--- /dev/null
+secrets.nix
+secrets/
+result
+hosts/*.ygg
+WIP/
+
+*.save
+# ---> Emacs
+# -*- mode: gitignore; -*-
+*~
+*~undo-tree~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode
+.org-id-locations
+*_archive
+
+# flymake-mode
+*_flymake.*
+
+# eshell files
+/eshell/history
+/eshell/lastdir
+
+# elpa packages
+/elpa/
+
+# reftex files
+*.rel
+
+# AUCTeX auto folder
+/auto/
+
+# cask packages
+.cask/
+dist/
+
+# Flycheck
+flycheck_*.el
+
+# server auth directory
+/server/
+
+# projectiles files
+.projectile
+
+# directory configuration
+.dir-locals.el
+
+# network security
+/network-security.data
+
+
--- /dev/null
+{
+ "nodes": {
+ "base16": {
+ "inputs": {
+ "nixpkgs": [
+ "stylix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1658847131,
+ "narHash": "sha256-X6Mml7cT0YR3WCD5fkUhpRVV5ZPcwdcDsND8r8xMqTE=",
+ "owner": "SenchoPens",
+ "repo": "base16.nix",
+ "rev": "6b404cda2e04ca3cf5ca7b877af9c469e1386acb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "SenchoPens",
+ "repo": "base16.nix",
+ "type": "github"
+ }
+ },
+ "blobs": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1604995301,
+ "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "type": "gitlab"
+ }
+ },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1680555990,
+ "narHash": "sha256-Tu/i5sd0hk4c4VtWO8XpY3c9KmHDcOWF5Y2GSCh3LXA=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "d6f3ba090ed090ae664ab5bac329654093aae725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "release-22.11",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
+ "inputs": {
+ "nixpkgs": [
+ "stylix",
+ "nixpkgs"
+ ],
+ "utils": "utils_3"
+ },
+ "locked": {
+ "lastModified": 1680000368,
+ "narHash": "sha256-TlgC4IJ7aotynUdkGRtaAVxquaiddO38Ws89nB7VGY8=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "765e4007b6f9f111469a25d1df6540e8e0ca73a6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "libcamera-apps-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1674645888,
+ "narHash": "sha256-UBTDHN0lMj02enB8im4Q+f/MCm/G2mFPP3pLImrZc5A=",
+ "owner": "raspberrypi",
+ "repo": "libcamera-apps",
+ "rev": "9f08463997b82c4bf60e12c4ea43577959a8ae15",
+ "type": "github"
+ },
+ "original": {
+ "owner": "raspberrypi",
+ "ref": "v1.1.1",
+ "repo": "libcamera-apps",
+ "type": "github"
+ }
+ },
+ "nixlib": {
+ "locked": {
+ "lastModified": 1680397293,
+ "narHash": "sha256-wBpJ73+tJ8fZSWb4tzNbAVahC4HSo2QG3nICDy4ExBQ=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "b18d328214ca3c627d3cc3f51fd9d1397fdbcd7a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixos-generators": {
+ "inputs": {
+ "nixlib": "nixlib",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1680764424,
+ "narHash": "sha256-2tNAE9zWbAK3JvQnhlnB1uzHzhwbA9zF6A17CoTjnbk=",
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "rev": "15ae4065acbf414989a8677097804326fe7c0532",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1680665430,
+ "narHash": "sha256-MTVhTukwza1Jlq2gECITZPFnhROmylP2uv3O3cSqQCE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5233fd2ba76a3accb5aaa999c00509a11fd0793c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-22_11": {
+ "locked": {
+ "lastModified": 1669558522,
+ "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-22.11",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1680669251,
+ "narHash": "sha256-AVNE+0u4HlI3v96KCXE9risH7NKqj0QDLLfSckYXIbA=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "9c8ff8b426a8b07b9e0a131ac3218740dc85ba1e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1669542132,
+ "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
+ "raspberry-pi-nix": {
+ "inputs": {
+ "libcamera-apps-src": "libcamera-apps-src",
+ "rpi-bluez-firmware-src": "rpi-bluez-firmware-src",
+ "rpi-firmware-nonfree-src": "rpi-firmware-nonfree-src",
+ "rpi-firmware-stable-src": "rpi-firmware-stable-src",
+ "rpi-linux-5_15-src": "rpi-linux-5_15-src",
+ "u-boot-src": "u-boot-src"
+ },
+ "locked": {
+ "lastModified": 1678801763,
+ "narHash": "sha256-yELOVlxvXouMpoosFQlnk8bFzs48pBl5goiUh8d2tnU=",
+ "owner": "tstat",
+ "repo": "raspberry-pi-nix",
+ "rev": "3ca8c6898ae3bc4d5527a75d9f499018afeb65dc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tstat",
+ "repo": "raspberry-pi-nix",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "home-manager": "home-manager",
+ "nixos-generators": "nixos-generators",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "raspberry-pi-nix": "raspberry-pi-nix",
+ "simple-nixos-mailserver": "simple-nixos-mailserver",
+ "stylix": "stylix",
+ "zero": "zero"
+ }
+ },
+ "rpi-bluez-firmware-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1672928175,
+ "narHash": "sha256-gKGK0XzNrws5REkKg/JP6SZx3KsJduu53SfH3Dichkc=",
+ "owner": "RPi-Distro",
+ "repo": "bluez-firmware",
+ "rev": "9556b08ace2a1735127894642cc8ea6529c04c90",
+ "type": "github"
+ },
+ "original": {
+ "owner": "RPi-Distro",
+ "repo": "bluez-firmware",
+ "type": "github"
+ }
+ },
+ "rpi-firmware-nonfree-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1674638139,
+ "narHash": "sha256-54JKmwypD7PRQdd7k6IcF7wL8ifMavEM0UwZwmA24O4=",
+ "owner": "RPi-Distro",
+ "repo": "firmware-nonfree",
+ "rev": "7f29411baead874b859eda53efdc2472345ea454",
+ "type": "github"
+ },
+ "original": {
+ "owner": "RPi-Distro",
+ "repo": "firmware-nonfree",
+ "type": "github"
+ }
+ },
+ "rpi-firmware-stable-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1673003776,
+ "narHash": "sha256-tdaH+zZwmILNFBge2gMqtzj/1Hydj9cxhPvhw+7jTrU=",
+ "owner": "raspberrypi",
+ "repo": "firmware",
+ "rev": "78852e166b4cf3ebb31d051e996d54792f0994b0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "raspberrypi",
+ "ref": "stable",
+ "repo": "firmware",
+ "type": "github"
+ }
+ },
+ "rpi-linux-5_15-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1675874870,
+ "narHash": "sha256-oy+VgoB4IdFZjGwkx88dDSpwWZj2D5t3PyXPIwDsY1Q=",
+ "owner": "raspberrypi",
+ "repo": "linux",
+ "rev": "14b35093ca68bf2c81bbc90aace5007142b40b40",
+ "type": "github"
+ },
+ "original": {
+ "owner": "raspberrypi",
+ "ref": "rpi-5.15.y",
+ "repo": "linux",
+ "type": "github"
+ }
+ },
+ "simple-nixos-mailserver": {
+ "inputs": {
+ "blobs": "blobs",
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-22_11": "nixpkgs-22_11",
+ "utils": "utils_2"
+ },
+ "locked": {
+ "lastModified": 1671659164,
+ "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "nixos-mailserver",
+ "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "ref": "nixos-22.11",
+ "repo": "nixos-mailserver",
+ "type": "gitlab"
+ }
+ },
+ "stylix": {
+ "inputs": {
+ "base16": "base16",
+ "flake-compat": "flake-compat",
+ "home-manager": "home-manager_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1680432579,
+ "narHash": "sha256-sIcl3DvrDdQZM5kBWY25ocxJsIQFPV4gm54l79ZysB0=",
+ "owner": "danth",
+ "repo": "stylix",
+ "rev": "4205a141bfcc0b9d1c04932ec7fdf0f86f99aaf6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "danth",
+ "repo": "stylix",
+ "type": "github"
+ }
+ },
+ "u-boot-src": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-30fe8klLHRsEtEQ1VpYh4S+AflG5yCQYWlGmpWyFL8w=",
+ "type": "tarball",
+ "url": "https://ftp.denx.de/pub/u-boot/u-boot-2023.01.tar.bz2"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://ftp.denx.de/pub/u-boot/u-boot-2023.01.tar.bz2"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1667395993,
+ "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "utils_2": {
+ "locked": {
+ "lastModified": 1605370193,
+ "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "utils_3": {
+ "locked": {
+ "lastModified": 1676283394,
+ "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "zero": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1672452192,
+ "narHash": "sha256-MId839OmZiiXkt9qAOM8WzKZMZ9WLpfd9enI0QoejOg=",
+ "type": "git",
+ "url": "file:/home/cw/0x00"
+ },
+ "original": {
+ "type": "git",
+ "url": "file:/home/cw/0x00"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
--- /dev/null
+# This can be built with nixos-rebuild --flake .#myhost build
+{
+ description = "the simplest flake for nixos-rebuild";
+
+ inputs = {
+ nixpkgs = {
+ url = "github:NixOS/nixpkgs/nixos-22.11";
+ };
+ # inputs.emacs-overlay.url = "github:nix-community/emacs-overlay";
+ # inputs.coricamu.url = "github:danth/coricamu";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11";
+ home-manager = {
+ url = "github:nix-community/home-manager/release-22.11";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ # alfis.url = "github:Revertron/Alfis";
+ stylix = {
+ url = "github:danth/stylix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ raspberry-pi-nix.url = "github:tstat/raspberry-pi-nix";
+ };
+
+ # Outputs can be anything, but the wiki + some commands define their own
+ # specific keys. Wiki page: https://nixos.wiki/wiki/Flakes#Output_schema
+ outputs = {
+ self,
+ nixpkgs,
+ nixpkgs-unstable,
+ home-manager,
+ nixos-generators,
+ # hm-unstable,
+ stylix,
+ # alfis,
+ # colmena,
+ # coricamu,
+ # deploy-rs,
+ zero,
+ raspberry-pi-nix,
+ simple-nixos-mailserver,
+ ...
+ } @inputs:
+ let
+ system = "x86_64-linux";
+ overlay-unstable = final: prev: {
+ # unstable = nixpkgs-unstable.legacyPackages.${prev.system};
+ unstable = import nixpkgs-unstable {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+ in {
+ overlays = import ./overlays/unstable.nix { inherit inputs; };
+ nixosConfigurations = {
+ powerbook = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = self.colmena.meta.specialArgs;
+ # Import our old system configuration.nix
+ modules = self.colmena.powerbook.imports;
+ };
+ marigold = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = self.colmena.meta.specialArgs;
+ # Import our old system configuration.nix
+ modules = self.colmena.marigold.imports;
+ };
+ };
+ packages."x86_64-linux" = {
+ marigold-install-iso = nixos-generators.nixosGenerate {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/iso.nix
+ stylix.nixosModules.stylix
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.cw = import ./users/home.nix { user = "cw"; pkgs = nixpkgs.legacyPackages.x86_64-linux; };
+ }
+ ];
+ format = "install-iso";
+ };
+ marigold-iso = nixos-generators.nixosGenerate {
+ system = "x86_64-linux";
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ modules = [
+ ./hosts/iso.nix
+ stylix.nixosModules.stylix
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.cw = import ./users/home.nix { user = "cw"; pkgs = nixpkgs.legacyPackages.x86_64-linux; };
+ }
+ ];
+ format = "iso";
+ };
+ };
+ colmena = {
+ meta = {
+ nixpkgs = import nixpkgs {
+ system = "x86_64-linux";
+ overlays = [];
+ };
+ nodeNixpkgs.bike = import nixpkgs {
+ system = "aarch64-linux";
+ };
+ specialArgs = inputs;
+ };
+ marigold = {
+ imports = [
+ ./WIP/hosts/marigold.nix
+ ];
+ deployment.targetHost = "marigold.cw.ygg";
+ };
+ moto = {
+ imports = [
+ ./WIP/hosts/moto.nix
+ ];
+ deployment.targetHost = "moto.cw.ygg";
+ };
+ powerbook = {
+ imports = [
+ ./WIP/hosts/powerbook.nix
+ ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+ home-manager.nixosModules.home-manager
+ ];
+ deployment = {
+ allowLocalDeployment = true;
+ targetHost = null;
+ };
+ };
+ kernelpanic = {
+ imports = [
+ ./WIP/hosts/kernelpanic.nix
+ home-manager.nixosModules.home-manager
+ stylix.nixosModules.stylix
+ simple-nixos-mailserver.nixosModule
+ ];
+ deployment = {
+ targetHost = "kernelpanic.cw.ygg";
+ keys = {
+ "yggdrasil.conf.secret" = {
+ keyFile = "./secrets/yggdrasil-kernelpanic.conf";
+ uploadAt = "pre-activation";
+ };
+ };
+ };
+ };
+ telescreen = {
+ imports = [
+ ./WIP/hosts/telescreen.nix
+ home-manager.nixosModules.home-manager
+ stylix.nixosModules.stylix
+ ];
+ deployment = {
+ targetHost = "telescreen.cw.ygg";
+ };
+ };
+ };
+ };
+}
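Review bot: The `outputs` pattern destructures `zero` (L539) but the `inputs` set (L501–L523) never declares it, so evaluating the flake should fail with a missing-attribute error on `zero`; either add the input or drop it from the pattern. The lock file on this page records `zero` as `file:/home/cw/0x00`, a local absolute path, so even with the input declared the flake only evaluates on that one machine — worth a comment on the input, e.g. `# zero: local checkout, not reproducible elsewhere`. `keyFile = "./secrets/yggdrasil-kernelpanic.conf"` is a relative string; I believe colmena resolves it against the working directory rather than the flake root, so document that `colmena apply` must run from the repository root (keeping it a string is right — a path literal would copy the secret into the store).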
--- /dev/null
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.charm;
+in {
+ options.services.charm = {
+ enable = lib.mkEnableOption "Charm cloud server";
+ };
+ config = lib.mkIf cfg.enable {
+ systemd.services.charm = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ description = "The Cloud";
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = ''${pkgs.charm}/bin/charm serve'';
+ Restart = "always";
+ Type = "simple";
+ RestartSec = 1;
+ Environment = "CHARM_SERVER_DATA_DIR=/var/lib/charm";
+ StateDirectory = "charm";
+ WorkingDirectory = "/var/lib/charm";
+ };
+ };
+ };
+}
--- /dev/null
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.helpers.pelican;
+in
+{
+ options.helpers.pelican = lib.mkOption {
+ description = "Pelican SSG helper";
+ default = {};
+ type = with lib.types; attrsOf (submodule {
+ options = {
+ path = lib.mkOption {
+ type = str;
+ };
+ # auth = lib.mkOption {
+ # type = bool;
+ # default = true;
+ # };
+ };
+ });
+ };
+ config = {
+ networking.hosts."127.0.0.1" = builtins.attrNames cfg;
+
+
+ # lifted from https://nixos.wiki/wiki/Nginx#Authentication_via_PAM
+ # also https://github.com/NixOS/nixpkgs/issues/117578
+ # Have not tested to see which of these can be re-enabled. Not a fan of killing all that stuff just for pam.
+ # Maybe copy /etc/shadow to /run/keys via colmena?
+ # security.pam.services.nginx.setEnvironment = false;
+ # systemd.services.nginx.serviceConfig = {
+ # SupplementaryGroups = [ "shadow" ];
+ # NoNewPrivileges = lib.mkForce false;
+ # PrivateDevices = lib.mkForce false;
+ # ProtectHostname = lib.mkForce false;
+ # ProtectKernelTunables = lib.mkForce false;
+ # ProtectKernelModules = lib.mkForce false;
+ # RestrictAddressFamilies = lib.mkForce [ ];
+ # LockPersonality = lib.mkForce false;
+ # MemoryDenyWriteExecute = lib.mkForce false;
+ # RestrictRealtime = lib.mkForce false;
+ # RestrictSUIDSGID = lib.mkForce false;
+ # SystemCallArchitectures = lib.mkForce "";
+ # ProtectClock = lib.mkForce false;
+ # ProtectKernelLogs = lib.mkForce false;
+ # RestrictNamespaces = lib.mkForce false;
+ # SystemCallFilter = lib.mkForce "";
+ # };
+
+
+ # services.nginx.virtualHosts."nfo".locations."/subdomain"
+ services.nginx = {
+ enable = lib.mkDefault true;
+ additionalModules = [ pkgs.nginxModules.pam ];
+ virtualHosts = lib.attrsets.mapAttrs (fqdn: name: {
+ enableACME = config.security.acme.acceptTerms;
+ forceSSL = config.security.acme.acceptTerms;
+ locations."/" = {
+ root = "${name.path}/output";
+ # extraConfig = lib.mkIf name.localOnly ''
+ # allow 127.0.0.1;
+ # deny all;
+ # '';
+ };
+ # extraConfig = lib.mkIf name.auth ''
+ # auth_pam "Password Required";
+ # auth_pam_service_name "nginx";
+ # '';
+ }) cfg;
+ };
+ systemd.services = lib.attrsets.mapAttrs' (fqdn: name: lib.attrsets.nameValuePair "${fqdn}-reloader" {
+ after = [ "networking.target" ];
+ script = ''
+ exec ${pkgs.python310Packages.pelican}/bin/pelican content
+ exec systemd-tmpfiles --create
+ exec systemctl restart nginx.service
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ WorkingDirectory = "${name.path}";
+ };
+ }) cfg;
+ systemd.paths = lib.attrsets.mapAttrs' (fqdn: name: lib.attrsets.nameValuePair "${fqdn}-watcher" {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig = {
+ PathModified = "${name.path}/content";
+ Unit = "${fqdn}-reloader.service";
+ # TriggerLimitIntervalSec = "10s";
+ # TriggerLimitBurst = 50;
+ };
+ }) cfg;
+ };
+}
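Review bot: The reloader `script` (L762–L766) uses `exec` on all three lines, so the first one replaces the shell with pelican and `systemd-tmpfiles --create` and `systemctl restart nginx.service` never run; drop the `exec` prefixes so the lines run in sequence: `${pkgs.python310Packages.pelican}/bin/pelican content`, `systemd-tmpfiles --create`, `systemctl restart nginx.service`. `after = [ "networking.target" ]` (L761) names a unit that does not exist in systemd; the ordering target is `network.target`. `additionalModules = [ pkgs.nginxModules.pam ]` is loaded while every `auth_pam` directive is commented out, so the module is dead weight until the PAM block is reinstated. The `# BOILER`-style commentary aside, a one-line comment above `systemd.paths` saying that the watcher triggers on `content/` and the reloader writes to `output/` (so no rebuild loop) would help the next reader.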
--- /dev/null
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.helpers.webservices;
+in
+{
+ options.helpers.webservices = lib.mkOption {
+ description = "Webservice helper";
+ default = {};
+ type = with lib.types; attrsOf (submodule {
+ options = {
+ port = lib.mkOption {
+ type = port;
+ };
+ # fqdn = lib.mkOption {
+ # type = bool;
+ # default = true;
+ # };
+ # localOnly = lib.mkOption {
+ # type = bool;
+ # default = false;
+ # };
+ auth = lib.mkOption {
+ type = bool;
+ default = true;
+ };
+ };
+ });
+ };
+ config = { # lib.attrsets.mapAttrs (fqdn: name: {
+
+ # helpers.webservices = (lib.mapAttrs (name: nameAttrs: lib.mkIf nameAttrs.fqdn {
+ # port =
+ # }) cfg);
+ # networking.hosts."127.0.0.1" = (lib.attrsets.mapAttrsToList (name: nameattrs: "${name}") cfg) ++ (lib.attrsets.mapAttrsToList (name: nameattrs: if nameattrs.fqdn then "${name}.${config.networking.fqdn}" else "" ) cfg);
+ # networking.hosts."127.0.0.1" = builtins.attrNames cfg ++ (lib.mapAttrsToList (name: nameattrs: lib.mkIf nameattrs.fqdn "${name}.${config.networking.fqdn}") cfg);
+ networking.hosts."127.0.0.1" = builtins.attrNames cfg;
+ # lifted from https://nixos.wiki/wiki/Nginx#Authentication_via_PAM
+ # also https://github.com/NixOS/nixpkgs/issues/117578
+ # Have not tested to see which of these can be re-enabled. Not a fan of killing all that stuff just for pam.
+ # Maybe copy /etc/shadow to /run/keys via colmena?
+ # security.pam.services.nginx.setEnvironment = false;
+ # systemd.services.nginx.serviceConfig = {
+ # SupplementaryGroups = [ "shadow" ];
+ # NoNewPrivileges = lib.mkForce false;
+ # PrivateDevices = lib.mkForce false;
+ # ProtectHostname = lib.mkForce false;
+ # ProtectKernelTunables = lib.mkForce false;
+ # ProtectKernelModules = lib.mkForce false;
+ # RestrictAddressFamilies = lib.mkForce [ ];
+ # LockPersonality = lib.mkForce false;
+ # MemoryDenyWriteExecute = lib.mkForce false;
+ # RestrictRealtime = lib.mkForce false;
+ # RestrictSUIDSGID = lib.mkForce false;
+ # SystemCallArchitectures = lib.mkForce "";
+ # ProtectClock = lib.mkForce false;
+ # ProtectKernelLogs = lib.mkForce false;
+ # RestrictNamespaces = lib.mkForce false;
+ # SystemCallFilter = lib.mkForce "";
+ # };
+
+
+ # services.nginx.virtualHosts."nfo".locations."/subdomain"
+ services.nginx = {
+ enable = lib.mkDefault true;
+ additionalModules = [ pkgs.nginxModules.pam ];
+ virtualHosts = lib.attrsets.mapAttrs (fqdn: name: {
+ enableACME = config.security.acme.acceptTerms;
+ forceSSL = config.security.acme.acceptTerms;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString name.port}";
+ # extraConfig = lib.mkIf name.localOnly ''
+ # allow 127.0.0.1;
+ # deny all;
+ # '';
+ proxyWebsockets = true;
+ };
+ # extraConfig = lib.mkIf name.auth ''
+ # auth_pam "Password Required";
+ # auth_pam_service_name "nginx";
+ # '';
+ }) cfg;
+ };
+ };
+}
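Review bot: The `auth` option (L805–L808) defaults to `true` but nothing in `config` reads it — the only consumer is the commented-out `extraConfig` at L860–L863 — so every host that relies on the default is proxied without any authentication while its declaration says otherwise. Until the PAM block is re-enabled, make that explicit in the option itself, e.g. `description = "Intended to gate the vhost behind auth_pam; NOT enforced yet (see commented extraConfig).";`, or remove the option so callers cannot depend on it. `additionalModules = [ pkgs.nginxModules.pam ]` (L848) is likewise unused until then. The same unenforced default applies to the pelican helper on this page, which also declares an `auth`-style comment block but no option.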
--- /dev/null
+self: super:
+let unstable = self.nixpkgs-unstable.legacyPackages.x86_64-linux;
+in
+{
+ alfis = unstable.alfis;
+ # yggmail = unstable.yggmail;
+ charm = unstable.charm;
+ plik = unstable.plik;
+ yt-dlp = unstable.yt-dlp;
+ gallery-dl = unstable.gallery-dl;
+ zerobin = unstable.zerobin;
+ freenet = unstable.freenet;
+ # factorio = unstable.factorio;
+ openmvs = unstable.openmvs;
+ wasabibackend = unstable.wasabibackend;
+ wasabiwallet = unstable.wasabiwallet;
+}
+
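Review bot: `self.nixpkgs-unstable` (L870) is looked up on the overlay's final package set, which has no such attribute, so any package in this set fails to evaluate; if this is the file imported at flake.nix L554 as `import ./overlays/unstable.nix { inherit inputs; }`, `self` is bound to `{ inputs = …; }` and the lookup fails for that reason instead. Either way the overlay should take the flake inputs explicitly and read `inputs.nixpkgs-unstable`, e.g. `{ inputs }: final: prev:` with `let unstable = inputs.nixpkgs-unstable.legacyPackages.${prev.system};`. Hard-coding `x86_64-linux` also breaks the `aarch64-linux` `bike` node declared in flake.nix; `prev.system` fixes that. Note the flake's own `overlay-unstable` (L546) imports nixpkgs with `allowUnfree = true`, which `legacyPackages` does not, so one of the two definitions should be chosen.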
--- /dev/null
+{ config, lib, pkgs, ... }:
+let
+ fqdn = "gitea.${config.networking.hostName}.${config.networking.domain}";
+in {
+ environment.systemPackages = [ pkgs.tea ];
+ services.gitea = {
+ enable = true;
+ domain = "${fqdn}";
+ rootUrl = if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}";
+ httpAddress = "127.0.0.1";
+ disableRegistration = true;
+ settings = {
+ server = {
+ SSH_DOMAIN = "${fqdn}";
+ LANDING_PAGE = "explore";
+ };
+ ui = {
+ DEFAULT_THEME = "arc-green";
+ };
+ U2F = {
+ APP_ID = if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}";
+ TRUSTED_FACETS = if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}";
+ };
+ };
+ };
+ helpers.webservices."${fqdn}" = {
+ port = config.services.gitea.httpPort;
+ auth = false;
+ };
+}
+
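Review bot: The same `if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}"` expression appears three times (L896, L908, L909); hoist it into the `let` block as `baseUrl = if config.security.acme.acceptTerms then "https://${fqdn}" else "http://${fqdn}";` and use `rootUrl = baseUrl;`, `APP_ID = baseUrl;`, `TRUSTED_FACETS = baseUrl;`. `domain = "${fqdn}"` and `SSH_DOMAIN = "${fqdn}"` interpolate a string that is already a string; plain `fqdn` reads better (the gitweb, invidious, matrix and nitter files on this page do the same). I believe the `U2F` section was superseded by WebAuthn in newer Gitea releases, so a comment naming the Gitea version this targets would save the next maintainer a search.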
--- /dev/null
+{ config, ... }:
+let
+ fqdn = "git.${config.networking.fqdn}";
+in
+{
+ services.nginx.gitweb = {
+ enable = true;
+ location = "";
+ virtualHost = "${fqdn}";
+ };
+ # BOILER
+ # PLATE
+ networking.hosts."127.0.0.1" = [ "${fqdn}" ];
+ # TODO Check perms see if they are g2g. idk about recursive +x
+ systemd.tmpfiles.rules = [
+ "d '${config.services.gitweb.projectroot}' 0775 ${config.services.nginx.user} git"
+ "Z '${config.services.gitweb.projectroot}' 0775 ${config.services.nginx.user} git"
+ ];
+ users.groups.git = {};
+}
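Review bot: The tmpfiles rules (L934–L937) make the nginx user own the whole gitweb project root with mode 0775, and the `Z` rule pushes that ownership and mode onto every existing repository object on each activation; gitweb is a read-only viewer, so the web server only needs read access, and owning the repositories lets a compromised nginx worker rewrite them. Prefer keeping the repositories owned by root (or a dedicated git user) with the `git` group readable, e.g. `"d '${config.services.gitweb.projectroot}' 0750 root git"`, and add the nginx user to `git` via `users.users.${config.services.nginx.user}.extraGroups = [ "git" ];` — this addresses the `# TODO Check perms` at L933. Drop the `# BOILER` / `# PLATE` placeholder comments at L930–L931.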
--- /dev/null
+{ ... }:
+{
+ services.i2p.enable = true;
+}
--- /dev/null
+# User interface stuffs...
+{ config, pkgs, lib, ... }:
+lib.mkIf config.services.xserver.enable {
+ services.xserver = {
+ displayManager = {
+ defaultSession = "xfce+i3";
+ };
+ windowManager.i3 = {
+ enable = lib.mkIf config.services.xserver.enable true;
+ package = pkgs.i3-gaps;
+ extraPackages = with pkgs; [
+ dmenu
+ i3status
+ i3lock
+ raiseorlaunch
+ # xfce.xfce4-clipman-plugin
+ ];
+ };
+ desktopManager = {
+ xfce = {
+ enable = true;
+ noDesktop = true;
+ enableXfwm = false;
+ };
+ };
+ };
+}
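Review bot: `enable = lib.mkIf config.services.xserver.enable true;` (L954) is redundant because the whole module body is already wrapped in `lib.mkIf config.services.xserver.enable` at L948; plain `enable = true;` is equivalent and clearer. A one-line comment above the `mkIf` explaining that this file is imported unconditionally and only takes effect on graphical hosts would document the intent. I believe `i3-gaps` has since been merged back into `i3` upstream, so `package = pkgs.i3-gaps;` may need revisiting when nixpkgs is bumped.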
--- /dev/null
+{ config, lib, ... }:
+let
+ fqdn = "invidious.${config.networking.fqdn}";
+in {
+ services.invidious = {
+ enable = true;
+ port = 3255;
+ domain = "${fqdn}";
+ settings = {
+ https_only = config.security.acme.acceptTerms;
+ external_port = if config.security.acme.acceptTerms then 443 else 80;
+ };
+ };
+ helpers.webservices."${fqdn}".port = config.services.invidious.port;
+}
--- /dev/null
+{ config, lib, ... }:
+let
+ fqdn = "jellyfin.${config.networking.fqdn}";
+in {
+ networking.hosts = {
+ "127.0.0.1" = [ fqdn ];
+ };
+ helpers.webservices."${fqdn}".port = 8096;
+ services.jellyfin = {
+ enable = true;
+ group = lib.mkDefault "media";
+ };
+ users.groups.media = {};
+}
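Review bot: The `networking.hosts."127.0.0.1" = [ fqdn ]` entry (L994–L996) duplicates what the webservices helper already does for every key in `helpers.webservices` (it sets `networking.hosts."127.0.0.1" = builtins.attrNames cfg`), so the fqdn is listed twice after merging; drop the local entry. The port `8096` at L997 is a literal rather than a reference into `services.jellyfin`; if the module in this nixpkgs version exposes no port option (I believe it does not), a comment `# jellyfin's built-in default HTTP port; not exposed as an option` would record why.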
--- /dev/null
+{ config, lib, ... }:
+let
+ fqdn = "libreddit.${config.networking.fqdn}";
+in {
+ services.libreddit = {
+ enable = true;
+ port = 3357;
+ };
+ helpers.webservices."${fqdn}".port = config.services.libreddit.port;
+}
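Review bot: Only `port` is set on `services.libreddit` (L1009–L1012), so the listen address stays at the module default; I believe that default is `0.0.0.0`, which would expose the instance directly on every interface while the nginx vhost from `helpers.webservices` proxies to `127.0.0.1`. Set `address = "127.0.0.1";` alongside `port` so the only path in is through nginx (and thus ACME/TLS when enabled). The `lib` argument at L1005 is unused.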
--- /dev/null
+{ config, pkgs, ... }:
+let
+ fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in{
+ mailserver = {
+ enable = true;
+ fqdn = "mail.${fqdn}";
+ domains = [ "${fqdn}" ];
+ # A list of all login accounts. To create the password hashes, use
+ # mkpasswd -m sha-512 "super secret password"
+ loginAccounts = {
+ "admin@${fqdn}" = {
+ # nix-shell -p mkpasswd --run "mkpasswd -m sha-512 easypassword"
+ hashedPassword = "$6$mwL/Pqv4WZHIP7j.$rU2inAQ8QCICBPCF5MiITptHcbZopBqwHYDudxBHun3zfnaAINqCDaeC/uq7CrzgNtDF2HbFEikz7GYNX6kXZ.";
+ aliases = [
+ "postmaster@${fqdn}"
+ "webmaster@${fqdn}"
+ "abuse@${fqdn}"
+ ];
+ };
+ };
+ # Extra virtual aliases. These are email addresses that are forwarded to
+ # loginAccounts addresses.
+ extraVirtualAliases = {
+ # address = forward address;
+ #"abuse@${fqdn}" = "postmaster@${fqdn}";
+ };
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = 3;
+ # Enable IMAP and POP3
+ enableImap = false;
+ enableImapSsl = true;
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ # Enable the ManageSieve protocol
+ enableManageSieve = true;
+ # whether to scan inbound emails for viruses (note that this requires at least
+ # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
+ virusScanning = false;
+ localDnsResolver = false;
+ };
+}
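Review bot: A SHA-512 password hash for `admin@${fqdn}` is committed inline (L1029), and the comment directly above it shows the example command with `easypassword`, which suggests the hash may be that literal example; the `.gitignore` on this page already reserves `secrets/` for exactly this kind of material. Move the hash out of the repository and reference it by file, e.g. `hashedPasswordFile = "<PATH_TO_DEPLOYED_HASH_FILE>";` (a labelled placeholder — deploy it with the same colmena `deployment.keys` mechanism flake.nix already uses). The comment `# Enable IMAP and POP3` (L1046) contradicts `enableImap = false` and no POP3 option is set; reword it to `# Plain IMAP/submission disabled; only the TLS variants are exposed`.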
--- /dev/null
+{ pkgs, config, lib, ... }:
+let
+ fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+
+
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+
+ services.nginx = {
+ enable = true;
+ clientMaxBodySize = lib.mkDefault "50M";
+ # only recommendedProxySettings and recommendedGzipSettings are strictly required,
+ # but the rest make sense as well
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ # This host section can be placed on a different host than the rest,
+ # i.e. to delegate from the host being accessible as ${config.networking.domain}
+ # to another host actually running the Matrix homeserver.
+ "${fqdn}" = {
+ enableACME = config.security.acme.acceptTerms;
+ forceSSL = config.security.acme.acceptTerms;
+ locations."= /.well-known/matrix/server".extraConfig =
+ let
+ # use 443 instead of the default 8448 port to unite
+ # the client-server and server-server port for simplicity
+ server = { "m.server" = "matrix.${fqdn}:443"; };
+ in ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig =
+ let
+ client = {
+ "m.homeserver" = { "base_url" = "https://matrix.${fqdn}"; };
+ #"m.identity_server" = { "base_url" = "https://vector.im"; };
+ };
+ # ACAO required to allow element-web on any URL to request this json file
+ in ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+ # Reverse proxy for Matrix client-server and server-server communication
+ "matrix.${fqdn}" = {
+ enableACME = config.security.acme.acceptTerms;
+ forceSSL = config.security.acme.acceptTerms;
+
+ # Or do a redirect instead of the 404, or whatever is appropriate for you.
+ # But do not put a Matrix Web client here! See the Element web section below.
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+
+ # forward all Matrix API calls to the synapse Matrix homeserver
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008"; # without a trailing /
+ };
+ };
+ };
+ };
+ services.matrix-synapse = {
+ enable = true;
+ server_name = "${fqdn}";
+ plugins = with config.services.matrix-synapse.package.plugins; [
+ # matrix-synapse-ldap3
+ matrix-synapse-pam
+ ];
+ listeners = [
+ {
+ port = 8008;
+ bind_address = "::1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ extraConfig = ''
+public_baseurl: https://matrix.${fqdn}
+password_providers:
+ - module: "pam_auth_provider.PAMAuthProvider"
+ config:
+ create_users: true
+ skip_user_check: false
+max_upload_size: 50M
+
+caches:
+ global_factor: 1.0
+ per_cache_factors:
+ get_users_who_share_room_with_user: 2.0
+ sync_response_cache_duration: 2m
+ cache_autotuning:
+ max_cache_memory_usage: 1024M
+ target_cache_memory_usage: 512M
+ min_cache_ttl: 5m
+'';
+ };
+
+ # Element web client
+ services.nginx.virtualHosts."element.${fqdn}" = {
+ enableACME = config.security.acme.acceptTerms;
+ forceSSL = config.security.acme.acceptTerms;
+
+ root = pkgs.element-web.override {
+ conf = {
+ default_server_config."m.homeserver" = {
+ "base_url" = "https://matrix.${fqdn}";
+ "server_name" = "${fqdn}";
+ };
+ };
+ };
+ };
+}
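Review bot: `initialScript` (L1067–L1073) bakes `PASSWORD 'synapse'` into a file under `/nix/store`, which every local user can read; as far as I can tell the synapse module connects over the local Unix socket with peer authentication and never uses that password, so `CREATE ROLE "matrix-synapse" WITH LOGIN;` is sufficient and removes a stored credential. If a password is genuinely needed, load it from a deployed secret rather than the store. The `password_providers` block in `extraConfig` (L1156–L1160) is, I believe, the legacy interface that newer Synapse releases replaced with `modules`, and `extraConfig` itself has a `settings`-based successor in later NixOS — a comment naming the Synapse/NixOS versions this was written against would help when upgrading.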
--- /dev/null
+{ ... }:
+{
+ services.murmur = {
+ enable = true;
+ bonjour = true;
+ bandwidth = 72000;
+ logFile = "/var/log/murmur/murmurd.log";
+ logDays = 7;
+ };
+}
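Review bot: `logFile = "/var/log/murmur/murmurd.log"` (L1197) points into a directory that nothing here creates; unless the murmur module creates it (I do not believe it does), murmurd will fail to open the log at startup. Either add a tmpfiles rule such as `systemd.tmpfiles.rules = [ "d /var/log/murmur 0750 murmur murmur" ];` (adjust owner to whatever user the module runs as) or leave `logFile` unset so logs go to the journal, which already gives the `logDays` retention via journald. `bonjour = true` advertises the server on the local network via mDNS; a short comment stating that this is intended would be worthwhile.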
--- /dev/null
+{ config, lib, ... }:
+let
+ fqdn = "nitter.${config.networking.fqdn}";
+in {
+ services.nitter = {
+ enable = true;
+ server = {
+ hostname = "${fqdn}";
+ address = "127.0.0.1";
+ https = config.security.acme.acceptTerms;
+ };
+ preferences = {
+ replaceTwitter = "${fqdn}";
+ replaceInstagram = "farside.link/bibliogram";
+ replaceYouTube = if config.services.invidious.enable then "${config.services.invidious.domain}" else "farside.link/invidious";
+ };
+ };
+ helpers.webservices."${fqdn}".port = config.services.nitter.server.port;
+}
--- /dev/null
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ unstable.rPackages.multiview # older version
+ # unstable.rPackages.multiviewtest # newer version
+ # unstable.python311Packages.opensfm
+ colmap
+ # unstable.colmapWithCuda # CUDA support
+ unstable.openmvs
+ unstable.openmvg
+ meshlab
+ ];
+}
--- /dev/null
+{ config, lib, ... }:
+let
+ fqdn = "plik.${config.networking.fqdn}";
+in {
+ services.plikd = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ ListenAddress = "0.0.0.0";
+ ListenPort = 8844;
+ MaxFileSize = lib.mkDefault 1000000000;
+ MaxTTL = lib.mkDefault 7776000;
+ };
+ };
+ helpers.webservices."${fqdn}".port = config.services.plikd.settings.ListenPort;
+ services.nginx = {
+ clientMaxBodySize = lib.mkDefault "1000M";
+ };
+}
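Review bot: `ListenAddress = "0.0.0.0"` together with `openFirewall = true` (L1242–L1245) exposes plik on port 8844 on every interface, bypassing the nginx vhost that `helpers.webservices` creates on L1250 and with it the ACME/TLS handling; change to `ListenAddress = "127.0.0.1";` and drop `openFirewall = true;` so the only entry point is the proxy. `MaxFileSize` (1000000000 bytes) and the nginx `clientMaxBodySize` `1000M` are close but not identical units; a comment noting they are meant to match, or deriving one from the other, would keep them from drifting.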
--- /dev/null
+{ pkgs, config, lib, ... }:
+let
+ hostname = "syncthing.${config.networking.fqdn}";
+in
+{
+
+ services.syncthing = {
+ enable = true;
+ # openDefaultPorts = true;
+ };
+ systemd.tmpfiles.rules = lib.mkIf config.services.syncthing.enable [
+ "d '/var/lib/syncthing' 0775 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+ "Z '/var/lib/syncthing' 0775 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+ ];
+}
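Review bot: The `Z` rule (L1268) recursively re-applies 0775 and the syncthing user/group to everything under `/var/lib/syncthing` on every activation, which makes all synced data group-writable and, if the config directory lives under the data directory (the module default as far as I know), also loosens the permissions on the instance's certificate, key and config; syncthing's own defaults are stricter. Drop the `Z` rule and keep at most the `d` rule, or tighten it to `"d '/var/lib/syncthing' 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}"`. The `hostname` let-binding (L1258) and the `pkgs` argument are unused — either remove them or add the `helpers.webservices."${hostname}"` entry they seem to anticipate.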
--- /dev/null
+{ pkgs, config, users, lib, ... }:
+let
+ fqdn = "twtxt.${config.networking.fqdn}";
+in
+{
+ users.groups = {
+ twtxt = {};
+ };
+ environment.systemPackages = [
+ pkgs.twtxt
+ ];
+ services.nginx = {
+ enable = lib.mkDefault true;
+ virtualHosts."${fqdn}" = {
+ root = "/var/lib/twtxt";
+ enableACME = config.security.acme.acceptTerms;
+ forceSSL = config.security.acme.acceptTerms;
+ locations = {
+ "/" = {
+ tryFiles = "/twtxt.txt =404"; # Read that path out loud three times fast.
+ };
+ };
+ };
+ };
+ systemd.tmpfiles.rules = lib.mkIf config.services.syncthing.enable [
+ "d '/var/lib/twtxt' 0774 ${config.services.nginx.user} twtxt"
+ "Z '/var/lib/twtxt' 0774 ${config.services.nginx.user} twtxt"
+ ];
+}
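Review bot: The tmpfiles rules for `/var/lib/twtxt` are gated on `config.services.syncthing.enable` (L1296), which looks copied from the syncthing file on this page; on a host without syncthing the directory is never created and the vhost serves 404 for everything. Replace it with an unconditional `systemd.tmpfiles.rules = [`. `users` in the argument pattern at L1272 is not a module argument and is not referenced (the `users.groups` below is an attribute path, not the variable), so drop it from the pattern.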
--- /dev/null
+{
+ services.yggdrasil = {
+ enable = true;
+ # persistentKeys = true;
+ # The NixOS module will generate new keys and a new IPv6 address each time
+ # it is started if persistentKeys is not enabled.
+
+ config = {
+ IFName = "ygg0";
+ Listen = [
+ "tls://0.0.0.0:32333"
+ "tls://[::]:32333"
+ ];
+ MulticastInterfaces = [
+ {
+ Regex = ".*";
+ Beacon = true;
+ Listen = true;
+ Port = 32332;
+ Priority = 0;
+ }
+ ];
+ Peers = [
+ # Yggdrasil will automatically connect and "peer" with other nodes it
+ # discovers via link-local multicast annoucements. Unless this is the
+ # case (it probably isn't) a node needs peers within the existing
+ # network that it can tunnel to.
+
+ # Public Peers: https://github.com/yggdrasil-network/public-peers
+ ];
+ };
+ };
+ # configFile = "/run/keys/yggdrasil.conf";
+}
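Review bot: The commented `configFile` at L1334 sits outside `services.yggdrasil`, and flake.nix on this page deploys a `yggdrasil.conf.secret` key for kernelpanic that this module never reads, so the uploaded secret is unused and, with `persistentKeys` also commented out (L1305), the node gets a fresh key and address on every start. Move the line inside the attrset and point it at the deployed key, e.g. `configFile = "/run/keys/yggdrasil.conf.secret";` (adjust if colmena's destination directory differs), or enable `persistentKeys = true;` for hosts without a deployed config. `Listen` on `0.0.0.0`/`[::]` plus `MulticastInterfaces` with `Regex = ".*"` beacons and accepts peers on every interface; a comment recording that this is intentional for these hosts would help.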
--- /dev/null
+{ pkgs,
+ lib,
+ config,
+ ... }:
+{
+ specialisation.hardened.configuration = {
+ imports = [
+ # This includes a hardened kernel, and limiting the system information available to processes through the /sys and /proc filesystems. It also disables the User Namespaces feature of the kernel, which stops Nix from being able to build anything (this particular setting can be overriden via security.allowUserNamespaces). See the profile source for further detail on which settings are altered.
+ <nixpkgs/nixos/modules/profiles/hardened.nix>
+ # Manual section: https://nixos.org/manual/nixos/stable/index.html#sec-profile-hardened
+ # profile source: https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix
+ ];
+
+ # system.nixos.label = "marigoldOS-${config.system.nixos.release}-hardened";
+ # system.nixos.tags = [ "hardened" ];
+
+ networking.firewall.allowPing = false;
+
+ # doas instead of sudo
+ security.sudo.enable = false;
+ security.doas = {
+ enable = true;
+ extraRules = [{
+ groups = ["wheel"];
+ persist = false;
+ noPass = false;
+ keepEnv = true;
+ }];
+ };
+ # alias
+ environment.shellAliases = { sudo = "doas "; };
+
+ # Once this is in a spot where it looks good, move this to the main profile
+ # security.auditd.enable = true;
+ # security.audit.enable = true;
+ # TODO actually make the rules, lel.
+ # https://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
+ # https://security.blogoverflow.com/2013/09/stump-the-chump-with-auditd-01/
+
+ # TODO investigate this
+ # security.allowUserNamespaces
+
+ # TODO Investigate this
+ # boot.kernel.randstructSeed = "Change this. Also does hiding this from version control provide any (meaningful) security advantages? Maybe from a targeted attack, but enough to matter?";
+
+ # TODO Read then rip off archbros
+ # https://wiki.archlinux.org/title/Security
+ };
+}
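Review bot: `<nixpkgs/nixos/modules/profiles/hardened.nix>` (L1345) is a `NIX_PATH` lookup, which is unavailable under a flake's pure evaluation, so this specialisation cannot build from the flake.nix on this page; take `modulesPath` from the module arguments instead: `{ pkgs, lib, config, modulesPath, ... }:` and `"${modulesPath}/profiles/hardened.nix"`. `keepEnv = true` in the doas rule (L1363) passes the caller's environment through to the privileged process, which weakens the point of a hardened profile; a comment stating why it is needed, or dropping it, is warranted. The long comment at L1344 would read better split into two or three lines.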
--- /dev/null
+{ config, ... }:
+{
+ specialisation.lowpower.configuration = {
+ # system.nixos.label = "marigoldOS-${config.system.nixos.release}-lowPower";
+ # system.nixos.tags = [ "lowpower" ];
+ services = {
+ tlp.enable = true;
+ upower.enable = true;
+ throttled.enable = true;
+ };
+
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "powersave";
+ powertop.enable = true;
+ };
+ };
+}
--- /dev/null
+{ pkgs,
+ config,
+ ... }:
+{
+ specialisation.performance.configuration = {
+ # system.nixos.label = "marigoldOS-${config.system.nixos.release}-performance";
+ # system.nixos.tags = [ "performance" ];
+ boot.kernelPackages = pkgs.linuxPackages_zen;
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "performance";
+ };
+ };
+}