erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions

Compare commits

base: erwin:c4343b98554da9c943795d1b4f1bced281570695
Branches Tags
erwin:main
..
compare: erwin:217dfcd3897e40091660dd5bc2b87caef940cc9e
Branches Tags
erwin:main

No commits in common. "c4343b98554da9c943795d1b4f1bced281570695" and "217dfcd3897e40091660dd5bc2b87caef940cc9e" have entirely different histories.
c4343b9855 ... 217dfcd389

14 changed files with 119 additions and 272 deletions
Show stats Expand all files Collapse all files

54
flake.lock generated
View file

@ -148,11 +148,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1709140068,
"narHash": "sha256-lvRBx3t6wF4crVlHko6Rm7rV2bSES4rgPC8a2zoaic8=",
"lastModified": 1708938386,
"narHash": "sha256-WTSScoG1LhH+PBo3l4+Fcl1oGNuISmRzkYDrASPWefk=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "8c56baa0e5ba4bbf9947605a31672e2f4735b1a9",
"rev": "dc68b375c2733198f642804a3cfacab5ede99761",
"type": "github"
},
"original": {
@ -324,11 +324,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
@ -414,11 +414,11 @@
]
},
"locked": {
"lastModified": 1708988456,
"narHash": "sha256-RCz7Xe64tN2zgWk+MVHkzg224znwqknJ1RnB7rVqUWw=",
"lastModified": 1708806879,
"narHash": "sha256-MSbxtF3RThI8ANs/G4o1zIqF5/XlShHvwjl9Ws0QAbI=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1d085ea4444d26aa52297758b333b449b2aa6fca",
"rev": "4ee704cb13a5a7645436f400b9acc89a67b9c08a",
"type": "github"
},
"original": {
@ -438,11 +438,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1709054352,
"narHash": "sha256-JGxCz3Zv7sErrf1ROn1OjWy8BtP5w/YDp5PnQrJxZnQ=",
"lastModified": 1708906061,
"narHash": "sha256-8WlGYMCtggvybPdzQschOoC9r3dl0d3lnGmlTZB6pAw=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "df3254b6a9ff2ddbbd4be27d75d8cc9f1b637d4b",
"rev": "4583e2394e1e5723746fb55dbb912385c6c6bda1",
"type": "github"
},
"original": {
@ -521,11 +521,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1709147990,
"narHash": "sha256-vpXMWoaCtMYJ7lisJedCRhQG9BSsInEyZnnG5GfY9tQ=",
"lastModified": 1708594753,
"narHash": "sha256-c/gH7iXS/IYH9NrFOT+aJqTq+iEBkvAkpWuUHGU3+f0=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159",
"rev": "3f7d0bca003eac1a1a7f4659bbab9c8f8c2a0958",
"type": "github"
},
"original": {
@ -586,11 +586,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1708979614,
"narHash": "sha256-FWLWmYojIg6TeqxSnHkKpHu5SGnFP5um1uUjH+wRV6g=",
"lastModified": 1708831307,
"narHash": "sha256-0iL/DuGjiUeck1zEaL+aIe2WvA3/cVhp/SlmTcOZXH4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b7ee09cf5614b02d289cd86fcfa6f24d4e078c2a",
"rev": "5bf1cadb72ab4e77cb0b700dab76bcdaf88f706b",
"type": "github"
},
"original": {
@ -634,11 +634,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1708984720,
"narHash": "sha256-gJctErLbXx4QZBBbGp78PxtOOzsDaQ+yw1ylNQBuSUY=",
"lastModified": 1708807242,
"narHash": "sha256-sRTRkhMD4delO/hPxxi+XwLqPn8BuUq6nnj4JqLwOu0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "13aff9b34cc32e59d35c62ac9356e4a41198a538",
"rev": "73de017ef2d18a04ac4bfd0c02650007ccb31c2a",
"type": "github"
},
"original": {
@ -762,11 +762,11 @@
]
},
"locked": {
"lastModified": 1709086241,
"narHash": "sha256-3QHK5zu/5XOa+ghBeKzvt+/BLdEPjw/xDNLcpDfbkmg=",
"lastModified": 1708913568,
"narHash": "sha256-76PGANC2ADf0h7fe0w2nWpfdGN+bemFs2rvW2EdU/ZY=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5d56056fb905ff550ee61b6ebb6674d494f57a9e",
"rev": "cbdf3e5bb205ff2ca165fe661fbd6d885cbd0106",
"type": "github"
},
"original": {
@ -783,11 +783,11 @@
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1708987867,
"narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=",
"lastModified": 1708830076,
"narHash": "sha256-Cjh2xdjxC6S6nW6Whr2dxSeh8vjodzhTmQdI4zPJ4RA=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf",
"rev": "2874fbbe4a65bd2484b0ad757d27a16107f6bc17",
"type": "github"
},
"original": {

1
home-manager/modules/firefox/default.nix
View file

@ -9,7 +9,6 @@ let
cfg = config.eboskma.programs.firefox;
profileSettings = {
"browser.chrome.guess_favicon" = false;
"browser.shell.checkDefaultBrowser" = false;
"browser.translations.enable" = false;
"devtools.theme" = "dark";

6
lib/default.nix
View file

@ -36,11 +36,7 @@ rec {
config = {
allowUnfree = true;
firefox = {
speechSynthesisSupport = true;
ffmpegSupport = true;
pipewireSupport = true;
};
firefox.speechSynthesisSupport = true;
};
};
home-manager = {

31
machines/default.nix
View file

@ -4,7 +4,7 @@ inputs: {
# deploy = {
# # host = "10.0.0.202";
# host = "ci.barn-beaver.ts.net";
# targetUser = "erwin";
# sshUser = "erwin";
# buildOn = "local";
# substituteOnTarget = true;
# tags = [ "container" ];
@ -15,7 +15,7 @@ inputs: {
deploy = {
# host = "10.0.0.205";
host = "frigate.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -26,7 +26,7 @@ inputs: {
deploy = {
# host = "10.0.0.203";
host = "gitea.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -37,7 +37,7 @@ inputs: {
deploy = {
# host = "10.0.0.210";
host = "gitea-runner.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -48,7 +48,7 @@ inputs: {
deploy = {
# host = "heimdall.datarift.nl";
host = "heimdall.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "metal" ];
@ -59,7 +59,7 @@ inputs: {
deploy = {
# host = "10.0.0.167";
host = "10.0.0.208";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -76,7 +76,7 @@ inputs: {
deploy = {
# host = "10.0.0.204";
host = "minio.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -106,7 +106,7 @@ inputs: {
deploy = {
# host = "10.0.0.251";
host = "proxy.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -116,21 +116,12 @@ inputs: {
system = "aarch64-linux";
config = import ./regin/configuration.nix inputs;
};
saga = {
config = import ./saga/configuration.nix inputs;
deploy = {
# host = "10.0.0.212";
host = "saga.barn-beaver.ts.net";
targetUser = "erwin";
tags = [ "container" ];
};
};
# thor = {
# system = "aarch64-linux";
# config = import ./thor/configuration.nix inputs;
# # deploy = {
# # host = "10.0.0.198";
# # targetUser = "erwin";
# # sshUser = "erwin";
# # buildOn = "local";
# # substituteOnTarget = true;
# # };
@ -140,7 +131,7 @@ inputs: {
deploy = {
# host = "10.0.0.207";
host = "unifi.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -151,7 +142,7 @@ inputs: {
deploy = {
# host = "10.0.0.206";
host = "valkyrie.barn-beaver.ts.net";
targetUser = "erwin";
sshUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];

30
machines/loki/configuration.nix
View file

@ -1,4 +1,9 @@
{ nixos-hardware, nix-ld-rs, ... }:
{
nixos-hardware,
nix-ld-rs,
attic,
...
}:
{ pkgs, config, ... }:
{
imports = [
@ -473,19 +478,18 @@
];
};
# nix.settings.post-build-hook =
# let
# inherit (attic.packages.${pkgs.system}) attic-client;
# in
# pkgs.writeScript "upload-to-cache" ''
# set -eu
# set -f
# export IFS=' '
nix.settings.post-build-hook =
let
inherit (attic.packages.${pkgs.system}) attic-client;
in
pkgs.writeScript "upload-to-cache" ''
set -eu
set -f
export IFS=' '
# OUT_PATHS=$(echo -n ''${OUT_PATHS} | ${pkgs.gawk}/bin/awk 'BEGIN { RS = " "; ORS = " "; } $0 !~ /horus_vcpkg/ { print $0 }')
# echo "Uploading paths to cache " ''${OUT_PATHS}
# exec ${attic-client}/bin/attic push main ''${OUT_PATHS}
# '';
echo "Uploading paths to cache " ''${OUT_PATHS}
exec ${attic-client}/bin/attic push main ''${OUT_PATHS}
'';
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {

10
machines/nix-cache/configuration.nix
View file

@ -95,7 +95,7 @@
listen = "127.0.0.1:8080";
garbage-collection = {
default-retention-period = "6 weeks";
default-retention-period = "3 months";
};
storage = {
@ -116,16 +116,16 @@
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 256 * 1024; # 256 KiB
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 128 * 1024; # 128 KiB
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 256 * 1024; # 256 KiB
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 1024 * 1024; # 1024 KiB
max-size = 256 * 1024; # 256 KiB
};
};
};

80
machines/saga/configuration.nix
View file

@ -1,80 +0,0 @@
{ self, ... }:
{ modulesPath, lib, ... }:
{
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
./grafana
./prometheus
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
boot = {
isContainer = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "saga";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
systemd.network = {
enable = true;
wait-online.anyInterface = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.212/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
# sops.defaultSopsFile = ./secrets.yaml;
# sops.secrets = {
# };
system.stateVersion = "24.05";
}

13
machines/saga/grafana/default.nix
View file

@ -1,13 +0,0 @@
{
services.grafana = {
enable = true;
settings = {
server = {
domain = "saga.datarift.nl";
enforce_domain = true;
http_addr = "0.0.0.0";
root_url = "https://saga.datarift.nl";
};
};
};
}

37
machines/saga/prometheus/default.nix
View file

@ -1,37 +0,0 @@
{ config, ... }:
{
services.prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "saga";
static_configs = [
{
targets = [
"saga:${toString config.services.prometheus.exporters.node.port}" # node
];
}
];
}
{
job_name = "valkyrie";
static_configs = [
{
targets = [
"valkyrie:${toString config.services.prometheus.exporters.node.port}" # node
"valkyrie:${toString config.services.prometheus.exporters.unbound.port}" # unbound
];
}
];
}
];
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
};
};
}

118
machines/valkyrie/unbound/default.nix
View file

@ -1,82 +1,68 @@
{
services = {
unbound = {
enable = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
# Setting logfile to an empty string outputs to stderr
log-queries = false;
verbosity = 1;
services.unbound = {
enable = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
# Setting logfile to an empty string outputs to stderr
log-queries = false;
verbosity = 1;
port = 5335;
do-ip4 = true;
do-ip6 = true;
do-udp = true;
do-tcp = true;
prefer-ip6 = true;
port = 5335;
do-ip4 = true;
do-ip6 = true;
do-udp = true;
do-tcp = true;
prefer-ip6 = true;
hide-identity = true;
hide-version = true;
hide-identity = true;
hide-version = true;
# Trust glue only if it is within the server's authority
harden-glue = true;
# Trust glue only if it is within the server's authority
harden-glue = true;
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped = true;
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped = true;
harden-referral-path = true;
harden-referral-path = true;
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id = false;
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id = false;
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size = 1472;
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size = 1472;
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch = true;
prefetch-key = true;
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch = true;
prefetch-key = true;
# This attempts to reduce latency by serving the outdated record before
# updating it instead of the other way around. Alternative is to increase
# cache-min-ttl to e.g. 3600.
cache-min-ttl = 0;
serve-expired = true;
# This attempts to reduce latency by serving the outdated record before
# updating it instead of the other way around. Alternative is to increase
# cache-min-ttl to e.g. 3600.
cache-min-ttl = 0;
serve-expired = true;
rrset-cache-size = "256m";
msg-cache-size = "128m";
msg-cache-slabs = 4;
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads = 2;
rrset-cache-size = "256m";
msg-cache-size = "128m";
msg-cache-slabs = 4;
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads = 2;
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf = "8m";
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf = "1m";
# Ensure privacy of local IP ranges
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
];
};
};
};
prometheus.exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
unbound = {
enable = true;
unbound.host = "unix:///run/unbound/unbound.ctl";
# Ensure privacy of local IP ranges
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
];
};
};
};

5
modules/caddy-proxy/default.nix
View file

@ -14,7 +14,6 @@ let
tls {
dns cloudflare {env.CF_API_TOKEN}
propagation_timeout -1
}
'';
};
@ -33,7 +32,6 @@ let
tls {
dns cloudflare {env.CF_API_TOKEN}
propagation_timeout -1
}
'';
};
@ -51,7 +49,7 @@ in
email = "erwin@datarift.nl";
acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
virtualHosts = {
"home.datarift.nl" = mkProxyHost "homeassistant.barn-beaver.ts.net:8123";
@ -60,7 +58,6 @@ in
"git.datarift.nl" = mkProxyHost "gitea.barn-beaver.ts.net:3000";
"minio.datarift.nl" = mkProxyHost "minio.barn-beaver.ts.net:9000";
"minio-admin.datarift.nl" = mkLocalProxyHost "minio.barn-beaver.ts.net:9001";
"saga.datarift.nl" = mkLocalProxyHost "saga.barn-beaver.ts.net:3000";
"unifi.datarift.nl" = mkLocalProxyHost "unifi.barn-beaver.ts.net:8443";
};
};

2
modules/podman/default.nix
View file

@ -30,6 +30,7 @@ in
virtualisation.podman = {
enable = true;
enableNvidia = cfg.enableNvidia;
dockerCompat = true;
autoPrune = {
@ -42,7 +43,6 @@ in
virtualisation.containers = {
enable = true;
cdi.dynamic.nvidia.enable = cfg.enableNvidia;
registries = {
insecure = cfg.insecureRegistries;
};

2
users/erwin/home.nix
View file

@ -72,6 +72,8 @@ in
};
eww = {
enable = true;
# This will fail once https://github.com/NixOS/nixpkgs/pull/289595 is merged
package = pkgs.eww.override { withWayland = true; };
};
firefox = {
enable = true;

2
users/erwin/work.nix
View file

@ -87,6 +87,8 @@ in
};
eww = {
enable = true;
# This will fail once https://github.com/NixOS/nixpkgs/pull/289595 is merged
package = pkgs.eww.override { withWayland = true; };
};
firefox = {
enable = true;