recipes = {
      enable = true;
      # NOTE(review): with `address` left at the module default, confirm the
      # app binds loopback only; otherwise port 8034 is reachable without TLS
      # while the firewall is disabled.
      # address = "127.0.0.1";
      port = 8034;
      extraConfig = {
        # https://github.com/TandoorRecipes/recipes/raw/refs/heads/develop/docs/system/configuration.md
        SECRET_KEY = "${secrets.tandoorSecretKey}";
        ALLOWED_HOSTS = "${host_fqdn}";
        TANDOOR_PORT = "8034";
      };
    };
  };

  systemd = {
    # Mealie listens on 8035; note there is no Caddy site for it above, so it
    # is only reachable directly on that port.
    services.mealie = {
      enable = true;
      description = "Mealie";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "mealie";
        Group = "mealie";
        WorkingDirectory = "/var/lib/mealie";
        ExecStart = "${pkgs.mealie}/bin/mealie";
        Restart = "on-failure";
        RestartSec = "1m";
        Environment = [ "MEALIE_PORT=8035" ];
      };
    };
    services.n8n = {
      enable = true;
      description = "n8n";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "n8n";
        Group = "n8n";
        ExecStart = "${unstable.n8n}/bin/n8n";
        Restart = "on-failure";
        RestartSec = "1m";
        Environment = [
          "N8N_PORT=8033"
          "N8N_EDITOR_BASE_URL=https://${host_fqdn}:4433"
          "N8N_HIRING_BANNER_ENABLED=false"
          "N8N_METRICS=true"
        ];
      };
    };
    services.glance = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        User = "glance";
        Group = "glance";
        WorkingDirectory = "/var/lib/glance";
        # Environment = "LOG_LEVEL=debug"; # https://github.com/glanceapp/glance/issues/196
        ExecStart = "${pkgs.glance}/bin/glance --config config.yaml";
      };
    };
    services.open-webui = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # NOTE(review): unlike the other services, this unit runs as the
      # interactive wheel user and starts nix-shell in /opt/open-webui
      # (presumably a shell.nix there). A compromise of the web app therefore
      # lands in that user's home (SSH keys, syncthing data) rather than in a
      # dedicated service account; a system user with its own state directory,
      # as done for glance/n8n/mealie, would contain it.
      serviceConfig = {
        Type = "forking";
        User = "blee";
        WorkingDirectory = "/opt/open-webui";
        Environment = "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels";
      };
      script = "${pkgs.nix}/bin/nix-shell";
    };
  };

  virtualisation.docker = {
    enable = true;
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
    autoPrune = {
      enable = true;
      dates = "monthly";
    };
  };

  system.stateVersion = "23.05";
}