commit 9003080a64f50292574402b1391f692cf3382108 Author: derped Date: Tue Feb 26 13:44:40 2019 +0100 Fresh repo without sensitive data. diff --git a/config/default.nix b/config/default.nix new file mode 100644 index 0000000..331fe6c --- /dev/null +++ b/config/default.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +let + cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix"); +in { + imports = [ + ./etc.nix + ./locale.nix + ./networking.nix + ./nix.nix + ./users.nix + ./zsh.nix + ] ++ (if cfg.conf.networking.hostName != "Ophanim" then [./fonts.nix] else [./security.nix]); +} diff --git a/config/etc.nix b/config/etc.nix new file mode 100644 index 0000000..818814f --- /dev/null +++ b/config/etc.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +{ + environment.etc = { + "i3/config".source = ./etc/i3/config; + "i3/py3status".source = ./etc/i3/py3status; + "mpv/input.conf".source = ./etc/mpv/input.conf; + "mpv/mpv.conf".source = ./etc/mpv/mpv.conf; + "youtube-dl.conf".source = ./etc/youtube-dl.conf; + }; + + environment.variables = { + EDITOR="emacsclient -ca nano"; + NIXPKGS_ALLOW_UNFREE="1"; + WINEDLLOVERRIDES="winemenubuilder.exe=d"; + LC_CTYPE="zh_CN.UTF-8"; + }; +} diff --git a/config/etc/gitconfig b/config/etc/gitconfig new file mode 100644 index 0000000..11ee9fd --- /dev/null +++ b/config/etc/gitconfig @@ -0,0 +1,15 @@ +[user] + name = derped + email = derped@ophanim.de + +[alias] + get = clone --recursive + blame = -w -M + update = !git pull && git submodule update --init --recursive + comma = commit --amend + uncommit = reset --soft HEAD^ + pr = !"pr() { git fetch origin pull/$1/head:pr-$1; git checkout pr-$1; }; pr" + pru = !"pr() { git fetch upstream pull/$1/head:pr-$1; git checkout pr-$1; }; pr" + backport = cherry-pick -x + reset-pr = reset --hard FETCH_HEAD + publish = !git pull && git push 
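Review bot: The machine lookup `cfg = import ("/etc/nixos/machines/" + … (builtins.readFile /etc/hostname) … + "/configuration.nix")` in config/default.nix is copied verbatim into config/networking.nix, config/users.nix and the top-level configuration.nix, so evaluation depends four times on the live host's /etc/hostname and on the checkout living at /etc/nixos, and it fails under restricted or pure evaluation in every copy. The branch `if cfg.conf.networking.hostName != "Ophanim" then [./fonts.nix] else [./security.nix]` also ties two unrelated concerns to one hostname string: security.nix is only ever selected as the fallback of a font decision. Evaluate the lookup once in configuration.nix and pass the result to the modules (e.g. `_module.args.machine = cfg;`), and replace the hostname comparison with an explicit role flag declared in machines/*/configuration.nix, such as `conf.isServer`, so that the server hardening is imported because the machine is a server rather than because it is not the one with fonts.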
diff --git a/config/etc/i3/config b/config/etc/i3/config new file mode 100644 index 0000000..c276129 --- /dev/null +++ b/config/etc/i3/config 
@@ -0,0 +1,279 @@ +# i3 config file (v4) +# +# Please see http://i3wm.org/docs/userguide.html for a complete reference! + +### INIT xfce session stuff ### +exec redshift-gtk -l 51.0504:13.7373 + +### START USER CONFIG ### +set $mod Mod4 +workspace "HDMI" output HDMI1 +workspace_auto_back_and_forth yes +new_window pixel +hide_edge_borders both + +exec setxkbmap de +#exec compton -f +exec feh --bg-scale Pictures/wallpaper.jpg +#exec pulseaudio -D +#exec fcitx +#exec env=LC_CTYPE=zh_CN.UTF-8 emacs --daemon +#exec conky -c $HOME/.my_little_conky/.conkyrc +#exec xsnow -nosanta -norudolf -notrees +#exec $LOCK + +### END USER CONFIG ### + +### START USER PROGRAMMS ### + +### END USER PROGRAMMS ### + +### START SYSKEY BINDSYM ### + +bindsym XF86AudioPlay exec playerctl play +bindsym XF86AudioPause exec playerctl pause +bindsym XF86AudioNext exec playerctl next +bindsym XF86AudioPrev exec playerctl previous + +bindsym $mod+Mod1+space exec playerctl play-pause +bindsym $mod+Mod1+Right exec playerctl next +bindsym $mod+Mod1+Left exec playerctl previous + +bindsym $mod+Shift+w sticky toggle +### END SYSKEY BINDSYM ### + + +### START BINDSYM ### + +bindsym $mod+b border toggle +bindsym $mod+m bar mode toggle +bindsym $mod+y move container to output left +bindsym $mod+x move container to output right +bindsym $mod+Shift+y move workspace to output left +bindsym $mod+Shift+x move workspace to output right +bindsym $mod+minus exec amixer -c 0 sset Master 1%- +bindsym $mod+plus exec amixer -c 0 sset Master 1%+ +bindsym $mod+Mod1+minus exec amixer -D pulse sset Master 1%- +bindsym $mod+Mod1+plus exec amixer -D pulse sset Master 1%+ +bindsym $mod+Shift+minus exec xbacklight -5 +bindsym $mod+Shift+plus exec xbacklight +5 +bindsym $mod+Ctrl+0 exec xbacklight -set 0 +bindsym $mod+Ctrl+1 exec xbacklight -set 10 +bindsym $mod+Ctrl+2 exec xbacklight -set 20 +bindsym $mod+Ctrl+3 exec xbacklight -set 30 +bindsym $mod+Ctrl+4 exec xbacklight -set 40 +bindsym $mod+Ctrl+5 exec xbacklight -set 50 
+bindsym $mod+Ctrl+6 exec xbacklight -set 60 +bindsym $mod+Ctrl+7 exec xbacklight -set 70 +bindsym $mod+Ctrl+8 exec xbacklight -set 80 +bindsym $mod+Ctrl+9 exec xbacklight -set 90 +bindsym $mod+p move scratchpad +bindsym $mod+Shift+p scratchpad show +bindsym --release $mod+Shift+S exec scrot +bindsym --release $mod+Ctrl+S exec "scrot --select" +bindsym $mod+o exec pcmanfm + + +### END BINDSYM ### + +### START MODES ### + +mode "ACPI Events" { + bindsym p exec systemctl poweroff; mode "default" + bindsym h exec systemctl hibernate; mode "default" + bindsym s exec systemctl suspend; mode "default" + bindsym r exec systemctl reboot; mode "default" + bindsym h exec systemctl halt; mode "default" + bindsym e exec systemctl exit; mode "default" + bindsym l exec $LOCK; mode "default" + + bindsym Return mode "default" + bindsym Escape mode "default" +} + +mode "Power Mode"{ + bindsym s exec xbacklight -set 5; exec rfkill block all ; exec xset -b +dpms; mode "default" + bindsym p exec xbacklight -set 100; exec rfkill unblock all; exec xset -dpms; mode "default" + + bindsym Return mode "default" + bindsym Escape mode "default" +} + +mode "No Keybinds" { + bindsym $mod+Shift+Escape mode "default" +} + +bindsym $mod+F12 mode "ACPI Events" +bindsym $mod+F11 mode "No Keybinds" +bindsym $mod+F10 mode "Power Mode" + +### END MODES ### + +# Font for window titles. Will also be used by the bar unless a different font +# is used in the bar {} block below. +#font pango:monospace 8 +#font pango:System San Francisco Display 8 + +# This font is widely installed, provides lots of unicode glyphs, right-to-left +# text rendering and scalability on retina/hidpi displays (thanks to pango). +font pango:DejaVu Sans Mono 8 + +# Before i3 v4.8, we used to recommend this one as the default: +# font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1 +# The font above is very space-efficient, that is, it looks good, sharp and +# clear in small sizes. 
However, its unicode glyph coverage is limited, the old +# X core fonts rendering does not support right-to-left and this being a bitmap +# font, it doesn’t scale on retina/hidpi displays. + +# Use Mouse+$mod to drag floating windows to their wanted position +floating_modifier $mod + +# start a terminal +bindsym $mod+Shift+Return exec emacsclient -c +bindsym $mod+Return exec gnome-terminal + +# kill focused window +bindsym $mod+Shift+q kill + +# start dmenu (a program launcher) +#bindsym $mod+d exec rofi -show run -lines 3 -eh 2 -width 100 -padding 330 -opacity "85" -config ~/.config/rofi.cfg -font "System San Francisco Display 12" +bindsym $mod++d exec dmenu_run -fn 'Droid Sans Mono-8' +# There also is the (new) i3-dmenu-desktop which only displays applications +# shipping a .desktop file. It is a wrapper around dmenu, so you need that +# installed. +# bindsym $mod+d exec --no-startup-id i3-dmenu-desktop + +# change focus +bindsym $mod+j focus left +bindsym $mod+k focus down +bindsym $mod+l focus up +bindsym $mod+odiaeresis focus right +#bindsym $mod+semicolon focus right + +# alternatively, you can use the cursor keys: +bindsym $mod+Left focus left +bindsym $mod+Down focus down +bindsym $mod+Up focus up +bindsym $mod+Right focus right + +# move focused window +bindsym $mod+Shift+j move left +bindsym $mod+Shift+k move down +bindsym $mod+Shift+l move up +bindsym $mod+Shift+odiaeresis move right +#bindsym $mod+Shift+semicolon1 move right + +# alternatively, you can use the cursor keys: +bindsym $mod+Shift+Left move left +bindsym $mod+Shift+Down move down +bindsym $mod+Shift+Up move up +bindsym $mod+Shift+Right move right + +# split in horizontal orientation +bindsym $mod+h split h + +# split in vertical orientation +bindsym $mod+v split v + +# enter fullscreen mode for the focused container +bindsym $mod+f fullscreen toggle + +# change container layout (stacked, tabbed, toggle split) +bindsym $mod+s layout stacking +bindsym $mod+w layout tabbed +bindsym $mod+e 
layout toggle split + +# toggle tiling / floating +bindsym $mod+Shift+space floating toggle + +# change focus between tiling / floating windows +bindsym $mod+space focus mode_toggle + +# focus the parent container +bindsym $mod+a focus parent + +# focus the child container +#bindsym $mod+d focus child + +# switch to workspace +bindsym $mod+1 workspace 1 +bindsym $mod+2 workspace 2 +bindsym $mod+3 workspace 3 +bindsym $mod+4 workspace 4 +bindsym $mod+5 workspace 5 +bindsym $mod+6 workspace 6 +bindsym $mod+7 workspace 7 +bindsym $mod+8 workspace 8 +bindsym $mod+9 workspace 9 +bindsym $mod+0 workspace 10 + +# move focused container to workspace +bindsym $mod+Shift+1 move container to workspace 1 +bindsym $mod+Shift+2 move container to workspace 2 +bindsym $mod+Shift+3 move container to workspace 3 +bindsym $mod+Shift+4 move container to workspace 4 +bindsym $mod+Shift+5 move container to workspace 5 +bindsym $mod+Shift+6 move container to workspace 6 +bindsym $mod+Shift+7 move container to workspace 7 +bindsym $mod+Shift+8 move container to workspace 8 +bindsym $mod+Shift+9 move container to workspace 9 +bindsym $mod+Shift+0 move container to workspace 10 + +# reload the configuration file +bindsym $mod+Shift+c reload +# restart i3 inplace (preserves your layout/session, can be used to upgrade i3) +bindsym $mod+Shift+r restart +# exit i3 (logs you out of your X session) +bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -b 'Yes, exit i3' 'i3-msg exit'" + +# resize window (you can also use the mouse for that) +mode "resize" { + # These bindings trigger as soon as you enter the resize mode + + # Pressing left will shrink the window’s width. + # Pressing right will grow the window’s width. + # Pressing up will shrink the window’s height. + # Pressing down will grow the window’s height. 
+ bindsym j resize shrink width 10 px or 10 ppt + bindsym k resize grow height 10 px or 10 ppt + bindsym l resize shrink height 10 px or 10 ppt + bindsym semicolon resize grow width 10 px or 10 ppt + + # same bindings, but for the arrow keys + bindsym Left resize shrink width 10 px or 10 ppt + bindsym Down resize grow height 10 px or 10 ppt + bindsym Up resize shrink height 10 px or 10 ppt + bindsym Right resize grow width 10 px or 10 ppt + + # back to normal: Enter or Escape + bindsym Return mode "default" + bindsym Escape mode "default" +} + +bindsym $mod+r mode "resize" + +# Start i3bar to display a workspace bar (plus the system information i3status +# finds out, if available) +bar { + position top + status_command py3status -c /etc/i3/py3status + # status_command i3status + colors { + separator #586e75 + background #002b36 + statusline #aea79f + focused_workspace #586e75 #586e75 #ffffff + active_workspace #073642 #073642 #ffffff + inactive_workspace #002b36 #002b36 #aea79f + urgent_workspace #77216f #77216f #ffffff + } +} +client.focused #008666 #000000 #ffffff +client.focused_inactive #000000 #222222 #ffffff +client.unfocused #002b36 #333333 #ffffff #ffffff +client.urgent #aa0000 y#990000 #ffffff + +#client.focused #586e75 #586e75 #fdf6e3 #268bd2 +#client.focused_inactive #073642 #073642 #93a1a1 #002b36 +#client.unfocused #002b36 #002b36 #586e75 #002b36 +#client.urgent #dc322f #dc322f #fdf6e3 #dc322f diff --git a/config/etc/i3/py3status b/config/etc/i3/py3status new file mode 100644 index 0000000..2d257cf --- /dev/null +++ b/config/etc/i3/py3status 
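Review bot: In `mode "ACPI Events"`, `bindsym l exec $LOCK; mode "default"` uses a variable that is never defined with `set $LOCK …` anywhere in the file (the only other mention is the commented `#exec $LOCK`), so the lock key runs an empty command and the screen stays unlocked with no error shown; declare it once near the other `set` lines, e.g. `set $LOCK i3lock -c 000000`. The same mode binds `h` twice (`systemctl hibernate` and, four lines later, `systemctl halt`); i3 reports duplicate bindings and only one can fire, so one of them needs a different key. Two more lines will not load as written: `client.urgent #aa0000 y#990000 #ffffff` has a stray `y` in the second colour, and `bindsym $mod++d exec dmenu_run …` has a doubled `+` where the commented rofi line above uses `$mod+d`.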
@@ -0,0 +1,79 @@ +# i3status configuration file. +# see "man i3status" for documentation. + +# It is important that this file is edited as UTF-8. +# The following line should contain a sharp s: +# ß +# If the above line is not correctly displayed, fix your editor first! + +general { +# output_format = "dzen2" + colors = true + interval = 1 + +} + +order += "group network" +order += "disk /" +order += "dpms" +order += "load" +order += "volume_status" +order += "group tz" + +group network { + format = "{output}" + button_next = 1 + button_previous = 2 + wireless _first_ { + format_up = "W: (%quality at %essid) %ip" + format_down = "W: down" + } + + ethernet _first_ { + # if you use %speed, i3status requires root privileges + format_up = "E: %ip (%speed)" + format_down = "E: down" + } +} + +group tz { + format = "{output}" + button_next = 1 + button_previous = 2 + tztime local { + format = "GER %Y-%m-%d %H:%M:%S" + timezone = "Europe/Berlin" + } + + tztime PRC { + format = "PRC %Y-%m-%d %H:%M:%S" + timezone = "Asia/Shanghai" + } + + tztime UTC { + format = "UTC %Y-%m-%d %H:%M:%S" + timezone = "Etc/UTC" + } + + tztime PST { + format = "PST %Y-%m-%d %H:%M:%S" + timezone = "PST8PDT" + } + uptime { + format = "{weeks}:{days}:{hours}:{minutes}:{seconds}" + } +} + +volume_status { + button_up = 4 + button_down = 5 + button_mute = 2 +} + +load { + format = "%1min" +} + +disk "/" { + format = "%avail" +} diff --git a/config/etc/mpv/input.conf b/config/etc/mpv/input.conf new file mode 100644 index 0000000..7e15c8e --- /dev/null +++ b/config/etc/mpv/input.conf @@ -0,0 +1,9 @@ +ALT+LEFT add video-pan-x -0.01 +ALT+DOWN add video-pan-y +0.01 +ALT+UP add video-pan-y -0.01 +ALT+RIGHT add video-pan-x +0.01 +ALT++ add video-zoom +0.1 +ALT+- add video-zoom -0.1 +ALT+0 cycle video-unscaled +ALT+m vf add mirror +MOUSE_BTN1 quit diff --git a/config/etc/mpv/mpv.conf b/config/etc/mpv/mpv.conf new file mode 100644 index 0000000..343d3e5 --- /dev/null +++ b/config/etc/mpv/mpv.conf 
@@ -0,0 +1,180 @@ +########### +# General # +########### + +input-ipc-server=/tmp/mpvsocket # listen for IPC on this socket +load-stats-overlay=yes # use local stats.lua +#save-position-on-quit # handled by a script + +fs +no-border # no window title bar +msg-module # prepend module name to log messages +msg-color # color log messages on terminal +#term-osd-bar # display a progress bar on the terminal +use-filedir-conf # look for additional config files in the directory of the opened file +#pause # no autoplay +keep-open # keep the player open when a file's end is reached +autofit-larger=100%x95% # resize window in case it's larger than W%xH% of the screen +#cursor-autohide-fs-only # don't autohide the cursor in window mode, only fullscreen +#input-media-keys=no # enable/disable OSX media keys +cursor-autohide=1000 # autohide the curser after 1s +prefetch-playlist=yes +load-unsafe-playlists=yes +force-seekable=yes + +screenshot-format=png +screenshot-png-compression=9 +screenshot-template='~/Desktop/%F (%P) %n' + +hls-bitrate=max # use max quality for HLS streams + +[ytdl-desktop] +profile-desc=cond:is_desktop() +ytdl-format=bestvideo[height<=?1080]+bestaudio/best + +[ytdl-laptop] +profile-desc=cond:is_laptop() +ytdl-format=bestvideo[height<=?1080][fps<=?30][vcodec!=?vp9][protocol!=http_dash_segments]+bestaudio/best + +[default] + + +#########c +# Cache # +######### + +# Configure the cache to be really big (multiple GBs) +# We have a lot of memory, so why not use it for something + +cache=auto +cache-default=4000000 # size in KB +cache-backbuffer=250000 # size in KB +demuxer-max-bytes=1147483647 # ~1 GiB in bytes +demuxer-seekable-cache=yes + +############# +# OSD / OSC # +############# + +osc=no + +#osd-level=1 # enable osd and display --osd-status-msg on interaction +#osd-duration=2500 # hide the osd after x ms +osd-status-msg='${time-pos} / ${duration}${?percent-pos: (${percent-pos}%)}${?frame-drop-count:${!frame-drop-count==0: Dropped: 
${frame-drop-count}}}\n${?chapter:Chapter: ${chapter}}' + +#osd-font='Source Sans Pro' +osd-font-size=32 +osd-color='#CCFFFFFF' # ARGB format +osd-border-color='#DD322640' # ARGB format +#osd-shadow-offset=1 # pixel width for osd text and progress bar +#osd-bar-align-y=0 # progress bar y alignment (-1 top, 0 centered, 1 bottom) +#osd-border-size=2 # size for osd text and progress bar +#osd-bar-h=2 # height of osd bar as a fractional percentage of your screen height +#osd-bar-w=60 # width of " " " + + +############# +# Subtitles # +############# + +sub-auto=fuzzy # external subs don't have to match the file name exactly to autoload +sub-file-paths-append=ass # search for external subs in these relative subdirectories +sub-file-paths-append=srt +sub-file-paths-append=sub +sub-file-paths-append=subs +sub-file-paths-append=subtitles +sub-file-paths-append=ENG +sub-file-paths-append=CHI + +demuxer-mkv-subtitle-preroll # try to correctly show embedded subs when seeking +embeddedfonts=yes # use embedded fonts for SSA/ASS subs +sub-fix-timing=no # do not try to fix gaps (which might make it worse in some cases) +sub-ass-force-style=Kerning=yes # allows you to override style parameters of ASS scripts +sub-use-margins +sub-ass-force-margins + +# the following options only apply to subtitles without own styling (i.e. not ASS but e.g. 
SRT) +sub-font="Source Sans Pro Semibold" +sub-font-size=36 +sub-color="#FFFFFFFF" +sub-border-color="#FF262626" +sub-border-size=3.2 +sub-shadow-offset=1 +sub-shadow-color="#33000000" +sub-spacing=0.5 + + +############# +# Languages # +############# + +slang=enm,en,eng,de,deu,ger # automatically select these subtitles (decreasing priority) +alang=ja,jp,jpn,en,eng,de,deu,ger # automatically select these audio tracks (decreasing priority) + + +######### +# Audio # +######### + +ao=pulse,alsa,jack +audio-file-auto=fuzzy # external audio doesn't has to match the file name exactly to autoload +audio-pitch-correction=yes # automatically insert scaletempo when playing with higher speed +volume-max=200 # maximum volume in %, everything above 100 results in amplification +volume=70 # default volume, 100 = unchanged +audio-channels=stereo + +################ +# Video Output # +################ + +# Active VOs (and some other options) are set conditionally +# See here for more information: https://github.com/wm4/mpv-scripts/blob/master/auto-profiles.lua +# on_battery(), is_laptop() and is_dektop() are my own additional functions imported from scripts/auto-profiles-functions.lua + +# Defaults for all profiles +profile=opengl-hq +vo=gpu +hwdec=vaapi-copy +vd-lavc-threads = 2 +video-aspect=16:9 +interpolation +video-sync=display-resample +deband=no +deinterlace=no +vf=lavfi="gradfun" +#scale=ewa_lanczossharp +scale=catmull_rom +cscale=spline64 +dscale=mitchell +#dscale-param1= +#dscale-param2= +tscale=sinc +scale-antiring=0 +cscale-antiring=0 +dither-depth=auto +correct-downscaling=yes +sigmoid-upscaling=yes +opengl-early-flush=no +opengl-pbo=no # "yes" may cause mpv to crash: https://github.com/mpv-player/mpv/issues/4988 +#icc-profile=~/.config/mpv/sufrace.icc + + +################################### +# Protocol Specific Configuration # +################################### + +[protocol.https] +cache=yes +user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:57.0) 
Gecko/20100101 Firefox/58.0' + +[protocol.http] +cache=yes +user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:57.0) Gecko/20100101 Firefox/58.0' + +[extension.flac] +video-aspect=no + + +######################## +# Plugin Configuration # +######################## diff --git a/config/etc/youtube-dl.conf b/config/etc/youtube-dl.conf new file mode 100644 index 0000000..077a3c0 --- /dev/null +++ b/config/etc/youtube-dl.conf @@ -0,0 +1,10 @@ +######################## +# /etc/youtube-dl.conf # +######################## +--add-metadata +--all-subs +--embed-subs +--embed-thumbnail +--audio-quality 0 +-f best +-o '%(playlist_index)s - %(title)s.%(ext)s' \ No newline at end of file diff --git a/config/fonts.nix b/config/fonts.nix new file mode 100644 index 0000000..9cd5e03 --- /dev/null +++ b/config/fonts.nix @@ -0,0 +1,27 @@ +{ pkgs, config, ... }: + +{ + fonts = { + enableFontDir = true; + enableGhostscriptFonts = true; + fontconfig = { + enable = true; + ultimate.enable = true; + includeUserConf = false; + }; + fonts = with pkgs; [ + corefonts # Microsoft free fonts + dejavu_fonts + inconsolata # monospaced + noto-fonts-cjk + powerline-fonts + source-han-sans-japanese + source-han-sans-korean + source-han-sans-simplified-chinese + source-han-sans-traditional-chinese + symbola + ubuntu_font_family + wqy_microhei + ]; + }; +} diff --git a/config/locale.nix b/config/locale.nix new file mode 100644 index 0000000..d2171ee --- /dev/null +++ b/config/locale.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, ... }: + +{ + i18n = { + consoleKeyMap = "de"; + defaultLocale = "en_US.UTF-8"; + + inputMethod = { + enabled = if config.services.xserver.enable then "fcitx" else null; + fcitx.engines = with pkgs.fcitx-engines; [ chewing mozc ]; + }; + }; +} diff --git a/config/networking.nix b/config/networking.nix new file mode 100644 index 0000000..d84a07c --- /dev/null +++ b/config/networking.nix 
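Review bot: `input-ipc-server=/tmp/mpvsocket` puts the JSON IPC socket at a fixed, predictable name in the shared /tmp directory, and that socket accepts the full command set (including `run`), so on a host with more than one local account another user can connect to a running player or pre-create the path; a location under the user's own directories, e.g. `input-ipc-server=~/.cache/mpv/socket`, keeps it private. `load-unsafe-playlists=yes` switches off the guard that stops a playlist fetched from the network from referencing local files or other protocols, and it applies globally, including under the `[protocol.http]`/`[protocol.https]` profiles below; if it is needed for a specific source, scope it to a profile. Minor: the comment on `demuxer-max-bytes=1147483647 # ~1 GiB in bytes` does not match the value (1 GiB is 1073741824; the value is about 1.07 GiB), and the `#########c` banner above the Cache section has a stray character.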
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
+in {
+ networking = {
+ hostName = cfg.conf.networking.hostName;
+ # should probably add some etc file for this....
+ firewall = {
+ enable = true;
+ allowPing = cfg.conf.networking.firewall.allowPing;
+ allowedUDPPorts = cfg.conf.networking.firewall.allowedUDPPorts;
+ allowedTCPPorts = cfg.conf.networking.firewall.allowedTCPPorts;
+ };
+ };
+}
diff --git a/config/nix.nix b/config/nix.nix
new file mode 100644
index 0000000..189245f
--- /dev/null
+++ b/config/nix.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ nix = {
+ maxJobs = 4;
+ buildCores = 1;
+ autoOptimiseStore = true;
+ sshServe.enable = false;
+ #sshServe.keys = [];
+ useSandbox = true;
+ extraOptions = ''
+ build-timeout = 86400 # 24 hours
+ '';
+ trustedBinaryCaches = [
+ "http://cache.nixos.org"
+ ];
+ binaryCaches = [
+ "http://cache.nixos.org"
+ ];
+ };
+}
diff --git a/config/security.nix b/config/security.nix
new file mode 100644
index 0000000..b1c36d9
--- /dev/null
+++ b/config/security.nix
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+ security = {
+ audit.enable = true;
+ auditd.enable = true;
+ hideProcessInformation = true;
+ };
+}
diff --git a/config/users.nix b/config/users.nix
new file mode 100644
index 0000000..2db311c
--- /dev/null
+++ b/config/users.nix
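Review bot: `binaryCaches` and `trustedBinaryCaches` in config/nix.nix both point at `"http://cache.nixos.org"` over plain HTTP; narinfo signatures still protect store-path integrity, but the cleartext transport exposes which derivations every machine fetches and gives up TLS as a second layer for no gain, since the cache has served HTTPS for years — both entries should read `"https://cache.nixos.org"`. `trustedBinaryCaches` only governs caches that unprivileged users may add on the command line, so listing the same URL that is already in `binaryCaches` is redundant and can be dropped.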
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
+in {
+ users = {
+ mutableUsers = false;
+ users.derped = {
+ isNormalUser = true;
+ home = "/home/derped";
+ createHome = true;
+ description = "";
+ group = "derped";
+ extraGroups = [ "audio" "wheel" "network" ] ++ (if cfg.conf.networking.hostName != "Ophanim" then ["input" "cups" "lp"] else []);
+ uid = 1337;
+ shell = "/run/current-system/sw/bin/zsh";
+ passwordFile = "/secret/derped";
+ openssh.authorizedKeys.keyFiles = (if cfg.conf.networking.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
+ };
+
+ groups.derped = {
+ name = "derped";
+ gid = 1337;
+ members = [ "derped" ];
+ };
+ };
+}
diff --git a/config/zsh.nix b/config/zsh.nix
new file mode 100644
index 0000000..56adc07
--- /dev/null
+++ b/config/zsh.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+ programs.zsh = {
+ enable = true;
+ autosuggestions.enable = true;
+ syntaxHighlighting.enable = true;
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "git" "python" "man" ];
+ theme = "gentoo";
+ };
+ };
+}
+
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..fa8fc01
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
+in {
+ imports = [
+ cfg.confPath
+ ./config/default.nix
+ ./pkgs/nixpkgs.nix
+ ./pkgs/pkgsets.nix
+ ./services/default.nix
+ ];
+}
diff --git a/machines/Leviathan/Leviathan.nix b/machines/Leviathan/Leviathan.nix
new file mode 100644
index 0000000..470313d
--- /dev/null
+++ b/machines/Leviathan/Leviathan.nix
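Review bot: With `mutableUsers = false;` the only interactive account depends entirely on `passwordFile = "/secret/derped";` existing at activation time, and nothing in the repository documents or checks that path; as far as I can tell the NixOS activation script only warns when the file is missing and then creates the user with no usable password, and on the two desktops there is no key-file fallback either because `openssh.authorizedKeys.keyFiles` is empty there, so a fresh install or a lost /secret directory locks out the sole `wheel` member. Guard it explicitly, e.g. `assertions = [ { assertion = builtins.pathExists "/secret/derped"; message = "/secret/derped (hashed password for derped) is missing"; } ];`, or at minimum add a comment on the `passwordFile` line stating how /secret is provisioned and that it must hold a hashed password, not plaintext.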
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = import ./configuration.nix;
+in {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ services = {
+ udev.extraRules = ''
+ SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
+ KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
+ '';
+ };
+
+ environment.systemPackages = with pkgs; [ xdiskusage ];
+
+ system.stateVersion = "18.09";
+}
diff --git a/machines/Leviathan/configuration.nix b/machines/Leviathan/configuration.nix
new file mode 100644
index 0000000..0efcb06
--- /dev/null
+++ b/machines/Leviathan/configuration.nix
@@ -0,0 +1,26 @@
+{
+ confPath = ./Leviathan.nix;
+ pkgs = [
+ "base"
+ "emacs"
+ "haskell"
+ "python3"
+ "rustpkgs"
+ "xpkgs"
+ ];
+ services = [
+ ../../services/openssh.nix
+ ../../services/xserver.nix
+ ];
+ conf = {
+ allowUnfree = true;
+ networking = {
+ hostName = "Leviathan";
+ firewall = {
+ allowPing = true;
+ allowedUDPPorts = [ 22 ];
+ allowedTCPPorts = [];
+ };
+ };
+ };
+}
diff --git a/machines/Leviathan/hardware-configuration.nix b/machines/Leviathan/hardware-configuration.nix
new file mode 100644
index 0000000..36a7444
--- /dev/null
+++ b/machines/Leviathan/hardware-configuration.nix
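Review bot: The udev rule `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"` makes every USB device from that vendor readable and writable by all local accounts, not just the seated user, and the identical rule is repeated in machines/Lilim/Lilim.nix. The adjacent `uinput` rule already shows the tighter pattern, so `MODE="0660", GROUP="input"` keeps access to the group the desktop user is placed in by config/users.nix (the `uaccess` tag would be the usual alternative, but rules from `services.udev.extraRules` are installed late in the rule order and that tag may not take effect there). Keep the rule text in one shared module — Lilim's configuration.nix already lists `../../services/udev.nix`, which looks like the intended home — instead of copying it per machine; and `cfg = import ./configuration.nix;` is unused in this file and can be dropped.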
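Review bot: `allowedUDPPorts = [ 22 ];` with `allowedTCPPorts = [];` opens UDP 22 while SSH only speaks TCP, so the entry admits nothing useful and leaves an unneeded UDP hole; either drop it (the openssh module listed under `services` for this machine opens its own TCP port in this NixOS release, as far as I can tell) or, if an explicit entry is wanted, make it `allowedTCPPorts = [ 22 ];`. machines/Ophanim/configuration.nix has the same pattern with `allowedUDPPorts = [ 22 80 443 ];`, where the UDP web ports are only meaningful if nginx actually serves HTTP/3.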
@@ -0,0 +1,65 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + + ]; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + cleanTmpDir = true; + kernelPackages = pkgs.linuxPackages_4_19; + initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "firewire_ohci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ]; + kernelModules = [ "kvm-intel" "wl" ]; + extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ]; + }; + + hardware = { + cpu.intel.updateMicrocode = true; + enableAllFirmware = true; + enableKSM = true; + opengl = { + driSupport = true; + extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]; + driSupport32Bit = true; + extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]; + }; + + pulseaudio = { + enable = true; + support32Bit = true; + package = pkgs.pulseaudioFull; + zeroconf.discovery.enable = false; + extraClientConf = '' + autospawn = no + ''; + }; + + bluetooth = { + enable = true; + powerOnBoot = true; + }; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/4f0a49f8-04f6-437c-ad5d-b0a82a7251ef"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/2860-11F4"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/c50ad046-8bfd-4248-8195-7a0d370b641f"; } + ]; + + powerManagement = { + enable = true; + cpuFreqGovernor = "powersave"; + }; + + time.timeZone = "Europe/Berlin"; +} diff --git a/machines/Lilim/Lilim.nix b/machines/Lilim/Lilim.nix new file mode 100644 index 0000000..1d51419 --- /dev/null +++ b/machines/Lilim/Lilim.nix 
@@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +let + cfg = import ./configuration.nix; +in { + imports = [ + ./hardware-configuration.nix + ]; + + services = { + gnome3.gnome-terminal-server.enable = true; + udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666" + KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput" + ''; + }; + + environment.systemPackages = with pkgs; [ surface-firmware xdiskusage ]; + + system.stateVersion = "18.09"; +} diff --git a/machines/Lilim/configuration.nix b/machines/Lilim/configuration.nix new file mode 100644 index 0000000..c6ca10a --- /dev/null +++ b/machines/Lilim/configuration.nix @@ -0,0 +1,30 @@ +{ + confPath = ./Lilim.nix; + pkgs = [ + "base" + "emacs" + "extra" + "cpp" + "haskell" + "mailutils" + "python3" + "rustpkgs" + "xpkgs" + ]; + services = [ + ../../services/xserver.nix + ../../services/udev.nix + ../../services/cups.nix + ]; + conf = { + allowUnfree = true; + networking = { + hostName = "Lilim"; + firewall = { + allowPing = true; + allowedUDPPorts = []; + allowedTCPPorts = []; + }; + }; + }; +} diff --git a/machines/Lilim/hardware-configuration.nix b/machines/Lilim/hardware-configuration.nix new file mode 100644 index 0000000..ec565e9 --- /dev/null +++ b/machines/Lilim/hardware-configuration.nix 
@@ -0,0 +1,66 @@ +{ config, lib, pkgs, ... }: + +let + surfacepkgs = import {}; +in { + imports = [ ]; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + cleanTmpDir = true; +# kernelPackages = pkgs.linuxPackages_surface; + kernelPackages = surfacepkgs.linuxPackages_surface; + initrd.kernelModules = [ "hid-multitouch" ]; + initrd.availableKernelModules = [ "hid-microsoft" "hid-multitouch" "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + kernelModules = [ "kvm-intel" "hid-microsoft" "hid-multitouch" "uinput" ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/8c3a5a07-9ee1-4154-9f3f-6abc379073aa"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/D2A2-C705"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + hardware = { + firmware = with pkgs; [ firmwareLinuxNonfree surface-firmware ]; + cpu.intel.updateMicrocode = true; + enableAllFirmware = true; + enableKSM = true; + opengl = { + driSupport = true; + extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]; + driSupport32Bit = true; + extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]; + }; + + pulseaudio = { + enable = true; + support32Bit = true; + package = pkgs.pulseaudioFull; + zeroconf.discovery.enable = false; + extraClientConf = '' + autospawn = no + ''; + }; + + bluetooth = { + enable = true; + powerOnBoot = true; + }; + }; + + powerManagement = { + enable = true; + cpuFreqGovernor = "powersave"; + }; + + time.timeZone = "Europe/Berlin"; +} diff --git a/machines/Ophanim/Ophanim.nix b/machines/Ophanim/Ophanim.nix new file mode 100644 index 0000000..bc38374 --- /dev/null +++ b/machines/Ophanim/Ophanim.nix 
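Review bot: `surfacepkgs = import {};` (the path argument looks lost in rendering, presumably `<nixpkgs>`) evaluates a second, unrelated copy of nixpkgs just to obtain `linuxPackages_surface`, so the kernel this machine boots depends on whichever `NIX_PATH` the person running nixos-rebuild has and bypasses the `linuxPackages_surface` override that pkgs/nixpkgs.nix defines — the route the commented `# kernelPackages = pkgs.linuxPackages_surface;` line directly above would have taken. If the override was abandoned because of an evaluation problem, record that in a comment next to the `let`; otherwise `kernelPackages = pkgs.linuxPackages_surface;` and dropping the extra import keeps the kernel pinned to the same package set as the rest of the system.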
@@ -0,0 +1,29 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ system.autoUpgrade.enable = false;
+
+# services.vsftp = {
+# enable = true;
+# ssl_sslv3 = true;
+# forceLocalDataSSL = true;
+# writeEnable = false;
+# userlist = [];
+# };
+ services.haveged.enable = true;
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "18.09";
+
+}
diff --git a/machines/Ophanim/configuration.nix b/machines/Ophanim/configuration.nix
new file mode 100644
index 0000000..73d8d8c
--- /dev/null
+++ b/machines/Ophanim/configuration.nix
@@ -0,0 +1,27 @@
+{
+ confPath = ./Ophanim.nix;
+ pkgs = [
+ "base"
+ "emacs"
+ "server"
+ ];
+ services = [
+ ../../services/gitea.nix
+ ../../services/hydra.nix
+ ../../services/mailserver.nix
+ ../../services/mariaDB.nix
+ ../../services/nginx.nix
+ ../../services/openssh.nix
+ ];
+ conf = {
+ allowUnfree = true;
+ networking = {
+ hostName = "Ophanim";
+ firewall = {
+ allowPing = false;
+ allowedUDPPorts = [ 22 80 443 ];
+ allowedTCPPorts = [ 80 443 5222 5269 ];
+ };
+ };
+ };
+}
diff --git a/machines/Ophanim/hardware-configuration.nix b/machines/Ophanim/hardware-configuration.nix
new file mode 100644
index 0000000..83fc558
--- /dev/null
+++ b/machines/Ophanim/hardware-configuration.nix
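Review bot: The commented `# services.vsftp = { … ssl_sslv3 = true; … }` block is a ready-to-uncomment FTP setup that would turn on SSLv3, a protocol broken since POODLE, and the option path is `services.vsftpd` (with a trailing d) in NixOS, so uncommenting it as written would fail evaluation rather than start anything. Delete the block instead of carrying it as a template; if FTP is ever needed on the server, a fresh `services.vsftpd` stanza with `forceLocalLoginsSSL`/`forceLocalDataSSL` and no legacy-protocol flag is the place to start.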
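Review bot: `allowedTCPPorts = [ 80 443 5222 5269 ];` exposes the XMPP client and server-to-server ports, but none of the modules listed under `services` (gitea, hydra, mailserver, mariaDB, nginx, openssh) is an XMPP server, so unless one of those files starts one the two ports are open for nothing on the internet-facing host. Either remove `5222 5269` or add a comment on that line naming the service that listens there, so the next reader can tell the exposure is intentional.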
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ];
+
+ boot = {
+ initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/sda"; # or "nodev" for efi only
+ };
+ };
+
+ time.timeZone = "Europe/Berlin";
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/fa0c2ff3-59f9-4c00-8153-c2c2ef0f0e84";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+}
diff --git a/pkgs/flat-remix/default.nix b/pkgs/flat-remix/default.nix
new file mode 100644
index 0000000..5b2dc25
--- /dev/null
+++ b/pkgs/flat-remix/default.nix
@@ -0,0 +1,15 @@
+{ stdenv, fetchFromGitHub, gtk-engine-murrine }:
+
+stdenv.mkDerivation {
+ version = "1.0";
+ name = "Flat-Remix-GTK";
+ src = fetchFromGitHub {
+ owner = "daniruiz";
+ repo = "Flat-Remix-GTK";
+ rev = "39fec3cb2da83a7959e2637365c1e61643bf9ae9";
+ sha256 = "0rfv75w9yr8drc3x9g4iz2cb88ixy1lqbflvmb7farw4dz74fk5f";
+ fetchSubmodules = true;
+ };
+ makeFlags = [ "PREFIX=$(out)" ];
+ propagatedUserEnvPkgs = [ gtk-engine-murrine ];
+}
diff --git a/pkgs/nixpkgs.nix b/pkgs/nixpkgs.nix
new file mode 100644
index 0000000..fce47e0
--- /dev/null
+++ b/pkgs/nixpkgs.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ mpv.vaapiSupport = true;
+
+ packageOverrides = pkgs: rec {
+ mu-git = pkgs.callPackage ./mu-git/default.nix {};
+ theme_flat-remix = pkgs.callPackage ./flat-remix/default.nix {};
+ theme_sddm_midnight = pkgs.callPackage ./sddm_midnight/default.nix {};
+ firmware_surface = pkgs.callPackage ./firmware_surface/default.nix {};
+ linux_surface = pkgs.callPackage ./linux_surface/default.nix {};
+ linuxPackages_surface = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_surface);
+ xdiskusage = pkgs.callPackage ./xdiskusage/default.nix {};
+ };
+ };
+}
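Review bot: `kernelPackages = pkgs.linuxPackages_latest;` and `time.timeZone` sit in hardware-configuration.nix, the file `nixos-generate-config` regenerates, so both settings are silently lost on the next regeneration; move them to Ophanim.nix, which already imports this file. Tracking `linuxPackages_latest` on an internet-facing server also means any rebuild can jump kernel majors; the default LTS kernel is the lower-risk choice unless a newer driver is required, in which case a comment naming the reason would help the next maintainer.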
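Review bot: `name = "Flat-Remix-GTK"` with a separate `version = "1.0"` yields a store path without the version, and the `version` attribute is otherwise unused by this derivation; use `stdenv.mkDerivation rec { ... name = "flat-remix-gtk-${version}"; }` (or `pname` where the pinned nixpkgs supports it) so the output is identifiable. The fixed `rev` plus `sha256` correctly pins the source, so the fetch itself is reproducible.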
diff --git a/pkgs/pkgsets.nix b/pkgs/pkgsets.nix
new file mode 100644
index 0000000..fb6a7a6
--- /dev/null
+++ b/pkgs/pkgsets.nix
@@ -0,0 +1,262 @@
+{ stable ? import ,
+ unstable ? import ,
+ gitpkgs ? import /nixpkgs/default.nix,
+ config, lib, pkgs, ... }:
+
+let
+ cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
+ optPkgs = with lib; package: pkgstring: if elem pkgstring cfg.pkgs then package else [];
+ gitpkgs = import /nixpkgs/default.nix {};
+
+ # Programms I'm likely to want on every machine and/or may execute as root
+ base = with pkgs; [
+ alsaUtils
+ ccze
+ cksfv
+ cryptsetup
+ dhcpcd
+ dnsutils
+ git
+ gnupg
+ gptfdisk
+ home-manager
+ htop
+ hwinfo
+ indent
+ iptables
+ lrzip
+ lshw
+ macchanger
+ mkpasswd
+ netcat
+ nix-index
+ nix-plugins
+ nix-prefetch-git
+ nix-serve
+ nix-update-source
+ nix-zsh-completions
+ nixbang
+ nixops
+ nmap
+ nox
+ ntfs3g
+ oh-my-zsh
+ openssl
+ p7zip
+ pciutils
+ psmisc
+ rfkill
+ rsync
+ sl
+ sysvtools
+ telnet
+ traceroute
+ tree
+ unrar
+ unzipNLS
+ usbutils
+ vim
+ vulnix
+ wget
+ whois
+ wirelesstools
+ wpa_supplicant
+ zip
+ zlib
+ zsh
+ ];
+
+ emacs = gitpkgs.emacsWithPackages (epkgs: with epkgs; [
+ /* Theming */
+ solarized-theme color-theme-sanityinc-tomorrow moe-theme powerline moody minions
+ /*General Stuff */
+ rainbow-delimiters # color parenthesis by indentation
+ color-identifiers-mode
+ /* Python */
+ company-jedi pylint melpaStablePackages.elpy
+ /* Git support */
+ magit
+ emms # multimedia support
+ wsd-mode
+ plantuml-mode
+ /* Other Stuff, not yet sorted */
+ transmission
+ org-plus-contrib orgit ox-gfm ox-rst
+ eclim
+ auto-complete
+ pkgs.aspell pkgs.aspellDicts.en pkgs.aspellDicts.de
+ use-package diminish bind-key
+ smartparens
+ evil-surround evil-indent-textobject evil-cleverparens avy undo-tree
+ cdlatex # for math expressions
+ helm
+ /* LaTeX */ auctex helm-bibtex cdlatex
+ markdown-mode
+ flycheck
+ pkgs.ledger
+ yaml-mode
+ company
+ /* C/C++ */ clang-format irony company-irony company-irony-c-headers flycheck-irony
+ /* Haskell */ haskell-mode flycheck-haskell
+ /* Org */ org org-ref pdf-tools org-bullets org-caldav
+ /* Rust */ rust-mode flycheck-rust racer
+ /* mail */ messages-are-flowing
+ /* Nix */ nix-buffer nix-mode nixos-options company-nixos-options nix-sandbox
+ paganini-theme
+ spaceline # modeline beautification
+ winum eyebrowse # window management
+ auto-compile
+ /* Maxima */ pkgs.maxima
+ visual-fill-column
+ web-mode
+ melpaStablePackages.idris-mode helm-idris
+ ]);
+
+ extra = with pkgs; [
+ transmission
+ texlive.combined.scheme-full
+ ];
+
+ mailutils = with pkgs; [
+ fetchmail
+ imagemagick
+ isync
+ mu-git
+ pandoc
+ postfix
+ ];
+
+ cpp = with pkgs; [
+ clang
+ cmake
+ gcc
+ global
+ irony-server
+ ];
+
+ haskell = pkgs.haskellPackages.ghcWithPackages (pkgs: with pkgs; [
+ mtl
+ random
+ ]);
+
+ java = with pkgs; [
+ openjdk11
+ (with pkgs.eclipses; eclipseWithPlugins {
+ eclipse = eclipse-platform;
+ jvmArgs = [ "-Xmx2048m" ];
+ plugins = [
+ plugins.color-theme
+ plugins.emacsplus
+ plugins.checkstyle
+ ];
+ })
+ ];
+
+ python3 = gitpkgs.python3Full.withPackages(ps: with ps; [
+ GitPython
+ bpython
+ configparser
+ django
+ elpy
+ emoji
+ epc
+ numpy
+ opencv3
+ paho-mqtt
+ pep8
+ pillow
+ pip
+ plotly
+ pyflakes
+ pygame_sdl2
+ pylama
+ pylint
+ pyopengl
+ pyproj
+ requests
+ schedule
+ scipy
+ selenium
+ telegram
+ tkinter
+ toolz
+ virtualenv
+# flask
+# flask-common
+# flask-compress
+# flask-cors
+# flask-limiter
+# flask-pymongo
+# flask-restful
+# flask-restplus
+# flask_assets
+# flask_elastic
+# flask_login
+# flask_mail
+# flask_marshmallow
+# flask_migrate
+# flask_oauthlib
+# flask_principal
+# flask_script
+# flask_sqlalchemy
+# flask_testing
+# flask_wtf
+# flaskbabel
+ /* temporarily fix python stuff */
+ py3status pytz tzlocal
+
+ ]);
+
+ rustpkgs = with pkgs; [
+ rustup
+ carnix
+ rustracer
+ ];
+
+ server = with pkgs; [
+ audit
+ letsencrypt
+ php
+ simp_le
+ ];
+
+ uniProgs = with pkgs; [
+ qucs
+ ];
+
+ xpkgs = with pkgs; [
+ feh
+ scrot
+ theme_flat-remix
+ theme_sddm_midnight
+ gnome3.dconf
+ gnome3.gnome-terminal
+ gnome3.gvfs
+ pcmanfm
+ pavucontrol
+ xclip
+ xlibs.xkill
+ xorg.xbacklight
+ xdiskusage
+ ];
+
+in {
+ environment.systemPackages = base
+ ++ (optPkgs [emacs] "emacs")
+ ++ (optPkgs extra "extra")
+ ++ (optPkgs mailutils "mailutils")
+ ++ (optPkgs cpp "cpp")
+ ++ (optPkgs [haskell] "haskell")
+ ++ (optPkgs java "java")
+ ++ (optPkgs [python3] "python3")
+ ++ (optPkgs rustpkgs "rustpkgs")
+ ++ (optPkgs server "server")
+ ++ (optPkgs uniProgs "uniProgs")
+ ++ (optPkgs xpkgs "xpkgs");
+
+ services.emacs = {
+ enable = (lib.elem "emacs" cfg.pkgs);
+ install = (lib.elem "emacs" cfg.pkgs);
+ package = emacs;
+ };
+}
diff --git a/pkgs/sddm_midnight/default.nix b/pkgs/sddm_midnight/default.nix
new file mode 100644
index 0000000..d03ea82
--- /dev/null
+++ b/pkgs/sddm_midnight/default.nix
@@ -0,0 +1,30 @@
+{ stdenv, fetchFromGitHub, qtstyleplugin-kvantum-qt4 }:
+
+stdenv.mkDerivation {
+ name = "sddm_midnight";
+ version = 1.0;
+
+ src = fetchFromGitHub {
+ owner = "Rokin05";
+ repo = "midnight-kde";
+ rev = "1a4771146a8d6f3b45b1da32877495c9e562d193";
+ sha256 = "10br96pf4dppk9nk7yvf7h9zja40k4c6rhwmqcaxxcjlhpvjmhkj";
+ };
+
+ buildInputs = [ qtstyleplugin-kvantum-qt4 ];
+
+ patchPhase = ''
+ substituteInPlace sddm/themes/Midnight/Main.qml --replace /usr $out
+ '';
+
+ installPhase = ''
+ mkdir -p $out/share
+ cp -R \
+ "aurorae" \
+ "color-schemes" \
+ "Kvantum" \
+ "plasma" \
+ "sddm" \
+ "$out/share"
+ '';
+}
diff --git a/pkgs/xdiskusage/default.nix b/pkgs/xdiskusage/default.nix
new file mode 100644
index 0000000..17a425f
--- /dev/null
+++ b/pkgs/xdiskusage/default.nix
@@ -0,0 +1,13 @@
+{ stdenv, fetchurl, fltk }:
+
+stdenv.mkDerivation rec {
+ name = "xdiskusage";
+ version = "1.51";
+
+ buildInputs = [ fltk ];
+
+ src = fetchurl {
+ url = "http://xdiskusage.sourceforge.net/${name}-${version}.tgz";
+ sha256 = "1il9200a2yd6023sbmixspvhj4ip6frm8sczjk5zk68j65zl9ckg";
+ };
+}
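Review bot: `gitpkgs = import /nixpkgs/default.nix {};` in the `let` shadows the `gitpkgs ? import /nixpkgs/default.nix` function argument a few lines above, so the parameter can never be overridden, and both point at an unpinned absolute path on the build host: `emacs` and `python3` are built from whatever checkout happens to be at `/nixpkgs`, which is neither reproducible nor reviewable. Pin it instead, e.g. `gitpkgs = import (builtins.fetchGit { url = "<REPO_URL>"; rev = "<COMMIT>"; }) {};` with the real URL and commit filled in, and drop the dead parameter. `cfg` is derived by reading `/etc/hostname` at evaluation time; the same impure lookup is repeated in services/default.nix in this commit, so a typo or a changed hostname silently selects another machine's package and service set — consider passing the machine config in once via `specialArgs` rather than re-deriving it per file. The `stable ? import ,` and `unstable ? import ,` arguments appear to have lost their paths in this rendering, so I cannot review them.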
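Review bot: `version = 1.0;` is a float rather than a string, and `name = "sddm_midnight"` does not include it, so the version is silently ignored; use `version = "1.0";` with `name = "sddm_midnight-${version}"` under `rec`. Defining `patchPhase` replaces the stock phase, so any future `patches = [ ... ]` would never be applied; the `substituteInPlace` call belongs in `postPatch` instead. The `$out` in `--replace /usr $out` is expanded at build time, so the theme paths end up pointing at the immutable store copy, which is what is wanted here.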
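Review bot: `url = "http://xdiskusage.sourceforge.net/${name}-${version}.tgz"` fetches over plain HTTP; the `sha256` pin means a tampered download fails the build rather than being used, so this is a robustness rather than an integrity issue, but `https://` is cheap if the mirror serves it. Because `name` is reused inside the URL, renaming to `name = "xdiskusage-${version}"` would break the fetch; introduce `pname = "xdiskusage";` and build both `name` and the URL from that if a versioned store path is wanted.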
diff --git a/services/cups.nix b/services/cups.nix
new file mode 100644
index 0000000..20104bb
--- /dev/null
+++ b/services/cups.nix
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.printing = {
+ enable = true;
+ startWhenNeeded = true;
+ drivers = with pkgs; [ gutenprint hplip splix samsung-unified-linux-driver ];
+ };
+}
diff --git a/services/default.nix b/services/default.nix
new file mode 100644
index 0000000..11c88fd
--- /dev/null
+++ b/services/default.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
+in {
+ imports = cfg.services;
+}
diff --git a/services/ejabberd.nix b/services/ejabberd.nix
new file mode 100644
index 0000000..bac4444
--- /dev/null
+++ b/services/ejabberd.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ services.ejabberd = {
+ enable = true;
+ imagemagick = true;
+ };
+}
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
new file mode 100644
index 0000000..f6d06de
--- /dev/null
+++ b/services/fail2ban.nix
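Review bot: `services.ejabberd` here and `services.prosody` in services/prosody.nix of this commit are both full XMPP servers for the same host, and both would bind 5222/5269 if imported together; neither is in Ophanim's service list today, so pick one and delete the other before either is wired in. This module also turns ejabberd on with no `configFile`, so it runs with the package's stock configuration (registration, admins, TLS requirements) rather than the hardened settings prosody.n ix carries; if ejabberd is the keeper, it needs an equivalent configuration.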
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
+{
+ services.fail2ban = {
+ enable = true;
+ jails = {
+ DEFAULT = ''
+ bantime = 3600
+ logpath = /var/log/auth.log
+ '';
+
+ ssh = ''
+ enabled = true
+ filter = sshd
+ maxretry = 4
+ action = iptables[name=SSH, port=ssh, protocol=tcp]
+ '';
+ sshd-ddos = ''
+ enabled = true
+ filter = sshd-ddos
+ maxretry = 2
+ action = iptables[name=ssh, port=ssh, protocol=tcp]
+ '';
+
+ postfix = ''
+ enabled = true
+ filter = postfix
+ maxretry = 3
+ action = iptables[name=postfix, port=smtp, protocol=tcp]
+ '';
+ postfix-sasl = ''
+ enabled = true
+ filter = postfix-sasl
+ maxretry = 3
+ action = iptables[name=postfix, port=smtp, protocol=tcp]
+ '';
+ postfix-ddos = ''
+ enabled = true
+ filter = postfix-ddos
+ maxretry = 3
+ action = iptables[name=postfix, port=submission, protocol=tcp]
+ bantime = 7200
+ '';
+
+ nginx-req-limit = ''
+ enabled = true
+ filter = nginx-req-limit
+ maxretry = 10
+ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+ findtime = 600
+ bantime = 7200
+ ''
+ };
+ };
+
+ environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
+ [Definition]
+ failregex = lost connection after EHLO from \S+\[\]
+ '';
+
+ environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
+ [Definition]
+ failregex = limiting requests, excess:.* by zone.*client:
+ '';
+
+ # Limit stack size to reduce memory usage
+ systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+}
diff --git a/services/gitea.nix b/services/gitea.nix
new file mode 100644
index 0000000..dca1c4b
--- /dev/null
+++ b/services/gitea.nix
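Review bot: The `nginx-req-limit` jail closes with `''` followed directly by `};`, with no `;` after the string, so this file is a Nix parse error and will fail the moment it is imported (it is not in Ophanim's service list yet, which is why the commit still builds); the fix is `'';` on that line. `DEFAULT = ''` with only `bantime = 3600` and `logpath = /var/log/auth.log` replaces the module's default `[DEFAULT]` section wholesale, and `/var/log/auth.log` does not normally exist on a journald-only NixOS host, so the sshd and postfix jails would have no log to watch; keep the module's defaults (which, as I recall, select the systemd backend) and add only `bantime = 3600`, or set `backend = systemd` explicitly. The two `failregex` lines appear to have lost their `<HOST>` capture in this rendering; if the committed text really lacks it, these filters can never ban anything.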
@@ -0,0 +1,36 @@
+{ stdenv, conf, pkgs, ... }:
+
+{
+ services.gitea = {
+ enable = true;
+ user = "git";
+ cookieSecure = true;
+ domain = "git.ophanim.de";
+ rootUrl = "http://git.ophanim.de/";
+ database = {
+ type = "mysql";
+ user = "git";
+ name = "gitea";
+ passwordFile = "/secret/gitea";
+ };
+ extraConfig = ''
+ [repository]
+ DISABLE_HTTP_GIT = true
+ USE_COMPAT_SSH_URI = true
+
+ [security]
+ INSTALL_LOCK = true
+ COOKIE_USERNAME = gitea_username
+ COOKIE_REMEMBER_NAME = gitea_userauth
+
+ [service]
+ DISABLE_REGISTRATION = true
+ '';
+ };
+
+ users.users.git = {
+ isNormalUser = true;
+ home = "/var/lib/gitea";
+ createHome = true;
+ };
+}
diff --git a/services/hydra.nix b/services/hydra.nix
new file mode 100644
index 0000000..4c93f62
--- /dev/null
+++ b/services/hydra.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+
+# hydra user needs to be manually crated
+# sudo -u hydra -s
+# hydra-create-user $USERNAME --password $PASSWORD --role admin
+
+{
+ # also take a look at ../conf/nix.nix
+ nix.buildMachines = [
+ {
+ hostName = "localhost";
+ system = "x86_64-linux";
+ supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+ maxJobs = 8;
+ }
+ ];
+
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://builder.ophanim.de"; # externally visible URL
+ listenHost = "localhost";
+ port = 3001;
+ minimumDiskFree = 15;
+ minimumDiskFreeEvaluator = 15;
+ notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service
+ useSubstitutes = true;
+ debugServer = false;
+ };
+}
diff --git a/services/mailserver.nix b/services/mailserver.nix
new file mode 100644
index 0000000..699db07
--- /dev/null
+++ b/services/mailserver.nix
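Review bot: `rootUrl = "http://git.ophanim.de/"` is plain HTTP while the vhost for this name in services/nginx.nix forces SSL and `cookieSecure = true` is set, so Gitea will generate http:// links and redirects that bounce through nginx and, with a secure-only cookie, can strand a session on the first hop; it should be `rootUrl = "https://git.ophanim.de/";`. The `git` account is declared with `isNormalUser = true`, which allocates a normal-user UID for a daemon account; `isSystemUser = true` with an explicit `group` (keeping a real shell via `useDefaultShell` if SSH git access needs one) is the usual least-privilege shape. The file takes `{ stdenv, conf, pkgs, ... }` as module arguments; unless `conf` and `stdenv` are supplied through `_module.args` or `specialArgs` elsewhere, the module system will fail to call this module, so confirm that is wired up (nextcloud.nix and nginx.nix in this commit do the same).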
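Review bot: The header comment `# hydra-create-user $USERNAME --password $PASSWORD --role admin` documents putting the admin password on the command line, which leaves it in the shell history and visible in the process list while the command runs; reword it to create the user with a password supplied interactively or read from a file, and fix `crated` to `created`. `listenHost = "localhost"` with `port = 3001` behind the forced-SSL `builder.ophanim.de` proxy in nginx.nix is the right shape, so the web UI is not reachable directly.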
@@ -0,0 +1,38 @@
+{ lib, config, pkgs, ... }:
+
+{
+ imports = [
+ ./mailserver/default.nix
+ ];
+
+ mailserver = rec {
+ enable = true;
+ fqdn = "mail.ophanim.de";
+ domains = [ "ophanim.de" ];
+ loginAccounts = {
+ "derped@ophanim.de" = {
+ hashedPassword = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/derped.mail));
+ };
+ };
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = 1;
+ certificateFile = "/var/lib/acme/" + fqdn + "/fullchain.pem";
+ keyFile = "/var/lib/acme/" + fqdn + "/key.pem";
+
+ #dhParamBitLength = 4096; # this doesn't exist???
+
+ # Enable IMAP and POP3
+ enableImap = true;
+ enablePop3 = true;
+ enableImapSsl = true;
+ enablePop3Ssl = true;
+
+ # Enable the ManageSieve protocol
+ enableManageSieve = true;
+
+ # whether to scan inbound emails for viruses (note that this requires at least
+ # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
+ virusScanning = false;
+ };
+}
diff --git a/services/mariaDB.nix b/services/mariaDB.nix
new file mode 100644
index 0000000..ade9a80
--- /dev/null
+++ b/services/mariaDB.nix
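Review bot: The comment `# Use Let's Encrypt certificates. Note that this needs to set up a stripped down nginx and opens port 80.` contradicts the setting under it: `certificateScheme = 1` is the manual scheme that consumes the `certificateFile`/`keyFile` paths, and the certificate under `/var/lib/acme/mail.ophanim.de` is in fact issued by the `mail.ophanim.de` vhost in services/nginx.nix. Reword it to say so, and note that the mail service therefore depends on nginx's ACME run having completed and on the mail daemons being able to read `key.pem`, which ACME writes with restricted permissions. `hashedPassword` is read with `builtins.readFile` at evaluation time, so the hash lands in the Nix store; for a password hash that is tolerable, but a comment should say that deliberately so nobody later feeds a plaintext secret through the same path.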
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+let
+ nextcloudpwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/nextcloud_db));
+ giteapwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/gitea));
+in {
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ initialDatabases = [ {
+ name = "nextcloud";
+ schema = pkgs.writeText "nextcloud.sql"
+ ''
+ create user if not exists 'nextcloud'@'localhost' identified by ${nextcloudpwd};
+ grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by ${nextcloudpwd};
+ '';
+ }
+ {
+ name = "gitea";
+ schema = pkgs.writeText "gitea.sql"
+ ''
+ create user if not exists 'git'@'localhost' identified by ${giteapwd};
+ grant all privileges on gitea.* to 'git'@'localhost' identified by ${giteapwd};
+ '';
+ } ];
+ };
+}
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
new file mode 100644
index 0000000..fff88a7
--- /dev/null
+++ b/services/nextcloud.nix
@@ -0,0 +1,27 @@
+{ conf, pkgs, ... }:
+
+{
+ services.nextcloud = {
+ enable = true;
+ home = "/var/lib/nextcloud";
+ hostName = "storage.ophanim.de";
+ https = true;
+ maxUploadSize = "1024M";
+ config = {
+ adminuser = "derped";
+ adminpassFile = "/secret/nextcloud_admin";
+ dbtype = "mysql";
+ dbhost = "localhost";
+ dbport = "3306";
+ dbuser = "nextcloud";
+ dbpassFile = "/secret/nextcloud_db";
+ dbname = "nextcloud";
+ dbtableprefix = "oc_";
+ };
+ caching = {
+ apcu = true;
+ memcached = true;
+ redis = false;
+ };
+ };
+}
diff --git a/services/nginx.nix b/services/nginx.nix
new file mode 100644
index 0000000..a5a7181
--- /dev/null
+++ b/services/nginx.nix
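Review bot: `nextcloudpwd` and `giteapwd` are read with `builtins.readFile` at evaluation time and interpolated into `pkgs.writeText "nextcloud.sql"` / `"gitea.sql"`, so both database passwords are written in plaintext into world-readable `/nix/store` paths, and with `nix-serve` in the base package set they can also be handed to anything that can reach the binary cache. The interpolation is also unquoted (`identified by ${nextcloudpwd};`), so a secret containing spaces or quote characters breaks the statement. Keep the secret out of evaluation entirely: let `initialDatabases` create the empty databases, and create the users in a `systemd.services.mysql.postStart` step that reads `/secret/gitea` and `/secret/nextcloud_db` at runtime and feeds a properly quoted statement to the `mysql` client, which matches how nextcloud.nix and gitea.nix in this commit already consume those files through `*passFile`/`passwordFile` options.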
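Review bot: `services.nextcloud` with `hostName = "storage.ophanim.de"`, as far as I recall, declares its own nginx vhost for that name, while services/nginx.nix in this commit hand-builds a `"storage.ophanim.de"` vhost on uwsgi; importing both would make the module system reject the duplicate `root` and location definitions (the nginx file's own comment already notes the module path `does not work yet`). Neither this file nor that vhost is in Ophanim's service list, so this is latent, but a comment should say which path is canonical. `caching.memcached = true` also assumes a memcached instance that nothing in this commit configures; confirm it exists or set it to `false`. Passing secrets via `adminpassFile`/`dbpassFile` here is the right approach, in contrast to the evaluation-time reads in mariaDB.nix.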
@@ -0,0 +1,286 @@
+##############################################################################################
+# Includes: #
+# - Nginx + SSL config #
+# - Gitea #
+# - Nextcloud #
+# - Heavily based on: https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271 #
+# - Mail ssl root #
+##############################################################################################
+
+{ conf, lib, pkgs, ... }:
+
+let
+ gitpkgs = import /nixpkgs/default.nix {};
+in {
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ virtualHosts = {
+ "ophanim.de" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www";
+ };
+ "builder.ophanim.de" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ location / {
+ proxy_pass http://127.0.0.1:3001;
+ proxy_set_header Host $http_host;
+ proxy_set_header REMOTE_ADDR $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ '';
+ };
+ "mail.ophanim.de" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www";
+ };
+ "storage.ophanim.de" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "${gitpkgs.nextcloud}";
+ locations = {
+ "/robots.txt" = {
+ extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ };
+
+ "~ ^/(?:\.htaccess|config|db_structure\.xml|README)" = {
+ extraConfig = "deny all;";
+ };
+
+ "/" = {
+ extraConfig = ''
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+ rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+ rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '';
+ };
+
+ "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)" = {
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/uwsgi_params;
+ uwsgi_modifier1 14;
+ uwsgi_hide_header X-Frame-Options;
+ uwsgi_hide_header X-XSS-Protection;
+ uwsgi_hide_header X-Content-Type-Options;
+ uwsgi_hide_header X-Robots-Tag;
+ uwsgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
+ uwsgi_pass unix:/run/uwsgi/php.sock;
+ '';
+ };
+
+ "~* \.(?:css|js)$" = {
+ extraConfig = ''
+ add_header Cache-Control "public, max-age=7200";
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ access_log off;
+ '';
+ };
+
+ "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" = {
+ extraConfig = ''
+ access_log off;
+ '';
+ };
+
+ "^~ /data" = {
+ extraConfig = ''
+ internal;
+ '';
+ };
+
+ "^~ /apps" = {
+ extraConfig = ''
+ alias /var/lib/nextcloud/apps;
+ '';
+ };
+ };
+
+### Settings for new nextcloud module.... does not work yet???
+# locations = {
+# "= /robots.txt" = {
+# priority = 100;
+# extraConfig = ''
+# allow all;
+# log_not_found off;
+# access_log off;
+# '';
+# };
+# "/" = {
+# priority = 200;
+# extraConfig = "rewrite ^ /index.php$uri;";
+# };
+# "~ ^/store-apps" = {
+# priority = 201;
+# extraConfig = "root /var/lib/nextcloud;";
+# };
+# "= /.well-known/carddav" = {
+# priority = 210;
+# extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+# };
+# "= /.well-known/caldav" = {
+# priority = 210;
+# extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+# };
+# "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = {
+# priority = 300;
+# extraConfig = "deny all;";
+# };
+# "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
+# priority = 300;
+# extraConfig = "deny all;";
+# };
+# "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\\.php(?:$|/)" = {
+# priority = 500;
+# extraConfig = ''
+# include ${pkgs.nginxMainline}/conf/fastcgi.conf;
+# fastcgi_split_path_info ^(.+\.php)(/.*)$;
+# fastcgi_param PATH_INFO $fastcgi_path_info;
+# fastcgi_param HTTPS on;
+# fastcgi_param modHeadersAvailable true;
+# fastcgi_param front_controller_active true;
+# fastcgi_pass unix:/run/phpfpm/nextcloud;
+# fastcgi_intercept_errors on;
+# fastcgi_request_buffering off;
+# fastcgi_read_timeout 120s;
+# '';
+# };
+# "~ ^/(?:updater|ocs-provider)(?:$|/)".extraConfig = ''
+# try_files $uri/ =404;
+# index index.php;
+# '';
+# "~ \\.(?:css|js|woff|svg|gif)$".extraConfig = ''
+# try_files $uri /index.php$uri$is_args$args;
+# add_header Cache-Control "public, max-age=15778463";
+# add_header X-Content-Type-Options nosniff;
+# add_header X-XSS-Protection "1; mode=block";
+# add_header X-Robots-Tag none;
+# add_header X-Download-Options noopen;
+# add_header X-Permitted-Cross-Domain-Policies none;
+# access_log off;
+# '';
+# "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = ''
+# try_files $uri /index.php$uri$is_args$args;
+# access_log off;
+# '';
+# };
+# extraConfig = ''
+# add_header X-Content-Type-Options nosniff;
+# add_header X-XSS-Protection "1; mode=block";
+# add_header X-Robots-Tag none;
+# add_header X-Download-Options noopen;
+# add_header X-Permitted-Cross-Domain-Policies none;
+# error_page 403 /core/templates/403.php;
+# error_page 404 /core/templates/404.php;
+# client_max_body_size 1024M;
+# fastcgi_buffers 64 4K;
+# gzip on;
+# gzip_vary on;
+# gzip_comp_level 4;
+# gzip_min_length 256;
+# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+# '';
+ };
+ "git.ophanim.de" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/lib/gitea/public";
+ extraConfig = ''
+ location / {
+ try_files maintain.html $uri $uri/index.html @node;
+ }
+
+ location @node {
+ client_max_body_size 0;
+ proxy_pass http://localhost:3000;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_max_temp_file_size 0;
+ proxy_redirect off;
+ proxy_read_timeout 120;
+ }
+ '';
+ };
+ };
+ };
+
+ # Nextcloud system cron
+ users.users.nginx.useDefaultShell = true;
+ systemd.services.nextcloudcron = {
+ description = "Nextcloud cron";
+ after = [ "network.target" ];
+ script = ''
+ ${pkgs.php}/bin/php ${gitpkgs.nextcloud}/cron.php
+ ${gitpkgs.nextcloud-news-updater}/bin/nextcloud-news-updater -t 2 -i 30 --mode singlerun ${gitpkgs.nextcloud}
+ '';
+ environment = { NEXTCLOUD_CONFIG_DIR = "/var/lib/nextcloud/config"; };
+ serviceConfig.User = "nginx";
+ };
+ systemd.timers.nextcloudcron = {
+ enable = true;
+ description = "Nextcloud cron timer";
+ wantedBy = [ "timers.target" ];
+ partOf = [ "Nextcloudcron.service" ];
+ timerConfig = {
+ RandomizedDelaySec = "5min";
+ OnCalendar = "*-*-* *:00,30:00"; # every 1/2h
+ Persistent = true;
+ };
+ };
+
+ services.uwsgi = {
+ enable = true;
+ user = "nginx";
+ group = "nginx";
+ instance = {
+ type = "emperor";
+ vassals = {
+ php = {
+ type = "normal";
+ socket = "/run/uwsgi/php.sock";
+ master = true;
+ vacuum = true;
+
+ processes = 16;
+ cheaper = 1;
+ php-sapi-name = "apache"; # opcode caching tweak
+
+ php-allowed-ext = [ ".php" ".inc" ];
+ socket-modifier1 = 14;
+ php-index = "index.php";
+
+ php-set = "date.timezone=Europe/Berlin";
+ env = [
+ "NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config"
+ ];
+ plugins = [ "php" ];
+ };
+ };
+ };
+ plugins = [ "php" ];
+ };
+}
diff --git a/services/openssh.nix b/services/openssh.nix
new file mode 100644
index 0000000..013a638
--- /dev/null
+++ b/services/openssh.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ challengeResponseAuthentication = false;
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ extraConfig = ''
+ AllowUsers derped git
+ '';
+ };
+}
diff --git a/services/prosody.nix b/services/prosody.nix
new file mode 100644
index 0000000..6ce5c6c
--- /dev/null
+++ b/services/prosody.nix
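Review bot: In the `storage.ophanim.de` vhost the PHP location (`~ ^/(?:index|remote|public|cron|...)\.php`) strips `X-Frame-Options`, `X-XSS-Protection`, `X-Content-Type-Options` and `X-Robots-Tag` from every Nextcloud response via `uwsgi_hide_header`, but the replacement `add_header` lines — including `Strict-Transport-Security` — live only in the `~* \.(?:css|js)$` location, so the HTML pages users actually interact with are served with none of them and HSTS is never set on a navigation response. Move that `add_header` block to the vhost's `extraConfig` (the commented-out section below already has it at that level) so it applies to every location, and drop the stray trailing `;` inside `"max-age=15768000; includeSubDomains; preload;"`. `partOf = [ "Nextcloudcron.service" ]` in the timer uses a capitalised unit name that does not match `systemd.services.nextcloudcron`, so the timer is bound to a non-existent unit; it should be `partOf = [ "nextcloudcron.service" ];`. `gitpkgs = import /nixpkgs/default.nix {}` is the same unpinned absolute-path import as in pkgs/pkgsets.nix, so the Nextcloud release served here is whatever checkout sits at `/nixpkgs`; pin it the same way.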
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+{
+ services.prosody = {
+ enable = true;
+ admins = [ "derped@ophanim.de" ];
+ allowRegistration = false;
+ extraConfig = ''
+ use_libevent = true
+ s2s_require_encryption = true
+ c2s_require_encryption = true
+ '';
+
+ extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
+
+# modules.legacyauth = false;
+ ssl.cert = "/var/lib/acme/ophanim.de/fullchain.pem";
+ ssl.key = "/var/lib/acme/ophanim.de/key.pem";
+ virtualHosts = {
+ localhost = {
+ domain = "localhost";
+ enabled = true;
+ };
+ "ophanim.de" = {
+ domain = "ophanim.de";
+ enabled = true;
+ };
+ };
+ };
+}
diff --git a/services/udev.nix b/services/udev.nix
new file mode 100644
index 0000000..5c0fdab
--- /dev/null
+++ b/services/udev.nix
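Review bot: `ssl.key = "/var/lib/acme/ophanim.de/key.pem"` points at a key the ACME module writes readable only by its own user and certificate group, while prosody runs as its own unprivileged user, so unless prosody is added to that certificate's group (the ACME `group`/`allowKeysForGroup` options) or the key is copied out by a post-renewal hook, TLS for `ophanim.de` will fail at startup; please confirm the permission path. That certificate is also issued by the `ophanim.de` nginx vhost in services/nginx.nix, so this module implicitly depends on nginx having completed ACME first. `extraModules` loads both `"privacy"` and `"blocklist"`; upstream deprecates `mod_privacy` in favour of `mod_blocklist`, so loading both is at best redundant. `c2s_require_encryption`, `s2s_require_encryption` and `allowRegistration = false` are the right hardening defaults here.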
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.udev.extraRules = ''
+ Valve USB devices
+SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", TAG+="uaccess", TAG+="udev-acl"
+
+# Steam Controller udev write access
+KERNEL=="uinput", SUBSYSTEM=="misc", TAG+="uaccess", TAG+="udev-acl"
+
+# Valve HID devices over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="28de", TAG+="uaccess", TAG+="udev-acl"
+
+# Valve HID devices over bluetooth hidraw
+KERNEL=="hidraw*", KERNELS=="*28DE:*", TAG+="uaccess", TAG+="udev-acl"
+
+# DualShock 4 over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="05c4", TAG+="uaccess", TAG+="udev-acl"
+
+# DualShock 4 wireless adapter over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="0ba0", TAG+="uaccess", TAG+="udev-acl"
+
+# DualShock 4 Slim over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="09cc", TAG+="uaccess", TAG+="udev-acl"
+
+# DualShock 4 over bluetooth hidraw
+KERNEL=="hidraw*", KERNELS=="*054C:05C4*", TAG+="uaccess", TAG+="udev-acl"
+
+# DualShock 4 Slim over bluetooth hidraw
+KERNEL=="hidraw*", KERNELS=="*054C:09CC*", TAG+="uaccess", TAG+="udev-acl"
+'';
+}
diff --git a/services/xserver.nix b/services/xserver.nix
new file mode 100644
index 0000000..0e4bca9
--- /dev/null
+++ b/services/xserver.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.gnome3.gvfs.enable = true;
+ services.xserver = {
+ enable = true;
+ layout = "de";
+ videoDrivers = [ "intel" ];
+ windowManager = {
+ i3 = {
+ enable = true;
+ configFile = ../config/etc/i3/config;
+ extraPackages = with pkgs; [
+ dmenu
+ file
+ i3lock
+ i3status
+ ];
+ };
+ default = "i3";
+ };
+ # add switch for Lilim
+ libinput = {
+ enable = true;
+ tapping = true;
+ disableWhileTyping = false;
+ naturalScrolling = false;
+ horizontalScrolling =true;
+ };
+ dpi = 192;
+ };
+}
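Review bot: The first rule line inside `services.udev.extraRules` reads `Valve USB devices` without a leading `#`, so udevd will parse it as a rule and log it as invalid; it was clearly meant to be the comment `# Valve USB devices`. Because every other line starts at column 0, that indented line also keeps its leading whitespace in the generated rules file, so fixing the `#` should come with dedenting it. All rules grant `uaccess` on raw HID nodes only for the listed vendor/product IDs, which is the intended narrow scope for controller access; `TAG+="udev-acl"` is a legacy ConsoleKit tag that current systemd ignores and could be dropped.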