gerg-l/nixos
1
0
Fork 0
mirror of https://github.com/Gerg-L/nixos.git synced 2025-12-10 00:43:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

systems -> hosts

Browse source 
moved functions to /lib

inputs over imports

turned each module file into a nixosModule

moved registry and $NIX_PATH pinning to /modules/pinning.nix
This commit is contained in:
Gerg-L 2023-06-22 22:55:43 -04:00
parent ee2beea680
commit f43d0b741c
42 changed files with 224 additions and 240 deletions
Download patch file Download diff file Expand all files Collapse all files

100
hosts/gerg-desktop/containers/minecraft.nix_ Normal file
View file

@ -0,0 +1,100 @@
_:{
containers."minecraft" = {
ephemeral = true;
autoStart = true;
privateNetwork = true;
hostBridge = "bridge0";
localAddress = "192.168.1.10/24";
bindMounts."/minecraft" = {
hostPath = "/persist/minecraft";
isReadOnly = false;
};
config = {pkgs, ...}: {
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [pkgs.neovim];
networking = {
defaultGateway = "192.168.1.1";
nameservers = ["192.168.1.1"];
firewall = {
allowedUDPPorts = [25565];
allowedTCPPorts = [25565];
};
};
systemd.services.setmacaddr = {
script = ''
/run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:10
'';
wantedBy = ["basic.target"];
after = ["dhcpcd.service"];
};
boot.initrd.postDeviceCommands = "mkdir -p /minecraft";
system.stateVersion = "unstable";
users.users.minecraft = {
description = "Minecraft server service user";
home = "/minecraft";
createHome = true;
isSystemUser = true;
group = "minecraft";
};
users.groups.minecraft = {};
systemd.sockets.minecraft-server = {
bindsTo = ["minecraft-server.service"];
socketConfig = {
ListenFIFO = "/run/minecraft-server.stdin";
SocketMode = "0660";
SocketUser = "minecraft";
SocketGroup = "minecraft";
RemoveOnStop = true;
FlushPending = true;
};
};
systemd.services.minecraft-server = {
enable = true;
description = "Minecraft Server Service";
wantedBy = ["multi-user.target"];
requires = ["minecraft-server.socket"];
after = ["network.target" "minecraft-server.socket"];
serviceConfig = {
ExecStart = "${pkgs.papermc}/bin/minecraft-server -Xms8G -Xmx8G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
Restart = "always";
User = "minecraft";
WorkingDirectory = "/minecraft";
StandardInput = "socket";
StandardOutput = "journal";
StandardError = "journal";
# Hardening
CapabilityBoundingSet = [""];
DeviceAllow = [""];
LockPersonality = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
};
preStart = ''
echo "eula=true" > eula.txt
'';
};
};
};
}

155
hosts/gerg-desktop/containers/website.nix_ Normal file
View file

@ -0,0 +1,155 @@
_:{
sops.secrets = {
"website/sql_gitea" = {
mode = "0444";
};
"website/sql_nextcloud" = {
mode = "0444";
};
"website/nextcloud" = {
mode = "0444";
};
"website/ssl_key" = {
mode = "0444";
};
"website/ssl_cert" = {
mode = "0444";
};
};
containers."website" = {
ephemeral = true;
autoStart = true;
privateNetwork = true;
hostBridge = "bridge0";
localAddress = "192.168.1.11/24";
bindMounts = {
"/var" = {
hostPath = "/persist/website/var";
isReadOnly = false;
};
"/etc/ssh" = {
hostPath = "/persist/website/etc/ssh/";
isReadOnly = false;
};
"/secrets".hostPath = "/run/secrets/website";
};
config = {
pkgs,
config,
...
}: let
giteaPort = 3000;
in {
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [pkgs.neovim];
networking = {
defaultGateway = "192.168.1.1";
nameservers = ["1.1.1.1" "1.0.0.1"];
firewall = {
allowedTCPPorts = [giteaPort 80 443 22];
};
};
systemd.services.setmacaddr = {
script = ''
/run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:11
'';
wantedBy = ["basic.target"];
after = ["dhcpcd.service"];
};
system.stateVersion = "unstable";
services = {
gitea = {
enable = true;
appName = "Powered by NixOS";
domain = "git.gerg-l.com";
rootUrl = "https://git.gerg-l.com/";
httpPort = giteaPort;
settings = {
server = {
LANDING_PAGE = "/explore/repos";
};
ui = {
DEFAULT_THEME = "arc-green";
};
service = {
DISABLE_REGISTRATION = true;
};
};
database = {
type = "postgres";
passwordFile = "/secrets/sql_gitea";
};
};
nextcloud = {
enable = true;
package = pkgs.nextcloud26;
hostName = "next.gerg-l.com";
autoUpdateApps.enable = true;
enableBrokenCiphersForSSE = false;
config = {
dbtype = "pgsql";
dbhost = "/run/postgresql";
dbpassFile = "/secrets/sql_nextcloud";
adminpassFile = "/secrets/nextcloud";
adminuser = "admin-root";
defaultPhoneRegion = "IL";
};
};
postgresql = {
enable = true;
package = pkgs.postgresql_13;
ensureDatabases = [config.services.nextcloud.config.dbname];
ensureUsers = [
{
name = config.services.nextcloud.config.dbuser;
ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
}
];
authentication = ''
local gitea all ident map=gitea-users
'';
identMap = ''
gitea-users gitea gitea
'';
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = let
template = {
forceSSL = true;
sslCertificate = "/secrets/ssl_cert";
sslCertificateKey = "/secrets/ssl_key";
};
in {
"git.gerg-l.com" =
template
// {
locations."/" = {
proxyPass = "http://localhost:${toString giteaPort}";
};
};
"next.gerg-l.com" = template;
};
};
openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
};
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
};
};
}

125
hosts/gerg-desktop/default.nix Normal file
View file

@ -0,0 +1,125 @@
{nvim-flake, ...}: {
pkgs,
config,
...
}: {
localModules = {
remoteBuild.isBuilder = true;
X11Programs = {
sxhkd.enable = true;
};
DE.dwm.enable = true;
DM = {
lightdm.enable = true;
autoLogin = true;
loginUser = "gerg";
};
theming = {
enable = true;
kmscon.enable = true;
};
};
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.beta;
nvidiaPersistenced = false;
nvidiaSettings = false;
modesetting.enable = true;
open = false;
};
services.xserver = {
videoDrivers = ["nvidia" "amdgpu"];
};
nixpkgs.allowedUnfree = [
"nvidia-x11"
"steam"
"steam-original"
];
nix.settings.system-features = ["kvm" "big-parallel" "nixos-test" "benchmark"];
environment = {
systemPackages = builtins.attrValues {
inherit
(pkgs)
bitwarden #store stuff
qbittorrent #steal stuff
pavucontrol #gui volume control
pcmanfm #file manager
librewolf #best browser
vlc #play stuff
ripgrep
xautoclick
webcord
prismlauncher
;
inherit (nvim-flake.packages.${pkgs.system}) neovim;
};
etc = {
"jdks/17".source = pkgs.openjdk17 + /bin;
"jdks/8".source = pkgs.openjdk8 + /bin;
};
};
networking = {
useDHCP = false;
hostName = "gerg-desktop";
hostId = "288b56db";
nameservers = [
"192.168.1.1"
"2605:59c8:252e:500::1"
];
defaultGateway = "192.168.1.1";
interfaces = {
"enp11s0" = {
name = "eth0";
};
"bridge0" = {
name = "bridge0";
macAddress = "D8:5E:D3:E5:47:90";
ipv4.addresses = [
{
address = "192.168.1.4";
prefixLength = 24;
}
];
};
};
bridges."bridge0".interfaces = ["eth0"];
firewall.enable = true;
};
#user managment
sops.secrets = {
gerg.neededForUsers = true;
};
users = {
mutableUsers = false;
users = {
gerg = {
useDefaultShell = true;
uid = 1000;
isNormalUser = true;
extraGroups = ["wheel" "audio"];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuO/3IF+AjH8QjW4DAUV7mjlp2Mryd+1UnpAUofS2yA gerg@gerg-phone"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpYY2uw0OH1Re+3BkYFlxn0O/D8ryqByJB/ljefooNc gerg@gerg-windows"
];
passwordFile = config.sops.secrets.gerg.path;
};
"root" = {
uid = 0;
home = "/root";
hashedPassword = "!";
};
};
};
boot = {
kernelModules = ["amdgpu"];
initrd = {
availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"];
includeDefaultModules = false;
};
};
system.stateVersion = "23.05";
}

193
hosts/gerg-desktop/disko.nix Normal file
View file

@ -0,0 +1,193 @@
{disko, ...}: {disks ? [], ...}: {
dummyvalue = {inherit disks;};
imports = [disko.nixosModules.disko];
disko.devices = {
disk = {
nvme0 = {
type = "disk";
device = "/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N22";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1M";
part-type = "primary";
flags = ["bios_grub"];
}
{
name = "ESP";
start = "1M";
end = "1G";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N22";
};
}
{
name = "zfsboot";
start = "1G";
end = "5G";
content = {
type = "zfs";
pool = "bpool";
};
}
{
name = "swap";
start = "5G";
end = "21G";
content = {
type = "swap";
randomEncryption = true;
};
}
{
name = "zfsroot";
start = "21G";
end = "100%";
content = {
type = "zfs";
pool = "rpool";
};
}
];
};
};
nvme1 = {
type = "disk";
device = "/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N0E";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "BIOS";
start = "0";
end = "1M";
part-type = "primary";
flags = ["bios_grub"];
}
{
name = "ESP";
start = "1M";
end = "1G";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N0E";
};
}
{
name = "zfsboot";
start = "1G";
end = "5G";
content = {
type = "zfs";
pool = "bpool";
};
}
{
name = "swap";
start = "5G";
end = "21G";
content = {
type = "swap";
randomEncryption = true;
};
}
{
name = "zfsroot";
start = "21G";
end = "100%";
content = {
type = "zfs";
pool = "rpool";
};
}
];
};
};
};
zpool = {
rpool = {
type = "zpool";
mode = "mirror";
rootFsOptions = {
acltype = "posixacl";
compression = "zstd";
dnodesize = "auto";
normalization = "formD";
relatime = "on";
xattr = "sa";
encryption = "on";
keyformat = "passphrase";
keylocation = "prompt";
};
options = {
ashift = "12";
autotrim = "on";
};
datasets = {
"root" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/";
};
"nix" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/nix";
};
"var" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/var";
};
"persist" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/persist";
};
"home" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/home";
};
};
};
bpool = {
type = "zpool";
mode = "mirror";
rootFsOptions = {
acltype = "posixacl";
compression = "lz4";
devices = "off";
normalization = "formD";
relatime = "on";
xattr = "sa";
canmount = "off";
};
options = {
compatibility = "grub2";
ashift = "12";
autotrim = "on";
};
datasets = {
"boot" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/boot";
};
};
};
};
};
}

21
hosts/gerg-desktop/parrot.nix Normal file
View file

@ -0,0 +1,21 @@
{self, ...}: {
pkgs,
config,
lib,
...
}: {
#discord bot stuff
systemd.services.parrot = {
enable = true;
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
script = lib.getExe self.packages.${pkgs.system}.parrot;
serviceConfig = {
EnvironmentFile = config.sops.secrets.discordenv.path;
Restart = "on-failure";
RestartSec = "30s";
};
};
sops.secrets.discordenv = {};
}

28
hosts/gerg-desktop/secrets.yaml Normal file
View file

@ -0,0 +1,28 @@
discordenv: ENC[AES256_GCM,data:/A46urPOiqH2ejKmmzCIpR/g2hU6n/AUTNQPikAxvp1PikWgX8JX+NPrGSGgxpn82B70JlwGK9T+9Fe9gaFgswhMrUj19TQ1kERW8HWLJ1LptvJTOsX57rKihJZUwD0v7g/Xof75U68dKPzdSlH7z16r0iOVA6ET4/w=,iv:0HK+0eBMf3awgQrbwXAEsBniTsxqj+izmftoB/UEp64=,tag:EajyB09aJPnHpss3Jv5SaQ==,type:str]
gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
website:
nextcloud: ENC[AES256_GCM,data:JoxSXYzBhXV+h4Ar,iv:jKlAwWfX58DpgGbGOqWBIwcnx8EdIxhFKOUzsDccr7w=,tag:L6UBHh1HU8Je+OczQCypXg==,type:str]
sql_gitea: ENC[AES256_GCM,data:Usfd0QDm/4ntj7kzXXYa3O7H7/E=,iv:3xUD2KuQvJUQtai6C+qAnQ2RbkpN5VLK8BUJFiMpQkY=,tag:E6KNzFIZekgecJCBPlw4YA==,type:str]
sql_nextcloud: ENC[AES256_GCM,data:xkJioAZCCd8aIxS283UhZ2yfLgQ=,iv:7SQ2iSJShX6dDP3qD0KPaJP49CQ6RMHQ6uY5J/WODtI=,tag:HNXYa1L88mGB5uOrmTuFDg==,type:str]
ssl_key: ENC[AES256_GCM,data:EBs5NZ5nHvC687N+YxY62MtJMK2Mi8FfhVrhrmOtmHLnZJlHEzljYBvImypvLEMA2v1++PEN+j7d/utv2kdHrSxBETKiE6ckk8DpjK6MWcjS2fVanYT/XRScJCLOx0PI6E2AR6L8snQ/Wp/3Ado+hLr6Ze7MI3DZd/gwJyrTZtdcSVzBGAJhmzgrF9/Hwb8qtFnJxj7z5kJ3FrXYdaobgSthsdjRpElGNJw0xgz3MVN67LVAMgkmkOXB6NF8FS5rsrvF2nYsqF0bkySCRSSjCjvlxRNAu3kUJQR+o4dA/Zu353z3mbh0driKAO2iih3rfRr+eVrTVjImoGVxpVcjEyCRI0vL8PBLgdC1L5uvE+KgodfaoBiCHTaQt++QbXsa29U4iO5U8hykt0JJW9yZSCaMAspZu/mb1EhChd5lj0q1WLgeGLAtzBN2QCIQ79yRs+nSK0Jgd9k/M4GC4+QufBAM1KZ9FrjZD5RgFuoGpvE69sR4MiekuNXTnFKwBp1WQo7MzWjutXN/x30k2JfaH/s9GoM0DZNPovg16Cgf7SLMCPUo9ynBbeFLOp/Pb+AhIQuNtjX8IpwJDYSJQAKrhUrV/NyI9OKjXVfIWO2yN5wIO2b2u72cIJrOgsMpYO1mGkyEbPtntew4EXPsgw8gdF7bfT6WPpJivvxNhGHSYuNDDoXvh+/t72yFXDuXu28/R6DIg+HmknYNu1On1sHZPrg9BnLny/4tD8OSYr4lKT/0FvQmspM6JPu5ZnxseJf3qjClQbcnwX4deqZX4JHhPXolDJ+LLycl4i62C7dTcO4/B/HLJ5J/+3WP9YvHd+FW3KlrRw/YVGcY+Mjn43/s0vgufH/VxFJ6+CIZZ8CiNt0MtMtajg5Xz8eFHbJRuKJlzzC5JQ1rJ2j0ZnZX19qmvC2nuowdZG7yDX9Htbgv0Elg7cNyO3T3NEKjbU2EjPj9NEah0zWzdymRVoVCv0E9EJIX73K/OSDNrjxJr5P8gNC4p/qD6Ufl3j9MTq1uujIQxFYEYQmSymQiaVbIbY2dmp5ISS6mioGJ4clQluuVsNNFQyFM0fM82Bsmk6MKlHaVk3pyvSLQ6j3R/YFtN9cwGKTdbcHmZIsTUF0XysU7LHM9JmHE9BXPsku01ONszHFlPz/GEgHGxB3bTthE2BHrTR9K6gZZy3j9/cpp6rZe711gnjyfWXpVOL2oPFL+nZZ17WDPOjD/w9KNB3Av4XSAHOJj8F6BcS7f6c69F9vTUlVeG7a6lTQ+4n5o/FQ+mPFyXgCJaMR88T+vYEG+tNbvZrGjyEYaDkfDOXfnqWL/ITDL/lD2YEdB/Vvi8cZtFqQ5fP91T/wOn9Gae0QG4zG6f1aKKW03WJKIvSMh0sUZ1QKVf/8KYUMBho1ZdXcjnxFpn0dpW8bCxIe3juhayyyGrLrMN1+Kr8aHYLTUcB4FU6DppD1esjJN05Y9Im9OqdLCK7UsldUb16j0Xk+2xYKqyQ8JniSL8XQaqeVIJnLaw0Vx1mvnrpe0GHPZVWxFjHzkFzx2H9+M5RuBqZnuWQtfAlCnQ631VvOG1BF+oY89CXG9d/SN6IY3kJ01LzG5XXbBnqeUjcNAIGwkHaVVn4w74Sko5hASWLX60Fo0Cq/BLuUw4qeZ/x0zPtICrl7JXcu4Ei+LO4aZVaDX/ZLw6nkN/GFf5Lc8FZ3COW9I39Dzo3VfK6wfMMnjNgk0cIQZqYC8oIhyexwE047+nwGw10h0jAerHqZmTsaWy+NCBweXWy2lHvQBGnXr8L0db0vrPr+XkrPmoDckSp2J0+/GPTQdWUWijPWLnd3K3hAU7jwkPwfAQNVpVPBbhTea51TcGej5CiphnEElIiuAvUO60kAxyRsbFYDESnJPCj5G+biiKVvN0rzrjU4KpS5wDgyJC8tq8SNv6tGUrqTsNKZXmKQ1wpEadQVam+hpC81HJOr8He51ZZm9OQLkfzN4U8dJx6ax27GOW/1OSzqEycZ3gNJE3MJmFyeRL9cY9+78L5ZB5UrpOJtFPm09fxKKY4A2/E/u70rnbWDkip8aKjflun3Skdr8meC1JiMW/awe8ausTy4cZzkkJWUqBogjTJCfH8UvOo1zwFRubOQLFeFrK3pSD74ALfG8OlT1mTnjSHc4xD6I11LTrGEetyfngNcRQElP44ipslaGno7390J6Tbv8i/8J1SPTvVzqSdHBIzjsMp0/HzyL4LuxRRn2mfrEuGaz0INeeYfATCJf/XsIrPX2uvnimJOLOKD4,iv:plv5vk1K1MvSvG4qfCgktRLaONHKYlJpKz89c9miGO4=,tag:FIOgCYD7X/G0I0+4XrtuQw==,type:str]
ssl_cert: ENC[AES256_GCM,data:+MVjz7j3LAjWNmNOw2tIWdyXGnNukLI9iQM+xoca0t4mZgU8TQcx71sanxD4SpnIOMy/vVNAUHJS3wAM7XMIbTy2S8qSG1bbk6EVC8TB7zfgSVY6BqD4H1lCiVe43AjWwc/qkdxGHO/nX8e7KkxFY4H7RnROdhqH1MYnXUvMXZgHrY/Bv/pNkJ/fC9UapQWKciw26uORk6Ji+ihmhp6h9qLUPIt4UBTljruUhr34UhwxQ1tib6j1GFdPcSpXmbnQ8dQ5s64DShs7aMcS87vwY5r2bZowaX+FdpWokDXCF3wXwS+vhS/pMvzcN0cKogT4uXC3FatIByuLpvb35JD0k2f8OYi1zdKNRyffFkveWySXzVUojq56zhyY6d0rFpW14s5m4WdBpQUDHLe1kO8B4EUv3ZmOQz+SgbPL9EQVzpwoQt2yNkFENJbu2Jvs3LVwoclLM81hOomSThPRMgbixRcttf1MbmU8ED1EoNwF04VgDbNDOOyZFsSkz2rOVTlv/gIWTnBgngh3nU+8VWU6PPbNvYliXvU2XRPhGnXeKH2yCyilQ7aLsWjjvco257p4XvS8g7uuFpyau1UkO81kc3R1qrBjyPdxZylDvxI7JCDQZqWxtNiRRRWTWd+4oHTt8REp7aZlGP9FLDW10LWnOtCe56dbuVvFQd/3mjF1YDEkqE7Q3ZotiV6JzbkouV1rue8jpReREDp7Dsm7ZPdBn58Z0c3NaI8OTffOhQ2oDEJn2I/lUuvGhrEU41SxLvDDmpNVi2ISI/c6PfdKlATKZUDVWP7L6nu2M1bb1HvVXaYoKxldZmLGSdVGk3rhY6HUVSM3BgsgkLiFO0AHui0ETQnkfuhy1T8IMPb3WaAQmHHzR9YipZ03xlUoOSeICgDohMw/bLaP4zNAs+gMgLssWJd8Jm9iK5K/OKN6gG0V7YFdUwNyeX7guEADND0hlT0mFkKlLKywBEGwiSdzrqIvrnE7tzUdD/SlL+WOYKBCByksHwmC51ImFe3/GapAPEoMlxtwy4o/E8nExL/WAMEoNT9wxV4/Mk5l5CT1sUDGG8ifzMVcq4LxPxvQDFYLyKf5Apg4f0MkB4kOvS5hFRF9Ewx3hEjHgKJL4HTWFPut7ktbGvYvfJTSvpyJv9s+uk+b69Y+YhwxFgCLc6oTkHoGaekGaQN8rbPGiomepDK/ZdYr/720zDZuC9Z1WMdRsR7E4GX1Ko31pQEk2tUWmjQk76hp299Sly7tjrh7mRtZXNNVhAzh3DEdqmTZPKNObXI/sf7KM4e0SzSbdJd4DdbV+S8vwbqBYdmEtBwSZNp0YnApBoEC/R7iPp7T98sdt2Y8cWcFITMyHTOQ0Qk9/hFzrdYi+rrOQ33AP/rjzOFp11t99nZKNZGuMucSTRUKgTuRLumjD5dS6PWuTm6k94HUNT8p8BSgGOBSIPqBdvZvKe7titvtfoH7iqoafHfePJ8sUd5dKZdpvDBl5bW2aiTB9v/qP/vlmThAG6t1ukmqbo3rS/6QC2N8X2X4GKqcPrVLKk1vtlnI4qWzLLieePxruJoWhctdp14CjKotVAzgYXtAvuKm1MI5gNWKRqwykeNS5w3C/CQT0KpyqUNLAkEa5+Fg4PUxeLCitpgnz6jq8+1WCltwdWAAkp8RwdMncbG2Jk6AA0iC6lu0kog9U7gsclRc16+jVFYPA+h3trbt8DnFLQTrCEaeOeRwli+WBibO31+0efk4D4e/IUz3c3PkNVwLV3RPFF7FeAo9w7HYOaHrmvbFevnbyUb+aI8i/EiDkoCzgaIcG9nOWSjBjNjZPrK5JZR+hXvTZ163k2eFj7uwfuQkUUakXfFJxLjHzko87oEiOsUkieEamp0yZ4n8eMq/BgNSPMYmnpmxaotdDB/czN5qM0myLKsDgHZso0sLMmPs1YfoDGjsZsMNaQh3C92XyzR4psSwy81wXFLahvt3E/DczOFaBoJ0VtmqFcGuYep/r3Ft6YCXf0y0Yruj5kZRSBvSSu6bfOwppA7gJKChlKKyRiKROMbt9Oh843tWuGKgKajOZZCY/mQH5D1VyxQ8YqxotgbCpEUu/gLPuqf2upCMxA+Vhw8plwrPUOmgnsjybdYoNayfzo28X8ek8ryWKHAcOrIAcCO9e6RHeuZFmstcJsDz7gjpolbufWu7oZkF9NoqksI46+1isb7iZ58U777RSLJWcGlrYdvzJA==,iv:QvDjeJf7D1eqdhDPO472F4MsM5DTcs+4aGgJfhI9J9k=,tag:jVGgIZqzaEqjRAGJxy/zCw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age180y8kdtdlqelayyz9mq2c7xv248rh4gdfr3amjzvdcjrz6wdaqmsj762pp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NWRPckFGSDlWZHpFSFFo
bHMxbHNhRmdEVUJjdnpjeEIwYXFJWUtuYVdBCm13bHVudzBKaXFwVW0xRzErYW9J
ZUN2QnhjZndVQUUxSTFJZWF6KzFzNkEKLS0tIDVmcnd0WGtLK2dFR3lqWktDd1hG
dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-19T00:33:35Z"
mac: ENC[AES256_GCM,data:YWGS3fxhEh6Xz/OohJkQdvGzfe9Do7IRN7MiuHo8URbidq6DLsuvN086QNlMQEnopR5BDJ2V+4inKS1xOM+G66e4Ta/uYH7VweamGSk/dGGqAnG5uylljIupSS9WDvI0tpv2PMWrbGV6oEps0SPC2HN7CvhI8EaSQdz3CvEYKgo=,iv:YDKgb90IvwEkfRFMwoy/Y1LREHe2Dzf3Dt97BT/wJuo=,tag:HSmmPdyhF5dr+5IvM+Xo6Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

37
hosts/gerg-desktop/spicetify.nix Normal file
View file

@ -0,0 +1,37 @@
{spicetify-nix, ...}: {pkgs, ...}: let
spicePkgs = spicetify-nix.legacyPackages.${pkgs.system};
ex = spicePkgs.extensions;
in {
imports = [spicetify-nix.nixosModule];
nixpkgs.allowedUnfree = ["spotify"];
programs.spicetify = {
enable = true;
spotifyPackage = spicePkgs.spotify;
spicetifyPackage = spicePkgs.spicetify-cli;
enabledExtensions = [
ex.adblock
ex.hidePodcasts
ex.shuffle
];
theme = spicePkgs.themes.Dribbblish;
colorScheme = "custom";
customColorScheme = {
text = "f8f8f8";
subtext = "f8f8f8";
sidebar-text = "79dac8";
main = "000000";
sidebar = "323437";
player = "000000";
card = "000000";
shadow = "000000";
selected-row = "7c8f8f";
button = "74b2ff";
button-active = "74b2ff";
button-disabled = "555169";
tab-active = "80a0ff";
notification = "80a0ff";
notification-error = "e2637f";
misc = "282a36";
};
};
}

156
hosts/gerg-desktop/vfio.nix Normal file
View file

@ -0,0 +1,156 @@
{
self,
pipewire_fix,
...
}: {
pkgs,
config,
lib,
...
}:
###TAKEN FROM HERE:https://github.com/NixOS/nixpkgs/blob/4787ebf7ae2ab071389be7ff86cf38edeee7e9f8/nixos/modules/services/x11/xserver.nix#L106-L136
let
xcfg = config.services.xserver;
xserverbase = let
fontsForXServer =
config.fonts.fonts
++ [
pkgs.xorg.fontadobe100dpi
pkgs.xorg.fontadobe75dpi
];
in
pkgs.runCommand "xserverbase"
{
fontpath =
lib.optionalString (xcfg.fontPath != null)
''FontPath "${xcfg.fontPath}"'';
inherit (xcfg) config;
preferLocalBuild = true;
}
''
echo 'Section "Files"' >> $out
echo $fontpath >> $out
for i in ${toString fontsForXServer}; do
if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
for j in $(find $i -name fonts.dir); do
echo " FontPath \"$(dirname $j)\"" >> $out
done
fi
done
for i in $(find ${toString xcfg.modules} -type d); do
if test $(echo $i/*.so* | wc -w) -ne 0; then
echo " ModulePath \"$i\"" >> $out
fi
done
echo '${xcfg.filesSection}' >> $out
echo 'EndSection' >> $out
echo >> $out
'';
oneMonitor = pkgs.writeText "1-monitor.conf" (lib.concatStrings [(builtins.readFile xserverbase) (builtins.readFile (self + /misc/1-monitor.conf))]);
twoMonitor = pkgs.writeText "2-monitor.conf" (lib.concatStrings [(builtins.readFile xserverbase) (builtins.readFile (self + /misc/2-monitor.conf))]);
in {
####VM SOUND BORKED
services.pipewire.package = pipewire_fix.legacyPackages.${pkgs.system}.pipewire;
boot = {
kernelParams = ["amd_iommu=on" "iommu=pt" "vfio_iommu_type1.allow_unsafe_interrupts=1" "kvm.ignore_msrs=1"];
};
virtualisation = {
libvirtd = {
enable = true;
qemu = {
#don't hook evdev at vm start
package = pkgs.qemu.overrideAttrs (old: {
patches =
old.patches
++ [
(pkgs.writeText "qemu.diff" ''
diff --git a/ui/input-linux.c b/ui/input-linux.c
index e572a2e..a9d76ba 100644
--- a/ui/input-linux.c
+++ b/ui/input-linux.c
@@ -397,12 +397,6 @@ static void input_linux_complete(UserCreatable *uc, Error **errp)
}
qemu_set_fd_handler(il->fd, input_linux_event, NULL, il);
- if (il->keycount) {
- /* delay grab until all keys are released */
- il->grab_request = true;
- } else {
- input_linux_toggle_grab(il);
- }
QTAILQ_INSERT_TAIL(&inputs, il, next);
il->initialized = true;
return;
'')
];
});
runAsRoot = true;
ovmf.enable = true;
verbatimConfig = ''
user = "gerg"
group = "kvm"
namespaces = []
'';
};
};
};
environment = {
systemPackages = [
pkgs.virt-manager
];
shellAliases = {
vm-start = "virsh start Windows";
vm-stop = "virsh shutdown Windows";
};
};
users.users.gerg.extraGroups = ["kvm" "libvirtd"];
services.xserver.displayManager.xserverArgs = lib.mkAfter ["-config /tmp/xorg.conf"];
services.xserver.displayManager.sessionCommands = lib.mkBefore ''
if ! (test -e "/tmp/ONE_MONITOR"); then
xrandr --output DP-0 --auto --mode 3440x1440 --rate 120 --primary --pos 0x0
xrandr --output HDMI-A-1-0 --auto --mode 1920x1080 --rate 144 --set TearFree on --pos 3440x360
xset -dpms
fi
'';
systemd.tmpfiles.rules = let
qemuHook = pkgs.writeShellScript "qemu-hook" ''
GUEST_NAME="$1"
OPERATION="$2"
SUB_OPERATION="$3"
if [ "$GUEST_NAME" == "Windows" ]; then
if [ "$OPERATION" == "prepare" ]; then
systemctl stop display-manager.service
modprobe -r -a nvidia_uvm nvidia_drm nvidia nvidia_modeset
${pkgs.libvirt}/bin/virsh nodedev-detach pci_0000_01_00_0
${pkgs.libvirt}/bin/virsh nodedev-detach pci_0000_01_00_1
systemctl set-property --runtime -- user.slice AllowedCPUs=8-15,24-31
systemctl set-property --runtime -- system.slice AllowedCPUs=8-15,24-31
systemctl set-property --runtime -- init.scope AllowedCPUs=8-15,24-31
ln -fs ${oneMonitor} /tmp/xorg.conf
touch /tmp/ONE_MONITOR
systemctl start display-manager.service
fi
if [ "$OPERATION" == "release" ]; then
systemctl stop display-manager.service
systemctl set-property --runtime -- user.slice AllowedCPUs=0-31
systemctl set-property --runtime -- system.slice AllowedCPUs=0-31
systemctl set-property --runtime -- init.scope AllowedCPUs=0-31
${pkgs.libvirt}/bin/virsh nodedev-reattach pci_0000_01_00_0
${pkgs.libvirt}/bin/virsh nodedev-reattach pci_0000_01_00_1
modprobe -a nvidia_uvm nvidia_drm nvidia nvidia_modeset
ln -fs ${twoMonitor} /tmp/xorg.conf
rm /tmp/ONE_MONITOR
systemctl start display-manager.service
fi
fi
'';
in [
"L /tmp/xorg.conf - - - - ${twoMonitor}"
"L+ /var/lib/libvirt/hooks/qemu - - - - ${qemuHook}"
"L+ /var/lib/libvirt/qemu/Windows.xml - - - - ${self + /misc/Windows.xml}"
];
}

75
hosts/gerg-desktop/zfs.nix Normal file
View file

@ -0,0 +1,75 @@
_: {
config,
lib,
...
}: {
#link some stuff
systemd.tmpfiles.rules = [
"L+ /etc/ssh/ssh_host_ed25519_key - - - - /persist/ssh/ssh_host_ed25519_key"
"L+ /etc/ssh/ssh_host_ed25519_key.pub - - - - /persist/ssh/ssh_host_ed25519_key.pub"
];
#create machine-id for spotify
environment.etc = {
"machine-id".text = "b6431c2851094770b614a9cfa78fb6ea";
};
#make sure the sopskey is found
sops.age.sshKeyPaths = lib.mkForce ["/persist/ssh/ssh_host_ed25519_key"];
fileSystems."/persist".neededForBoot = true;
boot = {
zfs = {
devNodes = "/dev/disk/by-id/";
forceImportAll = true;
};
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
#disable hibernate and set cache max
kernelParams = ["nohibernate" "zfs.zfs_arc_max=17179869184"];
supportedFilesystems = ["zfs" "vfat"];
initrd = {
#module for multiple swap devices
kernelModules = ["dm_mod"];
#keyboard module for zfs password
availableKernelModules = ["hid_generic"];
#wipe / and /var on boot
postDeviceCommands = lib.mkAfter ''
zfs rollback -r rpool/root@empty
zfs rollback -r rpool/var@empty
'';
};
plymouth.enable = false;
loader = {
generationsDir.copyKernels = true;
#override defaults
systemd-boot.enable = false;
efi.canTouchEfiVariables = false;
grub = {
enable = true;
efiInstallAsRemovable = true;
copyKernels = true;
efiSupport = true;
zfsSupport = true;
mirroredBoots = [
{
path = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N0E";
devices = ["/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N0E"];
}
{
path = "/boot/efis/nvme-SHPP41-500GM_SSB4N6719101A4N22";
devices = ["/dev/disk/by-id/nvme-SHPP41-500GM_SSB4N6719101A4N22"];
}
];
splashImage = null;
extraConfig = ''
GRUB_TIMEOUT_STYLE=hidden
'';
};
};
};
systemd.services.zfs-mount.enable = false;
services.zfs = {
autoScrub.enable = true;
trim.enable = true;
};
}