From 1de15c45f2d7bb1136f61c244a4580b43ac6800b Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Mon, 9 Feb 2026 01:51:30 +1000 Subject: [PATCH] super massive rewrite --- groups/cryde/default.nix | 140 ++++++ groups/cryde/programs.nix | 27 + groups/cryos/default.nix | 137 ++++++ groups/cryos/programs.nix | 114 +++++ groups/default.nix | 49 ++ groups/server/default.nix | 54 ++ hosts/butterfly/default.nix | 77 +++ hosts/butterfly/hardware-configuration.nix | 37 ++ hosts/butterfly/services/default.nix | 5 + .../services/forgejo.nix | 0 .../services/mailserver.nix | 0 .../services/minecraft-server.nix | 0 hosts/butterfly/services/nginx.nix | 83 ++++ .../services/vaultwarden.nix | 0 hosts/hyrule/default.nix | 121 +---- hosts/hyrule/services/default.nix | 7 + hosts/lolcathost/default.nix | 435 +---------------- hosts/myputer/default.nix | 460 +----------------- .../sddm-theme-corners/default.nix | 0 19 files changed, 746 insertions(+), 1000 deletions(-) create mode 100644 groups/cryde/default.nix create mode 100644 groups/cryde/programs.nix create mode 100644 groups/cryos/default.nix create mode 100644 groups/cryos/programs.nix create mode 100644 groups/default.nix create mode 100644 groups/server/default.nix create mode 100755 hosts/butterfly/default.nix create mode 100644 hosts/butterfly/hardware-configuration.nix create mode 100644 hosts/butterfly/services/default.nix rename hosts/{hyrule => butterfly}/services/forgejo.nix (100%) rename hosts/{hyrule => butterfly}/services/mailserver.nix (100%) rename hosts/{hyrule => butterfly}/services/minecraft-server.nix (100%) create mode 100644 hosts/butterfly/services/nginx.nix rename hosts/{hyrule => butterfly}/services/vaultwarden.nix (100%) create mode 100644 hosts/hyrule/services/default.nix rename hosts/sddm-theme-corners.nix => packages/sddm-theme-corners/default.nix (100%) diff --git a/groups/cryde/default.nix b/groups/cryde/default.nix new file mode 100644 index 0000000..daadfc0 --- /dev/null 
+++ b/groups/cryde/default.nix 
@@ -0,0 +1,140 @@ +{ + inputs, + pkgs, + config, + ... +}: { + imports = [ + ./programs.nix + + ../../hosts/modules/bashistrans.nix + ../../hosts/modules/wm/hyprland.nix + ../../hosts/modules/steam.nix + ../../hosts/modules/obsidian.nix + + inputs.nix-flatpak.nixosModules.nix-flatpak + ]; + + boot.loader.grub2-theme = { + enable = true; + # GitHub: vinceliuice/grub2-themes + theme = "whitesur"; # stylish, vimix, or whitesur + footer = true; + customResolution = "1920x1080"; + }; + + services = { + # Set display manager (login screen) + displayManager = { + # sddm relies on pkgs.libsForQt5.qt5.qtgraphicaleffects + sddm = { + enable = true; + wayland.enable = true; # experimental + theme = "corners"; + }; + defaultSession = + "hyprland" + + ( + if config.programs.hyprland.withUWSM == true + then "-uwsm" + else null + ); + }; + + tumbler.enable = true; # Thunar image thumbnail support + gvfs.enable = true; # Thunar mount, trash, and other functionality + }; + + programs = { + zsh.enable = true; + fish.enable = true; + + nix-ld.enable = true; + + neovim = { + enable = true; + defaultEditor = true; + viAlias = true; + vimAlias = true; + configure = { + customRC = '' + set number + set tabstop=4 + set shiftwidth=4 + ''; + }; + }; + + # Thunar also uses: `services.tumbler` & `services.gvfs` + thunar = { + enable = true; + plugins = with pkgs.xfce; [ + thunar-volman # for removable drives (ie USBs) + thunar-archive-plugin # create and extract archives + thunar-media-tags-plugin # change metadata for media files + ]; + }; + + # mozilla's email client + thunderbird.enable = true; + }; + + # ----- FONTS ----- + fonts = { + enableDefaultPackages = true; # no clue what this line does tbh + packages = with pkgs; + [ + geist-font # for my hyprlock theme + # texlive maintains a noto-emoji flake + texlivePackages.noto-emoji + ] + ++ builtins.filter lib.attrsets.isDerivation ( + builtins.attrValues pkgs.nerd-fonts + ); + + # TODO: change my default fonts + fontconfig = { + 
defaultFonts = { + serif = ["Geist"]; # TODO: package Iosevka Etoile since Iosevka isn't a serif font + sansSerif = ["Geist"]; + monospace = ["Cousine"]; + emoji = ["Noto Emoji"]; + }; + }; + }; + + # ---- ENVIRONMENT VARIABLES ---- + environment = { + sessionVariables = { + # Hint Electrons apps to use Wayland + NIXOS_OZONE_WL = "1"; + }; + systemPackages = with pkgs; [ + (callPackage ../sddm-theme-corners.nix {}).sddm-theme-corners + # dependencies for my sddm theme: + # XXX: add these as a buildInput + pkgs.libsForQt5.qt5.qtgraphicaleffects + ]; + }; + + # ------- USERS ------- + users = { + users = { + # literally me fr (personal account) + me = { + isNormalUser = true; + extraGroups = ["wheel" "netdev" "docker"]; + shell = pkgs.bash; + packages = with pkgs; [ + firefox + nitch + starfetch + + colmena-latest + + gitkraken + ]; + }; + }; + }; +} diff --git a/groups/cryde/programs.nix b/groups/cryde/programs.nix new file mode 100644 index 0000000..dbfe31e --- /dev/null +++ b/groups/cryde/programs.nix @@ -0,0 +1,27 @@ +{pkgs, ...}: { + # ---- SYSTEM PACKAGES ----- + environment.systemPackages = with pkgs; [ + # User Environment + swww + helvum + easyeffects + pavucontrol + ani-cli + bluetui + wl-clipboard # clipboard for wayland + hyprpicker # color picker + hyprshot # screenshot utility + wl-screenrec # screen recording utility + qbittorrent # torrenting + signal-desktop + kdePackages.gwenview # image viewer + video-trimmer + + # Games + prismlauncher # minecraft + upkgs.olympus # celeste + discord + discordo + ekphos + ]; +} diff --git a/groups/cryos/default.nix b/groups/cryos/default.nix new file mode 100644 index 0000000..795ed8b --- /dev/null +++ b/groups/cryos/default.nix 
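Review bot: This module references `lib` (`builtins.filter lib.attrsets.isDerivation` in the fonts list) but its argument set is `{ inputs, pkgs, config, ... }`, so evaluation fails with an undefined-variable error; add `lib,` to the arguments. Two more expressions in the same hunk cannot evaluate as written: `defaultSession = "hyprland" + (if … then "-uwsm" else null)` errors with "cannot coerce null to a string" whenever `withUWSM` is false, so the fallback should be `else ""`; and `callPackage ../sddm-theme-corners.nix {}` now resolves to groups/sddm-theme-corners.nix, a path that does not exist after this commit moves the package to packages/sddm-theme-corners/default.nix, so it should read `(callPackage ../../packages/sddm-theme-corners {}).sddm-theme-corners`. Note also that the `me` user is added to `docker`, which on a host with `virtualisation.docker.enable` is effectively root-equivalent — fine for a personal desktop, but worth a one-line comment next to `extraGroups` so it is a deliberate choice rather than an accident of the rewrite.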
@@ -0,0 +1,137 @@ +{ + pkgs, + lib, + ... +}: { + imports = [ + ./programs.nix + ]; + + nixpkgs.config.allowUnfreePredicate = let + whitelist = with pkgs; + map lib.getName [ + discord + steam + steamcmd + steam-unwrapped + + winbox + + obsidian + gitkraken + ]; + in + pkg: builtins.elem (lib.getName pkg) whitelist; + + boot.loader = { + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot/efi"; + }; + grub = { + efiSupport = true; + device = "nodev"; + # useOSProber = true; + }; + }; + + # Enable initrd hook for virtual console customisation + # aka cool colours when bootting yay!! + console = { + enable = true; + earlySetup = true; # initrd pre hook + keyMap = "us"; + font = "Lat2-Terminus16"; + # ANSI 24-bit color definitions (theme: dracula) + colors = [ + "21222c" + "ff5555" + "50fa7b" + "f1fa8c" + "bd93f9" + "ff79c6" + "8be9fd" + "f8f8f2" + "6272a4" + "ff6e6e" + "69ff94" + "ffffa5" + "d6acff" + "ff92df" + "a4ffff" + "ffffff" + ]; + }; + + hardware = { + graphics = { + enable = true; + enable32Bit = true; + }; + + bluetooth = { + enable = true; + powerOnBoot = true; + }; + }; + + virtualisation.docker.enable = true; + + services = { + # systemd-resolved provides network name resolution + # to local processes via a D-Bus interface. 
+ resolved = { + enable = true; + dnssec = "true"; + domains = ["~."]; + # Use CloudFlare's WARP+ 1.1.1.1 DNS service + fallbackDns = [ + "1.1.1.1#one.one.one.one" + "1.0.0.1#one.one.one.one" + ]; + dnsovertls = "true"; + }; + + # Multimedia Framework + # With backwards compatability for alsa/pulseaudio/jack + pipewire = { + enable = true; + audio.enable = true; + wireplumber.enable = true; + + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + }; + }; + + security = { + rtkit.enable = true; # I *think* this is for pipewire + sudo.wheelNeedsPassword = lib.mkDefault true; + }; + + # ---- ENVIRONMENT VARIABLES ---- + environment = { + # always install "dev" derivation outputs + extraOutputsToInstall = ["dev" "man"]; + + sessionVariables = { + # folder names with capitalisation look awful! + XDG_DOWNLOAD_DIR = "$HOME/downloads"; + }; + }; + + documentation = { + enable = true; + doc.enable = true; # install /share/doc packages + man.enable = true; # install manpages + info.enable = true; # install GNU info + dev.enable = true; # install docs intended for developers + nixos = { + enable = true; # install NixOS documentation (ie man -k nix, & nixos-help) + options.splitBuild = true; + includeAllModules = false; + }; + }; +} diff --git a/groups/cryos/programs.nix b/groups/cryos/programs.nix new file mode 100644 index 0000000..4b0fc6b --- /dev/null +++ b/groups/cryos/programs.nix 
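Review bot: This group configures systemd-resolved but nothing in it (or in the cryde group) enables NetworkManager, while the lolcathost hunk later in this patch (hosts/lolcathost/default.nix) deletes `networkmanager.enable = true` and its `nameservers`; unless the flake attaches the server group to desktop hosts as well, those machines end up with neither a network manager nor a configured upstream resolver, because `fallbackDns` is only consulted when no per-link DNS servers are learned. If the intent is "resolved everywhere, NetworkManager on desktops", add `networking.networkmanager.enable = lib.mkDefault true;` here next to the resolved block. Separately, `dnssec = "true"` is strict validation and makes resolution fail outright on networks whose DNS path mangles DNSSEC records; this is carried over from the old host config rather than new, but a comment such as `# strict DNSSEC: resolution fails rather than downgrades on broken networks ("allow-downgrade" is the lenient alternative)` would save the next debugging session.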
@@ -0,0 +1,114 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [ + # Shell + bash + fish + shellcheck + grc # colorise command outputs + moreutils + + # Systems Emulation + qemu # Fellice Bellard's Quick Emulator + # Binaries + binutils + strace + ltrace + perf-tools # ftrace + perf + radare2 + gdb + hexyl + # ASM + nasm + x86-manpages + # C Family + gcc + clang + clang-tools + gnumake + cmake + + # Rust + cargo + rustc + rustfmt + # Go + go + # Nim + nim + nimble + # Haskell + ghc + ghcid + ormolu + + # Nix + nix-prefetch-git + nix-index + nix-unit + deploy-rs.deploy-rs + + # Python + python312 # I use 3.12 since it's in a pretty stable state now + python314 # also 3.14 for latest features + poetry + # Sage + sageWithDoc # SageMath + HTML Documentation + + # .NET + dotnetCorePackages.dotnet_9.sdk + dotnetCorePackages.dotnet_9.aspnetcore + dotnetCorePackages.dotnet_9.runtime + + openvpn + inetutils + wireguard-tools + + # security tools + rustscan + nmap + dig + gobuster + nth + zap + + httpie + curlie + zoxide + doggo + tldr + btop + eza + yazi + lazygit + ripgrep + viddy # modern `watch` command + timg # terminal image (sixel) viewer + + # Pretty necessary + git + git-filter-repo + brightnessctl + acpi + # upower + vim + powertop + imagemagick + + # "Standard" Unix Commands + file + wget + tree + pstree + zip + unzip + unrar-free + lz4 + man-pages + man-pages-posix + + # Cryptography + gnupg + openssl + libargon2 + ]; +} diff --git a/groups/default.nix b/groups/default.nix new file mode 100644 index 0000000..0dfb8f8 --- /dev/null +++ b/groups/default.nix 
@@ -0,0 +1,49 @@ +{ + root, + pkgs, + upkgs, + lib, + inputs, + config, + ... +}: { + nix.settings = { + # make wheel group trusted users allows my "ae" user + # to import packages not signed by a trusted key + # (aka super duper easier to remote deploy) + trusted-users = ["root" "@wheel"]; + experimental-features = [ + "nix-command" + "flakes" + "pipe-operators" + ]; + download-buffer-size = 524288000; # 500 MiB + }; + + time.timeZone = lib.mkDefault "Australia/Brisbane"; + + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + users.defaultUserShell = pkgs.bash; + + home-manager = { + users = + config.users.users + |> builtins.attrNames + |> builtins.filter (x: builtins.pathExists (root + "/homes/${x}")) + |> lib.genAttrs (x: import (root + "/homes/${x}")); + + extraSpecialArgs = {inherit inputs pkgs upkgs;}; + }; + + environment.systemPackages = with pkgs; [ + git + vim + wget + tree + ]; +} diff --git a/groups/server/default.nix b/groups/server/default.nix new file mode 100644 index 0000000..4092412 --- /dev/null +++ b/groups/server/default.nix 
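Review bot: `trusted-users = ["root" "@wheel"]` is now applied to every host that uses this group rather than to hyrule alone, and trusted-user status is root-equivalent — a trusted user can add substituters and import unsigned store paths that the daemon then realises as root — so wheel membership becomes the real trust boundary on each machine. The comment above it still speaks of an "ae" user, but this same commit renames that account to `cry` on hyrule and butterfly; update it to `# make wheel group trusted users (allows my "cry" user to import unsigned paths for remote deploys)`. If only the deploying account needs the grant, naming that user instead of `@wheel` keeps the privilege narrow, e.g. `trusted-users = ["root" "cry"];`.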
@@ -0,0 +1,54 @@ +{ + lib, + sshPort ? 22, + ... +}: { + networking = { + networkmanager.enable = true; + + # Use CloudFlare's WARP+ 1.1.1.1 DNS service + nameservers = [ + "1.1.1.1" + "1.0.0.1" + ]; + + firewall = { + enable = lib.mkDefault true; + allowedTCPPorts = [ + sshPort + ]; + }; + }; + + security = { + # accept Lets Encrypt's security policy + acme = { + acceptTerms = true; + defaults.email = "them@dobutterfliescry.net"; + }; + + sudo = { + enable = true; + wheelNeedsPassword = true; + }; + # allow SSH keys for passwordless auth + pam = { + enableSSHAgentAuth = true; + services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module + }; + }; + + services = { + openssh = { + enable = true; + ports = [sshPort]; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + # AllowUsers = ["cry"]; # DO NOT ALLOW ALL + UseDns = true; + X11Forwarding = false; + }; + }; + }; +} diff --git a/hosts/butterfly/default.nix b/hosts/butterfly/default.nix new file mode 100755 index 0000000..cc00dd3 --- /dev/null +++ b/hosts/butterfly/default.nix 
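Review bot: `AllowUsers` is now commented out with the note "DO NOT ALLOW ALL", but the hyrule hunk later in this patch removes the previous `AllowUsers = ["ae" "subspace"]` and keeps the `friends` account, so after this commit any normal user on the host may authenticate over SSH — `AllowUsers` should be set (per host, if the list differs) rather than left as a comment. The `security.pam` block that enables agent-forwarded keys for sudo was moved here from hyrule without the `# TODO: DO NOT USE THIS` warning that accompanied it; that caveat is worth keeping, since `sudo.sshAgentAuth` means anyone who can reach a forwarded agent socket on the host can escalate without a password. `UseDns = true` gives no authentication benefit unless hostname-based keys are in use and only adds a reverse lookup per connection, so if it is intentional a short comment explaining why would help. If the channel is 24.05 or newer, `security.pam.enableSSHAgentAuth` is the renamed-alias form of `security.pam.sshAgentAuth.enable` and still evaluates with a warning; worth confirming against the channel in use.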
@@ -0,0 +1,77 @@ +{...}: { + imports = [ + ./hardware-configuration.nix + + ./services + ]; + + # super duper minimum grub2 config + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "butterfly"; + + firewall = { + allowedTCPPorts = [ + 80 # nginx + # 143 # IMAP4 + 443 # nginx + # 587 # SMTPS + 2222 # forgejo ssh + 2035 # debug (for my job) + # 3000 (INTERNAL) forgejo + # 3306 (INTERNAL) forgejo sqlite3 database + 5000 # debug (for my job) + # 8222 (INTERNAL) vaultwarden + 45000 # minecaft server + ]; + allowedUDPPorts = [ + 54231 # Wireguard + ]; + }; + + # wg-quick.interfaces = { + # wg0 = { + # address = [ + # "10.10.10.4/24" + # ]; + # dns = ["10.10.10.1"]; + # privateKeyFile = "/root/wg_agrivpn_hyrule"; + # peers = [ + # { + # # peer's public key + # publicKey = "iZ4aqYjbT8O8tfUHEuV+yWLtdoQbdBb6Nt0M4usMSiY="; + + # # choose which traffic to forward + # allowedIPs = [ + # "10.0.51.0/24" + # "10.10.10.0/24" + # ]; + # endpoint = "150.242.34.33:54231"; + # } + # ]; + # }; + # }; + }; + + users = { + users = { + # primary user + cry = { + isNormalUser = true; + home = "/home/cry"; + extraGroups = ["wheel"]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 ae@dobutterfliescry.net" + ]; + }; + }; + }; + + virtualisation.docker.enable = true; + + system.stateVersion = "24.11"; # DO NOT MODIFY +} diff --git a/hosts/butterfly/hardware-configuration.nix b/hosts/butterfly/hardware-configuration.nix new file mode 100644 index 0000000..13fe39a --- /dev/null +++ b/hosts/butterfly/hardware-configuration.nix 
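Review bot: The firewall on this internet-facing host opens 2222, 45000 and the two "debug (for my job)" ports 2035/5000, yet `./services` on butterfly only imports nginx.nix, so no service introduced by this commit listens on any of them. An open port without a listener is harmless today, but it also means the allow-list no longer tracks what actually runs; declaring each port next to the service that needs it (forgejo.nix, minecraft-server.nix) keeps the exposure tied to the listener, and the debug ports could be dropped until they are needed: `allowedTCPPorts = [ 80 443 ];`. The commented-out `wg-quick` block hard-codes a peer public key and endpoint; it is not secret, but if it is dead config it is better deleted than carried forward.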
@@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-label/NIXBOOT"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/butterfly/services/default.nix b/hosts/butterfly/services/default.nix new file mode 100644 index 0000000..d6f75e1 --- /dev/null +++ b/hosts/butterfly/services/default.nix @@ -0,0 +1,5 @@ +{...}: { + imports = [ + ./nginx.nix + ]; +} diff --git a/hosts/hyrule/services/forgejo.nix b/hosts/butterfly/services/forgejo.nix similarity index 100% rename from hosts/hyrule/services/forgejo.nix rename to hosts/butterfly/services/forgejo.nix diff --git a/hosts/hyrule/services/mailserver.nix b/hosts/butterfly/services/mailserver.nix similarity index 100% rename from hosts/hyrule/services/mailserver.nix rename to hosts/butterfly/services/mailserver.nix 
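Review bot: hosts/butterfly/services/default.nix imports only `./nginx.nix`, but nginx.nix in this same patch proxies `vault.imbored.dev` to `127.0.0.1:8222` and `forge.dobutterfliescry.net` to `127.0.0.1:3000`, and the commit renames forgejo.nix, vaultwarden.nix, mailserver.nix and minecraft-server.nix into this directory without importing them anywhere — so on butterfly those two vhosts obtain ACME certificates and then answer 502 for every request. Either add the services that are meant to run here, `./forgejo.nix ./vaultwarden.nix`, or drop the corresponding vhosts from nginx.nix until they do. The hyrule side of this move has a separate path problem noted at its own hunk.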
diff --git a/hosts/hyrule/services/minecraft-server.nix b/hosts/butterfly/services/minecraft-server.nix similarity index 100% rename from hosts/hyrule/services/minecraft-server.nix rename to hosts/butterfly/services/minecraft-server.nix diff --git a/hosts/butterfly/services/nginx.nix b/hosts/butterfly/services/nginx.nix new file mode 100644 index 0000000..6d0205d --- /dev/null +++ b/hosts/butterfly/services/nginx.nix 
@@ -0,0 +1,83 @@ +{ + inputs, + pkgs, + ... +}: { + nixpkgs.overlays = [ + (self: super: { + # in wake of CVE-2022-3602/CVE-2022-3786 + nginxStable = super.nginxStable.override {openssl = pkgs.libressl;}; + }) + inputs.dobutterfliescry-net.overlays.default + ]; + + # simple nginx instance to host static construction page + # TODO: I want sshd and forgejo's ssh server to both be bound to port 22 + # So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc) + # and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address) + services.nginx = { + enable = true; + # XXX: TODO: this should auto use the nginxStable overlay no? + # in wake of CVE-2022-3602/CVE-2022-3786 + # package = pkgs.nginxStable.override {openssl = pkgs.libressl;}; + + recommendedGzipSettings = true; + recommendedZstdSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # streamConfig = '' + # server { + # listen 127.0.0.1:53 udp reuseport; + # proxy_timeout 20s; + # proxy_pass 192.168.0.1:53535; + # } + # ''; + + virtualHosts = let + localhost = "http://127.0.0.1"; + std = { + # TODO: should I run over QUIC+HTTP3? 
(experimental) + # quic = true; + # http3 = true; + enableACME = true; + # kTLS = true; # offload TLS to the linux kernel + }; + + vault = + { + forceSSL = true; + locations."/".proxyPass = "${localhost}:8222"; + } + // std; + forge = + { + forceSSL = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "${localhost}:3000"; + } + // std; + in { + "dobutterfliescry.net" = + { + default = true; + addSSL = true; # not strictly enforced <3 + # root = "/var/www/cry"; + root = "${pkgs.dobutterfliescry-net}/www"; + # extraConfig = '' + # error_page 404 /custom_404.html; + # ''; + } + // std; + # Route "vault" subdomain to vaultwarden + "vault.imbored.dev" = vault; + # Route "forge" subdomain to forgejo + # TODO: use `forgejo.settings.server.ENABLE_ACME` instead? + # "tearforge.net" = forge; + "forge.dobutterfliescry.net" = forge; + }; + }; +} diff --git a/hosts/hyrule/services/vaultwarden.nix b/hosts/butterfly/services/vaultwarden.nix similarity index 100% rename from hosts/hyrule/services/vaultwarden.nix rename to hosts/butterfly/services/vaultwarden.nix diff --git a/hosts/hyrule/default.nix b/hosts/hyrule/default.nix index beaa81d..6684f58 100755 --- a/hosts/hyrule/default.nix +++ b/hosts/hyrule/default.nix 
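Review bot: The overlay swaps nginx's TLS library to LibreSSL "in wake of CVE-2022-3602/CVE-2022-3786", but those issues affected OpenSSL 3.0.0–3.0.6 only and were fixed in 3.0.7 (November 2022), so the override no longer mitigates anything while it does move nginx off the build that nixpkgs tests; unless LibreSSL is wanted for its own sake, dropping the overlay and the matching commented `package =` line removes a stale special case. If it stays, the overlay should use its own argument rather than the module-level `pkgs`: `nginxStable = super.nginxStable.override {openssl = self.libressl;};` — reaching back into the final `pkgs` from inside an overlay is the pattern that produces infinite-recursion errors once anything else in the fixpoint depends on it. Also, the main vhost uses `addSSL = true` ("not strictly enforced"), so dobutterfliescry.net keeps serving plaintext HTTP with no redirect even though every other vhost sets `forceSSL`; if the plaintext listener is deliberate, say why in the comment, otherwise putting `forceSSL = true;` into the shared `std` set makes the policy uniform.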
@@ -1,45 +1,10 @@ -{ - pkgs, - upkgs, - ... -}: let - home-manager = builtins.fetchTarball { - url = "https://github.com/nix-community/home-manager/archive/release-25.05.tar.gz"; - sha256 = "07pk5m6mxi666dclaxdwf7xrinifv01vvgxn49bjr8rsbh31syaq"; - }; -in { +{pkgs, ...}: { imports = [ ./hardware-configuration.nix - (import "${home-manager}/nixos") - ./services/forgejo.nix - ./services/vaultwarden.nix - ./services/nginx.nix - # ./mailserver.nix # TEMP: location - # ./minecraft-server.nix # TEMP: location - - ../modules/bashistrans.nix + ./services ]; - nix.settings = { - # make wheel group trusted users allows my "ae" user - # to import packages not signed by a trusted key - # (aka super duper easier to remote deploy) - trusted-users = ["root" "@wheel"]; - experimental-features = [ - "nix-command" - "flakes" - ]; - }; - - time.timeZone = "Australia/Brisbane"; - - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "us"; - }; - # super duper minimum grub2 config boot.loader.grub = { enable = true; @@ -48,29 +13,10 @@ in { networking = { hostName = "hyrule"; - networkmanager.enable = true; - - # Use CloudFlare's WARP+ 1.1.1.1 DNS service - nameservers = [ - "1.1.1.1" - "1.0.0.1" - ]; - firewall = { - enable = true; allowedTCPPorts = [ - 22 # sshd 80 # nginx - # 143 # IMAP4 443 # nginx - # 587 # SMTPS - 2222 # forgejo ssh - 2035 # debug (for my job) - # 3000 (INTERNAL) forgejo - # 3306 (INTERNAL) forgejo sqlite3 database - 5000 # debug (for my job) - # 8222 (INTERNAL) vaultwarden - 45000 # minecaft server ]; allowedUDPPorts = [ 54231 # Wireguard @@ -102,11 +48,9 @@ in { }; users = { - defaultUserShell = pkgs.bash; - users = { # primary user - ae = { + cry = { isNormalUser = true; extraGroups = ["wheel"]; shell = pkgs.bash; 
@@ -115,16 +59,6 @@ in { ]; }; - # TODO: reduce security implications of subspace - subspace = { - isNormalUser = true; - shell = pkgs.bash; - home = "/home/subspace"; - packages = with pkgs; [ - wishlist - ]; - }; - friends = { isNormalUser = true; shell = pkgs.fish; @@ -135,54 +69,5 @@ in { virtualisation.docker.enable = true; - home-manager = { - users = { - ae = import ../../homes/ae; - subspace = import ../../homes/subspace; - }; - }; - - services = { - openssh = { - enable = true; - ports = [22]; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; - AllowUsers = ["ae" "subspace"]; # DO NOT ALLOW ALL - UseDns = true; - X11Forwarding = false; - }; - }; - }; - - security = { - # accept Lets Encrypt's security policy (for nginx) - acme = { - acceptTerms = true; - # TODO: change this to me@imbored.dev - defaults.email = "eclarkboman@gmail.com"; - }; - - sudo = { - enable = true; - wheelNeedsPassword = true; - }; - # allow SSH keys for passwordless auth - # TODO: DO NOT USE THIS (create my own alternative to colmena) - pam = { - enableSSHAgentAuth = true; - services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module - }; - }; - - environment.systemPackages = with pkgs; [ - eza - git - vim - helix - tcpdump - ]; - system.stateVersion = "24.11"; # DO NOT MODIFY } diff --git a/hosts/hyrule/services/default.nix b/hosts/hyrule/services/default.nix new file mode 100644 index 0000000..1f3c874 --- /dev/null +++ b/hosts/hyrule/services/default.nix @@ -0,0 +1,7 @@ +{...}: { + imports = [ + ./services/forgejo.nix + ./services/vaultwarden.nix + ./services/nginx.nix + ]; +} diff --git a/hosts/lolcathost/default.nix b/hosts/lolcathost/default.nix index 80b12fd..b0d87f8 100755 --- a/hosts/lolcathost/default.nix +++ b/hosts/lolcathost/default.nix 
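Review bot: The imports in hosts/hyrule/services/default.nix resolve relative to that file's own directory, so `./services/forgejo.nix` points at hosts/hyrule/services/services/forgejo.nix, which does not exist, and hyrule's evaluation fails at the first import. Correcting the prefix to `./forgejo.nix` does not rescue it either, because this same patch renames forgejo.nix and vaultwarden.nix from hosts/hyrule/services/ to hosts/butterfly/services/; only `./nginx.nix` still exists under hyrule. The commit needs to decide which host runs Forgejo and Vaultwarden — hyrule's firewall hunk drops 2222/45000 and butterfly's opens them, which suggests butterfly — and then reduce this file to `imports = [ ./nginx.nix ];`, with hyrule's nginx vhosts adjusted to match.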
@@ -1,451 +1,20 @@ -{ - lib, - pkgs, - upkgs, - inputs, - config, - ... -}: { +{...}: { imports = [ ./hardware-configuration.nix - - ../modules/bashistrans.nix - - ../modules/wm/hyprland.nix - - ../modules/steam.nix - ../modules/obsidian.nix ]; - nix.settings.experimental-features = [ - "nix-command" - "flakes" - "pipe-operators" - ]; - - nixpkgs.config.allowUnfreePredicate = let - whitelist = with pkgs; - map lib.getName [ - discord - steam - steamcmd - steam-unwrapped - - winbox - - obsidian - gitkraken - ]; - in - pkg: builtins.elem (lib.getName pkg) whitelist; - - boot.loader = { - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot/efi"; - }; - grub = { - efiSupport = true; - device = "nodev"; - useOSProber = false; - }; - # GitHub: vinceliuice/grub2-themes - grub2-theme = { - enable = true; - theme = "whitesur"; # stylish, vimix, or whitesur - footer = true; - customResolution = "1920x1080"; - }; - }; - - time.timeZone = "Australia/Brisbane"; - i18n.defaultLocale = "en_US.UTF-8"; # internationalisation - - # Enable initrd hook for virtual console customisation - # aka cool colours when bootting yay!! - console = { - enable = true; - earlySetup = true; # initrd pre hook - keyMap = "us"; - font = "Lat2-Terminus16"; - # ANSI 24-bit color definitions (theme: dracula) - colors = [ - "21222c" - "ff5555" - "50fa7b" - "f1fa8c" - "bd93f9" - "ff79c6" - "8be9fd" - "f8f8f2" - "6272a4" - "ff6e6e" - "69ff94" - "ffffa5" - "d6acff" - "ff92df" - "a4ffff" - "ffffff" - ]; - }; - - # ----- NETWORKING ----- - networking = { - hostName = "lolcathost"; - networkmanager.enable = true; - - firewall.enable = false; - - # Use CloudFlare's WARP+ 1.1.1.1 DNS service - nameservers = [ - "1.1.1.1#one.one.one.one" - "1.0.0.1#one.one.one.one" - ]; - }; + networking.hostName = "lolcathost"; # ----- SERVICES ----- services = { - # systemd-resolved provides network name resolution - # to local processes via a D-Bus interface. 
- resolved = { - enable = true; - dnssec = "true"; - domains = ["~."]; - # Use CloudFlare's WARP+ 1.1.1.1 DNS service - fallbackDns = [ - "1.1.1.1#one.one.one.one" - "1.0.0.1#one.one.one.one" - ]; - dnsovertls = "true"; - }; - - # Set display manager (login screen) - displayManager = { - # sddm relies on pkgs.libsForQt5.qt5.qtgraphicaleffects - sddm = { - enable = true; - wayland.enable = true; # experimental - theme = "corners"; - }; - defaultSession = - "hyprland" - + ( - if config.programs.hyprland.withUWSM == true - then "-uwsm" - else null - ); - }; - # dbus = { # # NOTE: programs.uwsm.enable sets implementation to dbus-broker, # # NOTE: however this seems to break dbus # implementation = lib.mkForce "dbus"; # }; - # Multimedia Framework - # With backwards compatability for alsa/pulseaudio/jack - pipewire = { - enable = true; - audio.enable = true; - wireplumber.enable = true; - - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - jack.enable = true; - }; - # Touchpad support libinput.enable = true; - - tumbler.enable = true; # Thunar image thumbnail support - gvfs.enable = true; # Thunar mount, trash, and other functionality - }; - security.rtkit.enable = true; # I *think* this is for pipewire - - # ------- USERS ------- - users = { - # Using fish as the login shell tends to go very poorly because it isn't - # POSIX compliant, so we default the login shell to Bash instead :) - defaultUserShell = pkgs.bash; - - users = { - # literally me fr (personal account) - me = { - isNormalUser = true; - extraGroups = ["wheel" "netdev" "docker"]; - shell = pkgs.bash; - packages = let - # TODO: can I just do this: https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake#url-like-syntax - # instead to use colmena's flake.nix by specifying a rev hash in the flake input? 
- colmena-src = pkgs.fetchFromGitHub { - owner = "zhaofengli"; - repo = "colmena"; - rev = "47b6414d800c8471e98ca072bc0835345741a56a"; - sha256 = "rINodqeUuezuCWOnpJgrH7u9vJ86fYT+Dj8Mu8T/IBc="; - }; - colmena-latest = pkgs.callPackage "${colmena-src}/package.nix" {}; - in - with pkgs; [ - firefox - nitch - starfetch - - colmena-latest - - gitkraken - ]; - }; - - # user for friends to ssh into - friends = { - isNormalUser = true; - shell = pkgs.fish; - }; - }; - }; - - home-manager = { - users.me = import ../../homes/me; - extraSpecialArgs = {inherit inputs pkgs upkgs;}; - sharedModules = []; - }; - - # ---- ENVIRONMENT VARIABLES ---- - environment = { - # always install "dev" derivation outputs - extraOutputsToInstall = ["dev" "man"]; - - sessionVariables = { - # folder names with capitalisation look awful! - XDG_DOWNLOAD_DIR = "$HOME/downloads"; - - # Hint Electrons apps to use Wayland - NIXOS_OZONE_WL = "1"; - }; - }; - - # ---- SYSTEM PACKAGES ----- - environment.systemPackages = with pkgs; [ - # User Environment - swww - helvum - easyeffects - pavucontrol - ani-cli - bluetui - wl-clipboard # clipboard for wayland - hyprpicker # color picker - hyprshot # screenshot utility - wl-screenrec # screen recording utility - qbittorrent # torrenting - signal-desktop - video-trimmer - - (callPackage ../sddm-theme-corners.nix {}).sddm-theme-corners - # dependencies for my sddm theme: - pkgs.libsForQt5.qt5.qtgraphicaleffects - - # Shell - bash - fish - elvish # reference for crysh development - shellcheck - grc # colorise command outputs - moreutils - - # Systems Emulation - qemu # Fellice Bellard's Quick Emulator - # Binaries - binutils - strace - ltrace - perf-tools # ftrace + perf - radare2 - gdb - hexyl - # ASM - nasm - # x86-manpages # WARNING: cerulean doesn't allow overlays bruh - # C Family - gcc - clang - clang-tools - gnumake - cmake - - # Rust - cargo - rustc - rustfmt - # Go - go - # Nim - nim - nimble - # Haskell - ghc - ghcid - ormolu - - # Nix - 
nix-prefetch-git - nix-index - nix-unit - deploy-rs.deploy-rs - - # Python - python312 # I use 3.12 since it's in a pretty stable state now - python314 # also 3.14 for latest features - poetry - # Sage - sageWithDoc # SageMath + HTML Documentation - - # .NET - dotnetCorePackages.dotnet_9.sdk - dotnetCorePackages.dotnet_9.aspnetcore - dotnetCorePackages.dotnet_9.runtime - - openvpn - inetutils - - # security tools - rustscan - nmap - dig - gobuster - nth - zap - - httpie - curlie - zoxide - doggo - tldr - btop - eza - yazi - lazygit - ripgrep - viddy # modern `watch` command - timg # terminal image (sixel) viewer - - # Pretty necessary - git - git-filter-repo - brightnessctl - acpi - # upower - vim - powertop - imagemagick - - # "Standard" Unix Commands - file - wget - tree - pstree - unzip - unrar-free - lz4 - man-pages - man-pages-posix - - # Cryptography - gnupg - openssl - libargon2 - - # Games - prismlauncher # minecraft - upkgs.olympus # celeste - discord - discordo - # ekphos # WARNING: cerulean doesnt allow overlays yet - ]; - - programs = { - fish.enable = true; - - nix-ld.enable = true; - - # Thunar also uses: `services.tumbler` & `services.gvfs` - thunar = { - enable = true; - plugins = with pkgs.xfce; [ - thunar-volman # for removable drives (ie USBs) - thunar-archive-plugin # create and extract archives - thunar-media-tags-plugin # change metadata for media files - ]; - }; - - # mozilla's email client - thunderbird.enable = true; - }; - - # ----- FONTS ----- - fonts = { - enableDefaultPackages = true; # no clue what this line does tbh - packages = with pkgs; - [ - #(nerdfonts.override { - # fonts = [ - # "Cousine" - # "Iosevka" - # "JetBrainsMono" - # ]; - # }) - - geist-font # for my hyprlock theme - # texlive maintains a noto-emoji flake - texlivePackages.noto-emoji - ] - ++ builtins.filter lib.attrsets.isDerivation ( - builtins.attrValues pkgs.nerd-fonts - ); - - # TODO: change my default fonts - fontconfig = { - defaultFonts = { - serif = ["Geist"]; 
# TODO: package Iosevka Etoile since Iosevka isn't a serif font - sansSerif = ["Geist"]; - monospace = ["Cousine"]; - emoji = ["Noto Emoji"]; - }; - }; - }; - - documentation = { - enable = true; - doc.enable = true; # install /share/doc packages - man.enable = true; # install manpages - info.enable = true; # install GNU info - dev.enable = true; # install docs intended for developers - nixos = { - enable = true; # install NixOS documentation (ie man -k nix, & nixos-help) - options.splitBuild = true; - # includeAllModules = true; - }; - }; - - virtualisation.docker.enable = true; - - hardware = { - graphics = { - enable = true; - enable32Bit = true; - }; - - # opengl = { - # enable = true; - # driSupport = true; - # driSupport32Bit = true; - # } - - bluetooth = { - enable = true; - powerOnBoot = true; - }; }; # DO NOT MODIFY diff --git a/hosts/myputer/default.nix b/hosts/myputer/default.nix index 5cb8368..cd0d683 100755 --- a/hosts/myputer/default.nix +++ b/hosts/myputer/default.nix 
@@ -1,139 +1,16 @@ { - lib, pkgs, upkgs, - inputs, - config, ... -}: let - home-manager = builtins.fetchTarball { - url = "https://github.com/nix-community/home-manager/archive/release-25.05.tar.gz"; - sha256 = "0q3lv288xlzxczh6lc5lcw0zj9qskvjw3pzsrgvdh8rl8ibyq75s"; - }; -in { +}: { imports = [ ./hardware-configuration.nix - (import "${home-manager}/nixos") - - ../modules/bashistrans.nix - - ../modules/wm/hyprland.nix - - ../modules/steam.nix - - ../modules/obsidian.nix - ../modules/apps/rider.nix - ../modules/apps/winbox.nix - - #../modules/flipperzero.nix - #../modules/chameleonultragui.nix - - inputs.nix-flatpak.nixosModules.nix-flatpak ]; - nix.settings = { - experimental-features = [ - "flakes" - "nix-command" - "pipe-operators" - ]; - download-buffer-size = 524288000; # 500 MiB - }; - # nixpkgs.overlays = [ - # (self: super: { - # jdk17 = super.jdk17.override (prev: { - # enableJavaFX = true; - # }); - # }) - # ]; - - nixpkgs.config.allowUnfreePredicate = let - vscext = pkgs.vscode-extensions; - whitelist = with pkgs; - map lib.getName [ - discord - steam - steamcmd - steam-unwrapped - - winbox - - obsidian - gitkraken - - vscode - vscext.ms-dotnettools.csharp - vscext.ms-dotnettools.csdevkit - vscext.github.copilot - vscext.github.copilot-chat - - # XXX: DEBUG - # rider-override - # XXX: DEBUG - - # jetbrains.rider - ]; - in - pkg: builtins.elem (lib.getName pkg) whitelist; - - boot.loader = { - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot/efi"; - }; - grub = { - efiSupport = true; - device = "nodev"; - # useOSProber = true; - }; - # GitHub: vinceliuice/grub2-themes - grub2-theme = { - enable = true; - theme = "whitesur"; # stylish, vimix, or whitesur - footer = true; - # TODO: switch my cables to switch default grub display - customResolution = "3840x2160"; - }; - }; - - time.timeZone = "Australia/Brisbane"; - i18n.defaultLocale = "en_US.UTF-8"; # internationalisation - - # Enable initrd hook for virtual console customisation - # aka 
cool colours when bootting yay!! - console = { - enable = true; - earlySetup = true; # initrd pre hook - keyMap = "us"; - font = "Lat2-Terminus16"; - # ANSI 24-bit color definitions (theme: dracula) - colors = [ - "21222c" - "ff5555" - "50fa7b" - "f1fa8c" - "bd93f9" - "ff79c6" - "8be9fd" - "f8f8f2" - "6272a4" - "ff6e6e" - "69ff94" - "ffffa5" - "d6acff" - "ff92df" - "a4ffff" - "ffffff" - ]; - }; - - # ----- NETWORKING ----- networking = { hostName = "myputer"; - networkmanager.enable = true; firewall = { - enable = true; allowedTCPPorts = [ 22 # SSH 80 # HTTP 
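Review bot: The new side keeps `firewall = { allowedTCPPorts = [ 22 ... 80 ...` but drops the `enable = true;` that sat next to it, so whether the firewall is on for this host now depends on the NixOS default or on a group module that is not visible in this hunk. NixOS enables `networking.firewall` by default, so this is not a regression on its own, but the allow list reads as if the firewall were configured here; keeping `enable = true; # explicit: the allow list below only matters if this stays on` beside the port list, or a one-line comment naming the module that now owns the firewall settings, would make the intent clear. The same hunk also removes the `nix.settings` and `allowUnfreePredicate` blocks without a replacement in view, which is presumably the groups/ refactor, so a short comment at the top of the host pointing to the group that provides them would help the next reader. The `networking` attrset continues past the end of the hunk.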
@@ -147,239 +24,40 @@ in { # ----- SERVICES ----- services = { flatpak.enable = true; - - # Set display manager (login screen) - displayManager = { - # sddm relies on pkgs.libsForQt5.qt5.qtgraphicaleffects - sddm = { - enable = true; - wayland.enable = true; # experimental - theme = "corners"; - }; - defaultSession = - "hyprland" - + ( - if config.programs.hyprland.withUWSM - then "-uwsm" - else null - ); - }; - - # Multimedia Framework - # With backwards compatability for alsa/pulseaudio/jack - pipewire = { - enable = true; - wireplumber.enable = true; - - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - jack.enable = true; - }; - - tumbler.enable = true; # Thunar image thumbnail support - gvfs.enable = true; # Thunar mount, trash, and other functionality }; - security.rtkit.enable = true; # I *think* this is for pipewire # ------- USERS ------- security.sudo.wheelNeedsPassword = false; users = { - # Using fish as the login shell tends to go very poorly because it isn't - # POSIX compliant, so we default the login shell to Bash instead :) - defaultUserShell = pkgs.bash; - users = { # just me fr (personal account) me = { isNormalUser = true; extraGroups = ["wheel" "netdev" "docker"]; shell = pkgs.bash; - packages = let - # TODO: can I just do this: https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake#url-like-syntax - # instead to use colmena's flake.nix by specifying a rev hash in the flake input? - colmena-src = pkgs.fetchFromGitHub { - owner = "zhaofengli"; - repo = "colmena"; - rev = "47b6414d800c8471e98ca072bc0835345741a56a"; - sha256 = "rINodqeUuezuCWOnpJgrH7u9vJ86fYT+Dj8Mu8T/IBc="; - }; - colmena-latest = pkgs.callPackage "${colmena-src}/package.nix" {}; - in - with pkgs; [ - firefox - nitch - starfetch + packages = with pkgs; [ + firefox + nitch + starfetch - colmena-latest + colmena-latest - gitkraken - # NOTE: downloadthing this causes my PC to freak!! 
("too many open files" error) - #keyguard # bitwarden client app - ]; + gitkraken + # NOTE: downloadthing this causes my PC to freak!! ("too many open files" error) + #keyguard # bitwarden client app + ]; }; - - # user for my professional jobs and stuff - ae = { - isNormalUser = true; - extraGroups = ["wheel"]; - shell = pkgs.bash; - }; - }; - }; - - home-manager = { - users.me = import ../../homes/me; - extraSpecialArgs = {inherit inputs pkgs upkgs;}; - sharedModules = []; - }; - - # ---- ENVIRONMENT VARIABLES ---- - environment = { - # always install "dev" derivation outputs - extraOutputsToInstall = ["dev" "man"]; - - sessionVariables = { - # folder names with capitalisation look awful! - XDG_DOWNLOAD_DIR = "$HOME/downloads"; - - # Hint Electrons apps to use Wayland - NIXOS_OZONE_WL = "1"; }; }; # ---- SYSTEM PACKAGES ----- environment.systemPackages = with pkgs; [ # User Environment - swww - helvum - easyeffects - pavucontrol - ani-cli - bluetui - wl-clipboard # clipboard for wayland - hyprpicker # color picker - hyprshot # screenshot utility - qbittorrent - signal-desktop - kdePackages.gwenview # image viewer libreoffice - # TEST: WARNING - # ospd-openvas - # openvas-scanner - # openvas-smb - - (callPackage ../sddm-theme-corners.nix {}).sddm-theme-corners - # dependencies for my sddm theme: - pkgs.libsForQt5.qt5.qtgraphicaleffects - - # Shell - bash - fish - shellcheck - grc # colorise command outputs - moreutils - - # Systems Programming & Compilation - qemu # Fellice Bellard's Quick Emulator - # GNU Utils - gnumake - # Binaries - binutils - strace - ltrace - perf-tools # ftrace + perf - radare2 - gdb - # ASM - nasm - (callPackage ../packages/x86-manpages {}) - # C Family - gcc - clang - clang-tools - - # Rust - cargo - rustc - # Go - go - # Nim - nim - nimble - # Haskell - ghc - ghcid - ormolu - - # Java - visualvm - - # Python - python312 # I use 3.12 since it's in a pretty stable state now - python314 # also 3.14 for latest features - poetry - # Sage - 
sageWithDoc # SageMath + HTML Documentation - - openvpn - inetutils - - # security tools - rustscan - nmap - dig - gobuster - nth - zap - wireguard-tools - - httpie - curlie - zoxide - doggo - tldr - # btop - eza - yazi - lazygit - ripgrep - viddy # modern `watch` command - - deploy-rs - - tesseract # for my work with Agribit - - # Pretty necessary - git - git-filter-repo - nix-prefetch-git - brightnessctl - acpi - vim - powertop - imagemagick - - # "Standard" Unix Commands - file - wget - tree - pstree - unzip - unrar-free - lz4 - man-pages - man-pages-posix - - # Cryptography - gnupg - openssl - libargon2 - # Games prismlauncher # minecraft - upkgs.olympus + upkgs.olympus # CELESTE!! <3 :3 discord ]; 
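Review bot: The rewritten `packages = with pkgs; [ ... colmena-latest ... ]` still references `colmena-latest`, but the `let` block that defined it via `pkgs.fetchFromGitHub` with a pinned `rev` and `sha256` is deleted in this same hunk, so unless an overlay or the groups/ modules now add `pkgs.colmena-latest`, evaluation fails with an undefined variable. If it does come from elsewhere now, the pin is worth preserving: the removed binding fixed both the commit and the hash, and the replacement should carry an equivalent `rev`/`hash` so the deploy tool is not silently tracking a moving branch. A comment such as `colmena-latest # provided by <overlay/module name>, pinned at <rev>` next to the reference would document where it comes from. The `users.users.me` attrset and the enclosing host config continue past this hunk.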
@@ -399,122 +77,6 @@ in { # ]; #}; - programs = { - zsh.enable = true; - fish.enable = true; - - nix-ld.enable = true; - - neovim = { - enable = true; - defaultEditor = true; - viAlias = true; - vimAlias = true; - configure = { - customRC = '' - set number - set tabstop=4 - set shiftwidth=4 - ''; - }; - }; - - # Thunar also (optionally) requires: `services.tumbler` & `services.gvfs` - thunar = { - enable = true; - plugins = with pkgs.xfce; [ - thunar-volman # for removable drives (ie USBs) - thunar-archive-plugin # create and extract archives - thunar-media-tags-plugin # change metadata for media files - ]; - }; - - # mozilla's email client - thunderbird.enable = true; - - java = let - # XXX: WARNING: TEST :WARNING: XXX - # Test for CrazyCraft VoidLauncher - myjdk = pkgs.jdk17.override { - enableJavaFX = true; - # openjfx_jdk = pkgs.openjfx17.override {withWebKit = true;}; - }; - in { - enable = true; - package = myjdk; - }; - }; - - # ----- FONTS ----- - fonts = { - enableDefaultPackages = true; # no clue what this line does tbh - packages = with pkgs; - [ - # (nerdfonts.override { - # fonts = [ - # "Cousine" # its ok i guess - # "Iosevka" # nah nah - # "IosevkaTerm" # big nah - # "CascadiaCode" # potential - # "FiraCode" # potential - # "JetBrainsMono" # for my rofi theme - # "Hasklig" - # "Hack" - # ]; - # }) - - geist-font # for my hyprlock theme - # texlive maintains a noto-emoji flake - texlivePackages.noto-emoji - ] - ++ builtins.filter lib.attrsets.isDerivation ( - builtins.attrValues pkgs.nerd-fonts - ); - - # TODO: change my default fonts - fontconfig = { - defaultFonts = { - serif = ["Iosevka"]; - sansSerif = ["Iosevka "]; - monospace = ["Cousine"]; - emoji = ["Noto Emoji"]; - }; - }; - }; - - documentation = { - enable = true; - doc.enable = true; # install /share/doc packages - man.enable = true; # install manpages - info.enable = true; # install GNU info - dev.enable = true; # install docs intended for developers - nixos = { - enable = true; # install 
NixOS documentation (ie man -k nix, & nixos-help) - options.splitBuild = true; - # includeAllModules = true; - }; - }; - - virtualisation.docker.enable = true; - - hardware = { - graphics = { - enable = true; - enable32Bit = true; - }; - - # opengl = { - # enable = true; - # driSupport = true; - # driSupport32Bit = true; - # } - - bluetooth = { - enable = true; - powerOnBoot = true; - }; - }; - # DO NOT MODIFY system.stateVersion = "24.05"; # Did you read the comment? } diff --git a/hosts/sddm-theme-corners.nix b/packages/sddm-theme-corners/default.nix similarity index 100% rename from hosts/sddm-theme-corners.nix rename to packages/sddm-theme-corners/default.nix