noa/nixconf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixconf/hosts/nuos/configuration.nix
Noa Aarts 6de609324c
remove borked key
2025-11-12 16:06:54 +01:00

466 lines
13 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
modulesPath,
pkgs,
inputs,
lib,
config,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
inputs.home-manager.nixosModules.default
./disk-config.nix
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./home-assistant.nix
./nginx.nix
../../common
];
# LOVE me some blob
hardware.enableRedistributableFirmware = true;
hardware.enableAllFirmware = true;
networking = {
hostName = "nuOS"; # Define your hostname.
networkmanager.enable = true; # Easiest to use and most distros use this by default.
};
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Define a user account. Don't forget to set a password with passwd.
users.defaultUserShell = pkgs.zsh;
users.groups.disqalculate = { };
users.users = {
disqalculate = {
isSystemUser = true;
group = "disqalculate";
};
noa = {
isNormalUser = true;
extraGroups = [
"networkmanager"
"wheel"
"docker"
"libvirt"
];
hashedPassword = "$6$rounds=512400$g/s4dcRttXi4ux6c$Z6pKnhJXcWxv0TBSMtvJu5.piETdUBSgBVN7oDPKiQV.lbTYz1r.0XQLwMYxzcvaaX0DL6Iw/SEUTiC2M50wC/";
openssh.authorizedKeys.keys = import ../../common/ssh-keys.nix;
};
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment = {
systemPackages = with pkgs; [
git
zsh
];
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
programs.zsh.enable = true;
home-manager = {
extraSpecialArgs = {
inherit inputs;
};
users = {
"noa" = (import ../../common/home) {
enableFlut = true;
};
"root" = import ./root.nix;
};
};
systemd.timers."update-from-flake" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 05:00:00";
Persistent = true;
};
};
nix = {
settings = {
builders-use-substitutes = true;
};
};
systemd.services =
let
ap =
{
lib,
appimageTools,
fetchurl,
nix-update-script,
extraPackages ? [ ],
}:
let
pname = "archipelago";
version = "0.6.2";
src = fetchurl {
url = "https://github.com/ArchipelagoMW/Archipelago/releases/download/${version}/Archipelago_${version}_linux-x86_64.AppImage";
hash = "sha256-DdlfHb8iTCfTGGBUYQeELYh2NF/2GcamtuJzeYb2A5M=";
};
appimageContents = appimageTools.extractType2 { inherit pname version src; };
in
appimageTools.wrapType2 {
inherit pname version src;
extraPkgs =
pkgs:
[
pkgs.xsel
pkgs.xclip
pkgs.mtdev
]
++ extraPackages;
extraInstallCommands = ''
install -Dm444 ${appimageContents}/archipelago.desktop -t $out/share/applications
substituteInPlace $out/share/applications/archipelago.desktop \
--replace-fail 'opt/Archipelago/ArchipelagoLauncher' "archipelago"
cp -r ${appimageContents}/usr/share/icons $out/share
'';
passthru.updateScript = nix-update-script { };
meta = {
description = "Multi-Game Randomizer and Server";
homepage = "https://archipelago.gg";
changelog = "https://github.com/ArchipelagoMW/Archipelago/releases/tag/${version}";
license = lib.licenses.mit;
mainProgram = "archipelago";
maintainers = with lib.maintainers; [ pyrox0 ];
platforms = lib.platforms.linux;
};
};
archipelago = pkgs.callPackage ap { };
world = "AP_78826017969466809374.zip";
in
{
"archipelago" =
let
script = pkgs.writeShellScript "archipelago-server" ''
${archipelago}/bin/archipelago MultiServer -- /home/noa/Archipelago/output/${world}
'';
in
{
enable = false;
serviceConfig = {
Type = "simple";
User = "noa";
ExecStart = "${script}";
BindPaths = [
"/home/noa/Archipelago"
"/home/noa/.local/share/Archipelago/"
];
Restart = "always";
};
wants = [
"network-online.target"
];
after = [
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
};
"update-from-flake" = {
path = with pkgs; [
git
];
serviceConfig = {
Type = "exec";
User = "root";
ExecStart = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --flake github:itepastra/nixconf";
ExecStopPost = ''shutdown -r +5 "Preparing update finished, rebooting..."'';
};
wants = [
"network-online.target"
];
after = [
"network-online.target"
];
restartIfChanged = false;
};
"flurry" = {
enable = (import ./toggles.nix).enableFlurry;
description = "Pixelflut server";
serviceConfig = {
ExecStart = "${
inputs.flurry.packages.${pkgs.system}.default.overrideAttrs (
finalAttrs: previousAttrs: {
patches = [
(pkgs.fetchpatch2 {
name = "flurry-server-config.patch";
url = "https://github.com/itepastra/flurry/commit/db6019fd1a9b363b090f2fc093d0267a37c0d6ff.patch";
hash = "sha256-EoIjx2kN8hDrN7vLc4FyWp7JqOHIgYFR1V3NVdoDtsw=";
})
];
}
)
}/bin/flurry";
ExecStop = "pkill flurry";
Restart = "on-failure";
};
wants = [
"network-online.target"
];
after = [
"network-online.target"
];
wantedBy = [ "default.target" ];
};
"disqalculate" = {
enable = true;
wants = [
"network-online.target"
];
after = [
"network-online.target"
];
wantedBy = [ "default.target" ];
restartTriggers = [ inputs.disqalculate.packages.${pkgs.system}.default ];
serviceConfig = {
Type = "simple";
ExecStart = "${inputs.disqalculate.packages.${pkgs.system}.default}/bin/disqalculate";
ExecStop = "${pkgs.busybox}/bin/pkill disqalculate";
RuntimeDirectory = "disqalculate";
RootDirectory = "/run/disqalculate";
User = "disqalculate";
NoNewPrivileges = true;
ProtectHome = true;
ProtectProc = "noaccess";
ProcSubset = "pid";
ProtectClock = true;
ProtectKernelLogs = true;
ProtectSystem = "strict";
ProtectHostname = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
RestrictAddressFamilies = "AF_INET";
ProtectKernelTunables = true;
RestrictNamespaces = true;
CapabilityBoundingSet = "";
EnvironmentFile = config.age.secrets."discord/disqalculate".path;
BindReadOnlyPaths = [
"/nix/store"
"/etc/ssl"
"/etc/static/ssl"
"/etc/resolv.conf"
"/bin/sh"
];
Restart = "always";
RestartSec = 10;
TimeoutStopSec = 10;
};
unitConfig = {
StartLimitInterval = 400;
StartLimitBurst = 30;
};
};
};
virtualisation = {
docker = {
enable = true;
};
libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
};
};
};
age = {
identityPaths = [ "${config.users.users.noa.home}/.ssh/id_ed25519" ];
secrets = {
"secrets/token-flurry".file = ../../secrets/github/flurry.age;
"secrets/token-anstml".file = ../../secrets/github/anstml.age;
"secrets/token-nixconf".file = ../../secrets/github/nixconf.age;
"discord/disqalculate".file = ../../secrets/discord/disqalculate.age;
"factorio/solrunners".file = ../../secrets/factorio/solrunners.age;
"authentik/env".file = ../../secrets/authentik/env.age;
"rsecrets/radicale" = {
file = ../../secrets/radicale/htpasswd.age;
owner = "radicale";
group = "radicale";
};
};
};
services = {
factorio = {
enable = true;
# package = pkgs.factorio-headless.override {
# versionsJson = ./versions.json;
# };
package = pkgs.factorio-headless;
openFirewall = true;
public = true;
nonBlockingSaving = true;
game-name = "Solrunners - Space Age";
description = "Running from the sun into space";
admins = [ "itepastra" ];
extraSettingsFile = config.age.secrets."factorio/solrunners".path;
};
openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
forgejo = {
enable = false;
settings = {
DEFAULT = {
APP_NAME = "OaGit";
APP_SLOGAN = "Noa's personal git";
RUN_MODE = "dev";
};
server = {
DOMAIN = "git.geenit.nl";
HTTP_PORT = 2929;
ROOT_URL = "https://git.geenit.nl";
};
service.DISABLE_REGISTRATION = true;
};
database = {
type = "postgres";
};
};
radicale = {
enable = true;
settings = {
server.hosts = [ "[::1]:29341" ];
auth = {
type = "htpasswd";
htpasswd_filename = config.age.secrets."rsecrets/radicale".path;
htpasswd_encryption = "bcrypt";
};
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "noa@voorwaarts.nl";
certs = lib.mkMerge [
({
"noa.voorwaarts.nl".extraDomainNames = [
"images.noa.voorwaarts.nl"
"maintenance.noa.voorwaarts.nl"
"map.noa.voorwaarts.nl"
];
"git.geenit.nl" = { };
"itepastra.nl".extraDomainNames = [
"locked.itepastra.nl"
"calendar.itepastra.nl"
"home.itepastra.nl"
]
++ [
(lib.mkIf (import ./toggles.nix).enableFlurry "flurry.itepastra.nl")
];
})
(lib.mkIf (import ./toggles.nix).enableQubitQuilt {
"qq.geenit.nl" = { };
})
];
};
stylix = {
enable = true;
autoEnable = true;
base16Scheme = "${pkgs.base16-schemes}/share/themes/dracula.yaml";
targets.plymouth.enable = false;
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
22 # ssh
80 # http
443 # https
8443 # nifi
7791 # flurry
25565 # minecraft
24454 # minecraft (voice)
22000 # syncthing
38281 # archipelago
];
networking.firewall.allowedUDPPorts = [
22 # ssh
80 # http
443 # https
22000 # syncthing
21027 # syncthing
];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}
Reference in a new issue View git blame Copy permalink