
1 Commits

Author SHA1 Message Date
0230bc3613 Enable audio and add a basic home configuration 2020-05-09 01:59:11 +02:00
32 changed files with 307 additions and 1706 deletions

5
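--- a/.gitattributes
+++ b/.gitattributes
@@ -1,5 +0,0 @@
-secrets/soundcloud_token filter=git-crypt diff=git-crypt
-secrets/bandcamp_token filter=git-crypt diff=git-crypt
-assets/bitwig/activation.bwreg filter=lfs diff=lfs merge=lfs -text
-assets/bitwig/bitwig-studio.deb filter=lfs diff=lfs merge=lfs -text
-assets/bitwig/bitwig.jar filter=lfs diff=lfs merge=lfs -text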

1
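--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
-!*.jar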


@@ -1,17 +0,0 @@
switch:
nixos-rebuild switch --target-host root@localhost \
--build-host root@localhost --flake path://$(PWD)#panacea
update:
nix flake update --commit-lock-file
upgrade:
make update && make switch
install:
./scripts/install.sh
backup:
./scripts/backup.sh
.DEFAULT_GOAL := switch


@@ -1,20 +1,13 @@
* NixOS Laptop * NixOS Laptop
Configuration files for my personal machine, powered by [[https://nixos.org/][NixOS]]. Configuration files for my personal machine, powered by [[https://nixos.org/][NixOS]].
** Modules ** Modules
The configuration is sliced into different files, per category: The configuration is sliced into different files, per category:
- ZFS pool configuration: hardware-configuration.nix - ZFS pool configuration: hardware-configuration.nix
- Globally installed packages: software.nix - Network configuration: networking.nix
- Network and VPN configuration: networking.nix - Printing and scanner client: printing.nix
- Window manager and userland services: gui.nix
- Synchronization and backup services: datasync.nix
- Sound and music setup: audio.nix
- Development tools: development.nix
- Printing and scanner client: printing.nix
- Systemd user services and timers: periodic.nix
- Power management: power.nix
All the modules are imported in *configuration.nix* All the modules are imported in *configuration.nix*

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -1,78 +1,54 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
inputs,
...
}:
with pkgs;
{ {
# Kernel configuration # Kernel configuration
boot = { boot = {
blacklistedKernelModules = [ kernelPackages = pkgs.linuxPackages_latest;
"btusb" kernelParams = [ "zfs.zfs_arc_max=536870912" ];
"bluetooth" kernelModules = [ "i915" "acpi_call" ];
]; extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
kernelParams = [
"zfs.zfs_arc_max=8589934592"
"zfs.zfs_arc_min=1073741824"
];
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
zfs = { zfs.requestEncryptionCredentials = true;
requestEncryptionCredentials = true;
package = zfs_unstable;
};
}; };
# Device firmware updates # Intel CPU tweaks
services.fwupd.enable = true; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Secure boot using lanzaboote hardware.opengl.extraPackages = with pkgs; [
vaapiIntel
vaapiVdpau
libvdpau-va-gl
];
# Bootloader configuration
boot.loader = { boot.loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
systemd-boot = { systemd-boot = {
enable = false;
configurationLimit = 50;
editor = false;
};
timeout = 3;
};
boot.lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; configurationLimit = 50;
};
}; };
# Run Nix garbage collector and enable flakes # Run Nix garbage collector, while avoiding compiling
nix = { nix = {
settings = {
auto-optimise-store = true;
trusted-users = [
"root"
"coolneng"
];
lazy-trees = true;
eval-cores = 2;
};
gc = { gc = {
automatic = true; automatic = true;
options = "--delete-older-than 7d"; options = "--delete-older-than 14d";
dates = "Tue 23:00";
}; };
extraOptions = '' extraOptions = ''
keep-outputs = true keep-outputs = true
keep-derivations = true
gc-keep-outputs = true gc-keep-outputs = true
experimental-features = nix-command flakes
''; '';
}; };
# Clean tmp directory on shutdown # Clean tmp directory on shutdown
boot.tmp.cleanOnBoot = true; boot.cleanTmpDir = true;
# Keep logs for a month # Rotate logs after 7 days
services.journald.extraConfig = "MaxRetentionSec=4week"; services.journald.extraConfig = "SystemMaxFiles=7";
# Allow propietary software
nixpkgs.config.allowUnfree = true;
# Scrub zpool monthly # Scrub zpool monthly
services.zfs.autoScrub = { services.zfs.autoScrub = {
@@ -82,109 +58,23 @@ with pkgs;
# Set timezone and synchronize NTP # Set timezone and synchronize NTP
time.timeZone = "Europe/Brussels"; time.timeZone = "Europe/Brussels";
services.chrony.enable = true; services.timesyncd.enable = true;
# Enable the TLP daemon
services.tlp.enable = true;
# NixOS version # NixOS version
system.stateVersion = "24.05"; system.stateVersion = "20.09";
# Create coolneng user
users.users.coolneng = {
isNormalUser = true;
home = "/home/coolneng";
extraGroups = [
"wheel"
"video"
"audio"
"lp"
];
shell = fish;
};
# Set shell for root user
users.users.root.shell = fish;
# Specify secrets
age = {
secrets.wireguard = {
file = secrets/wireguard.age;
owner = "systemd-network";
group = "systemd-network";
};
secrets.syncthing.file = secrets/syncthing.age;
secrets.msmtp.file = secrets/msmtp.age;
identityPaths = [ "/etc/ssh/id_ed25519" ];
};
# Use same version of nixpkgs for nix-shell
nix.nixPath =
let
path = toString ./.;
in
[
"nixpkgs=${inputs.nixpkgs}"
"nixos-config=${path}/configuration.nix"
];
# Auto-upgrade the system
system.autoUpgrade = {
enable = true;
dates = "22:30";
flake = "/home/coolneng/Projects/panacea";
flags = [
"--update-input"
"nixpkgs"
"--commit-lock-file"
];
};
# Add required dependencies to the auto-upgrade service
systemd.services.nixos-upgrade.path = [
coreutils
gnutar
xz.bin
gzip
gitMinimal
config.nix.package.out
config.programs.ssh.package
git-crypt
git-lfs
inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
];
# Configure git for auto-upgrade
programs.git = {
enable = true;
config = {
user.name = "coolneng";
user.email = "akasroua@gmail.com";
safe.directory = "/home/coolneng/Projects/panacea";
};
};
# Enable fish package completion
programs.fish.enable = true;
# Enable nix-index
programs.command-not-found.enable = false;
programs.nix-index = {
enable = true;
enableFishIntegration = true;
};
# Import other configuration modules # Import other configuration modules
imports = [ imports = [
./modules/hardware-configuration.nix
./modules/software.nix ./modules/software.nix
./modules/networking.nix ./modules/networking.nix
./modules/gui.nix ./modules/gui.nix
./modules/datasync.nix ./modules/datasync.nix
./modules/audio.nix ./modules/audio.nix
./modules/development.nix ./modules/home.nix
./modules/printing.nix ./modules/hardware-configuration.nix
./modules/periodic.nix
./modules/power.nix
./modules/monitoring.nix
./modules/latest-zfs-kernel.nix
]; ];
} }
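Review bot: The new `systemd-boot` block sets only `enable = true;` and `configurationLimit = 50;`, so `boot.loader.systemd-boot.editor` stays at its NixOS default of enabled and the kernel command line can be edited from the boot menu by anyone at the keyboard. The other side of this comparison carries `editor = false;` in the same block, and keeping that one line in the new block closes the gap. The passphrase requested by `zfs.requestEncryptionCredentials = true;` still protects the data at rest, but it is not a substitute for locking the boot menu. Which column each line belongs to is read from the two-column rendering, so confirm against the file itself.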

500
flake.lock generated

@@ -1,500 +0,0 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1762618334,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm",
"repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1765739568,
"narHash": "sha256-gQYx35Of4UDKUjAYvmxjUEh/DdszYeTtT6MDin4loGE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "67d2baff0f9f677af35db61b32b5df6863bcc075",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"cyrus-sasl-xoauth2": {
"flake": false,
"locked": {
"lastModified": 1611713742,
"narHash": "sha256-IaH8tNUhM0lUOmFiG4G9cGzsuM9mTWfQrzoQ78MIgZ0=",
"owner": "robn",
"repo": "sasl2-oauth",
"rev": "4236b6fb904d836b85b55ba32128b843fd8c2362",
"type": "github"
},
"original": {
"owner": "robn",
"repo": "sasl2-oauth",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"determinate": {
"inputs": {
"determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
"determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
"determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
"nix": "nix",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1765254444,
"narHash": "sha256-kAO/ZeBnjaF+uqOP6qweXlRk2ylocLuv/9Dn8FsuPlU=",
"rev": "3ccc0297525e51ac3d7905509e0616c9c8350108",
"revCount": 316,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.14.0/019b0160-c5de-7941-9c26-cb47bc17eec3/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
}
},
"determinate-nixd-aarch64-darwin": {
"flake": false,
"locked": {
"narHash": "sha256-6PWoqx52nvlWzlElTjcn7KAPKitfcKZYEFSsC3PoEoE=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS"
}
},
"determinate-nixd-aarch64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-b1e25BUPL7Qf0QVbYlfZ/+QiClrP/SHIjMPtA47aOLc=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux"
}
},
"determinate-nixd-x86_64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-8EI2f8IftPcRFlR6K4+cpIEAVf5UIeMCjHysEtVqDw0=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1761588595,
"narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1748821116,
"narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
"rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
"revCount": 377,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": [
"determinate",
"nix"
],
"nixpkgs": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"revCount": 1026,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"nixpkgs": [
"nixpkgs"
],
"pre-commit": "pre-commit",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1765887029,
"narHash": "sha256-s6LGO6kMlHRdnspV0LReSi47iaYaJ/Oveb4rM9fklPM=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "5a8c9b5339588bb6ec388da5d0a6e701a46a82c4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"local-bitwig": {
"flake": false,
"locked": {
"lastModified": 1765321606,
"narHash": "sha256-WteEWi5GPrGGfzLNTEmgQaH5/DAT/zeZofbBE6D+Po8=",
"path": "/home/coolneng/Projects/panacea/assets/bitwig",
"type": "path"
},
"original": {
"path": "/home/coolneng/Projects/panacea/assets/bitwig",
"type": "path"
}
},
"nix": {
"inputs": {
"flake-parts": "flake-parts",
"git-hooks-nix": "git-hooks-nix",
"nixpkgs": "nixpkgs",
"nixpkgs-23-11": "nixpkgs-23-11",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1765252170,
"narHash": "sha256-p98D44tYJMgB5Qet5S8cTQFdffk/GmoaGkpQtZ3hqJU=",
"rev": "1ddd28880651054346c34009d7bb9de36f1db2c1",
"revCount": 23362,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.14.0/019b0159-8907-7fab-a120-9d287c7e6d2e/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
}
},
"nix-index-database": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1765267181,
"narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "nix-index-database",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1764440730,
"narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1761597516,
"narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
"rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
"revCount": 811874,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
}
},
"nixpkgs-23-11": {
"locked": {
"lastModified": 1717159533,
"narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1764611609,
"narHash": "sha256-yU9BNcP0oadUKupw0UKmO9BKDOVIg9NStdJosEbXf8U=",
"rev": "8c29968b3a942f2903f90797f9623737c215737c",
"revCount": 905078,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.905078%2Brev-8c29968b3a942f2903f90797f9623737c215737c/019add91-3add-7a0d-8a25-9569cbe01efe/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1766309749,
"narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765464257,
"narHash": "sha256-dixPWKiHzh80PtD0aLuxYNQ0xP+843dfXG/yM3OzaYQ=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "09e45f2598e1a8499c3594fe11ec2943f34fe509",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"cyrus-sasl-xoauth2": "cyrus-sasl-xoauth2",
"determinate": "determinate",
"lanzaboote": "lanzaboote",
"local-bitwig": "local-bitwig",
"nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765680428,
"narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@@ -1,82 +0,0 @@
{
description = "System configuration for panacea";
nixConfig = {
extra-substituters = "https://cachix.cachix.org https://nix-community.cachix.org https://install.determinate.systems";
extra-trusted-public-keys = ''
cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=
nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
'';
};
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
cyrus-sasl-xoauth2 = {
url = "github:robn/sasl2-oauth";
flake = false;
};
nix-index-database = {
url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
local-bitwig = {
url = "path:/home/coolneng/Projects/panacea/assets/bitwig";
flake = false;
};
};
outputs =
{ self, nixpkgs, ... }@inputs:
let
system = "x86_64-linux";
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [
(final: prev: {
emacs-vterm = (
(pkgs.emacsPackagesFor pkgs.emacs-pgtk).emacsWithPackages (
epkgs: with epkgs; [
vterm
mu4e
]
)
);
})
];
};
lib = nixpkgs.lib;
in
{
nixosConfigurations.panacea = lib.nixosSystem {
inherit system;
modules = [
(import ./configuration.nix)
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd
inputs.agenix.nixosModules.age
inputs.nix-index-database.nixosModules.nix-index
inputs.lanzaboote.nixosModules.lanzaboote
inputs.determinate.nixosModules.default
];
specialArgs = {
inherit inputs;
inherit pkgs;
};
};
};
}


@@ -1,105 +1,15 @@
{ config, lib, pkgs, ... }:
{ {
config, # Enable ALSA
lib, sound.enable = true;
pkgs,
inputs,
...
}:
with pkgs; # Configure PulseAudio with mopidy tweaks
hardware.pulseaudio = {
let
# HACK Replace youtube-dl with yt-dlp in mopidy-youtube
mopidy-youtube-yt_dlp = mopidy-youtube.overrideAttrs (old: rec {
propagatedBuildInputs = old.propagatedBuildInputs ++ [
python3.pkgs.yt-dlp
python3.pkgs.ytmusicapi
];
});
soundcloud_token = builtins.readFile ../secrets/soundcloud_token;
bandcamp_token = builtins.readFile ../secrets/bandcamp_token;
in
{
# Configure pipewire as sound server
services.pipewire = {
enable = true; enable = true;
alsa = { tcp = {
enable = true; enable = true;
support32Bit = true; anonymousClients.allowedIpRanges = [ "127.0.0.1" ];
};
pulse.enable = true;
wireplumber.enable = true;
# Enable pipewire-pulse's audio via TCP
extraConfig.pipewire-pulse.tcp-server = {
"pulse.properties" = {
"server.address" = [
"unix:native"
"tcp:127.0.0.1:4713"
];
};
};
};
security.rtkit.enable = true;
# Set up Mopidy
services.mopidy = {
enable = true;
extensionPackages = [
mopidy-mpd
mopidy-local
mopidy-youtube-yt_dlp
mopidy-bandcamp
mopidy-somafm
mopidy-soundcloud
];
settings = {
audio.output = "pulsesink server=127.0.0.1";
local = {
media_dir = "/home/coolneng/Music";
directories = ''
Album Artists local:directory?type=artist&role=albumartist
Albums local:directory?type=album
Artists local:directory?type=artist
Genres local:directory?type=genre
'';
excluded_file_extensions = ''
.directory
.html
.jpeg
.jpg
.log
.nfo
.png
.txt
'';
scan_timeout = 3000;
};
mpd.zeroconf = "";
m3u = {
playlists_dir = "/home/coolneng/.config/mpd/playlists";
base_dir = "/home/coolneng/Music";
};
youtube = {
search_results = 50;
youtube_dl_package = "yt_dlp";
musicapi_enabled = true;
};
somafm = {
encoding = "aac";
quality = "highest";
};
soundcloud = {
auth_token = soundcloud_token;
explore_songs = 100;
};
bandcamp.identity = bandcamp_token;
}; };
}; };
} }
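Review bot: `tcp.anonymousClients.allowedIpRanges = [ "127.0.0.1" ]` lets every local process and user reach the PulseAudio server over TCP without the authentication cookie, and that covers capture from the microphone as well as playback. As far as the two-column rendering shows, the new side of this module configures no client that needs the TCP socket (the comment mentions mopidy, but the `services.mopidy` block appears to be on the other side). Either drop the `tcp` block until that consumer exists, or state the reason next to it, for example `# Unauthenticated TCP, loopback ACL only: required by the system-wide mopidy service`. Whether the listener is bound to loopback is not visible here; the ACL filters by source address only.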


@@ -1,13 +0,0 @@
# WARN: this file will get overwritten by $ cachix use <name>
{ pkgs, lib, ... }:
let
folder = ../cachix;
toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in
{
inherit imports;
nix.binaryCaches = [ "https://cache.nixos.org/" ];
}


@@ -1,30 +1,44 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
{ {
# ZFS automatic snapshots # ZFS automatic backup solution
services.zfs.autoSnapshot = { services.znapzend = {
enable = true; enable = true;
frequent = 4; autoCreation = true;
hourly = 24; features = {
daily = 7; compressed = true;
weekly = 4; recvu = true;
monthly = 12; };
zetup = {
"syscea/state/root" = {
plan = "1d=>1h,1m=>1d,1y=>1m";
recursive = true;
mbuffer = true;
destinations.remote = {
host = "coolneng@zion";
dataset = "syscea/root";
};
};
"syscea/state/home" = {
plan = "1d=>1h,1m=>1d,1y=>1m";
recursive = true;
mbuffer = true;
destinations.remote = {
host = "coolneng@zion";
dataset = "syscea/home";
};
};
};
}; };
# Syncthing configuration # Syncthing configuration
services.syncthing = { services.syncthing = {
enable = true; enable = true;
user = "coolneng";
dataDir = "/home/coolneng"; dataDir = "/home/coolneng";
settings = { declarative = {
devices.zion = { devices = {
id = "FLI2RS7-GNI5PDM-SQRNF7P-YJIOXJ7-46FRPEI-NRLQGBC-HXRWG7O-RKOVLAF"; zion = { id = "XABIMVG-K5RKMAF-KNC33AR-TDAVEGK-GHUIVFD-NIFCX6L-6PQXRM5-KLK2PAU"; };
addresses = [ "tcp://192.168.128.2:22000" ];
}; };
folders = { folders = {
Documents = { Documents = {
@@ -33,7 +47,9 @@
devices = [ "zion" ]; devices = [ "zion" ];
versioning = { versioning = {
type = "simple"; type = "simple";
params.keep = "5"; params = {
keep = "5";
};
}; };
}; };
@@ -43,7 +59,9 @@
devices = [ "zion" ]; devices = [ "zion" ];
versioning = { versioning = {
type = "simple"; type = "simple";
params.keep = "5"; params = {
keep = "5";
};
}; };
}; };
@@ -61,36 +79,11 @@
Projects = { Projects = {
id = "cjhmu-avy9v"; id = "cjhmu-avy9v";
type = "sendonly";
path = "/home/coolneng/Projects"; path = "/home/coolneng/Projects";
devices = [ "zion" ]; devices = [ "zion" ];
}; };
Phone = {
id = "m2007j20cg_vc7r-photos";
type = "receiveonly";
path = "/home/coolneng/Photos/Phone";
devices = [ "zion" ];
};
Phone-screenshots = {
id = "pp70r-pbr70";
type = "receiveonly";
path = "/home/coolneng/Photos/Phone-screenshots";
devices = [ "zion" ];
};
Files = {
id = "tsk52-u6rbk";
path = "/home/coolneng/Files";
devices = [ "zion" ];
};
Audio = {
id = "tarrs-5mxck";
path = "/home/coolneng/Audio";
devices = [ "zion" ];
}; };
}; };
}; };
};
} }
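Review bot: The two `zetup` keys name `syscea/state/root` and `syscea/state/home`, while the hardware-configuration.nix section of this same page mounts `syscea/stateful/root` and `syscea/stateful/home`. Unless datasets exist under both names, znapzend has no source dataset to snapshot and the machine has no off-host backup even though the service is enabled. The keys should presumably read `"syscea/stateful/root" = {` and `"syscea/stateful/home" = {`. `autoCreation = true;` appears to concern the destination side, so it would not compensate for a wrong source name. A restore test after the first run would confirm that snapshots actually arrive on `zion`.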


@@ -1,36 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
# Improve nix-shell and direnv integration
environment.pathsToLink = [ "/share/nix-direnv" ];
programs.direnv.enable = true;
# Set up podman
virtualisation = {
containers.enable = true;
containers.storage.settings.storage = {
driver = "zfs";
graphroot = "/var/lib/containers/storage";
runroot = "/run/containers/storage";
};
oci-containers.backend = "podman";
podman = {
enable = true;
dockerCompat = true;
extraPackages = with pkgs; [ zfs ];
};
};
# Run unpatched binaries with Nix
programs.nix-ld.enable = true;
# Embedded development with PlatformIO
services.udev.packages = with pkgs; [ platformio ];
}


@@ -1,103 +1,61 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
with pkgs;
{ {
# Display manager # Display manager
services.greetd = { services.xserver.enable = true;
services.xserver.displayManager = {
defaultSession = "sway";
sddm = {
enable = true;
autoLogin = {
enable = true; enable = true;
settings = rec {
initial_session = {
command = "${sway}/bin/sway";
user = "coolneng"; user = "coolneng";
}; };
default_session = initial_session;
}; };
}; };
# Window manager # Window manager
programs.sway = { programs.sway = {
enable = true; enable = true;
extraPackages = [ extraPackages = with pkgs; [
xwayland xwayland
swaylock swaylock
swayidle
swaybg swaybg
rofi rofi
waybar waybar
cliphist clipman
wl-clipboard
grim grim
slurp slurp
swayimg brillo
imv
kanshi kanshi
kitty redshift-wlr
qt5.qtwayland
glib
]; ];
extraSessionCommands = '' extraSessionCommands = ''
export MOZ_ENABLE_WAYLAND=1 export MOZ_ENABLE_WAYLAND=1
export MOZ_USE_XINPUT2=1 export MOZ_DBUS_REMOTE=1
export GRIM_DEFAULT_DIR=/home/coolneng/Photos/Screenshots export GRIM_DEFAULT_DIR=/home/coolneng/Photos/Screenshots
export _JAVA_AWT_WM_NONREPARENTING=1 export _JAVA_AWT_WM_NONREPARENTING=1
export QT_QPA_PLATFORM=wayland
export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
export SDL_VIDEODRIVER=wayland export SDL_VIDEODRIVER=wayland
export XDG_SESSION_TYPE=wayland
export XDG_CURRENT_DESKTOP=sway
export NVIM_LISTEN_ADDRESS=/tmp/nvimsocket
export GIT_CONFIG_NOSYSTEM=true
export SYSTEMD_LESS=FRSMK
export WLR_RENDERER=vulkan
''; '';
wrapperFeatures.gtk = true;
}; };
# Backlight
programs.light.enable = true;
# Blue light filter # Blue light filter
location.provider = "geoclue2";
services.redshift = { services.redshift = {
package = pkgs.redshift-wlr;
enable = true; enable = true;
package = gammastep;
executable = "/bin/gammastep";
temperature = { temperature = {
day = 6500; day = 6500;
night = 5300; night = 5000;
}; };
}; };
location = {
# GPG agent latitude = 35.89;
programs.gnupg.agent = { longitude = -5.32;
enable = true;
pinentryPackage = pinentry-gnome3;
}; };
# Tmux # Bar
programs.tmux = { programs.waybar.enable = true;
enable = true;
historyLimit = 5000;
keyMode = "vi";
shortcut = "x";
terminal = "screen-256";
baseIndex = 1;
};
# Integrate pass with the browser
programs.browserpass.enable = true;
programs.firefox.enable = true;
# Enable WebRTC screensharing
xdg.portal = {
enable = true;
wlr.enable = true;
};
# Allow dbus to communicate with storage devices
services.udisks2.enable = true;
} }
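Review bot: `sddm.autoLogin` for `coolneng` starts the sway session with no login prompt, and the modules/home.nix section of this page puts that user in `wheel`, so the only authentication before an administrator-capable desktop is the ZFS passphrase requested at boot. That trade-off is common on a single-user encrypted laptop, but it should be recorded where it is made, for example `# Autologin: the interactive ZFS unlock at boot is the only login gate`. This section also does not show the session being locked on idle or suspend, which autologin makes more important. Separately, `latitude = 35.89;` and `longitude = -5.32;` publish a location in the repository; `location.provider = "geoclue2";` avoids hard-coding it.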


@@ -1,76 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
"nvme"
"xhci_pci"
"usbhid"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "syscea/stateful/root"; { device = "syscea/stateful/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nix" = { fileSystems."/nix" =
device = "syscea/ephemeral/nix"; { device = "syscea/ephemeral/nix";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/ugent" = { fileSystems."/tmp" =
device = "systemd-1"; { device = "syscea/ephemeral/tmp";
fsType = "autofs";
};
fileSystems."/home/coolneng" = {
device = "syscea/stateful/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/tmp" = { fileSystems."/home" =
device = "syscea/ephemeral/tmp"; { device = "syscea/stateful/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home/coolneng/Downloads" = { fileSystems."/boot" =
device = "syscea/stateful/home/downloads"; { device = "/dev/disk/by-uuid/4AED-6F54";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/C374-A2FD";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/1231a42f-a71a-4c67-b4d8-7506c02a8328"; } [ { device = "/dev/disk/by-uuid/29d26e6a-b421-41c3-9826-76e4da00e3bb"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

128
modules/home.nix Normal file

@@ -0,0 +1,128 @@
{ config, lib, pkgs, ... }:
# Doom emacs overlay
let
doom-emacs = pkgs.callPackage (builtins.fetchTarball {
url = https://github.com/vlaci/nix-doom-emacs/archive/master.tar.gz;
}) {
doomPrivateDir = ./doom.d;
};
home-manager = builtins.fetchGit {
url = "https://github.com/rycee/home-manager.git";
rev = "";
};
in
{
imports = [
(import "${home-manager}/nixos")
];
# User packages
home.packages = [
# Text editors
doom-emacs
pkgs.neovim
# Terminals
pkgs.tmux
pkgs.tmuxp
# Development
pkgs.git
pkgs.direnv
pkgs.lorri
];
# Create coolneng user
users.users.coolneng = {
isNormalUser = true;
home = "/home/coolneng";
extraGroups = [ "wheel" "video" "audio" ];
shell = "/run/current-system/sw/bin/fish";
};
# Enable home manager
programs.home-manager.enable = true;
# Terminal emulator
programs.kitty = {
enable = true;
font.name = "Go Mono 11";
settings = {
repaint_delay = 30;
input_delay = 10;
enable_audio_bell = false;
foreground = "#c6c8d1";
background = "#161821";
color0 = "#161821";
color8 = "#6b7089";
color1 = "#e27878";
color9 = "#e98989";
color2 = "#b4be82";
color10= "#c0ca8e";
color3 = "#e2a478";
color11= "#e9b189";
color4 = "#84a0c6";
color12= "#91acd1";
color5 = "#a093c7";
color13= "#ada0d3";
color6 = "#89b8c2";
color14= "#95c4ce";
color7 = "#c6c8d1";
color15= "#d2d4de";
};
};
# Shell
home.sessionVariables = {
# fff colors [0-9]
FFF_COL1 = 4;
FFF_COL2 = 8;
# fff favourites;
FFF_FAV1 = "$HOME/Documents/Uni";
FFF_FAV2 = "$HOME/Documents/Papers";
FFF_FAV3 = "$HOME/Documents/Books/Academic";
FFF_FAV4 = "$HOME/Documents/Education";
};
programs.fish = {
enable = true;
shellAbbrs = {
la = "ls -lA";
f = "fff";
vim = "nvim";
};
shellAliases = {
wlan = "iw dev wlp2s0 scan | grep SSID";
bc = "bc -l";
docker = "podman";
docker-compose = "podman-compose";
};
plugins = [
{
name = "colored-man";
src = builtins.fetchGit {
name = "fish-colored-man";
url = "https://github.com/decors/fish-colored-man";
rev = "c1e9db7765c932587b795d6c8965e9cff2fd849a";
};
}
{
name = "prompt-theme";
src = builtins.fetchGit {
name = "fish-colored-man";
url = "https://github.com/oh-my-fish/theme-nai";
rev = "9616e644e95fe79eb59b8c9d77fe44b9f096db2f";
};
}
];
};
# Emacs startup
home.file.".emacs.d/init.el".text = ''
(load "default.el")
'';
}
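Review bot: Both fetches in the `let` block are unpinned: `builtins.fetchTarball` pulls nix-doom-emacs from `archive/master.tar.gz` with no `sha256`, and the home-manager `builtins.fetchGit` carries `rev = "";`, which pins nothing (it presumably either fails or resolves to the branch head). Whatever those branches hold at evaluation time is what gets built, and the home-manager tree is then imported as a NixOS module, so it is evaluated as part of the system configuration. The two fish plugins further down already pin a full `rev`; the same should apply here, e.g. `url = "https://github.com/vlaci/nix-doom-emacs/archive/<commit-sha>.tar.gz"; sha256 = "<hash>";` and `rev = "<commit-sha>";` (placeholders, to be filled from the revisions actually reviewed). The bare URL literal on the `fetchTarball` line is also better written as a quoted string. Separately, the second plugin's fetch reuses `name = "fish-colored-man"` for the theme-nai repository, which looks like a copy-paste slip.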


@@ -1,28 +0,0 @@
{
lib,
pkgs,
config,
...
}:
let
isUnstable = config.boot.zfs.package == pkgs.zfs_unstable;
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (
(!isUnstable && !kernelPackages.zfs.meta.broken)
|| (isUnstable && !kernelPackages.zfs_unstable.meta.broken)
)
) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in
{
# Note this might jump back and worth as kernel get added or removed.
boot.kernelPackages = lib.mkIf (lib.meta.availableOn pkgs.hostPlatform pkgs.zfs) latestKernelPackage;
}


@@ -1,63 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with pkgs;
let
sender = "akasroua@disroot.org";
recipient = "akasroua+smart@disroot.org";
in
{
# Notify when a disk starts going haywire
services.smartd = {
enable = true;
defaults.monitored = "-H -f -t -C 197 -U 198 -d nvme";
autodetect = false;
devices = [ { device = "/dev/nvme0"; } ];
notifications.mail = {
enable = true;
sender = sender;
recipient = recipient;
mailer = "${msmtp}/bin/msmtp -t --read-envelope-from";
};
};
# Notify about zpool problems
services.zfs.zed = {
enableMail = false;
settings = {
ZED_EMAIL_ADDR = [ "root" ];
ZED_EMAIL_PROG = "${msmtp}/bin/msmtp";
ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@";
};
};
# HACK Use an alias to use msmtp instead of the ZED mailer
environment.etc.aliases.text = ''
root: ${recipient}
'';
# Set up msmtp as notifier
programs.msmtp = {
enable = true;
defaults = {
auth = true;
aliases = "/etc/aliases";
port = 587;
tls = true;
};
accounts = {
default = {
host = "disroot.org";
user = "akasroua@disroot.org";
passwordeval = "${coreutils}/bin/cat ${config.age.secrets.msmtp.path}";
};
};
};
}


@@ -1,158 +1,41 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let
wireguard_port = "1194";
in
{ {
# Set hostname, hostid and enable WiFi environment.systemPackages = with pkgs; [
avahi
wireguard
];
# Set hostname and hostid
networking = { networking = {
hostName = "panacea"; hostName = "panacea";
hostId = "8feb0bb8"; hostId = "8feb0bb8";
wireless.iwd.enable = true; wireless = {
};
# Enable systemd-networkd
networking = {
useDHCP = false;
interfaces = {
enp0s31f6.useDHCP = true;
wlan0.useDHCP = true;
};
useNetworkd = true;
dhcpcd.enable = false;
};
systemd.network.wait-online.enable = false;
# Enable mDNS
services.resolved = {
enable = true; enable = true;
llmnr = "false"; };
extraConfig = ''
MulticastDNS=yes
'';
}; };
# Prioritize ethernet over WiFi # Enable zeroconf
systemd.network.networks."40-enp0s31f6" = { services.avahi = {
dhcpV4Config.RouteMetric = 10;
networkConfig.MulticastDNS = "yes";
};
systemd.network.networks."40-wlan0" = {
dhcpV4Config.RouteMetric = 20;
networkConfig.MulticastDNS = "yes";
};
# Static IP for home network
systemd.network.networks."24-home" = {
name = "wlan0";
matchConfig = {
Name = "wlan0";
SSID = "anakinosi-5GHz";
};
address = [ "192.168.129.3/23" ];
gateway = [ "192.168.128.1" ];
dns = [ "192.168.128.2" ];
networkConfig.MulticastDNS = "yes";
};
systemd.network.networks."25-home" = {
name = "wlan0";
matchConfig = {
Name = "wlan0";
SSID = "Aminkas-5Ghz";
};
address = [ "192.168.13.3/24" ];
gateway = [ "192.168.13.1" ];
dns = [ "1.1.1.1" ];
networkConfig.MulticastDNS = "yes";
};
# VPN setup
systemd.network.netdevs."wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
ListenPort = wireguard_port;
PrivateKeyFile = config.age.secrets.wireguard.path;
FirewallMark = 34952;
};
wireguardPeers = [
{
PublicKey = "GN8lqPBZYOulh6xD4GhkoEWI65HMMCpSxJSH5871YnU=";
AllowedIPs = [
"0.0.0.0/0"
"::0"
];
Endpoint = "psydnd.org:1194";
}
];
};
systemd.network.networks."wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
Address = [
"10.8.0.2/32"
"fd00::2/128"
];
DNS = [
"10.8.0.1"
"fd00::2"
];
DNSDefaultRoute = true;
};
routingPolicyRules = [
{
FirewallMark = 34952;
InvertRule = true;
Table = 1000;
Priority = 10;
}
];
routes = [
{
Gateway = "10.8.0.1";
GatewayOnLink = true;
Table = 1000;
}
];
};
# Firewall configuration
networking.firewall = {
allowedTCPPorts = [
9090 # Calibre Wireless
];
allowedUDPPorts = [
54982 # Calibre Wireless
5353 # mDNS
];
# Allow wireguard traffic
extraCommands = ''
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN
'';
extraStopCommands = ''
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN || true
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN || true
'';
};
# Enable localhost SSH
services.openssh = {
enable = true; enable = true;
openFirewall = false; nssmdns = true;
startWhenNeeded = true; };
settings = {
PermitRootLogin = "without-password"; # Wireguard setup
PasswordAuthentication = false; networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.8.0.4/32" ];
privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
peers = [
# zion
{
publicKey = "GN8lqPBZYOulh6xD4GhkoEWI65HMMCpSxJSH5871YnU=";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "coolneng.duckdns.org:1194";
persistentKeepalive = 25;
}
];
}; };
}; };
} }
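Review bot: `privateKeyFile = "/home/coolneng/.wg/keys/privatekey";` keeps the WireGuard private key inside the user's home directory, where it is owned by the login account and is included in anything that snapshots or backs up the home dataset. A root-owned file outside `/home` (placeholder: `/etc/wireguard/<key-file>`, mode 0600) or a secrets-managed path narrows who can read it. In the same peer, `allowedIPs = [ "0.0.0.0/0" ];` routes only IPv4 through the tunnel, so on a network that hands out IPv6 that traffic would bypass the VPN; adding `"::/0"` together with an IPv6 entry in `ips` closes that, assuming the peer supports it. This section is rendered with the old and new columns merged, so both points are read from the right-hand side of those lines.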


@@ -1,128 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with pkgs;
let
isync-oauth2 = (isync.override { withCyrusSaslXoauth2 = true; });
in
{
# Upgrade Doom Emacs daily
systemd.user.services.doom-upgrade = {
description = "Upgrade Doom Emacs";
path = [
bash
emacs-vterm
git
coreutils
];
script = ''
/home/coolneng/.emacs.d/bin/doom -! upgrade
'';
serviceConfig.Type = "oneshot";
startAt = "22:00:00";
after = [ "network-online.target" ];
};
# Push password-store changes to git daily
systemd.user.services.password-store-push = {
description = "Push password-store changes to git";
path = [
pass-wayland
git
pass-git-helper
];
script = "${pkgs.pass-wayland}/bin/pass git push";
serviceConfig.Type = "oneshot";
startAt = "18:00:00";
after = [ "network-online.target" ];
};
# Sync mail using IMAP IDLE
systemd.user.services.goimapnotify = {
description = "Sync mail using IMAP IDLE";
wantedBy = [ "default.target" ];
path = [
goimapnotify
pass-wayland
isync-oauth2
mu
procps
emacs-vterm
];
script = ''
${pkgs.goimapnotify}/bin/goimapnotify -conf /home/coolneng/.config/goimapnotify/goimapnotify.yaml
'';
serviceConfig = {
ExecStartPre = "/home/coolneng/.local/share/scripts/mail-sync";
Type = "simple";
Restart = "always";
RestartSec = 20;
};
after = [ "network-online.target" ];
};
# Do a full mail sync periodically
systemd.user.services.periodic-mail-sync = {
description = "Run a mail sync operation periodically";
wantedBy = [ "default.target" ];
path = [
pass-wayland
isync-oauth2
mu
procps
emacs-vterm
python3
gnupg
nix
];
script = ''
/home/coolneng/.local/share/scripts/mail-sync -a
'';
after = [ "network-online.target" ];
startAt = "*-*-* *:00,30:00";
};
# HACK Change home partition permissions for mopidy
systemd.services.chmod-home = {
description = "Change home partition permissions for Mopidy";
wantedBy = [ "default.target" ];
script = "chmod 751 /home/coolneng";
serviceConfig.Type = "oneshot";
after = [ "home-coolneng.mount" ];
before = [
"mopidy.service"
"mopidy-scan.service"
];
};
# Push panacea changes to git daily
systemd.user.services.panacea-push = {
description = "Push panacea changes to git";
path = [
pass-wayland
git
pass-git-helper
];
script = "${pkgs.git}/bin/git -C /home/coolneng/Projects/panacea push";
serviceConfig.Type = "oneshot";
startAt = "18:00:00";
after = [ "network-online.target" ];
};
# Show notification when the battery is low
systemd.user.services.swaynag-battery = {
description = "Show notification when the battery is low";
path = [
swaynag-battery
sway
];
script = "${pkgs.swaynag-battery}/bin/swaynag-battery --threshold 10";
wantedBy = [ "sway-session.target" ];
};
}


@@ -1,16 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
# Enable power-profiles-daemon
services.power-profiles-daemon.enable = true;
# Suspend when the battery is critical
services.udev.extraRules = ''
SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{model_name}=="01AV405", ATTR{capacity}=="[0-5]", RUN+="${config.systemd.package}/bin/systemctl suspend -i"
'';
}


@@ -1,23 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
# Enable CUPS
services.printing = {
enable = true;
drivers = with pkgs; [
brgenml1cupswrapper
hplip
];
};
# Enable SANE
hardware.sane = {
enable = true;
brscan4.enable = true;
};
}


@@ -1,134 +1,31 @@
{ config, lib, pkgs, ... }:
{ {
config, environment.systemPackages = with pkgs; [
lib,
pkgs,
inputs,
...
}:
with pkgs;
let
custom-mpv = (
mpv-unwrapped.wrapper {
mpv = mpv-unwrapped;
scripts = with mpvScripts; [
sponsorblock-minimal
mpv-cheatsheet
];
}
);
patched-bitwig = bitwig-studio.overrideAttrs (old: rec {
src = "${inputs.local-bitwig}/bitwig-studio.deb";
postInstall = ''
cp -r ${inputs.local-bitwig}/bitwig.jar $out/libexec/bin/bitwig.jar
'';
});
in
{
environment.systemPackages = [
# Monitoring # Monitoring
htop htop
acpi
# Password management # Password management
gnupg
pass-wayland pass-wayland
passff-host passff-host
pass-git-helper gitAndTools.pass-git-helper
inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
git-crypt
git-lfs
# Browsers # Browsers
ungoogled-chromium firefox
chromium
# LaTeX # LaTeX
texlive.combined.scheme-full texlive.combined.scheme-full
pandoc pandoc
texlab # Declarative user config
# Text editors home-manager
neovim
emacs-vterm
# Emacs dependencies
(ripgrep.override { withPCRE2 = true; })
fd
clang
coreutils
# Terminals
tmux
tmuxp
fish
# Development
git
direnv
nix-direnv
gnumake
pre-commit
emacs-lsp-booster
# Rice
adapta-gtk-theme
paper-icon-theme
# Audio
mopidy
ncmpcpp
mpc
pulsemixer
easyeffects
patched-bitwig
# Productivity
zathura
libreoffice-fresh
simple-scan
bc
pdfgrep
# Mail stack
mu
(isync.override { withCyrusSaslXoauth2 = true; })
msmtp
# Media
gimp
custom-mpv
deluge
yt-dlp-light
ffmpeg
calibre
beets
# File management
zip
unzip
unar
# Overlays
cachix
# Budgeting
beancount
beancount-language-server
fava
# Programming tools
## Shell
shellcheck
shfmt
## Nix
nixfmt-rfc-style
## Python
ty
ruff
## C/C++
clang-tools
## Go
gopls
gotests
gore
golangci-lint
]; ];
# Fonts declaration # Fonts declaration
fonts.packages = with pkgs; [ fonts = {
fonts = with pkgs; [
google-fonts google-fonts
terminus_font_ttf siji
iosevka-bin cherry
libertine iosevka
nerd-fonts.inconsolata
nerd-fonts.symbols-only
]; ];
};
} }


@@ -1,8 +0,0 @@
#!/bin/sh
wifi_backup() {
zip /tmp/iwd-networks.zip /var/lib/iwd
scp /tmp/iwd-networks.zip zion:/vault/backups/panacea/iwd
}
wifi_backup


@@ -1,69 +0,0 @@
#!/bin/sh
partition_disk() {
parted "$DISK" -- mklabel gpt
parted "$DISK" -- mkpart ESP fat32 1MiB 512MiB
parted "$DISK" -- mkpart primary 512MiB 100%
parted "$DISK" -- set 1 boot on
mkfs.fat -F32 -n BOOT "$DISK"p1
}
zfs_setup() {
zpool create -f -o ashift=13 -o autotrim=on -O acltype=posixacl -O relatime=on \
-O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
-O canmount=off -O devices=off -R /mnt -O compression=zstd -O encryption=aes-256-gcm \
-O keyformat=passphrase -O keylocation=prompt syscea "$DISK"p2
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false syscea/ephemeral
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false syscea/ephemeral/nix
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off syscea/ephemeral/tmp
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false syscea/stateful
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true syscea/stateful/home
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false syscea/stateful/home/downloads
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false syscea/stateful/root
zfs create -V 6G -b "$(getconf PAGESIZE)" -o compression=zle -o logbias=throughput -o sync=always \
-o primarycache=metadata -o secondarycache=none -o com.sun:auto-snapshot=false syscea/ephemeral/swap
mkswap -f /dev/zvol/syscea/ephemeral/swap && swapon /dev/zvol/syscea/ephemeral/swap
}
mount_datasets() {
mount -t zfs syscea/stateful/root /mnt
mkdir -p /mnt/boot
mount "$DISK"p1 /mnt/boot
mkdir -p /mnt/home/coolneng
mount -t zfs syscea/stateful/home /mnt/home/coolneng
mkdir -p /mnt/home/coolneng/Downloads
mount -t zfs syscea/stateful/home/downloads /mnt/home/coolneng/Downloads
mkdir -p /mnt/nix
mount -t zfs syscea/ephemeral/nix /mnt/nix
mkdir -p /mnt/tmp
mount -t zfs syscea/ephemeral/tmp /mnt/tmp
}
install_system() {
nixos-generate-config --root /mnt
sed -i "s/\${soundcloud_token}/PLACEHOLDER/" modules/audio.nix
mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
nix-shell -p git nixFlakes --command "nixos-install --root /mnt --flake .#panacea"
}
usage() {
echo "Usage: install.sh <disk>"
echo "disk: full path to the disk (e.g. /dev/sda)"
exit 1
}
if [ $# != 1 ]; then
usage
fi
DISK="$1"
echo "Let's start by partitioning the disk"
partition_disk
echo "Starting up the ZFS machinery"
zfs_setup
echo "Mounting the horse"
mount_datasets
echo "Lift off to the NixOS planet"
install_system
echo "All ready, time to rejoice"

Binary file not shown.


@@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 G5UUhw yZ6q0+opG1dPd+bziS6EK4Da2R1HI4SN5CNZTFR0NFI
xx6fet9CzAuWdwEzQrR7qc6DJZDPUM+Ug995OHJnO+w
-> -ENU/-grease sB@d>Z >aJ<En""
rUSbcqOSzKWJRomQ8uqM0L1wq1OeKtmbAXRtDhisJcSIg82+eIF2jwf8Id7tMEyk
KrTfLHN7Ts9b/duzBrM9FDqm6pE9DqxUp652Tyo9ENa/
--- 07ccdiEaTyEPofLC2xPqYeF3lkMMFiAM2g1MKqv2pwc
<20><>+4<>/ǃTR٠<52><D9A0><EFBFBD><EFBFBD>ym<79>*<18>p<EFBFBD><70>~<7E><> E<>g5v<35>ʽ<13>Pn'<27><>i<01><>><3E><><EFBFBD>^$R<>P<14><>zS<1E>!<<3C><><EFBFBD><EFBFBD>><3E><><1F>#<23><>Ϟ<><CF9E>h<EFBFBD><01><>


@@ -1,8 +0,0 @@
let
coolneng = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC57m1j/G6iQyi2EpU3nj3+df5Z4PL/XbiOmDcqA7ODg";
in
{
"wireguard.age".publicKeys = [ coolneng ];
"syncthing.age".publicKeys = [ coolneng ];
"msmtp.age".publicKeys = [ coolneng ];
}

Binary file not shown.

Binary file not shown.


@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 G5UUhw ORYEDFD+GUYWiTOhOgjFNa/SQ7DGPIdDFXTUnYkjKUg
4oM7eE8cg15T8gbHBNOa/oB97SCaSANd7/7vM6+EbNc
-> ",?]B-grease #sF Zg_{'
P+bwL7YflfWA4f9LRIM
--- O+3vZIjCS6xIQwO/fwmdfeMcFqBCpQWTe9UltdlXx5o
<EFBFBD>]?<3F><18>w><17><><EFBFBD><EFBFBD>ͯ<EFBFBD>8sn<73><6E><EFBFBD>"_<01><><EFBFBD><EFBFBD>@4<>w<EFBFBD>c<11><04><>W<10><>N<EFBFBD><4E><EFBFBD><EFBFBD>x<19>e<EFBFBD>~<7E>O<EFBFBD><4F><EFBFBD><EFBFBD>P<EFBFBD>!<21>~1<><31>>