TFC/tfc-nixos
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into 'main'

Browse source 
The basic setup of tfc's nixos base

See merge request chriscochrun/tfc-nixos!1
This commit is contained in:
Chris Cochrun 2023-01-27 20:44:56 +00:00
parent a87b4fcfc0 7210c8d8b1
commit 594975aa03
7 changed files with 785 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

117
chris/home.nix Normal file
View file

@ -0,0 +1,117 @@
{ config, lib, pkgs, ... }:
{
# Home Manager needs a bit of information about you and the
# paths it should manage.
home.username = "chris";
home.homeDirectory = "/home/chris";
# This value determines the Home Manager release that your
# configuration is compatible with. This helps avoid breakage
# when a new Home Manager release introduces backwards
# incompatible changes.
#
# You can update Home Manager without changing this value. See
# the Home Manager release notes for a list of state version
# changes in each release.
home.stateVersion = "21.11"; # Did you read the comment?
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
programs.git = {
enable = true;
userName = "Chris Cochrun";
userEmail = "chris@cochrun.xyz";
};
home.packages = with pkgs; [
];
# home.file.".config/fish/config.fish" = {
# source = ../fish/config.fish;
# };
# home.file.".config/fish/functions" = {
# source = ../fish/functions;
# };
programs.nushell = {
enable = true;
};
# home.file.".config/macchina" = {
# source = ../macchina;
# recursive = true;
# };
home.file."bin" = {
source = ../scripts;
recursive = true;
};
home.shellAliases = {
ls = "exa -l";
la = "exa -la";
mkdir = "mkdir -pv";
nupd = "update-nix";
nupg = "upgrade-nix";
suspend = "systemctl suspend";
sysuse = "systemctl --user";
myip = "curl icanhazip.com";
nixs = "nix search nixpkgs";
ytd = "yt-dlp -o ~/Videos/%(title)s.%(ext)s";
};
programs.starship = {
enable = true;
enableBashIntegration = true;
};
programs.bash = {
enable = true;
bashrcExtra = ''
# export ENV_EFI_CODE_SECURE=/run/libvirt/nix-ovmf/OVMF_CODE.fd ENV_EFI_VARS_SECURE=/run/libvirt/nix-ovmf/OVMF_VARS.fd
if [[ $TERM != "dumb" && (-z $INSIDE_EMACS || $INSIDE_EMACS == "vterm") ]]; then
source $(blesh-share)
ble-face auto_complete="fg=238"
fi
# eval "$(starship init bash)"
export LESS_TERMCAP_mb=$'\e[1;32m'
export LESS_TERMCAP_md=$'\e[1;32m'
export LESS_TERMCAP_me=$'\e[0m'
export LESS_TERMCAP_se=$'\e[0m'
export LESS_TERMCAP_so=$'\e[01;33m'
export LESS_TERMCAP_ue=$'\e[0m'
export LESS_TERMCAP_us=$'\e[1;4;31m'
'';
};
programs.zsh = {
enable = true;
enableAutosuggestions = true;
enableCompletion = true;
enableSyntaxHighlighting = true;
autocd = true;
dotDir = ".config/zsh";
shellAliases = {
ls = "exa -l";
la = "exa -la";
mpf = "mpv --profile=fast";
mps = "mpv --profile=slow";
ec = "emacsclient -t";
ecc = "emacsclient -c";
mkdir = "mkdir -pv";
nupd = "update-nix";
nupg = "upgrade-nix";
suspend = "systemctl suspend";
sysuse = "systemctl --user";
myip = "curl icanhazip.com";
};
initExtra = ''
macchina
'';
};
}

177
flake.lock Normal file
View file

@ -0,0 +1,177 @@
{
"nodes": {
"extra-container": {
"inputs": {
"flake-utils": [
"nix-bitcoin",
"flake-utils"
],
"nixpkgs": [
"nix-bitcoin",
"nixpkgs"
]
},
"locked": {
"lastModified": 1671802034,
"narHash": "sha256-mkv2u5nQJEV3KlWiopkt/gMz0OM4nmEXSfzkSw6welQ=",
"owner": "erikarvstedt",
"repo": "extra-container",
"rev": "e34f0cca15f6f0f2e598dad0b329196d0dab6d4f",
"type": "github"
},
"original": {
"owner": "erikarvstedt",
"repo": "extra-container",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1674771519,
"narHash": "sha256-U0W3S1nX6yEvLh3Vq70EORbmXecAKXfmEfCfaA4A+I8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "bb4b25b302dbf0f527f190461b080b5262871756",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "master",
"repo": "home-manager",
"type": "github"
}
},
"nix-bitcoin": {
"inputs": {
"extra-container": "extra-container",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
},
"locked": {
"lastModified": 1673175426,
"narHash": "sha256-kMaXo7VDVZPUoKsJ1aJI2owBsbE4RevFEHoI045bXII=",
"owner": "fort-nix",
"repo": "nix-bitcoin",
"rev": "dfeff7b17b0c231fa9d0c7415045547671d980f6",
"type": "github"
},
"original": {
"owner": "fort-nix",
"ref": "release",
"repo": "nix-bitcoin",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1672844754,
"narHash": "sha256-o26WabuHABQsaHxxmIrR3AQRqDFUEdLckLXkVCpIjSU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e9ade2c8240e00a4784fac282a502efff2786bdc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1672756850,
"narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "298add347c2bbce14020fcb54051f517c391196b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable_2": {
"locked": {
"lastModified": 1674641431,
"narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1674781052,
"narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
"nix-bitcoin": "nix-bitcoin",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable_2"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

45
flake.nix Normal file
View file

@ -0,0 +1,45 @@
{
description = "The Flake";
inputs = {
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
home-manager = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-bitcoin = {
url = "github:fort-nix/nix-bitcoin/release";
};
};
outputs = { nixpkgs, nixpkgs-unstable, home-manager, nix-bitcoin, ... }:
let
system = "x86_64-linux";
username = "chris";
pkgsForSystem = import nixpkgs {
inherit system;
config = { allowUnfree = true; };
};
lib = nixpkgs.lib;
# unstable = nixpkgs;
in {
nixosConfigurations = {
shen = lib.nixosSystem {
inherit system;
pkgs = pkgsForSystem;
modules = [
./system/configuration.nix
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.chris = import ./chris/home.nix;
}
];
};
};
};
}

6
scripts/update-nix Executable file
View file

@ -0,0 +1,6 @@
#!/bin/sh
currentdir=$(pwd)
cd ~/conf
nix flake update
nix flake lock
cd $currentdir

5
scripts/upgrade-nix Executable file
View file

@ -0,0 +1,5 @@
#!/bin/sh
currentdir=$(pwd)
cd ~/conf
nixos-rebuild --use-remote-sudo switch --verbose --impure --flake .#
cd $currentdir

390
system/configuration.nix Normal file
View file

@ -0,0 +1,390 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, lib, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
nix = {
extraOptions = "experimental-features = nix-command flakes";
package = pkgs.nixFlakes;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 20d";
};
settings = {
auto-optimise-store = true;
};
};
system.autoUpgrade = {
enable = true;
dates = "02:00";
allowReboot = true;
flake = "${config.users.users.chris.home}/conf";
flags = [ "--update-input" "nixpkgs" "--commit-lock-file" ];
};
nixpkgs.config.allowUnFree = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "shen"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "America/Chicago";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable CUPS to print documents.
services.printing = {
enable = true;
drivers = [pkgs.gutenprint];
browsing = true;
listenAddresses = [ "*:631" ]; # Not 100% sure this is needed and you might want to restrict to the local network
allowFrom = [ "all" ]; # this gives access to anyone on the interface you might want to limit it see the official documentation
defaultShared = true; # If you want
extraConf = ''
DefaultEncryption Never
'';
};
services.avahi = {
enable = true;
publish.enable = true;
publish.userServices = true;
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
rocm-opencl-icd
rocm-opencl-runtime
amdvlk
];
driSupport = lib.mkDefault true;
driSupport32Bit = lib.mkDefault true;
#extraPackages32 = with pkgs; [
# driversi686linux.amdvlk
#];
};
environment.variables.AMD_VULKAN_ICD = lib.mkDefault "RADV";
environment.homeBinInPath = true;
programs.fish.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.users.chris = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
yt-dlp
bat
ripgrep
ffmpeg-full
rsync
dutree
tmux
git
samba
exa
jq
fd
bc
sysstat
procs
btop
htop
#nvtop
glxinfo
vulkan-tools
pciutils
blesh
];
virtualisation.docker.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.fstrim.enable = true;
# CADDY
services.caddy = {
enable = true;
extraConfig = ''
(matrix-well-known-header) {
# Headers
header Access-Control-Allow-Origin "*"
header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
header Content-Type "application/json"
}
'';
virtualHosts = {
"bitwarden.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:9898
encode gzip
'';
};
virtualHosts = {
"staff.tfcconnection.org".extraConfig = ''
encode gzip
reverse_proxy localhost:8080
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
header {
Strict-Transport-Security "max-age=15768000; includeSubDomains; reload;"
Access-Control-Allow-Origin *
Referrer-Policy no-referrer-when-downgrade
}
redir /.well-known/oidc-configuration /apps/oidc/openid-configuration 301
'';
};
virtualHosts = {
"office.tfcconnection.org".extraConfig = ''
encode gzip
@collabora {
path /hosting/discovery # WOPI discovery URL
path /hosting/capabilities # Show capabilities as json
path /cool/* # Main websocket, uploads/downloads, presentations
path /cool/adminws # Main websocket, uploads/downloads, presentations
path /browser # Main websocket, uploads/downloads, presentations
}
reverse_proxy https://127.0.0.1:9980 {
transport http {
tls_insecure_skip_verify
}
}
'';
};
virtualHosts = {
"table.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:8181
'';
};
virtualHosts = {
"app.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:8686
'';
};
virtualHosts = {
"test.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:8880
'';
};
virtualHosts = {
"n8n.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:5678
header {
Access-Control-Allow-Origin *
}
'';
};
virtualHosts = {
"videosdani.tfcconnection.org".extraConfig = ''
@live {
protocol rtmps
}
reverse_proxy 172.16.1.7:9000
reverse_proxy @live 172.16.1.7:1935
'';
};
virtualHosts = {
"streamdani.tfcconnection.org".extraConfig = ''
reverse_proxy 172.16.1.7:1935
'';
};
virtualHosts = {
"tbl.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:9180
'';
};
virtualHosts = {
"ytdl.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:8686
'';
};
virtualHosts = {
"mail.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:8443
'';
};
virtualHosts = {
"data.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:8055
'';
};
virtualHosts = {
"photos.tfcconnection.org".extraConfig = ''
reverse_proxy localhost:2342
'';
};
virtualHosts = {
"new.tfcconnection.org".extraConfig = ''
encode gzip
root * /srv/tfcconnection
file_server
header {
Access-Control-Allow-Origin *
}
'';
};
virtualHosts = {
"tfcconnection.org".extraConfig = ''
encode gzip
root * /srv/tfcconnection
file_server
header {
Access-Control-Allow-Origin *
}
handle /.well-known/matrix/server {
import matrix-well-known-header
respond `{"m.server":"matrix.tfcconnection.org"}`
}
handle /.well-known/matrix/client {
import matrix-well-known-header
respond `{"m.homeserver":{"base_url":"https://matrix.tfcconnection.org"},"m.identity_server":{"base_url":"https://identity.matrix.org"},"im.vector.riot.jitsi": {
"preferredDomain": "jitsi.tfcconnection.org"
}}`
}
'';
};
virtualHosts = {
"www.tfcconnection.org".extraConfig = ''
encode gzip
root * /srv/tfcconnection
file_server
header {
Access-Control-Allow-Origin *
}
'';
};
virtualHosts = {
"plausible.tfcconnection.org".extraConfig = ''
encode gzip
reverse_proxy 127.0.0.1:8000
'';
};
virtualHosts = {
"sd.tfcconnection.org".extraConfig = ''
encode gzip
reverse_proxy 172.16.1.7:7860
header {
Access-Control-Allow-Origin *
}
'';
};
};
systemd.services = {
nextcloud-cron = {
enable = true;
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.docker}/bin/docker exec -u www-data -d nextcloud-app-1 php cron.php";
};
};
nextcloud-push = {
enable = true;
serviceConfig = {
Environment = "PORT=7867";
ExecStart = "${pkgs.docker}/bin/docker exec -u www-data -d nextcloud-app-1 /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push /var/www/html/config/config.php";
};
};
nextcloud-previews = {
enable = true;
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.docker}/bin/docker exec -u www-data -d nextcloud-app-1 php occ preview:pre-generate";
};
};
};
systemd.timers = {
nextcloud-cron = {
enable = true;
partOf = ["nextcloud-cron.service"];
timerConfig = {
OnStartupSec = "2min";
OnUnitActiveSec = "5min";
Unit = "nextcloud-cron.service";
};
wantedBy = [ "timers.target" ];
};
nextcloud-previews = {
enable = true;
partOf = ["nextcloud-previews.service"];
timerConfig = {
OnCalendar = "*-*-* 00:00:30";
Unit = "nextcloud-previews.service";
};
wantedBy = [ "timers.target" ];
};
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}

45
system/hardware-configuration.nix Normal file
View file

@ -0,0 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelModules = [ "kvm-intel" "radeon.si_support=0" "amdgpu.si_support=1" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/33a4619f-a37c-4ab8-a6ea-fdf612b45657";
fsType = "btrfs";
options = [ "subvol=@" "noatime" "nodiratime" "compress=zstd" ];
};
fileSystems."/storage" =
{ device = "/dev/disk/by-label/STORAGE";
fsType = "btrfs";
options = [ "noatime" "nodiratime" "compress=zstd" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/515E-CB13";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/764d7116-eba7-4404-b175-be756a7e53f6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}