Fresh repo without sensitive data.

This commit is contained in:
Kevin Baensch 2019-02-26 13:44:40 +01:00
commit 9003080a64
44 changed files with 2039 additions and 0 deletions

14
config/default.nix Normal file

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in {
imports = [
./etc.nix
./locale.nix
./networking.nix
./nix.nix
./users.nix
./zsh.nix
] ++ (if cfg.conf.networking.hostName != "Ophanim" then [./fonts.nix] else [./security.nix]);
}
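Review bot: The hostname-keyed import on line 15 is duplicated verbatim in config/networking.nix (line 607), config/users.nix (668), configuration.nix (718), pkgs/pkgsets.nix (1090) and services/default.nix (1396), and every copy reads /etc/hostname at evaluation time, so the result depends on the host the expression is evaluated on rather than on the repository alone. One shared helper (for example a `lib/machine.nix` that returns the imported set — name constructed here) would leave a single place to adjust when the lookup changes. The `!= "Ophanim"` role test on line 24, repeated in users.nix (lines 678 and 682), would read better as an explicit flag such as `conf.isServer = true;` set in each machine's configuration.nix, so adding a second server does not require editing every comparison. Note that security.nix is imported only for Ophanim and fonts.nix for everyone else, so the audit and hideProcessInformation settings never apply to the workstations; if that is intended, a comment saying so on line 24 would help.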

18
config/etc.nix Normal file

@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
{
environment.etc = {
"i3/config".source = ./etc/i3/config;
"i3/py3status".source = ./etc/i3/py3status;
"mpv/input.conf".source = ./etc/mpv/input.conf;
"mpv/mpv.conf".source = ./etc/mpv/mpv.conf;
"youtube-dl.conf".source = ./etc/youtube-dl.conf;
};
environment.variables = {
EDITOR="emacsclient -ca nano";
NIXPKGS_ALLOW_UNFREE="1";
WINEDLLOVERRIDES="winemenubuilder.exe=d";
LC_CTYPE="zh_CN.UTF-8";
};
}

15
config/etc/gitconfig Normal file

@ -0,0 +1,15 @@
[user]
name = derped
email = derped@ophanim.de
[alias]
get = clone --recursive
blame = -w -M
update = !git pull && git submodule update --init --recursive
comma = commit --amend
uncommit = reset --soft HEAD^
pr = !"pr() { git fetch origin pull/$1/head:pr-$1; git checkout pr-$1; }; pr"
pru = !"pr() { git fetch upstream pull/$1/head:pr-$1; git checkout pr-$1; }; pr"
backport = cherry-pick -x
reset-pr = reset --hard FETCH_HEAD
publish = !git pull && git push
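Review bot: The `pr` and `pru` aliases (lines 63-64) join fetch and checkout with `;`, so `git checkout pr-$1` runs even when the fetch failed and silently lands on whatever a stale `pr-$1` branch already points at. Joining the two commands with `&&` stops at the fetch error: `pr = !"pr() { git fetch origin pull/$1/head:pr-$1 && git checkout pr-$1; }; pr"`, and likewise for `pru` with `upstream`. Quoting `"$1"` in both also keeps an argument containing spaces from splitting into two refspecs.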

279
config/etc/i3/config Normal file

@ -0,0 +1,279 @@
# i3 config file (v4)
#
# Please see http://i3wm.org/docs/userguide.html for a complete reference!
### INIT xfce session stuff ###
exec redshift-gtk -l 51.0504:13.7373
### START USER CONFIG ###
set $mod Mod4
workspace "HDMI" output HDMI1
workspace_auto_back_and_forth yes
new_window pixel
hide_edge_borders both
exec setxkbmap de
#exec compton -f
exec feh --bg-scale Pictures/wallpaper.jpg
#exec pulseaudio -D
#exec fcitx
#exec env=LC_CTYPE=zh_CN.UTF-8 emacs --daemon
#exec conky -c $HOME/.my_little_conky/.conkyrc
#exec xsnow -nosanta -norudolf -notrees
#exec $LOCK
### END USER CONFIG ###
### START USER PROGRAMMS ###
### END USER PROGRAMMS ###
### START SYSKEY BINDSYM ###
bindsym XF86AudioPlay exec playerctl play
bindsym XF86AudioPause exec playerctl pause
bindsym XF86AudioNext exec playerctl next
bindsym XF86AudioPrev exec playerctl previous
bindsym $mod+Mod1+space exec playerctl play-pause
bindsym $mod+Mod1+Right exec playerctl next
bindsym $mod+Mod1+Left exec playerctl previous
bindsym $mod+Shift+w sticky toggle
### END SYSKEY BINDSYM ###
### START BINDSYM ###
bindsym $mod+b border toggle
bindsym $mod+m bar mode toggle
bindsym $mod+y move container to output left
bindsym $mod+x move container to output right
bindsym $mod+Shift+y move workspace to output left
bindsym $mod+Shift+x move workspace to output right
bindsym $mod+minus exec amixer -c 0 sset Master 1%-
bindsym $mod+plus exec amixer -c 0 sset Master 1%+
bindsym $mod+Mod1+minus exec amixer -D pulse sset Master 1%-
bindsym $mod+Mod1+plus exec amixer -D pulse sset Master 1%+
bindsym $mod+Shift+minus exec xbacklight -5
bindsym $mod+Shift+plus exec xbacklight +5
bindsym $mod+Ctrl+0 exec xbacklight -set 0
bindsym $mod+Ctrl+1 exec xbacklight -set 10
bindsym $mod+Ctrl+2 exec xbacklight -set 20
bindsym $mod+Ctrl+3 exec xbacklight -set 30
bindsym $mod+Ctrl+4 exec xbacklight -set 40
bindsym $mod+Ctrl+5 exec xbacklight -set 50
bindsym $mod+Ctrl+6 exec xbacklight -set 60
bindsym $mod+Ctrl+7 exec xbacklight -set 70
bindsym $mod+Ctrl+8 exec xbacklight -set 80
bindsym $mod+Ctrl+9 exec xbacklight -set 90
bindsym $mod+p move scratchpad
bindsym $mod+Shift+p scratchpad show
bindsym --release $mod+Shift+S exec scrot
bindsym --release $mod+Ctrl+S exec "scrot --select"
bindsym $mod+o exec pcmanfm
### END BINDSYM ###
### START MODES ###
mode "ACPI Events" {
bindsym p exec systemctl poweroff; mode "default"
bindsym h exec systemctl hibernate; mode "default"
bindsym s exec systemctl suspend; mode "default"
bindsym r exec systemctl reboot; mode "default"
bindsym h exec systemctl halt; mode "default"
bindsym e exec systemctl exit; mode "default"
bindsym l exec $LOCK; mode "default"
bindsym Return mode "default"
bindsym Escape mode "default"
}
mode "Power Mode"{
bindsym s exec xbacklight -set 5; exec rfkill block all ; exec xset -b +dpms; mode "default"
bindsym p exec xbacklight -set 100; exec rfkill unblock all; exec xset -dpms; mode "default"
bindsym Return mode "default"
bindsym Escape mode "default"
}
mode "No Keybinds" {
bindsym $mod+Shift+Escape mode "default"
}
bindsym $mod+F12 mode "ACPI Events"
bindsym $mod+F11 mode "No Keybinds"
bindsym $mod+F10 mode "Power Mode"
### END MODES ###
# Font for window titles. Will also be used by the bar unless a different font
# is used in the bar {} block below.
#font pango:monospace 8
#font pango:System San Francisco Display 8
# This font is widely installed, provides lots of unicode glyphs, right-to-left
# text rendering and scalability on retina/hidpi displays (thanks to pango).
font pango:DejaVu Sans Mono 8
# Before i3 v4.8, we used to recommend this one as the default:
# font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1
# The font above is very space-efficient, that is, it looks good, sharp and
# clear in small sizes. However, its unicode glyph coverage is limited, the old
# X core fonts rendering does not support right-to-left and this being a bitmap
# font, it doesnt scale on retina/hidpi displays.
# Use Mouse+$mod to drag floating windows to their wanted position
floating_modifier $mod
# start a terminal
bindsym $mod+Shift+Return exec emacsclient -c
bindsym $mod+Return exec gnome-terminal
# kill focused window
bindsym $mod+Shift+q kill
# start dmenu (a program launcher)
#bindsym $mod+d exec rofi -show run -lines 3 -eh 2 -width 100 -padding 330 -opacity "85" -config ~/.config/rofi.cfg -font "System San Francisco Display 12"
bindsym $mod++d exec dmenu_run -fn 'Droid Sans Mono-8'
# There also is the (new) i3-dmenu-desktop which only displays applications
# shipping a .desktop file. It is a wrapper around dmenu, so you need that
# installed.
# bindsym $mod+d exec --no-startup-id i3-dmenu-desktop
# change focus
bindsym $mod+j focus left
bindsym $mod+k focus down
bindsym $mod+l focus up
bindsym $mod+odiaeresis focus right
#bindsym $mod+semicolon focus right
# alternatively, you can use the cursor keys:
bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right
# move focused window
bindsym $mod+Shift+j move left
bindsym $mod+Shift+k move down
bindsym $mod+Shift+l move up
bindsym $mod+Shift+odiaeresis move right
#bindsym $mod+Shift+semicolon1 move right
# alternatively, you can use the cursor keys:
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right
# split in horizontal orientation
bindsym $mod+h split h
# split in vertical orientation
bindsym $mod+v split v
# enter fullscreen mode for the focused container
bindsym $mod+f fullscreen toggle
# change container layout (stacked, tabbed, toggle split)
bindsym $mod+s layout stacking
bindsym $mod+w layout tabbed
bindsym $mod+e layout toggle split
# toggle tiling / floating
bindsym $mod+Shift+space floating toggle
# change focus between tiling / floating windows
bindsym $mod+space focus mode_toggle
# focus the parent container
bindsym $mod+a focus parent
# focus the child container
#bindsym $mod+d focus child
# switch to workspace
bindsym $mod+1 workspace 1
bindsym $mod+2 workspace 2
bindsym $mod+3 workspace 3
bindsym $mod+4 workspace 4
bindsym $mod+5 workspace 5
bindsym $mod+6 workspace 6
bindsym $mod+7 workspace 7
bindsym $mod+8 workspace 8
bindsym $mod+9 workspace 9
bindsym $mod+0 workspace 10
# move focused container to workspace
bindsym $mod+Shift+1 move container to workspace 1
bindsym $mod+Shift+2 move container to workspace 2
bindsym $mod+Shift+3 move container to workspace 3
bindsym $mod+Shift+4 move container to workspace 4
bindsym $mod+Shift+5 move container to workspace 5
bindsym $mod+Shift+6 move container to workspace 6
bindsym $mod+Shift+7 move container to workspace 7
bindsym $mod+Shift+8 move container to workspace 8
bindsym $mod+Shift+9 move container to workspace 9
bindsym $mod+Shift+0 move container to workspace 10
# reload the configuration file
bindsym $mod+Shift+c reload
# restart i3 inplace (preserves your layout/session, can be used to upgrade i3)
bindsym $mod+Shift+r restart
# exit i3 (logs you out of your X session)
bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -b 'Yes, exit i3' 'i3-msg exit'"
# resize window (you can also use the mouse for that)
mode "resize" {
# These bindings trigger as soon as you enter the resize mode
# Pressing left will shrink the windows width.
# Pressing right will grow the windows width.
# Pressing up will shrink the windows height.
# Pressing down will grow the windows height.
bindsym j resize shrink width 10 px or 10 ppt
bindsym k resize grow height 10 px or 10 ppt
bindsym l resize shrink height 10 px or 10 ppt
bindsym semicolon resize grow width 10 px or 10 ppt
# same bindings, but for the arrow keys
bindsym Left resize shrink width 10 px or 10 ppt
bindsym Down resize grow height 10 px or 10 ppt
bindsym Up resize shrink height 10 px or 10 ppt
bindsym Right resize grow width 10 px or 10 ppt
# back to normal: Enter or Escape
bindsym Return mode "default"
bindsym Escape mode "default"
}
bindsym $mod+r mode "resize"
# Start i3bar to display a workspace bar (plus the system information i3status
# finds out, if available)
bar {
position top
status_command py3status -c /etc/i3/py3status
# status_command i3status
colors {
separator #586e75
background #002b36
statusline #aea79f
focused_workspace #586e75 #586e75 #ffffff
active_workspace #073642 #073642 #ffffff
inactive_workspace #002b36 #002b36 #aea79f
urgent_workspace #77216f #77216f #ffffff
}
}
client.focused #008666 #000000 #ffffff
client.focused_inactive #000000 #222222 #ffffff
client.unfocused #002b36 #333333 #ffffff #ffffff
client.urgent #aa0000 y#990000 #ffffff
#client.focused #586e75 #586e75 #fdf6e3 #268bd2
#client.focused_inactive #073642 #073642 #93a1a1 #002b36
#client.unfocused #002b36 #002b36 #586e75 #002b36
#client.urgent #dc322f #dc322f #fdf6e3 #dc322f
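Review bot: In the "ACPI Events" mode `h` is bound twice (line 139 hibernate, line 142 halt); i3 keeps the first binding and warns about the duplicate, so halt is unreachable — give it its own key, e.g. `bindsym Shift+h exec systemctl halt; mode "default"`. `$LOCK` on line 144 is never defined (there is no `set $LOCK` and the exec on line 93 is commented out), so the lock binding executes an empty command and the screen is not locked. `bindsym $mod++d` on line 183 has a doubled `+`, and `y#990000` on line 296 is not a colour, so that `client.urgent` line is rejected on reload. Line 78 also hands redshift precise coordinates; since the commit is meant to hold no sensitive data, reading them from a file outside the repository would keep the location out of history.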

79
config/etc/i3/py3status Normal file

@ -0,0 +1,79 @@
# i3status configuration file.
# see "man i3status" for documentation.
# It is important that this file is edited as UTF-8.
# The following line should contain a sharp s:
# ß
# If the above line is not correctly displayed, fix your editor first!
general {
# output_format = "dzen2"
colors = true
interval = 1
}
order += "group network"
order += "disk /"
order += "dpms"
order += "load"
order += "volume_status"
order += "group tz"
group network {
format = "{output}"
button_next = 1
button_previous = 2
wireless _first_ {
format_up = "W: (%quality at %essid) %ip"
format_down = "W: down"
}
ethernet _first_ {
# if you use %speed, i3status requires root privileges
format_up = "E: %ip (%speed)"
format_down = "E: down"
}
}
group tz {
format = "{output}"
button_next = 1
button_previous = 2
tztime local {
format = "GER %Y-%m-%d %H:%M:%S"
timezone = "Europe/Berlin"
}
tztime PRC {
format = "PRC %Y-%m-%d %H:%M:%S"
timezone = "Asia/Shanghai"
}
tztime UTC {
format = "UTC %Y-%m-%d %H:%M:%S"
timezone = "Etc/UTC"
}
tztime PST {
format = "PST %Y-%m-%d %H:%M:%S"
timezone = "PST8PDT"
}
uptime {
format = "{weeks}:{days}:{hours}:{minutes}:{seconds}"
}
}
volume_status {
button_up = 4
button_down = 5
button_mute = 2
}
load {
format = "%1min"
}
disk "/" {
format = "%avail"
}


@ -0,0 +1,9 @@
ALT+LEFT add video-pan-x -0.01
ALT+DOWN add video-pan-y +0.01
ALT+UP add video-pan-y -0.01
ALT+RIGHT add video-pan-x +0.01
ALT++ add video-zoom +0.1
ALT+- add video-zoom -0.1
ALT+0 cycle video-unscaled
ALT+m vf add mirror
MOUSE_BTN1 quit

180
config/etc/mpv/mpv.conf Normal file

@ -0,0 +1,180 @@
###########
# General #
###########
input-ipc-server=/tmp/mpvsocket # listen for IPC on this socket
load-stats-overlay=yes # use local stats.lua
#save-position-on-quit # handled by a script
fs
no-border # no window title bar
msg-module # prepend module name to log messages
msg-color # color log messages on terminal
#term-osd-bar # display a progress bar on the terminal
use-filedir-conf # look for additional config files in the directory of the opened file
#pause # no autoplay
keep-open # keep the player open when a file's end is reached
autofit-larger=100%x95% # resize window in case it's larger than W%xH% of the screen
#cursor-autohide-fs-only # don't autohide the cursor in window mode, only fullscreen
#input-media-keys=no # enable/disable OSX media keys
cursor-autohide=1000 # autohide the curser after 1s
prefetch-playlist=yes
load-unsafe-playlists=yes
force-seekable=yes
screenshot-format=png
screenshot-png-compression=9
screenshot-template='~/Desktop/%F (%P) %n'
hls-bitrate=max # use max quality for HLS streams
[ytdl-desktop]
profile-desc=cond:is_desktop()
ytdl-format=bestvideo[height<=?1080]+bestaudio/best
[ytdl-laptop]
profile-desc=cond:is_laptop()
ytdl-format=bestvideo[height<=?1080][fps<=?30][vcodec!=?vp9][protocol!=http_dash_segments]+bestaudio/best
[default]
#########c
# Cache #
#########
# Configure the cache to be really big (multiple GBs)
# We have a lot of memory, so why not use it for something
cache=auto
cache-default=4000000 # size in KB
cache-backbuffer=250000 # size in KB
demuxer-max-bytes=1147483647 # ~1 GiB in bytes
demuxer-seekable-cache=yes
#############
# OSD / OSC #
#############
osc=no
#osd-level=1 # enable osd and display --osd-status-msg on interaction
#osd-duration=2500 # hide the osd after x ms
osd-status-msg='${time-pos} / ${duration}${?percent-pos: (${percent-pos}%)}${?frame-drop-count:${!frame-drop-count==0: Dropped: ${frame-drop-count}}}\n${?chapter:Chapter: ${chapter}}'
#osd-font='Source Sans Pro'
osd-font-size=32
osd-color='#CCFFFFFF' # ARGB format
osd-border-color='#DD322640' # ARGB format
#osd-shadow-offset=1 # pixel width for osd text and progress bar
#osd-bar-align-y=0 # progress bar y alignment (-1 top, 0 centered, 1 bottom)
#osd-border-size=2 # size for osd text and progress bar
#osd-bar-h=2 # height of osd bar as a fractional percentage of your screen height
#osd-bar-w=60 # width of " " "
#############
# Subtitles #
#############
sub-auto=fuzzy # external subs don't have to match the file name exactly to autoload
sub-file-paths-append=ass # search for external subs in these relative subdirectories
sub-file-paths-append=srt
sub-file-paths-append=sub
sub-file-paths-append=subs
sub-file-paths-append=subtitles
sub-file-paths-append=ENG
sub-file-paths-append=CHI
demuxer-mkv-subtitle-preroll # try to correctly show embedded subs when seeking
embeddedfonts=yes # use embedded fonts for SSA/ASS subs
sub-fix-timing=no # do not try to fix gaps (which might make it worse in some cases)
sub-ass-force-style=Kerning=yes # allows you to override style parameters of ASS scripts
sub-use-margins
sub-ass-force-margins
# the following options only apply to subtitles without own styling (i.e. not ASS but e.g. SRT)
sub-font="Source Sans Pro Semibold"
sub-font-size=36
sub-color="#FFFFFFFF"
sub-border-color="#FF262626"
sub-border-size=3.2
sub-shadow-offset=1
sub-shadow-color="#33000000"
sub-spacing=0.5
#############
# Languages #
#############
slang=enm,en,eng,de,deu,ger # automatically select these subtitles (decreasing priority)
alang=ja,jp,jpn,en,eng,de,deu,ger # automatically select these audio tracks (decreasing priority)
#########
# Audio #
#########
ao=pulse,alsa,jack
audio-file-auto=fuzzy # external audio doesn't has to match the file name exactly to autoload
audio-pitch-correction=yes # automatically insert scaletempo when playing with higher speed
volume-max=200 # maximum volume in %, everything above 100 results in amplification
volume=70 # default volume, 100 = unchanged
audio-channels=stereo
################
# Video Output #
################
# Active VOs (and some other options) are set conditionally
# See here for more information: https://github.com/wm4/mpv-scripts/blob/master/auto-profiles.lua
# on_battery(), is_laptop() and is_dektop() are my own additional functions imported from scripts/auto-profiles-functions.lua
# Defaults for all profiles
profile=opengl-hq
vo=gpu
hwdec=vaapi-copy
vd-lavc-threads = 2
video-aspect=16:9
interpolation
video-sync=display-resample
deband=no
deinterlace=no
vf=lavfi="gradfun"
#scale=ewa_lanczossharp
scale=catmull_rom
cscale=spline64
dscale=mitchell
#dscale-param1=
#dscale-param2=
tscale=sinc
scale-antiring=0
cscale-antiring=0
dither-depth=auto
correct-downscaling=yes
sigmoid-upscaling=yes
opengl-early-flush=no
opengl-pbo=no # "yes" may cause mpv to crash: https://github.com/mpv-player/mpv/issues/4988
#icc-profile=~/.config/mpv/sufrace.icc
###################################
# Protocol Specific Configuration #
###################################
[protocol.https]
cache=yes
user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:57.0) Gecko/20100101 Firefox/58.0'
[protocol.http]
cache=yes
user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:57.0) Gecko/20100101 Firefox/58.0'
[extension.flac]
video-aspect=no
########################
# Plugin Configuration #
########################
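Review bot: `input-ipc-server=/tmp/mpvsocket` (line 395) places the control socket at a fixed name in a world-writable directory, so any local user can pre-create or bind that path, and every mpv instance of every user competes for the same socket. A per-user location avoids both: mpv expands `~~/` to its config directory in path options, so `input-ipc-server=~~/mpvsocket` (or a path under `$XDG_RUNTIME_DIR` passed by a wrapper) confines it to the owning user — worth confirming the expansion applies to this option in the installed version. `use-filedir-conf` (line 403) loads configuration from the directory of the opened file and `load-unsafe-playlists=yes` (line 411) lets playlists reference arbitrary local paths; mpv's manual marks both as unsafe with media from untrusted sources, so either leave them off or add a comment explaining why they are on. The section header on line 424 has a stray `c` (`#########c`).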


@ -0,0 +1,10 @@
########################
# /etc/youtube-dl.conf #
########################
--add-metadata
--all-subs
--embed-subs
--embed-thumbnail
--audio-quality 0
-f best
-o '%(playlist_index)s - %(title)s.%(ext)s'

27
config/fonts.nix Normal file

@ -0,0 +1,27 @@
{ pkgs, config, ... }:
{
fonts = {
enableFontDir = true;
enableGhostscriptFonts = true;
fontconfig = {
enable = true;
ultimate.enable = true;
includeUserConf = false;
};
fonts = with pkgs; [
corefonts # Microsoft free fonts
dejavu_fonts
inconsolata # monospaced
noto-fonts-cjk
powerline-fonts
source-han-sans-japanese
source-han-sans-korean
source-han-sans-simplified-chinese
source-han-sans-traditional-chinese
symbola
ubuntu_font_family
wqy_microhei
];
};
}

13
config/locale.nix Normal file

@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
{
i18n = {
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
inputMethod = {
enabled = if config.services.xserver.enable then "fcitx" else null;
fcitx.engines = with pkgs.fcitx-engines; [ chewing mozc ];
};
};
}

16
config/networking.nix Normal file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in {
networking = {
hostName = cfg.conf.networking.hostName;
# should probably add some etc file for this....
firewall = {
enable = true;
allowPing = cfg.conf.networking.firewall.allowPing;
allowedUDPPorts = cfg.conf.networking.firewall.allowedUDPPorts;
allowedTCPPorts = cfg.conf.networking.firewall.allowedTCPPorts;
};
};
}

21
config/nix.nix Normal file

@ -0,0 +1,21 @@
{ config, pkgs, ... }:
{
nix = {
maxJobs = 4;
buildCores = 1;
autoOptimiseStore = true;
sshServe.enable = false;
#sshServe.keys = [];
useSandbox = true;
extraOptions = ''
build-timeout = 86400 # 24 hours
'';
trustedBinaryCaches = [
"http://cache.nixos.org"
];
binaryCaches = [
"http://cache.nixos.org"
];
};
}
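Review bot: `binaryCaches` and `trustedBinaryCaches` (lines 638-643) point at `http://cache.nixos.org`, replacing the default HTTPS URL with plain HTTP; NAR signatures still protect integrity, but an on-path party can now observe which store paths are requested and withhold or delay narinfo responses. Use `"https://cache.nixos.org"` in both lists. Listing the same URL in `trustedBinaryCaches` is redundant, since everything in `binaryCaches` is already trusted — that option exists for caches unprivileged users may add on their own.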

9
config/security.nix Normal file

@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
security = {
audit.enable = true;
auditd.enable = true;
hideProcessInformation = true;
};
}

27
config/users.nix Normal file

@ -0,0 +1,27 @@
{ config, lib, pkgs, ... }:
let
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
in {
users = {
mutableUsers = false;
users.derped = {
isNormalUser = true;
home = "/home/derped";
createHome = true;
description = "";
group = "derped";
extraGroups = [ "audio" "wheel" "network" ] ++ (if cfg.conf.networking.hostName != "Ophanim" then ["input" "cups" "lp"] else []);
uid = 1337;
shell = "/run/current-system/sw/bin/zsh";
passwordFile = "/secret/derped";
openssh.authorizedKeys.keyFiles = (if cfg.conf.networking.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
};
groups.derped = {
name = "derped";
gid = 1337;
members = [ "derped" ];
};
};
}
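Review bot: Line 682 installs the authorized key only on Ophanim, but machines/Leviathan/configuration.nix (line 763) also imports services/openssh.nix, so on Leviathan the account has no key and any SSH login must fall back to the password from `/secret/derped`; unless services/openssh.nix (outside this chunk) disables password authentication, that leaves a wheel user reachable by password alone. If key login is wanted on every machine, drop the conditional: `openssh.authorizedKeys.keyFiles = [ "/secret/derped.pub" ];`. `group = "derped"` together with `groups.derped.members = [ "derped" ]` is redundant, since the primary group already confers membership, and `passwordFile` needs the file present at activation — a comment noting that `/secret` is provisioned outside the repository would help the next reader.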

15
config/zsh.nix Normal file

@ -0,0 +1,15 @@
{ config, lib, pkgs, ... }:
{
programs.zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
ohMyZsh = {
enable = true;
plugins = [ "git" "python" "man" ];
theme = "gentoo";
};
};
}

13
configuration.nix Normal file

@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in {
imports = [
cfg.confPath
./config/default.nix
./pkgs/nixpkgs.nix
./pkgs/pkgsets.nix
./services/default.nix
];
}


@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
let
cfg = import ./configuration.nix;
in {
imports = [
./hardware-configuration.nix
];
services = {
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
'';
};
environment.systemPackages = with pkgs; [ xdiskusage ];
system.stateVersion = "18.09";
}
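Review bot: The udev rule on line 741 gives every USB device with vendor id 28de mode 0666, so any local account or service can read and write the controller; the same rule is repeated in machines/Lilim/Lilim.nix (line 853). `TAG+="uaccess"` grants the device to the active seat's logged-in user through logind ACLs without opening it to everyone, e.g. `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", TAG+="uaccess"`. Since both machine files carry identical rules, a shared module (Lilim already imports services/udev.nix on line 879) would keep them in one place. `cfg = import ./configuration.nix;` on line 734 (and line 845 in Lilim.nix) is never used.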


@ -0,0 +1,26 @@
{
confPath = ./Leviathan.nix;
pkgs = [
"base"
"emacs"
"haskell"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
../../services/openssh.nix
../../services/xserver.nix
];
conf = {
allowUnfree = true;
networking = {
hostName = "Leviathan";
firewall = {
allowPing = true;
allowedUDPPorts = [ 22 ];
allowedTCPPorts = [];
};
};
};
}
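Review bot: `allowedUDPPorts = [ 22 ]` on line 772 opens UDP 22, which SSH does not use, while `allowedTCPPorts` is empty; reachability therefore depends on services/openssh.nix opening its own port (the NixOS module does so by default), and the entry should either be removed or become `allowedTCPPorts = [ 22 ];`. machines/Ophanim/configuration.nix repeats the pattern on line 1006, with 22, 80 and 443 in the UDP list although sshd and nginx are TCP services; unless QUIC is intended, those belong on TCP (80 and 443 already are on line 1007) and the UDP list should be empty.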


@ -0,0 +1,65 @@
{ config, lib, pkgs, ... }:
{
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
cleanTmpDir = true;
kernelPackages = pkgs.linuxPackages_4_19;
initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "firewire_ohci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
kernelModules = [ "kvm-intel" "wl" ];
extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
};
hardware = {
cpu.intel.updateMicrocode = true;
enableAllFirmware = true;
enableKSM = true;
opengl = {
driSupport = true;
extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
driSupport32Bit = true;
extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
};
pulseaudio = {
enable = true;
support32Bit = true;
package = pkgs.pulseaudioFull;
zeroconf.discovery.enable = false;
extraClientConf = ''
autospawn = no
'';
};
bluetooth = {
enable = true;
powerOnBoot = true;
};
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4f0a49f8-04f6-437c-ad5d-b0a82a7251ef";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2860-11F4";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c50ad046-8bfd-4248-8195-7a0d370b641f"; }
];
powerManagement = {
enable = true;
cpuFreqGovernor = "powersave";
};
time.timeZone = "Europe/Berlin";
}

21
machines/Lilim/Lilim.nix Normal file

@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
let
cfg = import ./configuration.nix;
in {
imports = [
./hardware-configuration.nix
];
services = {
gnome3.gnome-terminal-server.enable = true;
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
'';
};
environment.systemPackages = with pkgs; [ surface-firmware xdiskusage ];
system.stateVersion = "18.09";
}


@ -0,0 +1,30 @@
{
confPath = ./Lilim.nix;
pkgs = [
"base"
"emacs"
"extra"
"cpp"
"haskell"
"mailutils"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
../../services/xserver.nix
../../services/udev.nix
../../services/cups.nix
];
conf = {
allowUnfree = true;
networking = {
hostName = "Lilim";
firewall = {
allowPing = true;
allowedUDPPorts = [];
allowedTCPPorts = [];
};
};
};
}


@ -0,0 +1,66 @@
{ config, lib, pkgs, ... }:
let
surfacepkgs = import <linux-surface> {};
in {
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
cleanTmpDir = true;
# kernelPackages = pkgs.linuxPackages_surface;
kernelPackages = surfacepkgs.linuxPackages_surface;
initrd.kernelModules = [ "hid-multitouch" ];
initrd.availableKernelModules = [ "hid-microsoft" "hid-multitouch" "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ "kvm-intel" "hid-microsoft" "hid-multitouch" "uinput" ];
extraModulePackages = [ ];
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8c3a5a07-9ee1-4154-9f3f-6abc379073aa";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D2A2-C705";
fsType = "vfat";
};
swapDevices = [ ];
hardware = {
firmware = with pkgs; [ firmwareLinuxNonfree surface-firmware ];
cpu.intel.updateMicrocode = true;
enableAllFirmware = true;
enableKSM = true;
opengl = {
driSupport = true;
extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
driSupport32Bit = true;
extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
};
pulseaudio = {
enable = true;
support32Bit = true;
package = pkgs.pulseaudioFull;
zeroconf.discovery.enable = false;
extraClientConf = ''
autospawn = no
'';
};
bluetooth = {
enable = true;
powerOnBoot = true;
};
};
powerManagement = {
enable = true;
cpuFreqGovernor = "powersave";
};
time.timeZone = "Europe/Berlin";
}
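Review bot: `surfacepkgs = import <linux-surface> {}` on line 900 resolves through NIX_PATH, so the kernel this machine boots depends on an entry nothing in the repository pins, while pkgs/nixpkgs.nix already defines `linuxPackages_surface` through `packageOverrides` (line 1074) — the commented-out line 907 is that in-repo path. Using `kernelPackages = pkgs.linuxPackages_surface;` here would make the kernel come from the repository-defined expression and let the `surfacepkgs` binding go. If `<linux-surface>` is kept, a comment on line 900 stating what it must point to is needed for anyone reproducing the build.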


@ -0,0 +1,29 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
];
system.autoUpgrade.enable = false;
# services.vsftp = {
# enable = true;
# ssl_sslv3 = true;
# forceLocalDataSSL = true;
# writeEnable = false;
# userlist = [];
# };
services.haveged.enable = true;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09";
}


@ -0,0 +1,27 @@
{
confPath = ./Ophanim.nix;
pkgs = [
"base"
"emacs"
"server"
];
services = [
../../services/gitea.nix
../../services/hydra.nix
../../services/mailserver.nix
../../services/mariaDB.nix
../../services/nginx.nix
../../services/openssh.nix
];
conf = {
allowUnfree = true;
networking = {
hostName = "Ophanim";
firewall = {
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 5222 5269 ];
};
};
};
}


@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
boot = {
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelModules = [ ];
extraModulePackages = [ ];
loader.grub = {
enable = true;
version = 2;
device = "/dev/sda"; # or "nodev" for efi only
};
};
time.timeZone = "Europe/Berlin";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fa0c2ff3-59f9-4c00-8153-c2c2ef0f0e84";
fsType = "ext4";
};
swapDevices = [ ];
}


@ -0,0 +1,15 @@
{ stdenv, fetchFromGitHub, gtk-engine-murrine }:
stdenv.mkDerivation {
version = "1.0";
name = "Flat-Remix-GTK";
src = fetchFromGitHub {
owner = "daniruiz";
repo = "Flat-Remix-GTK";
rev = "39fec3cb2da83a7959e2637365c1e61643bf9ae9";
sha256 = "0rfv75w9yr8drc3x9g4iz2cb88ixy1lqbflvmb7farw4dz74fk5f";
fetchSubmodules = true;
};
makeFlags = [ "PREFIX=$(out)" ];
propagatedUserEnvPkgs = [ gtk-engine-murrine ];
}

18
pkgs/nixpkgs.nix Normal file

@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
{
nixpkgs.config = {
allowUnfree = true;
mpv.vaapiSupport = true;
packageOverrides = pkgs: rec {
mu-git = pkgs.callPackage ./mu-git/default.nix {};
theme_flat-remix = pkgs.callPackage ./flat-remix/default.nix {};
theme_sddm_midnight = pkgs.callPackage ./sddm_midnight/default.nix {};
firmware_surface = pkgs.callPackage ./firmware_surface/default.nix {};
linux_surface = pkgs.callPackage ./linux_surface/default.nix {};
linuxPackages_surface = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_surface);
xdiskusage = pkgs.callPackage ./xdiskusage/default.nix {};
};
};
}

262
pkgs/pkgsets.nix Normal file

@ -0,0 +1,262 @@
{ stable ? import <nixos-stable>,
unstable ? import <nixos-unstable>,
gitpkgs ? import /nixpkgs/default.nix,
config, lib, pkgs, ... }:
let
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
optPkgs = with lib; package: pkgstring: if elem pkgstring cfg.pkgs then package else [];
gitpkgs = import /nixpkgs/default.nix {};
# Programms I'm likely to want on every machine and/or may execute as root
base = with pkgs; [
alsaUtils
ccze
cksfv
cryptsetup
dhcpcd
dnsutils
git
gnupg
gptfdisk
home-manager
htop
hwinfo
indent
iptables
lrzip
lshw
macchanger
mkpasswd
netcat
nix-index
nix-plugins
nix-prefetch-git
nix-serve
nix-update-source
nix-zsh-completions
nixbang
nixops
nmap
nox
ntfs3g
oh-my-zsh
openssl
p7zip
pciutils
psmisc
rfkill
rsync
sl
sysvtools
telnet
traceroute
tree
unrar
unzipNLS
usbutils
vim
vulnix
wget
whois
wirelesstools
wpa_supplicant
zip
zlib
zsh
];
emacs = gitpkgs.emacsWithPackages (epkgs: with epkgs; [
/* Theming */
solarized-theme color-theme-sanityinc-tomorrow moe-theme powerline moody minions
/*General Stuff */
rainbow-delimiters # color parenthesis by indentation
color-identifiers-mode
/* Python */
company-jedi pylint melpaStablePackages.elpy
/* Git support */
magit
emms # multimedia support
wsd-mode
plantuml-mode
/* Other Stuff, not yet sorted */
transmission
org-plus-contrib orgit ox-gfm ox-rst
eclim
auto-complete
pkgs.aspell pkgs.aspellDicts.en pkgs.aspellDicts.de
use-package diminish bind-key
smartparens
evil-surround evil-indent-textobject evil-cleverparens avy undo-tree
cdlatex # for math expressions
helm
/* LaTeX */ auctex helm-bibtex cdlatex
markdown-mode
flycheck
pkgs.ledger
yaml-mode
company
/* C/C++ */ clang-format irony company-irony company-irony-c-headers flycheck-irony
/* Haskell */ haskell-mode flycheck-haskell
/* Org */ org org-ref pdf-tools org-bullets org-caldav
/* Rust */ rust-mode flycheck-rust racer
/* mail */ messages-are-flowing
/* Nix */ nix-buffer nix-mode nixos-options company-nixos-options nix-sandbox
paganini-theme
spaceline # modeline beautification
winum eyebrowse # window management
auto-compile
/* Maxima */ pkgs.maxima
visual-fill-column
web-mode
melpaStablePackages.idris-mode helm-idris
]);
extra = with pkgs; [
transmission
texlive.combined.scheme-full
];
mailutils = with pkgs; [
fetchmail
imagemagick
isync
mu-git
pandoc
postfix
];
cpp = with pkgs; [
clang
cmake
gcc
global
irony-server
];
haskell = pkgs.haskellPackages.ghcWithPackages (pkgs: with pkgs; [
mtl
random
]);
java = with pkgs; [
openjdk11
(with pkgs.eclipses; eclipseWithPlugins {
eclipse = eclipse-platform;
jvmArgs = [ "-Xmx2048m" ];
plugins = [
plugins.color-theme
plugins.emacsplus
plugins.checkstyle
];
})
];
python3 = gitpkgs.python3Full.withPackages(ps: with ps; [
GitPython
bpython
configparser
django
elpy
emoji
epc
numpy
opencv3
paho-mqtt
pep8
pillow
pip
plotly
pyflakes
pygame_sdl2
pylama
pylint
pyopengl
pyproj
requests
schedule
scipy
selenium
telegram
tkinter
toolz
virtualenv
# flask
# flask-common
# flask-compress
# flask-cors
# flask-limiter
# flask-pymongo
# flask-restful
# flask-restplus
# flask_assets
# flask_elastic
# flask_login
# flask_mail
# flask_marshmallow
# flask_migrate
# flask_oauthlib
# flask_principal
# flask_script
# flask_sqlalchemy
# flask_testing
# flask_wtf
# flaskbabel
/* temporarily fix python stuff */
py3status pytz tzlocal
]);
rustpkgs = with pkgs; [
rustup
carnix
rustracer
];
server = with pkgs; [
audit
letsencrypt
php
simp_le
];
uniProgs = with pkgs; [
qucs
];
xpkgs = with pkgs; [
feh
scrot
theme_flat-remix
theme_sddm_midnight
gnome3.dconf
gnome3.gnome-terminal
gnome3.gvfs
pcmanfm
pavucontrol
xclip
xlibs.xkill
xorg.xbacklight
xdiskusage
];
in {
environment.systemPackages = base
++ (optPkgs [emacs] "emacs")
++ (optPkgs extra "extra")
++ (optPkgs mailutils "mailutils")
++ (optPkgs cpp "cpp")
++ (optPkgs [haskell] "haskell")
++ (optPkgs java "java")
++ (optPkgs [python3] "python3")
++ (optPkgs rustpkgs "rustpkgs")
++ (optPkgs server "server")
++ (optPkgs uniProgs "uniProgs")
++ (optPkgs xpkgs "xpkgs");
services.emacs = {
enable = (lib.elem "emacs" cfg.pkgs);
install = (lib.elem "emacs" cfg.pkgs);
package = emacs;
};
}


@ -0,0 +1,30 @@
{ stdenv, fetchFromGitHub, qtstyleplugin-kvantum-qt4 }:
stdenv.mkDerivation {
name = "sddm_midnight";
version = 1.0;
src = fetchFromGitHub {
owner = "Rokin05";
repo = "midnight-kde";
rev = "1a4771146a8d6f3b45b1da32877495c9e562d193";
sha256 = "10br96pf4dppk9nk7yvf7h9zja40k4c6rhwmqcaxxcjlhpvjmhkj";
};
buildInputs = [ qtstyleplugin-kvantum-qt4 ];
patchPhase = ''
substituteInPlace sddm/themes/Midnight/Main.qml --replace /usr $out
'';
installPhase = ''
mkdir -p $out/share
cp -R \
"aurorae" \
"color-schemes" \
"Kvantum" \
"plasma" \
"sddm" \
"$out/share"
'';
}
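Review bot: `version = 1.0;` in the derivation header is a Nix float rather than a string, so any `${version}` interpolation fails and tooling that reads `version` gets the wrong type; write `version = "1.0";` and derive the name from it (`name = "sddm_midnight-${version}";`). Pinning `rev` plus `sha256` for a theme pulled from a third-party GitHub repository is the right call and should stay; if the nixpkgs revision in use supports `pname`, prefer `pname`/`version` over a hand-built `name`.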


@ -0,0 +1,13 @@
{ stdenv, fetchurl, fltk }:
stdenv.mkDerivation rec {
name = "xdiskusage";
version = "1.51";
buildInputs = [ fltk ];
src = fetchurl {
url = "http://xdiskusage.sourceforge.net/${name}-${version}.tgz";
sha256 = "1il9200a2yd6023sbmixspvhj4ip6frm8sczjk5zk68j65zl9ckg";
};
}
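Review bot: The `url` under `src` fetches the tarball over plain `http://`; the `sha256` pin means a tampered download is rejected rather than built, so this is a visibility/reproducibility concern rather than an integrity hole, but the hash must then come from a trusted copy and must never be refreshed by pasting whatever `nix-prefetch-url` returns from the same unauthenticated mirror. Switch to `https://` if the SourceForge project host serves it (confirm), e.g. `url = "https://xdiskusage.sourceforge.net/${name}-${version}.tgz";`.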

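--- /dev/null
+++ b/services/cups.nix
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+{
+services.printing = {
+enable = true;
+startWhenNeeded = true;
+drivers = with pkgs; [ gutenprint hplip splix samsung-unified-linux-driver ];
+};
+}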

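--- /dev/null
+++ b/services/default.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+let
+cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
+in {
+imports = cfg.services;
+}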
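Review bot: `cfg` is derived at evaluation time from `builtins.readFile /etc/hostname`, so which machine's `services` list is imported depends on the host's current hostname rather than on anything in the repository; a wrong or missing `/etc/hostname` silently selects another machine's service set (or fails with an unhelpful "file not found"), and the read is impure, so the expression will not evaluate under `--pure-eval`/flakes. Consider passing the machine name explicitly (e.g. via `specialArgs` or a `NIX_PATH` entry) and documenting the convention above the `let`, e.g. `# Host-specific config is selected by /etc/hostname; keep it in sync with machines/<name>/`.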

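--- /dev/null
+++ b/services/ejabberd.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+services.ejabberd = {
+enable = true;
+imagemagick = true;
+};
+}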

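--- /dev/null
+++ b/services/fail2ban.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
+{
+services.fail2ban = {
+enable = true;
+jails = {
+DEFAULT = ''
+bantime = 3600
+logpath = /var/log/auth.log
+'';
+ssh = ''
+enabled = true
+filter = sshd
+maxretry = 4
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+'';
+sshd-ddos = ''
+enabled = true
+filter = sshd-ddos
+maxretry = 2
+action = iptables[name=ssh, port=ssh, protocol=tcp]
+'';
+postfix = ''
+enabled = true
+filter = postfix
+maxretry = 3
+action = iptables[name=postfix, port=smtp, protocol=tcp]
+'';
+postfix-sasl = ''
+enabled = true
+filter = postfix-sasl
+maxretry = 3
+action = iptables[name=postfix, port=smtp, protocol=tcp]
+'';
+postfix-ddos = ''
+enabled = true
+filter = postfix-ddos
+maxretry = 3
+action = iptables[name=postfix, port=submission, protocol=tcp]
+bantime = 7200
+'';
+nginx-req-limit = ''
+enabled = true
+filter = nginx-req-limit
+maxretry = 10
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+findtime = 600
+bantime = 7200
+''
+};
+};
+environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
+[Definition]
+failregex = lost connection after EHLO from \S+\[<HOST>\]
+'';
+environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
+[Definition]
+failregex = limiting requests, excess:.* by zone.*client: <HOST>
+'';
+# Limit stack size to reduce memory usage
+systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+}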
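Review bot: The `nginx-req-limit` jail closes its string with `''` but no `;` before `};`, so the `jails` attribute set does not parse and evaluation of the whole system fails; it must read `'';`. Separately, `logpath = /var/log/auth.log` in `DEFAULT` names a file that only exists if a syslog daemon is configured; on a journald-only NixOS the ssh/postfix jails either fail to start or watch nothing, and if the NixOS module defaults the backend to `systemd` (confirm for the release in use) the custom `nginx-req-limit` filter still needs nginx's file log, so give that jail its own `backend = auto` and `logpath = /var/log/nginx/error.log` (confirm the path nginx is configured with). The `sshd-ddos` filter was merged into the `sshd` filter (`mode = aggressive`) in fail2ban 0.10, so on a current package that jail fails to load and takes the service down with it — drop it or use `filter = sshd[mode=aggressive]`.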

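--- /dev/null
+++ b/services/gitea.nix
@@ -0,0 +1,36 @@
+{ stdenv, conf, pkgs, ... }:
+{
+services.gitea = {
+enable = true;
+user = "git";
+cookieSecure = true;
+domain = "git.ophanim.de";
+rootUrl = "http://git.ophanim.de/";
+database = {
+type = "mysql";
+user = "git";
+name = "gitea";
+passwordFile = "/secret/gitea";
+};
+extraConfig = ''
+[repository]
+DISABLE_HTTP_GIT = true
+USE_COMPAT_SSH_URI = true
+[security]
+INSTALL_LOCK = true
+COOKIE_USERNAME = gitea_username
+COOKIE_REMEMBER_NAME = gitea_userauth
+[service]
+DISABLE_REGISTRATION = true
+'';
+};
+users.users.git = {
+isNormalUser = true;
+home = "/var/lib/gitea";
+createHome = true;
+};
+}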
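Review bot: `rootUrl = "http://git.ophanim.de/"` contradicts `cookieSecure = true` and the HTTPS-only vhost: Gitea builds absolute links, clone URLs and OAuth/webhook callback URLs from `ROOT_URL`, so they come out as `http://` and only work through the redirect, and Secure cookies may never be set on a response Gitea believes was served over plain HTTP. Set `rootUrl = "https://git.ophanim.de/";`. The argument set `{ stdenv, conf, pkgs, ... }:` names two values the NixOS module system does not supply; unless `_module.args` or `specialArgs` provides `stdenv` and `conf` elsewhere, evaluation aborts on them, and since neither is used in this file `{ config, lib, pkgs, ... }:` is the safe form.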

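--- /dev/null
+++ b/services/hydra.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+# hydra user needs to be manually crated
+# sudo -u hydra -s
+# hydra-create-user $USERNAME --password $PASSWORD --role admin
+{
+# also take a look at ../conf/nix.nix
+nix.buildMachines = [
+{
+hostName = "localhost";
+system = "x86_64-linux";
+supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+maxJobs = 8;
+}
+];
+services.hydra = {
+enable = true;
+hydraURL = "https://builder.ophanim.de"; # externally visible URL
+listenHost = "localhost";
+port = 3001;
+minimumDiskFree = 15;
+minimumDiskFreeEvaluator = 15;
+notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service
+useSubstitutes = true;
+debugServer = false;
+};
+}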
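Review bot: The header comment documents bootstrapping the admin with `hydra-create-user $USERNAME --password $PASSWORD --role admin`, which puts the cleartext password into the shell history and, while it runs, into the process list of every local user; if the packaged Hydra supports it, document `hydra-create-user $USERNAME --password-prompt --role admin` (or `--password-hash`) instead, and fix the typo `crated` → `created`. `listenHost = "localhost"` with `hydraURL` set to the HTTPS name that nginx proxies is the right shape; a short comment such as `# only reachable through the nginx vhost builder.ophanim.de` would make the dependency on that vhost explicit.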

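--- /dev/null
+++ b/services/mailserver.nix
@@ -0,0 +1,38 @@
+{ lib, config, pkgs, ... }:
+{
+imports = [
+./mailserver/default.nix
+];
+mailserver = rec {
+enable = true;
+fqdn = "mail.ophanim.de";
+domains = [ "ophanim.de" ];
+loginAccounts = {
+"derped@ophanim.de" = {
+hashedPassword = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/derped.mail));
+};
+};
+# Use Let's Encrypt certificates. Note that this needs to set up a stripped
+# down nginx and opens port 80.
+certificateScheme = 1;
+certificateFile = "/var/lib/acme/" + fqdn + "/fullchain.pem";
+keyFile = "/var/lib/acme/" + fqdn + "/key.pem";
+#dhParamBitLength = 4096; # this doesn't exist???
+# Enable IMAP and POP3
+enableImap = true;
+enablePop3 = true;
+enableImapSsl = true;
+enablePop3Ssl = true;
+# Enable the ManageSieve protocol
+enableManageSieve = true;
+# whether to scan inbound emails for viruses (note that this requires at least
+# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
+virusScanning = false;
+};
+}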
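Review bot: `hashedPassword = (… builtins.readFile /secret/derped.mail)` reads the hash into the evaluated configuration, which the module then writes into a file under the world-readable `/nix/store`; that defeats keeping `/secret` root-only and hands the hash to any local user (or anyone who obtains a copied store path) for offline cracking. If the vendored module offers it, use `hashedPasswordFile = "/secret/derped.mail";` so only the path reaches the store. The comment above `certificateScheme = 1` talks about Let's Encrypt, but in upstream simple-nixos-mailserver scheme 1 means "use the given `certificateFile`/`keyFile`" (scheme 3 is the built-in ACME flow); here the files come from the nginx `enableACME` vhost for `mail.ophanim.de`, so this only works while that vhost exists and the dovecot/postfix users can read the key — state that in the comment and confirm the ACME directory permissions.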

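--- /dev/null
+++ b/services/mariaDB.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+let
+nextcloudpwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/nextcloud_db));
+giteapwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/gitea));
+in {
+services.mysql = {
+enable = true;
+package = pkgs.mariadb;
+initialDatabases = [ {
+name = "nextcloud";
+schema = pkgs.writeText "nextcloud.sql"
+''
+create user if not exists 'nextcloud'@'localhost' identified by ${nextcloudpwd};
+grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by ${nextcloudpwd};
+'';
+}
+{
+name = "gitea";
+schema = pkgs.writeText "gitea.sql"
+''
+create user if not exists 'git'@'localhost' identified by ${giteapwd};
+grant all privileges on gitea.* to 'git'@'localhost' identified by ${giteapwd};
+'';
+} ];
+};
+}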
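Review bot: Both `create user … identified by ${nextcloudpwd}` / `${giteapwd}` scripts are generated with `pkgs.writeText`, so the plaintext database passwords read from `/secret/…` are written into `/nix/store/*-nextcloud.sql` and `*-gitea.sql`, which are world-readable and persist across generations until garbage-collected; this silently undoes the purpose of the `/secret` directory. `identified by` also expects a quoted string literal, so unless the secret files already contain the quotes the statements are a MySQL syntax error. Move the user/grant statements into a root-only file outside the store and hand the mysql module its path as a string through `initialScript` (a string is passed through untouched, whereas a path literal would be copied into the store), keeping only the database names in `initialDatabases`, as below; that file then holds e.g. `create user if not exists 'nextcloud'@'localhost' identified by 'PASSWORD';` with the same value that `/secret/nextcloud_db` gives Nextcloud.
```nix
{ config, pkgs, ... }:
{
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    # Databases only; users and grants come from initialScript so no
    # password is ever evaluated into a store path.
    initialDatabases = [ { name = "nextcloud"; } { name = "gitea"; } ];
    # A string, not a path literal: it is passed through unchanged and is
    # not copied into /nix/store. Keep the file 0600 root:root.
    initialScript = "/secret/mariadb-init.sql";
  };
}
```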

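--- /dev/null
+++ b/services/nextcloud.nix
@@ -0,0 +1,27 @@
+{ conf, pkgs, ... }:
+{
+services.nextcloud = {
+enable = true;
+home = "/var/lib/nextcloud";
+hostName = "storage.ophanim.de";
+https = true;
+maxUploadSize = "1024M";
+config = {
+adminuser = "derped";
+adminpassFile = "/secret/nextcloud_admin";
+dbtype = "mysql";
+dbhost = "localhost";
+dbport = "3306";
+dbuser = "nextcloud";
+dbpassFile = "/secret/nextcloud_db";
+dbname = "nextcloud";
+dbtableprefix = "oc_";
+};
+caching = {
+apcu = true;
+memcached = true;
+redis = false;
+};
+};
+}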
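Review bot: `{ conf, pkgs, ... }:` asks the module system for `conf`, which is not a standard module argument and is unused here; unless `specialArgs`/`_module.args` defines it, evaluation aborts — use `{ config, pkgs, ... }:`. Note that with `services.nextcloud.enable = true` the NixOS module provisions its own nginx virtual host for `hostName` (`storage.ophanim.de`) backed by php-fpm, if that is what the nixpkgs revision in use does; the hand-written uwsgi vhost for the same name in nginx.nix then either conflicts on `root` or merges into one vhost with duplicate locations, which matches the "does not work yet" remark there — pick one backend. Using `adminpassFile`/`dbpassFile` as paths rather than `readFile` is the right pattern and keeps those secrets out of the store.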

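--- /dev/null
+++ b/services/nginx.nix
@@ -0,0 +1,286 @@
+##############################################################################################
+# Includes: #
+# - Nginx + SSL config #
+# - Gitea #
+# - Nextcloud #
+# - Heavily based on: https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271 #
+# - Mail ssl root #
+##############################################################################################
+{ conf, lib, pkgs, ... }:
+let
+gitpkgs = import /nixpkgs/default.nix {};
+in {
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+virtualHosts = {
+"ophanim.de" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/www";
+};
+"builder.ophanim.de" = {
+enableACME = true;
+forceSSL = true;
+extraConfig = ''
+location / {
+proxy_pass http://127.0.0.1:3001;
+proxy_set_header Host $http_host;
+proxy_set_header REMOTE_ADDR $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+}
+'';
+};
+"mail.ophanim.de" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/www";
+};
+"storage.ophanim.de" = {
+enableACME = true;
+forceSSL = true;
+root = "${gitpkgs.nextcloud}";
+locations = {
+"/robots.txt" = {
+extraConfig = ''
+allow all;
+log_not_found off;
+access_log off;
+'';
+};
+"~ ^/(?:\.htaccess|config|db_structure\.xml|README)" = {
+extraConfig = "deny all;";
+};
+"/" = {
+extraConfig = ''
+rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+try_files $uri $uri/ =404;
+'';
+};
+"~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)" = {
+extraConfig = ''
+include ${pkgs.nginx}/conf/uwsgi_params;
+uwsgi_modifier1 14;
+uwsgi_hide_header X-Frame-Options;
+uwsgi_hide_header X-XSS-Protection;
+uwsgi_hide_header X-Content-Type-Options;
+uwsgi_hide_header X-Robots-Tag;
+uwsgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
+uwsgi_pass unix:/run/uwsgi/php.sock;
+'';
+};
+"~* \.(?:css|js)$" = {
+extraConfig = ''
+add_header Cache-Control "public, max-age=7200";
+add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
+access_log off;
+'';
+};
+"~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" = {
+extraConfig = ''
+access_log off;
+'';
+};
+"^~ /data" = {
+extraConfig = ''
+internal;
+'';
+};
+"^~ /apps" = {
+extraConfig = ''
+alias /var/lib/nextcloud/apps;
+'';
+};
+};
+### Settings for new nextcloud module.... does not work yet???
+# locations = {
+# "= /robots.txt" = {
+# priority = 100;
+# extraConfig = ''
+# allow all;
+# log_not_found off;
+# access_log off;
+# '';
+# };
+# "/" = {
+# priority = 200;
+# extraConfig = "rewrite ^ /index.php$uri;";
+# };
+# "~ ^/store-apps" = {
+# priority = 201;
+# extraConfig = "root /var/lib/nextcloud;";
+# };
+# "= /.well-known/carddav" = {
+# priority = 210;
+# extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+# };
+# "= /.well-known/caldav" = {
+# priority = 210;
+# extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+# };
+# "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = {
+# priority = 300;
+# extraConfig = "deny all;";
+# };
+# "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
+# priority = 300;
+# extraConfig = "deny all;";
+# };
+# "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\\.php(?:$|/)" = {
+# priority = 500;
+# extraConfig = ''
+# include ${pkgs.nginxMainline}/conf/fastcgi.conf;
+# fastcgi_split_path_info ^(.+\.php)(/.*)$;
+# fastcgi_param PATH_INFO $fastcgi_path_info;
+# fastcgi_param HTTPS on;
+# fastcgi_param modHeadersAvailable true;
+# fastcgi_param front_controller_active true;
+# fastcgi_pass unix:/run/phpfpm/nextcloud;
+# fastcgi_intercept_errors on;
+# fastcgi_request_buffering off;
+# fastcgi_read_timeout 120s;
+# '';
+# };
+# "~ ^/(?:updater|ocs-provider)(?:$|/)".extraConfig = ''
+# try_files $uri/ =404;
+# index index.php;
+# '';
+# "~ \\.(?:css|js|woff|svg|gif)$".extraConfig = ''
+# try_files $uri /index.php$uri$is_args$args;
+# add_header Cache-Control "public, max-age=15778463";
+# add_header X-Content-Type-Options nosniff;
+# add_header X-XSS-Protection "1; mode=block";
+# add_header X-Robots-Tag none;
+# add_header X-Download-Options noopen;
+# add_header X-Permitted-Cross-Domain-Policies none;
+# access_log off;
+# '';
+# "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = ''
+# try_files $uri /index.php$uri$is_args$args;
+# access_log off;
+# '';
+# };
+# extraConfig = ''
+# add_header X-Content-Type-Options nosniff;
+# add_header X-XSS-Protection "1; mode=block";
+# add_header X-Robots-Tag none;
+# add_header X-Download-Options noopen;
+# add_header X-Permitted-Cross-Domain-Policies none;
+# error_page 403 /core/templates/403.php;
+# error_page 404 /core/templates/404.php;
+# client_max_body_size 1024M;
+# fastcgi_buffers 64 4K;
+# gzip on;
+# gzip_vary on;
+# gzip_comp_level 4;
+# gzip_min_length 256;
+# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+# '';
+};
+"git.ophanim.de" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/lib/gitea/public";
+extraConfig = ''
+location / {
+try_files maintain.html $uri $uri/index.html @node;
+}
+location @node {
+client_max_body_size 0;
+proxy_pass http://localhost:3000;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_max_temp_file_size 0;
+proxy_redirect off;
+proxy_read_timeout 120;
+}
+'';
+};
+};
+};
+# Nextcloud system cron
+users.users.nginx.useDefaultShell = true;
+systemd.services.nextcloudcron = {
+description = "Nextcloud cron";
+after = [ "network.target" ];
+script = ''
+${pkgs.php}/bin/php ${gitpkgs.nextcloud}/cron.php
+${gitpkgs.nextcloud-news-updater}/bin/nextcloud-news-updater -t 2 -i 30 --mode singlerun ${gitpkgs.nextcloud}
+'';
+environment = { NEXTCLOUD_CONFIG_DIR = "/var/lib/nextcloud/config"; };
+serviceConfig.User = "nginx";
+};
+systemd.timers.nextcloudcron = {
+enable = true;
+description = "Nextcloud cron timer";
+wantedBy = [ "timers.target" ];
+partOf = [ "Nextcloudcron.service" ];
+timerConfig = {
+RandomizedDelaySec = "5min";
+OnCalendar = "*-*-* *:00,30:00"; # every 1/2h
+Persistent = true;
+};
+};
+services.uwsgi = {
+enable = true;
+user = "nginx";
+group = "nginx";
+instance = {
+type = "emperor";
+vassals = {
+php = {
+type = "normal";
+socket = "/run/uwsgi/php.sock";
+master = true;
+vacuum = true;
+processes = 16;
+cheaper = 1;
+php-sapi-name = "apache"; # opcode caching tweak
+php-allowed-ext = [ ".php" ".inc" ];
+socket-modifier1 = 14;
+php-index = "index.php";
+php-set = "date.timezone=Europe/Berlin";
+env = [
+"NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config"
+];
+plugins = [ "php" ];
+};
+};
+};
+plugins = [ "php" ];
+};
+}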
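Review bot: The `storage.ophanim.de` vhost denies only `.htaccess|config|db_structure.xml|README`, while `try_files $uri $uri/ =404` under `/` and the `^~ /apps` alias serve everything else as static files; any PHP file outside the `index|remote|public|cron|…` list (e.g. `console.php`, anything under `lib/` or `3rdparty/`, every app's sources under `/var/lib/nextcloud/apps`) is therefore sent as plain text, and `tests/`, `occ` and similar paths are reachable. Replace that single deny location with the two Nextcloud-recommended ones already sitting in the commented-out block (below), giving them a lower `priority` than the php/static locations as that block does (if the nginx module in use supports `priority`), and keep `.well-known/{carddav,caldav}` as exact-match locations so the deny regex does not swallow them. Inside a Nix double-quoted string `\.` collapses to a bare `.`, so every regex here (`db_structure\.xml`, `\.php`, `\.(?:css|js)$`) is looser than written — use `\\.` as the commented block does. Smaller items: `add_header Strict-Transport-Security …` is only emitted inside `~* \.(?:css|js)$`, so HTML responses carry no HSTS — move it to the vhost's `extraConfig`; `partOf = [ "Nextcloudcron.service" ]` does not match the unit `nextcloudcron.service`; and `users.users.nginx.useDefaultShell = true` is unnecessary for a systemd `script` (it runs through `/bin/sh` regardless of the account's login shell) and gives the web-server account an interactive shell — drop it.
```nix
"= /.well-known/carddav".extraConfig = "return 301 $scheme://$host/remote.php/dav;";
"= /.well-known/caldav".extraConfig = "return 301 $scheme://$host/remote.php/dav;";
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = {
  priority = 300;
  extraConfig = "deny all;";
};
"~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
  priority = 300;
  extraConfig = "deny all;";
};
# … unchanged: "/robots.txt", "/", php, css/js, image, /data and /apps locations …
```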

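--- /dev/null
+++ b/services/openssh.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+{
+services.openssh = {
+enable = true;
+startWhenNeeded = true;
+challengeResponseAuthentication = false;
+passwordAuthentication = false;
+permitRootLogin = "no";
+extraConfig = ''
+AllowUsers derped git
+'';
+};
+}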

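--- /dev/null
+++ b/services/prosody.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+{
+services.prosody = {
+enable = true;
+admins = [ "derped@ophanim.de" ];
+allowRegistration = false;
+extraConfig = ''
+use_libevent = true
+s2s_require_encryption = true
+c2s_require_encryption = true
+'';
+extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
+# modules.legacyauth = false;
+ssl.cert = "/var/lib/acme/ophanim.de/fullchain.pem";
+ssl.key = "/var/lib/acme/ophanim.de/key.pem";
+virtualHosts = {
+localhost = {
+domain = "localhost";
+enabled = true;
+};
+"ophanim.de" = {
+domain = "ophanim.de";
+enabled = true;
+};
+};
+};
+}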
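Review bot: `virtualHosts.localhost` is enabled next to `ophanim.de` and shares the public certificate and key; a `localhost` VirtualHost on an internet-facing server is a leftover from the default config and only widens what clients can authenticate against — remove it or set `enabled = false;`. `extraModules` loads `"compression"`: XEP-0138 stream compression is widely deprecated because compressing attacker-influenced data inside TLS enables CRIME-style plaintext recovery, and `c2s_require_encryption = true` makes TLS the normal case here, so drop `"compression"`. `s2s_require_encryption = true` does not by itself require the peer's certificate to validate; if the packaged Prosody supports it, add `s2s_secure_auth = true` to the `extraConfig` to refuse unauthenticated s2s. Confirm the prosody user can read `/var/lib/acme/ophanim.de/key.pem` (ACME group membership), otherwise TLS setup fails and, with encryption required, no client can connect.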

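--- /dev/null
+++ b/services/udev.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+{
+services.udev.extraRules = ''
+Valve USB devices
+SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", TAG+="uaccess", TAG+="udev-acl"
+# Steam Controller udev write access
+KERNEL=="uinput", SUBSYSTEM=="misc", TAG+="uaccess", TAG+="udev-acl"
+# Valve HID devices over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="28de", TAG+="uaccess", TAG+="udev-acl"
+# Valve HID devices over bluetooth hidraw
+KERNEL=="hidraw*", KERNELS=="*28DE:*", TAG+="uaccess", TAG+="udev-acl"
+# DualShock 4 over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="05c4", TAG+="uaccess", TAG+="udev-acl"
+# DualShock 4 wireless adapter over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="0ba0", TAG+="uaccess", TAG+="udev-acl"
+# DualShock 4 Slim over USB hidraw
+KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="09cc", TAG+="uaccess", TAG+="udev-acl"
+# DualShock 4 over bluetooth hidraw
+KERNEL=="hidraw*", KERNELS=="*054C:05C4*", TAG+="uaccess", TAG+="udev-acl"
+# DualShock 4 Slim over bluetooth hidraw
+KERNEL=="hidraw*", KERNELS=="*054C:09CC*", TAG+="uaccess", TAG+="udev-acl"
+'';
+}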
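Review bot: The first line of `extraRules`, `Valve USB devices`, lacks the leading `#`, so udev parses it as a rule and logs `invalid rule` for it; in the udev versions I know it then skips that line and still loads the rest, but it is an error on every rules reload and should simply be `# Valve USB devices`. `TAG+="udev-acl"` is the legacy ConsoleKit tag; on a systemd-logind system `uaccess` alone grants the seat ACL, so the extra tag is harmless dead weight. Note that `KERNEL=="uinput", SUBSYSTEM=="misc", TAG+="uaccess"` gives every active seat user write access to `/dev/uinput`, i.e. the ability to create virtual input devices and inject keystrokes into any session on the seat; that is what Steam Input needs, but it is a deliberate widening of privilege that deserves a comment saying so.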

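--- /dev/null
+++ b/services/xserver.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+{
+services.gnome3.gvfs.enable = true;
+services.xserver = {
+enable = true;
+layout = "de";
+videoDrivers = [ "intel" ];
+windowManager = {
+i3 = {
+enable = true;
+configFile = ../config/etc/i3/config;
+extraPackages = with pkgs; [
+dmenu
+file
+i3lock
+i3status
+];
+};
+default = "i3";
+};
+# add switch for Lilim
+libinput = {
+enable = true;
+tapping = true;
+disableWhileTyping = false;
+naturalScrolling = false;
+horizontalScrolling =true;
+};
+dpi = 192;
+};
+}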