stuff&things

Signed-off-by: Magic_RB <magic_rb@redalder.org>
Magic_RB 2022-08-18 22:55:46 +02:00
parent a5a651dbb9
commit 3fb5d945c0
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
17 changed files with 747 additions and 816 deletions


100
flake.nix

@ -31,7 +31,7 @@
deploy-rs.inputs.utils.follows = "flake-utils";
deploy-rs.inputs.flake-compat.follows = "flake-compat";
nomad-driver-containerd-nix.url = "git+https://gitea.redalder.org/Magic_RB/nomad-driver-containerd-nix";
nomad-driver-containerd-nix.url = "github:MagicRB/nomad-driver-containerd-nix"; # "git+https://gitea.redalder.org/Magic_RB/nomad-driver-containerd-nix";
nomad-driver-containerd-nix.inputs.nixpkgs.follows = "nixpkgs";
nix-gaming.url = "github:fufexan/nix-gaming";
@ -46,6 +46,48 @@
flake-utils.url = "github:numtide/flake-utils";
webcord-flake.url = "github:fufexan/webcord-flake";
webcord-flake.inputs.nixpkgs.follows = "nixpkgs";
webcord-flake.inputs.dream2nix.follows = "dream2nix";
webcord-flake.inputs.webcord.follows = "webcord";
dream2nix.url = "github:nix-community/dream2nix";
dream2nix.inputs.nixpks.follows = "nixpkgs";
dream2nix.inputs.alejandra.follows = "alejandra";
dream2nix.inputs.pre-commit-hooks.follows = "pre-commit-hooks";
dream2nix.inputs.flake-utils-pre-commit.follows = "flake-utils";
alejandra.url = "github:kamadorueda/alejandra";
alejandra.inputs.nixpkgs.follows = "nixpkgs";
alejandra.inputs.fenix.follows = "fenix";
alejandra.inputs.flakeCompat.follows = "flake-compat";
pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
nil.url = "github:oxalica/nil";
nil.inputs.nixpkgs.follows = "nixpkgs";
nil.inputs.flake-utils.follows = "flake-utils";
webcord.url = "github:SpacingBat3/WebCord";
webcord.flake = false;
fenix.url = "github:nix-community/fenix";
fenix.flake = false;
devshell.url = "github:numtide/devshell";
devshell.flake = false;
gomod2nix.url = "github:tweag/gomod2nix";
gomod2nix.flake = false;
mach-nix.url = "github:DavHau/mach-nix";
mach-nix.flake = false;
crane.url = "github:ipetkov/crane";
crane.flake = false;
flake-compat.url = "github:edolstra/flake-compat";
flake-compat.flake = false;
@ -81,39 +123,35 @@
self,
flake-parts,
nixpkgs,
nixinate,
...
} @ inputs:
# let
# inherit (nixpkgs-unstable.lib) nixosSystem;
# inherit (home-manager.lib) homeManagerConfiguration;
# supportedSystems = [ "x86_64-linux" ]; # add "i686-linux" "aarch64-linux" back after hls is fixed
# forAllSystems' = systems: f: nixpkgs.lib.genAttrs systems (system: f system);
# forAllSystems = forAllSystems' supportedSystems;
# pkgsForSystem =
# system:
# import nixpkgs
# { system = "x86_64-linux";
# overlays =
# [ inputs.poetry2nix.overlay
# ];
# };
# in
flake-parts.lib.mkFlake
{
inherit self;
specialArgs = {
roots.nixos = ./. + "/nixos";
roots.flake = ./.;
roots.home-manager = ./. + "/home-manager";
};
}
{
}:
let
systems = ["x86_64-linux" "aarch64-linux"];
flake =
flake-parts.lib.mkFlake
{
inherit self;
specialArgs = {
roots.nixos = ./. + "/nixos";
roots.flake = ./.;
roots.home-manager = ./. + "/home-manager";
};
}
{
inherit systems;
imports = [
./modules
];
};
imports = [
./modules
];
};
in
flake // {
apps = nixpkgs.lib.genAttrs systems (system:
(nixinate.nixinate.${system} self)
// flake.apps.${system}
);
};
# nixosConfigurations.omen = nixosSystem (import ./systems/omen.nix inputs);
# omen = self.nixosConfigurations.omen.config.system.build.toplevel;
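Review bot: `dream2nix.inputs.nixpks.follows = "nixpkgs";` misspells the input name, so the follows never applies and dream2nix keeps its own locked nixpkgs instead of the one pinned in this flake; it should read `dream2nix.inputs.nixpkgs.follows = "nixpkgs";`. Depending on the Nix version such a follows is either silently ignored or only warned about, so checking flake.lock for a second nixpkgs revision is the way to confirm. The `apps` merge at the end of the section indexes `flake.apps.${system}` for every entry of `systems`; if some system ends up without an `apps` attribute that evaluation fails, so either confirm every system defines apps or guard it with `flake.apps.${system} or {}`.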


@ -24,7 +24,7 @@ in {
openscad
cura
inkscape
prusa-slicer
# prusa-slicer
freecad
];
};


@ -51,6 +51,7 @@ in {
isync
exa
fd
rnix-lsp
]);
})
.bundle;


@ -26,7 +26,7 @@ in {
mpv
slack
ungoogled-chromium
fufexan-discord-canary
webcord
element-desktop
xournalpp


@ -7,6 +7,7 @@
withSystem,
self,
roots,
config,
...
}:
with lib; let
@ -60,8 +61,4 @@ with lib; let
foldr mergeAttrs {} systemConfigurations;
in {
flake.nixosConfigurations = eachNixosSystem "${roots.nixos}/systems";
perSystem = {pkgs, system, ...}: {
apps = inputs.nixinate.nixinate.${system} self;
};
}


@ -33,6 +33,12 @@ in {
];
initrd.kernelModules = ["dm-snapshot"];
kernelModules = ["i2c-dev" "kvm-amd"];
kernelParams = [
"zfs.zfs_arc_max=8589934592"
"nvidia.NVreg_EnablePCIeGen3=1"
"nvidia.NVreg_UsePageAttributeTable=1"
"nvidia-drm.modeset=1"
];
extraModulePackages = [];
kernelPackages = kernel;
};
@ -81,80 +87,45 @@ in {
};
"/mnt/cartman" = {
device = "storfa/ds1/cartman";
fsType = "zfs";
device = "192.168.0.71:/mnt/cartman";
fsType = "nfs";
options = [ "_netdev" "hard" "async" ];
};
"/mnt/kyle" = {
device = "storfa/ds1/kyle";
fsType = "zfs";
device = "192.168.0.71:/mnt/kyle";
fsType = "nfs";
options = [ "_netdev" "hard" "async" ];
};
"/mnt/stan" = {
device = "storfa/ds1/stan";
fsType = "zfs";
};
"/mnt/net/Magic_RB" = {
device = "192.168.0.71:/mnt/stan";
fsType = "nfs";
device = "${secret.network.ips.blowhole.ip}:/var/nfs/Magic_RB";
options = [
"hard"
"async"
"tcp"
"fsc"
];
options = [ "_netdev" "hard" "async" ];
};
"/var/cache/fscache" = {
device = "heater-zpool/persist/cachefilesd";
fsType = "zfs";
};
# "/mnt/net/Magic_RB" = {
# fsType = "nfs";
# device = "${secret.network.ips.blowhole.ip}:/var/nfs/Magic_RB";
# options = [
# "hard"
# "async"
# "tcp"
# "fsc"
# ];
# };
# "/var/cache/fscache" = {
# device = "heater-zpool/persist/cachefilesd";
# fsType = "zfs";
# };
};
systemd.services.mnt-kyle-zfs-relmount = {
requires = ["mnt-kyle.mount"];
after = ["mnt-kyle.mount"];
path = with pkgs; [zfs utillinux];
serviceConfig = {
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${pkgs.zfs-relmount}/bin/zfs-relmount storfa/ds1/kyle /mnt/kyle";
};
};
systemd.services.mnt-cartman-zfs-relmount = {
requires = ["mnt-cartman.mount"];
after = ["mnt-cartman.mount"];
path = with pkgs; [zfs utillinux];
serviceConfig = {
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${pkgs.zfs-relmount}/bin/zfs-relmount storfa/ds1/cartman /mnt/cartman";
};
};
systemd.services.mnt-stan-zfs-relmount = {
requires = ["mnt-stan.mount"];
after = ["mnt-stan.mount"];
path = with pkgs; [zfs utillinux];
serviceConfig = {
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${pkgs.zfs-relmount}/bin/zfs-relmount storfa/ds1/stan /mnt/stan";
};
};
services.cachefilesd = {
enable = true;
cacheDir = "/var/cache/fscache";
};
# services.cachefilesd = {
# enable = true;
# cacheDir = "/var/cache/fscache";
# };
swapDevices = [];
};
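Review bot: The three new NFS entries (`/mnt/cartman`, `/mnt/kyle`, `/mnt/stan`) combine `hard` and `_netdev` without an automount, so if 192.168.0.71 is unreachable at boot the mount units block and, once mounted, `hard` keeps every access retrying indefinitely; adding `"noauto" "x-systemd.automount"` to the options list (or `"soft"` for non-critical data) keeps this host's boot independent of the NAS. The options also leave the NFS version and security flavour at the client defaults (negotiated version, `sec=sys`, i.e. uid-based trust across the LAN); pinning `"nfsvers=4.2"` makes that explicit and avoids an NFSv3/rpcbind fallback. `async` is already the mount default and adds nothing here. The relmount services and cachefilesd removed from this file presumably moved to the new nas.nix; confirm nothing else on this host still referenced the `mnt-*-zfs-relmount` units.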


@ -16,22 +16,13 @@ in {
};
config = mkIf cfg.enable {
sound.enable = true;
hardware = {
pulseaudio = {
enable = true;
package = mkIf bluetooth-enable pkgs.pulseaudioFull;
daemon.config = {
default-sample-rate = 96000;
default-sample-format = "s32le";
resample-method = "speex-float-5";
nice-level = -19;
};
};
pulseaudio.support32Bit = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
systemd.user.services.pulseaudio.enable = true;
};
}


@ -21,6 +21,8 @@
./vault.nix
./bind.nix
./vault-agent.nix
./nas.nix
./firewall.nix
];
home-manager.users."main" = {...}: {
@ -37,7 +39,7 @@
};
_module.args.nixinate = {
host = "10.64.1.201";
host = "192.168.0.71";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
@ -58,12 +60,7 @@
networking = {
hostName = "blowhole";
useDHCP = false;
interfaces.eno1.useDHCP = true;
nameservers = [
# Needed for DNS to resolv in containerd containers
"10.64.1.1"
];
interfaces.enp7s0f1.useDHCP = true;
firewall = {
enable = true;
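Review bot: `firewall = { enable = true;` at the end of this section is now contradicted by the newly imported `./firewall.nix`, which (assuming it is the new file added below) sets `firewall.enable = mkForce false;` and replaces the iptables firewall with an nftables ruleset; the mkForce wins silently, so this file claims a firewall it no longer has. Remove the `firewall` block here, or fold whatever it still configures into the nftables ruleset, so the two files agree. The nameservers and the "Needed for DNS to resolv in containerd containers" comment were dropped here while firewall.nix sets `nameservers = [ "8.8.8.8" ];`; if that containerd constraint still holds, the comment belongs next to the new setting. The enclosing `networking` attribute set continues outside the hunk.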


@ -0,0 +1,92 @@
{ pkgs, config, lib, ... }:
with lib;
let
wan = "enp7s0f1";
lan = "enp7s0f0";
doVPN = "do_vpn0";
in
{
boot.kernel.sysctl = {
# Enable forwarding on IPv4 but disable on IPv6
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = false;
# source: https://github.com/mdlayher/homelab/blob/master/nixos/routnerr-2/configuration.nix#L52
# By default, not automatically configure any IPv6 addresses.
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.all.autoconf" = 0;
"net.ipv6.conf.all.use_tempaddr" = 0;
# On WAN, allow IPv6 autoconfiguration and tempory address use.
# "net.ipv6.conf.${name}.accept_ra" = 2;
# "net.ipv6.conf.${name}.autoconf" = 1;
};
networking = {
useDHCP = false;
hostName = "blowhole";
nameservers = [ "8.8.8.8" ];
# Disable the in-built iptable based firewall
firewall.enable = mkForce false;
interfaces = {
# Don't do DHCP on the LAN interface
"${lan}".useDHCP = false;
# But do DHCP on the WAN interface
"${wan}".useDHCP = true;
};
wireguard = {
enable = true;
interfaces."${doVPN}" =
config.magic_rb.secret.wireguard."${config.networking.hostName}"
// {
listenPort = 6666;
privateKeyFile = "/var/secrets/${doVPN}.key";
};
};
nftables = {
enable = true;
ruleset = ''
table ip filter {
chain input_out {
ct state { established, related } accept comment "Allow established traffic"
icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
}
chain input {
type filter hook input priority 0; policy drop;
tcp dport 22 accept comment "Accept SSH traffic always"
iifname { "${lan}" } accept comment "Allow local network to access the router"
iifname { "${wan}", "${doVPN}" } jump input_out
}
chain forward {
type filter hook forward priority filter; policy drop;
iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
iifname { "${wan}" } oifname { "${lan}" } ct state established, related accept comment "Allow established back to LANs"
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "${wan}" masquerade
}
}
table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;
}
chain forward {
type filter hook forward priority 0; policy drop;
}
}
'';
};
};
}
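Review bot: The `input` chain of the nftables ruleset has no loopback rule, so a new connection to 127.0.0.1 (any local client talking to a local daemon) arrives on `lo`, matches neither the `${lan}` accept nor the `${wan}`/`${doVPN}` jump, and hits `policy drop`; add `iif lo accept comment "Allow loopback"` as the first rule of `input`. The WireGuard interface is configured with `listenPort = 6666`, but nothing in `input` or `input_out` accepts UDP 6666 on `${wan}`, so peers can only reach this host if it initiated the handshake first; `udp dport 6666 accept comment "Allow WireGuard handshakes"` in `input_out` fixes that. `tcp dport 22 accept` precedes the interface checks and therefore admits SSH from `${wan}` as well as the LAN and VPN; if that is intended it deserves a comment, otherwise move it below the `${lan}` rule and restrict it with `iifname "${doVPN}"`. The `forward` chain has no rule involving `${doVPN}`, so VPN clients cannot reach the LAN or the WAN through this router — confirm that is the intent.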


@ -0,0 +1,161 @@
{ pkgs, ... }:
{
fileSystems."/mnt/cartman" = {
device = "storfa/ds1/cartman";
fsType = "zfs";
};
systemd.services.mnt-kyle-zfs-relmount = {
requires = ["mnt-kyle.mount"];
after = ["mnt-kyle.mount"];
path = with pkgs; [zfs utillinux];
serviceConfig = {
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${pkgs.zfs-relmount}/bin/zfs-relmount mount storfa/ds1/kyle /mnt/kyle";
};
};
fileSystems."/mnt/kyle" = {
device = "storfa/ds1/kyle";
fsType = "zfs";
};
systemd.services.mnt-cartman-zfs-relmount = {
requires = ["mnt-cartman.mount"];
after = ["mnt-cartman.mount"];
path = with pkgs; [zfs utillinux];
serviceConfig = {
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${pkgs.zfs-relmount}/bin/zfs-relmount mount storfa/ds1/cartman /mnt/cartman";
};
};
fileSystems."/mnt/stan" = {
device = "storfa/ds1/stan";
fsType = "zfs";
};
systemd.services.mnt-stan-zfs-relmount = {
requires = ["mnt-stan.mount"];
after = ["mnt-stan.mount"];
path = with pkgs; [zfs utillinux];
serviceConfig = {
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${pkgs.zfs-relmount}/bin/zfs-relmount mount storfa/ds1/stan /mnt/stan";
};
};
# services.samba = {
# enable = true;
# package = pkgs.sambaFull;
# openFirewall = true;
# securityType = "user";
# extraConfig = ''
# workgroup = WORKGROUP
# server string = blowhole
# netbios name = blowhole
# security = user
# #use sendfile = yes
# #max protocol = smb2
# # note: localhost is the ipv6 localhost ::1
# hosts allow = 192.168.0. 127.0.0.1 localhost
# hosts deny = 0.0.0.0/0
# guest account = nobody
# map to guest = bad user
# # Enable POSIX ACLs
# vfs objects = acl_xattr
# map acl inherit = yes
# store dos attributes = yes
# smb2 unix extensions = yes
# '';
# shares = {
# cartman = {
# path = "/mnt/cartman";
# browseable = "yes";
# "read only" = "no";
# "guest ok" = "no";
# "force user" = "main";
# "force group" = "main";
# "locking" = "yes";
# "valid users" = "main";
# };
# kyle = {
# path = "/mnt/kyle";
# browseable = "yes";
# "read only" = "no";
# "guest ok" = "no";
# "force user" = "main";
# "force group" = "main";
# "locking" = "yes";
# "valid users" = "main";
# };
# stan = {
# path = "/mnt/stan";
# browseable = "yes";
# "read only" = "no";
# "guest ok" = "no";
# "force user" = "main";
# "force group" = "main";
# "locking" = "yes";
# "valid users" = "main";
# };
# };
# };
fileSystems."/run/restic" = {
fsType = "tmpfs";
options = [ "size=64M" ];
};
services.restic.backups.cartman = {
initialize = true;
timerConfig = {
OnCalendar = "03:00";
};
paths = [ "/run/restic/cartman" ];
backupPrepareCommand = ''
snapshot="$(date +restic%+4Y_%U_%u)"
${pkgs.zfs-relmount}/bin/zfs-relmount snapshot storfa/ds1/cartman "''${snapshot}"
mkdir /run/restic/cartman
${pkgs.zfs-relmount}/bin/zfs-relmount mount-snapshot storfa/ds1/cartman /run/restic/cartman "''${snapshot}"
'';
backupCleanupCommand = ''
${pkgs.zfs-relmount}/bin/zfs-relmount umount storfa/ds1/cartman /run/restic/cartman
rm -r /run/restic/cartman
'';
passwordFile = "";
};
systemd.timers."restic-backups-cartman" = {
timerConfig = {
Persistent = true;
WakeSystem = true;
};
};
systemd.services."restic-backups-cartman" = {
path = with pkgs; [
utillinux
zfs
];
serviceConfig = {
Nice = 19;
IOSchedulingClass = "idle";
EnvironmentFile = "/var/secrets/restic-b2";
};
};
}
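Review bot: `backupCleanupCommand` removes the snapshot mountpoint with `rm -r /run/restic/cartman`; if the preceding `zfs-relmount umount` fails or only partly succeeds, `rm -r` recurses into whatever is still mounted there rather than just removing the directory, so use `rmdir /run/restic/cartman`, which refuses while anything is mounted on it. Conversely `mkdir /run/restic/cartman` in `backupPrepareCommand` fails outright when a previous run left the directory behind; `mkdir -p /run/restic/cartman` makes re-runs clean once cleanup uses `rmdir`. `passwordFile = "";` reads as a misconfiguration — presumably the password and the repository come from `EnvironmentFile = "/var/secrets/restic-b2"` via `RESTIC_PASSWORD`/`RESTIC_REPOSITORY`; a comment such as `# password and repository are supplied by /var/secrets/restic-b2 (RESTIC_PASSWORD, RESTIC_REPOSITORY)` would make that explicit, and it is worth confirming the NixOS restic module tolerates an empty passwordFile rather than exporting an empty RESTIC_PASSWORD_FILE.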


@ -8,10 +8,10 @@
fufexan-dotfiles,
nixpkgs,
} @ inputs: final: prev: {
fufexan-discord-canary = (import (fufexan-dotfiles + "/pkgs/default.nix") inputs final prev).discord-electron-openasar.override {
isWayland = false;
inherit (prev.discord-canary) src pname version;
binaryName = "DiscordCanary";
};
# fufexan-discord-canary = (import (fufexan-dotfiles + "/pkgs/default.nix") inputs final prev).discord-electron-openasar.override {
# isWayland = false;
# inherit (prev.discord-canary) src pname version;
# binaryName = "DiscordCanary";
# };
};
}

15
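--- a/overlays/nil.nix
+++ b/overlays/nil.nix
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
+#
+# SPDX-License-Identifier: LGPL-3.0-or-later
+{
+name = "nil";
+overlay = {nil}:
+final:
+prev:
+{
+nil = nil.packages.${prev.stdenv.system}.default;
+rnix-lsp = prev.writeShellScriptBin "rnix-lsp" ''
+exec ${final.nil}/bin/nil "$@"
+'';
+};
+}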
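Review bot: The overlay redefines `rnix-lsp` as a shell wrapper that execs `nil`, which silently replaces the real rnix-lsp package for every consumer of this overlay; a comment on that attribute should state the intent, e.g. `# Shim: editors still configured for rnix-lsp transparently get nil instead.` Without it, someone later adding the genuine `rnix-lsp` package to a configuration will not understand why they get nil.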


@ -3,5 +3,13 @@
# SPDX-License-Identifier: LGPL-3.0-or-later
{
name = "nomad-driver-containerd-nix";
overlay = {nomad-driver-containerd-nix}: nomad-driver-containerd-nix.overlay;
overlay = {nomad-driver-containerd-nix}:
final:
prev:
{
nomad-driver-containerd-nix =
(nomad-driver-containerd-nix.overlay final prev).nomad-driver-containerd-nix.overrideAttrs (old:
{ vendorSha256 = "sha256-xLQZzs5WzdWUndKhc4hkVqijewfYY9CipAPCgi39a7M="; }
);
};
}
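Review bot: The `vendorSha256` override pins a hash that belongs to one specific revision of the upstream `go.sum`, so the next `nix flake update` of `nomad-driver-containerd-nix` will fail with a hash mismatch and the cause will not be obvious from this file; add a comment above the override saying why the upstream value is wrong and which upstream revision this hash was computed for, e.g. `# upstream's vendorSha256 is stale; recomputed for <upstream rev>`. The `old:` argument of `overrideAttrs` is unused and could be written `_:` to signal that.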

12
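--- a/overlays/webcord.nix
+++ b/overlays/webcord.nix
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
+#
+# SPDX-License-Identifier: LGPL-3.0-or-later
+{
+name = "webcord";
+overlay = {webcord-flake}:
+final:
+prev:
+{
+webcord = webcord-flake.packages.${prev.stdenv.system}.default;
+};
+}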


@ -4,14 +4,13 @@
#
# SPDX-License-Identifier: LGPL-3.0-or-later
zfs_src="${1}"
dst_dir="${2}"
function recurse_children()
{
local volume="${1}"
local dir="${2}"
local relmount="${3}"
local children="${4}"
local action="${5}"
for child in $children
do
@ -20,14 +19,15 @@ function recurse_children()
continue
fi
mount_wc "${child}" "${dir}/$(basename "${child}")"
recursive_perform "${child}" "${dir}/$(basename "${child}")" "${action}"
done
}
function mount_wc()
function recursive_perform()
{
local volume="${1}"
local dir="${2}"
local action="${3}"
local relmount="$(zfs get -Ho value :relmount "${volume}")"
local children="$(zfs list -Hrd 1 "${volume}" -o name | tr '\n' ' ')"
@ -36,16 +36,47 @@ function mount_wc()
then
case "${relmount}" in
"yes")
mount -o X-mount.mkdir -t zfs "${volume}" "${dir}"
recurse_children "${volume}" "${dir}" "${relmount}"
;;
eval "${action}"
recurse_children "${volume}" "${dir}" "${relmount}" "${children}" "${action}"
;;
"pass")
recurse_children "${volume}" "${dir}" "${relmount}"
;;
recurse_children "${volume}" "${dir}" "${relmount}" "${children}" "${action}"
;;
"*")
;;
;;
esac
fi
}
mount_wc "${zfs_src}" "${dst_dir}"
action="${1}"
shift 1
case $action in
"mount")
zfs_src="${1}"
dst_dir="${2}"
recursive_perform "${zfs_src}" "${dst_dir}" 'mount -o X-mount.mkdir -t zfs "${volume}" "${dir}"'
;;
"mount-snapshot")
zfs_src="${1}"
dst_dir="${2}"
snapshot="${3}"
recursive_perform "${zfs_src}" "${dst_dir}" 'mount -o X-mount.mkdir -t zfs "${volume}"@'"${snapshot}"' "${dir}"'
;;
"umount")
zls_src="${1}"
dst_dir="${2}"
recursive_perform "${zfs_src}" "${dst_dir}" 'umount -t zfs "${dir}"'
;;
"snapshot")
root="${1}"
snapshot="${2}"
recursive_perform "${root}" "${root}" 'zfs snapshot "${volume}"@'"${snapshot}"
;;
"*")
;;
esac
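Review bot: The `umount` branch assigns `zls_src="${1}"` but then calls `recursive_perform "${zfs_src}" "${dst_dir}" …`, and since the top-level `zfs_src=` assignment was removed in the first hunk, `zfs_src` is empty there and `zfs get`/`zfs list` run against an empty dataset name; the line should be `zfs_src="${1}"`. Both fall-through arms are written `"*")`, which matches only the literal string `*`, never "anything else" — use `*)` in this outer `case` and in the one inside `recursive_perform` (that function starts above the hunk at L681). For the `umount` action the traversal order is also inverted: `recursive_perform` runs `eval "${action}"` before `recurse_children`, so a parent dataset is unmounted while child datasets are still mounted beneath it, which the kernel refuses as busy whenever nested `relmount=yes` children exist; unmount needs children first, e.g. by letting the action string decide whether it runs before or after the recursion. Since the action is executed through `eval` with `${snapshot}` spliced into the command text, a snapshot name containing quotes or whitespace changes the command; the name is generated by `date` in nas.nix today, but validating it (`[[ "${snapshot}" =~ ^[A-Za-z0-9_.-]+$ ]] || exit 1`) keeps the script safe if it is later invoked with a user-supplied name.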

2
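--- a/secret
+++ b/secret
@@ -1 +1 @@
-Subproject commit d2a14f6c28127338aff150717d822133be394053
+Subproject commit c023ce2434306ff9b435cc5585ee50e1b15e6f8a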