adtya/configuration.nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

remove stuff

Browse source
This commit is contained in:
Adithya 2024-01-04 21:51:28 +05:30
parent af0e24278c
commit 66ea18a8c2
Signed by: adtya
GPG key ID: 48FC9915FFD326D0
50 changed files with 1 additions and 1444 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
flake.lock
View file

@ -1,28 +1,5 @@
{ {
"nodes": { "nodes": {
"adtyaxyz": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703637505,
"narHash": "sha256-JmXTyG3RHYFUTWoFb/vXyDNPOUflo5w7ajHUwzlw6pA=",
"owner": "adtya",
"repo": "adtya.xyz",
"rev": "0f9e7f63d9e2a15cb2bcf7403933734cf8aafc08",
"type": "github"
},
"original": {
"owner": "adtya",
"repo": "adtya.xyz",
"type": "github"
}
},
"crane": { "crane": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -197,29 +174,6 @@
"type": "github" "type": "github"
} }
}, },
"if3": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1699207859,
"narHash": "sha256-7RGwx48zwI/ap3ZC70dCq/9zcWCU4yVTdI0wsInP3kk=",
"owner": "adtya",
"repo": "if3-docs",
"rev": "41750eaaaffef33b0d4ab89b1fc9d67a9903447b",
"type": "github"
},
"original": {
"owner": "adtya",
"repo": "if3-docs",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1703656108, "lastModified": 1703656108,
@ -408,16 +362,13 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"adtyaxyz": "adtyaxyz",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"if3": "if3",
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim"
"wiki": "wiki"
} }
}, },
"rust-overlay": { "rust-overlay": {
@ -474,29 +425,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"wiki": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703638978,
"narHash": "sha256-/FaQY32CLkPtNoqUTKwcSkxL9xxh13QGwE5ySeVS34U=",
"owner": "adtya",
"repo": "wiki",
"rev": "f2dda6c9385168b0f992d6f05708c87bd97d552a",
"type": "github"
},
"original": {
"owner": "adtya",
"repo": "wiki",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

63
flake.nix
View file

@ -38,30 +38,6 @@
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
}; };
}; };
adtyaxyz = {
url = "github:adtya/adtya.xyz";
inputs = {
flake-utils.follows = "flake-utils";
nixpkgs.follows = "nixpkgs";
};
};
wiki = {
url = "github:adtya/wiki";
inputs = {
flake-utils.follows = "flake-utils";
nixpkgs.follows = "nixpkgs";
};
};
if3 = {
url = "github:adtya/if3-docs";
inputs = {
flake-utils.follows = "flake-utils";
nixpkgs.follows = "nixpkgs";
};
};
}; };
outputs = outputs =
@ -73,9 +49,6 @@
, lanzaboote , lanzaboote
, nixos-hardware , nixos-hardware
, nixvim , nixvim
, adtyaxyz
, wiki
, if3
, ,
} @ inputs: } @ inputs:
let let
@ -140,42 +113,6 @@
./hosts/rico0 ./hosts/rico0
]; ];
}; };
Rico1 = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
pkgs = import nixpkgs {
inherit system;
config = nixpkgs-config;
};
specialArgs = inputs // { inherit secrets; };
modules = [
{
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
}
nixos-hardware.nixosModules.raspberry-pi-4
./common
./hosts/rico1
];
};
Rico2 = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
pkgs = import nixpkgs {
inherit system;
config = nixpkgs-config;
};
specialArgs = inputs // { inherit secrets; };
modules = [
{
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
}
nixos-hardware.nixosModules.raspberry-pi-4
./common
./hosts/rico2
];
};
}; };
} }
// flake-utils.lib.eachDefaultSystem ( // flake-utils.lib.eachDefaultSystem (

1
hosts/rico0/network.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: { { lib, ... }: {
imports = [ ./wireguard.nix ];
networking = { networking = {
hostName = "Rico0"; hostName = "Rico0";

27
hosts/rico0/wireguard.nix
View file

@ -1,27 +0,0 @@
{ config
, secrets
, ...
}:
let
inherit (secrets.wireguard_config) peers;
in
{
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
ips = [
"10.8.10.10/24"
"fdd9:69ae:9703::3/64"
];
listenPort = 51821;
privateKeyFile = "/etc/wireguard/private.key";
generatePrivateKeyFile = true;
peers = with peers; [
Proxy
];
};
};
};
}

7
hosts/rico1/containers/default.nix
View file

@ -1,7 +0,0 @@
_: {
imports = [ ];
virtualisation.oci-containers = {
backend = "podman";
};
}

30
hosts/rico1/default.nix
View file

@ -1,30 +0,0 @@
{ ... }: {
imports = [
./hardware
./programs
./services
./containers
./network.nix
./security.nix
];
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
LC_ALL = "en_US.UTF-8";
};
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
};
time.timeZone = "Asia/Kolkata";
system.stateVersion = "23.11";
}

222
hosts/rico1/hardware/default.nix
View file

@ -1,222 +0,0 @@
{ lib, ... }: {
imports = [ ./filesystem.nix ./kernel.nix ];
hardware = {
raspberry-pi."4".apply-overlays-dtmerge.enable = lib.mkDefault true;
deviceTree = {
filter = "bcm2711-rpi-4*.dtb";
overlays = [
# Combined equivalent to:
# * https://github.com/raspberrypi/linux/blob/rpi-6.1.y/arch/arm/boot/dts/overlays/rpi-poe-overlay.dts
# * https://github.com/raspberrypi/linux/blob/rpi-6.1.y/arch/arm/boot/dts/overlays/rpi-poe-plus-overlay.dts
{
name = "rpi-poe-plus-overlay";
dtsText = ''
/*
* Overlay for the Raspberry Pi POE HAT.
*/
/dts-v1/;
/plugin/;
/ {
compatible = "brcm,bcm2711";
fragment@0 {
target-path = "/";
__overlay__ {
fan: pwm-fan {
compatible = "pwm-fan";
cooling-levels = <0 1 10 100 255>;
#cooling-cells = <2>;
pwms = <&fwpwm 0 80000>;
};
};
};
fragment@1 {
target = <&cpu_thermal>;
__overlay__ {
polling-delay = <2000>; /* milliseconds */
};
};
fragment@2 {
target = <&thermal_trips>;
__overlay__ {
trip0: trip0 {
temperature = <55000>;
hysteresis = <2000>;
type = "active";
};
trip1: trip1 {
temperature = <58000>;
hysteresis = <2000>;
type = "active";
};
trip2: trip2 {
temperature = <61000>;
hysteresis = <2000>;
type = "active";
};
trip3: trip3 {
temperature = <64000>;
hysteresis = <5000>;
type = "active";
};
};
};
fragment@3 {
target = <&cooling_maps>;
__overlay__ {
map0 {
trip = <&trip0>;
cooling-device = <&fan 0 1>;
};
map1 {
trip = <&trip1>;
cooling-device = <&fan 1 2>;
};
map2 {
trip = <&trip2>;
cooling-device = <&fan 2 3>;
};
map3 {
trip = <&trip3>;
cooling-device = <&fan 3 4>;
};
};
};
fragment@4 {
target-path = "/__overrides__";
params: __overlay__ {
poe_fan_temp0 = <&trip0>,"temperature:0";
poe_fan_temp0_hyst = <&trip0>,"hysteresis:0";
poe_fan_temp1 = <&trip1>,"temperature:0";
poe_fan_temp1_hyst = <&trip1>,"hysteresis:0";
poe_fan_temp2 = <&trip2>,"temperature:0";
poe_fan_temp2_hyst = <&trip2>,"hysteresis:0";
poe_fan_temp3 = <&trip3>,"temperature:0";
poe_fan_temp3_hyst = <&trip3>,"hysteresis:0";
poe_fan_i2c = <&fwpwm>,"status=disabled",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
fragment@5 {
target = <&firmware>;
__overlay__ {
fwpwm: pwm {
compatible = "raspberrypi,firmware-poe-pwm";
#pwm-cells = <2>;
};
};
};
fragment@6 {
target = <&i2c0>;
i2c_bus: __overlay__ {
#address-cells = <1>;
#size-cells = <0>;
poe_mfd: poe@51 {
compatible = "raspberrypi,poe-core";
reg = <0x51>;
status = "disabled";
poe_mfd_pwm: poe_pwm@f0 {
compatible = "raspberrypi,poe-pwm";
reg = <0xf0>;
status = "okay";
#pwm-cells = <2>;
};
};
};
};
fragment@7 {
target = <&i2c0if>;
__dormant__ {
status = "okay";
};
};
fragment@8 {
target = <&i2c0mux>;
__dormant__ {
status = "okay";
};
};
__overrides__ {
poe_fan_temp0 = <&trip0>,"temperature:0";
poe_fan_temp0_hyst = <&trip0>,"hysteresis:0";
poe_fan_temp1 = <&trip1>,"temperature:0";
poe_fan_temp1_hyst = <&trip1>,"hysteresis:0";
poe_fan_temp2 = <&trip2>,"temperature:0";
poe_fan_temp2_hyst = <&trip2>,"hysteresis:0";
poe_fan_temp3 = <&trip3>,"temperature:0";
poe_fan_temp3_hyst = <&trip3>,"hysteresis:0";
i2c = <0>, "+5+6",
<&fwpwm>,"status=disabled",
<&i2c_bus>,"status=okay",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
// SPDX-License-Identifier: (GPL-2.0 OR MIT)
// Overlay for the Raspberry Pi PoE+ HAT.
/ {
compatible = "brcm,bcm2711";
fragment@10 {
target-path = "/";
__overlay__ {
rpi_poe_power_supply: rpi-poe-power-supply {
compatible = "raspberrypi,rpi-poe-power-supply";
firmware = <&firmware>;
status = "okay";
};
};
};
fragment@11 {
target = <&poe_mfd>;
__overlay__ {
rpi-poe-power-supply@f2 {
compatible = "raspberrypi,rpi-poe-power-supply";
reg = <0xf2>;
status = "okay";
};
};
};
__overrides__ {
i2c = <0>, "+5+6",
<&fwpwm>,"status=disabled",
<&rpi_poe_power_supply>,"status=disabled",
<&i2c_bus>,"status=okay",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
&fan {
cooling-levels = <0 32 64 128 255>;
};
&params {
poe_fan_i2c = <&fwpwm>,"status=disabled",
<&rpi_poe_power_supply>,"status=disabled",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
'';
}
];
};
};
}

11
hosts/rico1/hardware/filesystem.nix
View file

@ -1,11 +0,0 @@
_: {
fileSystems."/" = {
device = "/dev/disk/by-partlabel/NIXOS_ROOT";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/ESP";
fsType = "vfat";
};
}

5
hosts/rico1/hardware/kernel.nix
View file

@ -1,5 +0,0 @@
{ lib
, ...
}: {
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

23
hosts/rico1/network.nix
View file

@ -1,23 +0,0 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
networking = {
hostName = "Rico1";
networkmanager = {
enable = true;
dns = "systemd-resolved";
};
useDHCP = lib.mkDefault false;
};
services.resolved = {
enable = true;
extraConfig = ''
DNS=2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net
FallbackDNS=
DNSOverTLS=opportunistic
Domains=~.
'';
};
}

13
hosts/rico1/programs/default.nix
View file

@ -1,13 +0,0 @@
{ pkgs, ... }: {
imports = [
./neovim.nix
./starship.nix
./zsh.nix
];
programs.git.enable = true;
environment.systemPackages = with pkgs; [
git-crypt
];
}

8
hosts/rico1/programs/neovim.nix
View file

@ -1,8 +0,0 @@
_: {
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
}

8
hosts/rico1/programs/starship.nix
View file

@ -1,8 +0,0 @@
_: {
programs.starship = {
enable = true;
settings = {
add_newline = false;
};
};
}

10
hosts/rico1/programs/zsh.nix
View file

@ -1,10 +0,0 @@
_: {
programs = {
zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
};
};
environment.pathsToLink = [ "/share/zsh" ];
}

15
hosts/rico1/security.nix
View file

@ -1,15 +0,0 @@
_: {
security = {
apparmor = {
enable = true;
enableCache = true;
};
audit.enable = true;
auditd.enable = true;
sudo = {
wheelNeedsPassword = false;
};
polkit.enable = true;
rtkit.enable = true;
};
}

6
hosts/rico1/services/btrfs.nix
View file

@ -1,6 +0,0 @@
_: {
services.btrfs.autoScrub = {
enable = true;
interval = "weekly";
};
}

6
hosts/rico1/services/caddy.nix
View file

@ -1,6 +0,0 @@
{ secrets, ... }: {
services.caddy = {
enable = true;
inherit (secrets.caddy_config) email;
};
}

11
hosts/rico1/services/default.nix
View file

@ -1,11 +0,0 @@
{ ... }: {
imports = [
./btrfs.nix
./caddy.nix
./dendrite
./frpc.nix
./nats.nix
./postgresql.nix
./ssh.nix
];
}

118
hosts/rico1/services/dendrite/config.yaml
View file

@ -1,118 +0,0 @@
version: 2
global:
server_name: adtya.xyz
private_key: /etc/dendrite/matrix_key.pem
key_validity_period: 168h0m0s
database:
connection_string: postgresql://dendrite@localhost/dendrite?sslmode=disable
max_open_conns: 90
max_idle_conns: 5
conn_max_lifetime: -1
cache:
max_size_estimated: 1gb
max_age: 1h
well_known_server_name: "matrix.adtya.xyz:443"
well_known_client_name: "https://matrix.adtya.xyz:443"
trusted_third_party_id_servers:
- matrix.org
- vector.im
disable_federation: false
presence:
enable_inbound: false
enable_outbound: false
jetstream:
addresses:
- localhost:4222
disable_tls_validation: false
storage_path: /var/lib/dendrite/nats
topic_prefix: Dendrite
dns_cache:
enabled: true
cache_size: 256
cache_lifetime: "5m"
client_api:
registration_disabled: true
guests_disabled: true
registration_shared_secret: ""
enable_registration_captcha: false
recaptcha_public_key: ""
recaptcha_private_key: ""
recaptcha_bypass_secret: ""
# TURN server information that this homeserver should send to clients.
federation_api:
send_max_retries: 16
disable_tls_validation: false
disable_http_keepalives: false
key_perspectives:
- server_name: matrix.org
keys:
- key_id: ed25519:auto
public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
- key_id: ed25519:a_RXGa
public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
prefer_direct_fetch: false
media_api:
base_path: /var/lib/dendrite/media
max_file_size_bytes: 10485760
dynamic_thumbnails: false
max_thumbnail_generators: 10
thumbnail_sizes:
- width: 32
height: 32
method: crop
- width: 96
height: 96
method: crop
- width: 640
height: 480
method: scale
sync_api:
real_ip_header: X-Real-IP
search:
enabled: false
index_path: "/var/lib/dendrite/searchindex"
language: "en"
# Configuration for the User API.
user_api:
bcrypt_cost: 10
auto_join_rooms:
# - "#main:matrix.org"
tracing:
enabled: false
jaeger:
serviceName: ""
disabled: false
rpc_metrics: false
tags: []
sampler: null
reporter: null
headers: null
baggage_restrictions: null
throttler: null
logging:
- type: std
level: info
- type: file
level: info
params:
path: ./logs

45
hosts/rico1/services/dendrite/default.nix
View file

@ -1,45 +0,0 @@
{ pkgs, ... }: {
services = {
caddy.virtualHosts."matrix.adtya.xyz" = {
extraConfig = ''
reverse_proxy /_matrix/* 127.0.0.1:8008
reverse_proxy /_synapse/* 127.0.0.1:8008
reverse_proxy 127.0.0.1:8008
'';
};
frp.settings = {
"http.matrix.adtya.xyz" = {
type = "http";
custom_domains = "matrix.adtya.xyz";
local_port = 80;
proxy_protocol_version = "v2";
};
"https.matrix.adtya.xyz" = {
type = "https";
custom_domains = "matrix.adtya.xyz";
local_port = 443;
proxy_protocol_version = "v2";
};
};
};
systemd.services.dendrite = {
description = "Dendrite Matrix homeserver";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
StateDirectory = "dendrite";
WorkingDirectory = "/var/lib/dendrite";
RuntimeDirectory = "dendrite";
RuntimeDirectoryMode = "0700";
LimitNOFILE = 65535;
ExecStart = ''
${pkgs.dendrite}/bin/dendrite -http-bind-address 127.0.0.1:8008 -https-bind-address 127.0.0.1:8448 -config ${./config.yaml}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
};
};
}

19
hosts/rico1/services/frpc.nix
View file

@ -1,19 +0,0 @@
{ secrets, ... }: {
services.frp = {
enable = true;
role = "client";
settings = {
common = {
inherit (secrets.frp_config) server_addr token;
server_port = 7000;
authentication_method = "token";
};
"ssh.rico1" = {
type = "tcp";
local_port = 22;
remote_port = 6001;
};
};
};
}

6
hosts/rico1/services/nats.nix
View file

@ -1,6 +0,0 @@
_: {
services.nats = {
enable = true;
jetstream = true;
};
}

17
hosts/rico1/services/postgresql.nix
View file

@ -1,17 +0,0 @@
{ pkgs, ... }: {
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
ensureDatabases = [ "dendrite" ];
ensureUsers = [
{
name = "dendrite";
ensureDBOwnership = true;
}
];
};
}

9
hosts/rico1/services/ssh.nix
View file

@ -1,9 +0,0 @@
_: {
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
}

27
hosts/rico1/wireguard.nix
View file

@ -1,27 +0,0 @@
{ config
, secrets
, ...
}:
let
inherit (secrets.wireguard_config) peers;
in
{
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
ips = [
"10.8.10.11/24"
"fdd9:69ae:9703::4/64"
];
listenPort = 51821;
privateKeyFile = "/etc/wireguard/private.key";
generatePrivateKeyFile = true;
peers = with peers; [
Proxy
];
};
};
};
}

7
hosts/rico2/containers/default.nix
View file

@ -1,7 +0,0 @@
{ ... }: {
imports = [ ];
virtualisation.oci-containers = {
backend = "podman";
};
}

30
hosts/rico2/default.nix
View file

@ -1,30 +0,0 @@
{ ... }: {
imports = [
./hardware
./programs
./services
./containers
./network.nix
./security.nix
];
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
LC_ALL = "en_US.UTF-8";
};
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
};
time.timeZone = "Asia/Kolkata";
system.stateVersion = "23.11";
}

222
hosts/rico2/hardware/default.nix
View file

@ -1,222 +0,0 @@
{ lib, ... }: {
imports = [ ./filesystem.nix ./kernel.nix ];
hardware = {
raspberry-pi."4".apply-overlays-dtmerge.enable = lib.mkDefault true;
deviceTree = {
filter = "bcm2711-rpi-4*.dtb";
overlays = [
# Combined equivalent to:
# * https://github.com/raspberrypi/linux/blob/rpi-6.1.y/arch/arm/boot/dts/overlays/rpi-poe-overlay.dts
# * https://github.com/raspberrypi/linux/blob/rpi-6.1.y/arch/arm/boot/dts/overlays/rpi-poe-plus-overlay.dts
{
name = "rpi-poe-plus-overlay";
dtsText = ''
/*
* Overlay for the Raspberry Pi POE HAT.
*/
/dts-v1/;
/plugin/;
/ {
compatible = "brcm,bcm2711";
fragment@0 {
target-path = "/";
__overlay__ {
fan: pwm-fan {
compatible = "pwm-fan";
cooling-levels = <0 1 10 100 255>;
#cooling-cells = <2>;
pwms = <&fwpwm 0 80000>;
};
};
};
fragment@1 {
target = <&cpu_thermal>;
__overlay__ {
polling-delay = <2000>; /* milliseconds */
};
};
fragment@2 {
target = <&thermal_trips>;
__overlay__ {
trip0: trip0 {
temperature = <55000>;
hysteresis = <2000>;
type = "active";
};
trip1: trip1 {
temperature = <58000>;
hysteresis = <2000>;
type = "active";
};
trip2: trip2 {
temperature = <61000>;
hysteresis = <2000>;
type = "active";
};
trip3: trip3 {
temperature = <64000>;
hysteresis = <5000>;
type = "active";
};
};
};
fragment@3 {
target = <&cooling_maps>;
__overlay__ {
map0 {
trip = <&trip0>;
cooling-device = <&fan 0 1>;
};
map1 {
trip = <&trip1>;
cooling-device = <&fan 1 2>;
};
map2 {
trip = <&trip2>;
cooling-device = <&fan 2 3>;
};
map3 {
trip = <&trip3>;
cooling-device = <&fan 3 4>;
};
};
};
fragment@4 {
target-path = "/__overrides__";
params: __overlay__ {
poe_fan_temp0 = <&trip0>,"temperature:0";
poe_fan_temp0_hyst = <&trip0>,"hysteresis:0";
poe_fan_temp1 = <&trip1>,"temperature:0";
poe_fan_temp1_hyst = <&trip1>,"hysteresis:0";
poe_fan_temp2 = <&trip2>,"temperature:0";
poe_fan_temp2_hyst = <&trip2>,"hysteresis:0";
poe_fan_temp3 = <&trip3>,"temperature:0";
poe_fan_temp3_hyst = <&trip3>,"hysteresis:0";
poe_fan_i2c = <&fwpwm>,"status=disabled",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
fragment@5 {
target = <&firmware>;
__overlay__ {
fwpwm: pwm {
compatible = "raspberrypi,firmware-poe-pwm";
#pwm-cells = <2>;
};
};
};
fragment@6 {
target = <&i2c0>;
i2c_bus: __overlay__ {
#address-cells = <1>;
#size-cells = <0>;
poe_mfd: poe@51 {
compatible = "raspberrypi,poe-core";
reg = <0x51>;
status = "disabled";
poe_mfd_pwm: poe_pwm@f0 {
compatible = "raspberrypi,poe-pwm";
reg = <0xf0>;
status = "okay";
#pwm-cells = <2>;
};
};
};
};
fragment@7 {
target = <&i2c0if>;
__dormant__ {
status = "okay";
};
};
fragment@8 {
target = <&i2c0mux>;
__dormant__ {
status = "okay";
};
};
__overrides__ {
poe_fan_temp0 = <&trip0>,"temperature:0";
poe_fan_temp0_hyst = <&trip0>,"hysteresis:0";
poe_fan_temp1 = <&trip1>,"temperature:0";
poe_fan_temp1_hyst = <&trip1>,"hysteresis:0";
poe_fan_temp2 = <&trip2>,"temperature:0";
poe_fan_temp2_hyst = <&trip2>,"hysteresis:0";
poe_fan_temp3 = <&trip3>,"temperature:0";
poe_fan_temp3_hyst = <&trip3>,"hysteresis:0";
i2c = <0>, "+5+6",
<&fwpwm>,"status=disabled",
<&i2c_bus>,"status=okay",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
// SPDX-License-Identifier: (GPL-2.0 OR MIT)
// Overlay for the Raspberry Pi PoE+ HAT.
/ {
compatible = "brcm,bcm2711";
fragment@10 {
target-path = "/";
__overlay__ {
rpi_poe_power_supply: rpi-poe-power-supply {
compatible = "raspberrypi,rpi-poe-power-supply";
firmware = <&firmware>;
status = "okay";
};
};
};
fragment@11 {
target = <&poe_mfd>;
__overlay__ {
rpi-poe-power-supply@f2 {
compatible = "raspberrypi,rpi-poe-power-supply";
reg = <0xf2>;
status = "okay";
};
};
};
__overrides__ {
i2c = <0>, "+5+6",
<&fwpwm>,"status=disabled",
<&rpi_poe_power_supply>,"status=disabled",
<&i2c_bus>,"status=okay",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
&fan {
cooling-levels = <0 32 64 128 255>;
};
&params {
poe_fan_i2c = <&fwpwm>,"status=disabled",
<&rpi_poe_power_supply>,"status=disabled",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
'';
}
];
};
};
}

11
hosts/rico2/hardware/filesystem.nix
View file

@ -1,11 +0,0 @@
_: {
fileSystems."/" = {
device = "/dev/disk/by-partlabel/NIXOS_ROOT";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/ESP";
fsType = "vfat";
};
}

5
hosts/rico2/hardware/kernel.nix
View file

@ -1,5 +0,0 @@
{ lib
, ...
}: {
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

23
hosts/rico2/network.nix
View file

@ -1,23 +0,0 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
networking = {
hostName = "Rico2";
networkmanager = {
enable = true;
dns = "systemd-resolved";
};
useDHCP = lib.mkDefault false;
};
services.resolved = {
enable = true;
extraConfig = ''
DNS=2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net
FallbackDNS=
DNSOverTLS=opportunistic
Domains=~.
'';
};
}

13
hosts/rico2/programs/default.nix
View file

@ -1,13 +0,0 @@
{ pkgs, ... }: {
imports = [
./neovim.nix
./starship.nix
./zsh.nix
];
programs.git.enable = true;
environment.systemPackages = with pkgs; [
git-crypt
];
}

8
hosts/rico2/programs/neovim.nix
View file

@ -1,8 +0,0 @@
_: {
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
}

8
hosts/rico2/programs/starship.nix
View file

@ -1,8 +0,0 @@
_: {
programs.starship = {
enable = true;
settings = {
add_newline = false;
};
};
}

10
hosts/rico2/programs/zsh.nix
View file

@ -1,10 +0,0 @@
_: {
programs = {
zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
};
};
environment.pathsToLink = [ "/share/zsh" ];
}

15
hosts/rico2/security.nix
View file

@ -1,15 +0,0 @@
_: {
security = {
apparmor = {
enable = true;
enableCache = true;
};
audit.enable = true;
auditd.enable = true;
sudo = {
wheelNeedsPassword = false;
};
polkit.enable = true;
rtkit.enable = true;
};
}

68
hosts/rico2/services/adtya.xyz.nix
View file

@ -1,68 +0,0 @@
{ pkgs
, adtyaxyz
, ...
}:
let
inherit (pkgs) system;
in
{
services = {
caddy.virtualHosts."adtya.xyz" = {
serverAliases = [ "www.adtya.xyz" ];
extraConfig = ''
handle /.well-known/matrix/server {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.server": "matrix.adtya.xyz:443"}`
}
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.homeserver": {"base_url": "https://matrix.adtya.xyz:443"}}`
}
handle /.well-known/discord {
header Access-Control-Allow-Origin *
respond `dh=bd67bb4659b662a5ee2b1b043e7b3171b2cb44bd`
}
handle {
root * ${adtyaxyz.packages.${system}.default}/share/web
encode gzip
try_files {path} /index.html
file_server
}
'';
};
frp.settings = {
"http.adtya.xyz" = {
type = "http";
custom_domains = "adtya.xyz";
local_port = 80;
proxy_protocol_version = "v2";
};
"https.adtya.xyz" = {
type = "https";
custom_domains = "adtya.xyz";
local_port = 443;
proxy_protocol_version = "v2";
};
"http.www.adtya.xyz" = {
type = "http";
custom_domains = "www.adtya.xyz";
local_port = 80;
proxy_protocol_version = "v2";
};
"https.www.adtya.xyz" = {
type = "https";
custom_domains = "www.adtya.xyz";
local_port = 443;
proxy_protocol_version = "v2";
};
};
};
}

6
hosts/rico2/services/btrfs.nix
View file

@ -1,6 +0,0 @@
_: {
services.btrfs.autoScrub = {
enable = true;
interval = "weekly";
};
}

9
hosts/rico2/services/caddy.nix
View file

@ -1,9 +0,0 @@
{ config
, secrets
, ...
}: {
services.caddy = {
enable = true;
inherit (secrets.caddy_config) email;
};
}

13
hosts/rico2/services/default.nix
View file

@ -1,13 +0,0 @@
_: {
imports = [
./adtya.xyz.nix
./btrfs.nix
./caddy.nix
./frpc.nix
./if3.nix
./proofs.nix
./ssh.nix
./wiki.nix
];
}

19
hosts/rico2/services/frpc.nix
View file

@ -1,19 +0,0 @@
{ secrets, ... }: {
services.frp = {
enable = true;
role = "client";
settings = {
"common" = {
inherit (secrets.frp_config) server_addr token;
server_port = 7000;
authentication_method = "token";
};
"ssh.rico2" = {
type = "tcp";
local_port = 22;
remote_port = 6002;
};
};
};
}

37
hosts/rico2/services/if3.nix
View file

@ -1,37 +0,0 @@
{ pkgs
, if3
, ...
}:
let
inherit (pkgs) system;
in
{
services = {
caddy.virtualHosts = {
"if3.adtya.xyz" = {
extraConfig = ''
root * ${if3.packages.${system}.default}/share/web
encode gzip
try_files {path} /index.html
file_server
'';
};
};
frp.settings = {
"http.if3.adtya.xyz" = {
type = "http";
custom_domains = "if3.adtya.xyz";
local_port = 80;
proxy_protocol_version = "v2";
};
"https.if3.adtya.xyz" = {
type = "https";
custom_domains = "if3.adtya.xyz";
local_port = 443;
proxy_protocol_version = "v2";
};
};
};
}

30
hosts/rico2/services/proofs.nix
View file

@ -1,30 +0,0 @@
{ config
, secrets
, ...
}: {
services = {
caddy.virtualHosts = {
"proofs.adtya.xyz" = {
extraConfig = ''
redir https://keyoxide.org/hkp/${secrets.users.primary.pgpFingerprint}
'';
};
};
frp.settings = {
"http.proofs.adtya.xyz" = {
type = "http";
custom_domains = "proofs.adtya.xyz";
local_port = 80;
proxy_protocol_version = "v2";
};
"https.proofs.adtya.xyz" = {
type = "https";
custom_domains = "proofs.adtya.xyz";
local_port = 443;
proxy_protocol_version = "v2";
};
};
};
}

9
hosts/rico2/services/ssh.nix
View file

@ -1,9 +0,0 @@
_: {
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
}

37
hosts/rico2/services/wiki.nix
View file

@ -1,37 +0,0 @@
{ pkgs
, wiki
, ...
}:
let
inherit (pkgs) system;
in
{
services = {
caddy.virtualHosts = {
"wiki.adtya.xyz" = {
extraConfig = ''
root * ${wiki.packages.${system}.default}/share/web
encode gzip
try_files {path} /index.html
file_server
'';
};
};
frp.settings = {
"http.wiki.adtya.xyz" = {
type = "http";
custom_domains = "wiki.adtya.xyz";
local_port = 80;
proxy_protocol_version = "v2";
};
"https.wiki.adtya.xyz" = {
type = "https";
custom_domains = "wiki.adtya.xyz";
local_port = 443;
proxy_protocol_version = "v2";
};
};
};
}

27
hosts/rico2/wireguard.nix
View file

@ -1,27 +0,0 @@
{ config
, secrets
, ...
}:
let
inherit (secrets.wireguard_config) peers;
in
{
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
ips = [
"10.8.10.12/24"
"fdd9:69ae:9703::5/64"
];
listenPort = 51821;
privateKeyFile = "/etc/wireguard/private.key";
generatePrivateKeyFile = true;
peers = with peers; [
Proxy
];
};
};
};
}

9
hosts/skipper/network.nix
View file

@ -1,16 +1,7 @@
{ lib, ... }: { { lib, ... }: {
imports = [ ./wireguard.nix ];
networking = { networking = {
hostName = "Skipper"; hostName = "Skipper";
extraHosts = ''
10.8.10.1 proxy
10.8.10.2 skipper
10.8.10.10 rico0
10.8.10.11 rico1
10.8.10.12 rico2
'';
networkmanager = { networkmanager = {
enable = true; enable = true;
dns = "systemd-resolved"; dns = "systemd-resolved";

27
hosts/skipper/wireguard.nix
View file

@ -1,27 +0,0 @@
{ config
, secrets
, ...
}:
let
inherit (secrets.wireguard_config) peers;
in
{
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
ips = [
"10.8.10.2/24"
"fdd9:69ae:9703::2/64"
];
listenPort = 51821;
privateKeyFile = "/etc/wireguard/private.key";
generatePrivateKeyFile = true;
peers = with peers; [
Proxy
];
};
};
};
}

BIN
secrets.nix
View file

Binary file not shown.

21
secrets.nix.example
View file

@ -1,28 +1,7 @@
{ {
wireguard_config = {
peers = {
Proxy = {
name = "Proxy";
endpoint = "<ip:port>";
publicKey = "<peer public key>";
persistentKeepalive = 20;
allowedIPs = [
"x.x.x.x/xx"
"xxxx::/xx"
];
};
};
};
aria2_config = { aria2_config = {
rpc_secret = "<rpc secret for aria2>"; rpc_secret = "<rpc secret for aria2>";
}; };
frp_config = {
server_addr = "<ip addess of server running frps>";
token = "<secret token for frps <-> frpc connection>";
};
caddy_config = {
email = "<email for certificate generation>";
};
users = { users = {
root.hashedPassword = "<password hash of root user>"; root.hashedPassword = "<password hash of root user>";
primary = { primary = {