Compare commits

372 Commits

Author SHA1 Message Date
ab7a7c2ef3 Add blog
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-14 19:16:34 +01:00
289c649bc3 Add gitea runner image
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-14 17:25:42 +01:00
3b5d99fba5 80TiB
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-13 19:20:30 +00:00
9327ae07b5 Update grafana dashboards
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-11 13:03:53 +00:00
f3238b386f Add declarative attic cache
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-11 11:08:22 +01:00
90a9b8f6f8 Add authelia consent duration
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-11 08:38:00 +00:00
9764e4ebbf Add comentario
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-10 21:56:15 +01:00
bab9115537 Add nix-fast-build
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-10 20:19:11 +01:00
f960808cc7 Add workaround for wsl systemd bus issue
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-10 09:49:43 +00:00
24d31f6881 Add steam on jupiter
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-07 14:12:17 +01:00
1d3a3cc805 Lobotomize jupiter cpu
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-07 00:28:07 +01:00
2c3abfa403 Add grafana system & traefik dashboards
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-06 17:22:56 +01:00
4f3bf154c0 Fix substituter settings
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-05 12:31:41 +01:00
6ac95006cf Remove sish idle timeout
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-05 10:21:32 +00:00
987ecc4935 Fix duplicate trusted nix user
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-05 10:19:43 +00:00
0ceab452be Add attic
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-03 15:03:30 +01:00
dd34a05ee8 Silence uwsm
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-03 10:49:17 +00:00
35b9dd0cfc Remove elara sudo password
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-03 10:49:05 +00:00
cf0d77b4d9 Update nvf
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-03 07:53:08 +00:00
20b38b0467 Add sish tcp forwarding
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-01 16:33:35 +01:00
f7112f73d7 Fix installer completions
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-01 14:37:59 +01:00
8975de670a Update elara, jupiter
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-01 14:21:21 +01:00
77baa2640f Add git host cli tools
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-01 12:55:05 +01:00
8a21f9bbc7 Fix pinentry
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-31 18:16:41 +03:00
02fce06e94 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-31 13:06:33 +03:00
10ae9082ba Add nvf persistence
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-29 14:00:43 +00:00
85a62a84da Add hyprsunset
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-29 13:54:28 +00:00
6883541678 Update gpg pinentry
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-29 13:54:07 +00:00
2292c5663c Update nvf
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-29 13:32:11 +00:00
56b53752bd Disable toggleterm winbar
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-28 12:58:48 +00:00
ac06ba4fc6 Disable kitty window management
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-28 11:38:48 +00:00
332b981f9b Fix neovim wsl
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-28 11:38:30 +00:00
0ffc3e6df2 Update nvf
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-28 10:00:19 +00:00
641d97f793 Add nvf
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-27 10:29:05 +00:00
afe0298b1c Add zellij
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-26 11:41:55 +00:00
deb460989e Update nixos-wsl
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-26 07:11:49 +00:00
26fb9785b8 Update gitmodules
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-23 11:45:18 +03:00
1877efac1d Add some GUI tools on elara
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-20 14:45:53 +00:00
a3f6127cf8 Add cgroup v2 note
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-19 11:08:41 +00:00
af53af5630 Let's hope WSL is not against company policy
If you are looking at this, you know who you are

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-19 11:00:12 +00:00
cd4976e22d Disable hyprland animations on elara
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 21:14:01 +03:00
1550d6cdd4 Remove personal obsidian vault from elara
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 14:03:34 -04:00
334778287d Update elara drive
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 13:46:02 -04:00
dedbe814d5 Add hyper-v modules to installer
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 13:35:08 -04:00
9b9c38c265 Update install script
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 13:32:46 -04:00
fd78a2b3a2 Virtualize elara
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 13:07:20 -04:00
063d3e57b3 Update sas flake
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 12:15:02 +03:00
12c7181490 Optimize patching
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 11:46:33 +03:00
adf022169e Use docker base image pkg
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-18 11:11:12 +03:00
09fbf7150c Use overlay
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-17 21:24:31 +03:00
795ea28583 Flakify lib, sas
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-17 16:47:20 +03:00
4129589665 Disable fail2ban
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-17 10:59:13 +03:00
62bd6e557b Add klog
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-16 14:00:12 +03:00
bbe3219985 Add sonder
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-16 13:21:47 +03:00
f0554a6a61 Disable system-wide ssh agent
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-16 12:59:07 +03:00
197bfc447b Fix SSH identities bug
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-16 12:38:09 +03:00
37888fd991 Commit submodules
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 22:07:52 +03:00
7b93b1ac5b Add ncspot
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 14:33:36 +03:00
9792e6b05b Add elara keybinds
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 14:33:11 +03:00
a039938333 Add sas input
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 14:32:44 +03:00
573d3dccc2 Remove GitLab CI
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 14:30:55 +03:00
0665ded197 Reorganize secrets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 09:58:03 +03:00
2da836953b Enable copilot on elara
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-13 10:45:19 +03:00
ca575c9a4c Add vscode smooth scrolling
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-13 10:21:40 +03:00
9159756011 Add spicetify
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-13 10:21:30 +03:00
1a1fe30c96 Switch secrets to SSH
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-11 17:12:03 +02:00
a9875aa0e0 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-11 17:10:45 +02:00
b18dba83a4 Fix steam-ln
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-09 20:24:18 +02:00
1234d7d455 Add lanzaboote
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-09 18:09:43 +02:00
6873ecc0df Add hugo vscode extension
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-04 11:56:50 +02:00
96da7fdb0c Update flake template
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-04 10:51:21 +02:00
027ecdf887 Edit Jellyfin library order
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-01 12:52:50 +01:00
300f2ff34f Add SAS ssh aliases
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-01 11:50:35 +01:00
d8f143db13 Update SAS tunnel implementation
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-01 11:37:16 +01:00
98dae8cb02 Update ssh keys
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-01 09:43:52 +01:00
9126dfed0d Fix gitea runner images
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-31 12:27:59 +01:00
4512cce3d4 Fix gitea runner registration
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-31 11:19:16 +01:00
f1593c2c56 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-31 00:42:01 +01:00
a11dd05dba Skip shader cache cleanup
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-30 16:02:31 +01:00
a430f1ddd8 Add personal ssh key on jupiter
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-30 11:38:33 +01:00
ab8feea39c Add hypridle
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-30 10:59:07 +01:00
ece2150e10 Increase oidcwarden stack size
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-30 10:26:43 +01:00
0c829b0bfb Fix nextcloud override
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-30 09:56:06 +01:00
cbb908a968 Increase transmission limits
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-30 09:39:23 +01:00
f1f1cf39b0 Add comentario
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-29 13:27:41 +01:00
bff2fca2eb Use makeWrapper
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-29 10:45:08 +01:00
7f9a1dcb66 Add gitlab known hosts
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-28 15:38:14 +01:00
084fda4ba6 Add traefik security headers, short url
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-28 11:59:19 +01:00
4e80c1a890 Soft update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-28 11:03:50 +01:00
3ba9ee6249 Add gaming performance tuning
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-27 02:49:08 +01:00
c4fafe3043 Clean up wivrn
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 20:46:35 +01:00
077ceb3c69 Add nginx-receiver
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 20:29:06 +01:00
095f1d063a Add proton-launch
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 15:29:16 +01:00
db63042d16 Use callPackage
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 15:00:32 +01:00
fe95d3271a Update jellyfin packages
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 14:53:07 +01:00
db6da46727 Add wivrn
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 14:25:58 +01:00
573037d2ef Add prismlauncher symlink
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 11:19:44 +01:00
b4640f8218 Add prismlauncher
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 11:01:08 +01:00
ce2f51e914 Fix steam-ln script
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 10:54:39 +01:00
d663b05527 Move steam config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-26 10:30:39 +01:00
aaca09300e Add gamescope fixes
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-25 23:52:01 +01:00
453c8ecc65 Add gitea act runner
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-25 17:41:58 +01:00
d38be7625c Add gitea admin
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-25 15:24:27 +01:00
1f89f09159 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-25 15:24:15 +01:00
cec17c9bbf Format
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-25 11:56:16 +01:00
91187d92df Remove .vscode settings
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 17:07:57 +01:00
fca7206764 Cycle GPG Keys
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 16:59:00 +01:00
fa09a70b65 Remove SAS globalprotect
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 16:59:00 +01:00
b7c7023ff0 Use keyfiles
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 15:16:29 +01:00
247897643c Fix vps install script
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 13:35:52 +01:00
f691ed9bb9 Cycle app secrets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 13:24:27 +01:00
b7161495a0 Cycle SMTP keys
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:50:23 +01:00
ce12d650d2 Cycle wireguard keys
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:37:38 +01:00
a8f05267bd Fix build
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:04:56 +01:00
9c48849e68 Revert "Update"
This reverts commit 13f24c6880.
2025-07-24 11:02:13 +01:00
15bf209e8c Refactor secrets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:01:47 +01:00
ba55a766ec Add ghost archive
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-23 19:46:27 +01:00
0649e4f9df Add docker-mysql
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-23 18:54:45 +01:00
53e2f3106b Format
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-23 15:53:46 +01:00
13f24c6880 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-23 14:29:27 +01:00
bebe478a7b Allow RlsGroups
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-23 10:19:44 +01:00
f3ca552897 Soft update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-23 08:48:51 +01:00
129c59dd63 Fix himalia brightness
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-22 19:49:17 +01:00
18daa8bd89 Add iwlwifi patch
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-21 18:39:51 +01:00
4a2d99957b Fix jupiter bugs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-20 20:21:06 +01:00
1587967488 Refactor flake patching/recursion
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-19 12:51:28 +01:00
a3d44b8b26 Fix prowlarr bug
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-18 00:14:01 +01:00
718ccc506f Fix atomic media moves
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-17 22:28:24 +01:00
3a110af1ec Add lore
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-17 21:49:47 +01:00
dca420751a Add jellyfin box set plugin
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-17 17:46:53 +01:00
752caa0321 Update transmission peer limit
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-17 17:10:02 +01:00
390602f562 Fix nvidia-patch TODO
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-17 09:15:10 +01:00
bb3b6856d6 Add littlelink
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-16 23:58:03 +01:00
453cde2a4b Add jellyfin opensubtitles
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-16 16:11:26 +01:00
03e53accae Add jellyseerr
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-16 12:26:27 +01:00
e087cdb630 Refactor docker shadowSetup
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-15 16:32:24 +01:00
31e7d625cf Make jellyfin script idempotent
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-15 11:01:34 +01:00
72ea51e1d9 Make arr scripts idempotent
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-15 00:20:09 +01:00
e2ee815d58 Add user-agent-string-switcher
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-14 16:46:27 +01:00
184aa4da8f Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-13 23:33:27 +01:00
8f965bbede Increase transmission download limit
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-10 20:43:12 +01:00
41b173c3d2 Add FIXME note
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-10 20:15:55 +01:00
3272063a43 Add recyclarr
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-10 19:38:19 +01:00
249f6fcac0 Clean up media names
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-10 12:20:48 +01:00
479af0caf5 Add radarr, sonarr volume mounts
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-10 10:28:21 +01:00
384f1b222f Add radarr, sonarr
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-09 21:36:43 +01:00
cb187f3518 Add tv app whitelist
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-09 20:00:57 +01:00
d60050c5d1 Update adguard tv whitelist
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-09 11:06:59 +01:00
a18ce54dc4 Add adguardhome
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-08 13:29:40 +01:00
4f3b71e2a0 Add temporary crun fix
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-07 09:23:01 +01:00
bf1c84c057 Add prowlarr
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-06 18:59:59 +01:00
5c098a8aa9 Remove init containers
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-06 12:20:45 +01:00
48d3ba5092 Refactor container working dirs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-06 11:36:13 +01:00
bf49eac272 Add jellyfin
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-05 16:41:54 +01:00
e24997677d Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-04 18:12:51 +01:00
ad7ef2705d Add vscode remote dev extension
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-04 16:09:26 +01:00
6a029b66c3 Fix jupiter storage ACLs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-04 11:26:03 +01:00
e5c699fcb0 Add jupiter transmission container
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-03 12:10:22 +01:00
33cd3bece9 Minor grep improvements
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-02 22:53:23 +01:00
7289e685ab Add transmission container
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-02 22:46:47 +01:00
48dce9157c Update ncspot keybind
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-02 15:54:52 +01:00
94d0f4e984 Move jupiter containers to mass storage
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-01 11:13:13 +01:00
f315e11ba1 Add jupiter btop config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-01 10:08:22 +01:00
94500f51cd Add smartd
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-01 09:51:34 +01:00
88ef04def8 Add jupiter storage
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-01 01:30:15 +01:00
68e6eddd22 Update astal
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-30 00:39:34 +01:00
b8c43dc5d8 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-29 23:04:34 +01:00
ea2ab2101a Add shlink
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-29 12:56:19 +01:00
d617183438 Change vps wireguard port
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-26 09:14:18 +01:00
aca10fdc66 Cleanup
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-25 23:03:12 +01:00
b9d57d2d58 Clean up some XDG/UWSM details
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-24 10:13:05 +01:00
0ba22f6eea Declare firefox
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-24 09:08:43 +01:00
06a644bc35 Minify base docker image
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-16 11:56:53 +01:00
f68fdf9211 Clean up jupiter wireguard config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-16 11:56:38 +01:00
f819c8c5e3 Add nextcloud
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-16 00:40:24 +01:00
6505f74ef3 Add yazi custom shell plugin
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-13 14:47:14 +01:00
000a8c64b4 Add uwsm launch alias
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-13 14:12:49 +01:00
ea0113c10a Add docker-mariadb
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-13 12:40:26 +01:00
58d4f9e8bb Fix obsidian tab indenting
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-12 16:41:28 +01:00
403cf00290 Add mpv cdda support
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-12 13:29:56 +01:00
aa47cdb954 Add linux-firmware-latest
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-12 13:12:24 +01:00
5abd8ef3b0 Increase download buffer
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-12 11:15:56 +01:00
548666f86c Add vaultwarden
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-12 08:40:43 +01:00
0b15c9c3fa Refactor custom options
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-12 08:40:40 +01:00
229169de0f Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-11 22:54:12 +01:00
d43ca1c8c1 Remove powertop & tlp
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-11 12:21:16 +01:00
adb09135ce Add aura farming
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-09 19:23:11 +01:00
34b625a402 Add rofi theme
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-09 12:59:05 +01:00
eeed06af5e Add mprocs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-09 08:52:46 +01:00
880a2e1cfa Auto-hide mouse
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-08 15:58:47 +01:00
090ae66aa6 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-08 15:46:38 +01:00
8b23486d4a Add feh
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-08 13:41:01 +01:00
24ac4753eb Add ncspot theme
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-08 13:40:50 +01:00
c5d0933648 Add hyprpicker
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-08 12:04:32 +01:00
946b598054 Add CARGO_HOME
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-07 20:40:36 +01:00
b388794f40 Oxidize CLI
- Remove bashmount
- Remove unzip
- Add yazi
- Add ouch
- Add zoxide
- Add mediainfo

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-07 20:27:55 +01:00
515458d11f Add mpv
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-07 16:14:14 +01:00
c31bca3634 Update base container image
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-07 15:25:39 +01:00
b12fa0e811 Switch to uwsm
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-03 13:00:07 +01:00
1f44a8b6bc Add btrbk
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-02 11:40:37 +01:00
0481bc2785 Remove chromium
Google does not get to decide what extensions I can use

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-02 09:12:28 +01:00
53544429d3 Add ncspot
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-30 10:02:46 +01:00
e1e38ba336 Fix pipewire-pulse
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-30 01:17:59 +01:00
ba74461ed8 Add impermanence create option
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-30 00:13:21 +01:00
3a03406b99 Fix prometheus log level
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 20:57:40 +01:00
7bdf24a5ec Add easyeffects
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 20:57:33 +01:00
c0c1f06b09 Remove unneeded packages
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 20:57:29 +01:00
80e374ebc6 Add jupiter USB key
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 20:56:27 +01:00
fba4691ae0 Graduate eirene
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 19:05:37 +01:00
9273514e2a Remove unused tmpfiles
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:59:01 +01:00
52e3183244 Add outline
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:59:01 +01:00
bf82f4b52e Add sish
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:59:00 +01:00
3c09cf9f69 Add gitea
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:59:00 +01:00
1a445ab6fd Replace telegraf with node exporter
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:59:00 +01:00
3f1531fbd1 Clean up volumes
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:42 +01:00
dc5a91ebf7 Add grafana
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:42 +01:00
b3dd72de22 Format container configs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:42 +01:00
e55135163d Fix traefik/authelia bugs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
6ed4c4917a Add authelia sso
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
eb7fc4a122 Update traefik options
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
10e0980f8f Nuke docker.io
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
bdaac67bf2 Fix rootless podman permissions
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
ad46eb6546 Clean up podman networks
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
e9ffd4d839 Add authelia base
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
881b18065a Clean up traefik routes
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
4676201fce Format
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
5566bc3677 Add ntfy
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:41 +01:00
98a44e8bf6 Add traefik
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:58:40 +01:00
b0bc3b5184 Add nginx & certbot
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:57:01 +01:00
4354a2149b Add dedicated jupiter ip
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:55:03 +01:00
a271e892c3 Add haproxy/mmproxy combo
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:55:03 +01:00
ae66cfd854 Add jupiter wireguard config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:55:02 +01:00
28f86e0915 Add extra jupiter hostnames
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:55:02 +01:00
95b79ab224 Add jupiter vps
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:54:50 +01:00
d90ad86c16 Add jupiter base
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:53:57 +01:00
709ed4b9ac Expand rust toolchain
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 16:53:08 +01:00
8e30a685d3 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 15:46:36 +01:00
14377d7e1c Remove backup script compression
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 14:03:12 +01:00
457e1b0bf7 Add GU605C speaker fix
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-28 17:38:06 +01:00
cafcdbe7cc Add missing neededForBoot flag
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-26 14:32:51 +01:00
e362f8c6e0 Format
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-26 12:25:22 +01:00
4893d413c8 Add extra steam exclusions
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-26 12:01:19 +01:00
2cbbc0f768 Update elara host
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-26 11:58:33 +01:00
19285a264f Refactor persistence structure
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-26 11:47:21 +01:00
b631d466ff Add asusctl settings
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-25 21:18:28 +01:00
62671b894c Add special workspace
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-25 02:24:12 +01:00
1688be2abc Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-25 01:29:19 +01:00
d995698feb Add hyprland patches
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-25 01:27:07 +01:00
3610611615 Update astal widgets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-24 21:38:35 +01:00
05f5576e1f Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-24 12:24:23 +01:00
c233b5a11a Update keybinds
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-22 17:01:46 +01:00
a2af7705ff Update display settings
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-22 11:04:34 +01:00
bea4f73c7a Update obsidian module
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-21 15:12:18 +01:00
cbcf4d2f66 Update default theme
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-21 12:35:15 +00:00
12c1bb0cd8 Turn eirene headless
mami tomoe reference

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-21 10:23:48 +01:00
b4e9b8c2dc Add himalia renderer priority
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-21 09:54:22 +01:00
d995375c16 Add himalia
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-21 00:39:38 +01:00
8346e89b9f Update theme engine
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-20 09:54:36 +01:00
ab1c9a4a78 Remove OBS declarative resolution
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-20 09:38:53 +01:00
1c554f1700 Update theme engine
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-20 09:07:45 +01:00
2f47f70d0b Increase boot timeout
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-14 10:43:17 +01:00
0bc4665b87 Add sas cacerts
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-13 11:55:49 +01:00
d07e77a577 Refactor sops default file path
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-13 11:03:09 +01:00
89401a72b7 Ignore lid on eirene
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-13 08:44:56 +01:00
855edc83f4 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-25 17:35:29 +03:00
8b2cebae3b Disable bootloader timeout
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-16 08:34:00 +01:00
3b87843d5b Update obsidian config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-09 11:35:13 +01:00
345bb1fac1 Enable vscode blame
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-08 11:13:16 +01:00
2605ae9bc4 Add personal obsidian vault to elara
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-03 12:07:57 +01:00
de9c5481cb Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-01 11:16:26 +01:00
d928efb31e Add fakespot
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-31 11:08:43 +01:00
d39fcd50ab Add registry secrets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-27 11:19:37 +00:00
586f478d7c Expand rust toolchain
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-27 11:19:37 +00:00
5d255bd05b Add smartmontools
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-25 16:04:57 +00:00
c98bc5a4c7 Add rquickshare
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-22 15:50:55 +00:00
e06443b99c Change darktable settings
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-22 15:36:30 +00:00
af0ce9b306 Update eirene display settings
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-21 10:22:21 +00:00
f340da73e2 Switch to nvidia-open
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-20 09:00:34 +00:00
6f639cbd8f Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-17 14:14:07 +00:00
8973cde998 Change mod key
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-17 09:06:05 +00:00
0cc1e79966 Add sas RSA key
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-14 10:17:32 +00:00
e4ff6f13b1 Fix dnsmasq
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-11 12:36:25 +00:00
9c22042983 Fix sas captive portal
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-11 12:04:13 +00:00
8846f664dc Add elara secondary display
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-11 10:33:13 +00:00
c0a098dcb2 Fix obsidian syncthing sync conflicts
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-10 18:59:06 +00:00
4d7e0d23aa Add sas private build flag
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-10 18:59:06 +00:00
7a3129ba5f Fix nvidia flickering
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-10 18:59:05 +00:00
7b46e959af Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-08 22:59:19 +00:00
e227cab2d7 Add fail2ban
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-07 10:15:37 +00:00
2cf48bf516 Add elara libvirt
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-06 08:55:32 +00:00
6d23f35b59 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-04 18:18:23 +00:00
6a593fcf3f Fix dnsmasq lack of servers
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-03 12:48:19 +00:00
c1fd2b0f21 Fix firefox policies bug
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-03 12:43:05 +00:00
9d19064874 Fix dnsmasq libvirt conflict
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-01 13:17:59 +00:00
d34fd0cd91 Fix zsh history bug
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-28 23:51:01 +00:00
725b238a1e Update impermanence config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-28 23:31:19 +00:00
91104fc4b0 Refactor git credentials secrets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-28 11:00:21 +00:00
d8374fe7b7 Remove some sas packages
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-27 09:50:37 +00:00
77b8dbfd76 Add manpages
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-27 09:48:05 +00:00
3444645ec9 Add sops-nix templates
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-26 13:52:03 +00:00
93c13d8537 Add temporary firefox policy fix
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-26 11:16:53 +00:00
a3dc4129d6 Add declarative ssh known hosts
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-25 12:28:22 +00:00
f843deafbe Add ethtool
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-25 10:38:33 +00:00
083b9055bc Fix theme store management
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-25 09:07:16 +00:00
c5dc372dca Add helvum
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-25 08:56:00 +00:00
64e802bd46 Fix nix builds from private repo
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-24 09:16:13 +00:00
0ae8128304 Refactor packages
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-23 23:52:29 +00:00
3360e7f8c3 Refactor some modules
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-22 23:46:19 +00:00
e0602dd1a0 Rename installer.key to keyfile
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-22 18:35:25 +00:00
8064aba0cd Fix ssh known_hosts conflict
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-22 18:33:55 +00:00
354e9937b6 Add git ssh key wrapper
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-22 00:12:17 +00:00
2202f2bae8 Add rust
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-22 00:09:19 +00:00
0235b1146f Update nix-develop and nix-direnv
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-21 09:19:44 +00:00
75a0a59c3d Fix theme init
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-20 15:41:27 +00:00
eadbccf2fa Add podman btrfs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-20 15:28:48 +00:00
5c75205343 Fix bugs
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-20 11:43:33 +00:00
7737abc45e Unfuck secrets
Don't worry why all the commit hashes suddenly changed, it's fine.

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-19 13:06:35 +00:00
5f905e76c6 Disable auto-upgrade
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-19 12:26:19 +00:00
3d2a972ea3 Automate luks password during install
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-19 11:00:32 +00:00
0e8f5b3fbe Add obsidian home-manager module
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-18 11:28:14 +00:00
b03012abf8 Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-18 10:25:12 +00:00
fce62de41d Add dive podman config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-17 12:21:39 +00:00
16ef0a2a6b Fix vscode nix formatter
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-17 09:24:41 +00:00
a0d7075e01 Add extra ip tools
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-17 09:10:35 +00:00
e631eab4dd Fix astal client monitoring
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-17 09:10:35 +00:00
c1ad0974f1 Add nurl
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-17 09:10:35 +00:00
223b3427e3 Remove obnoxious cache persistence
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 20:05:00 +00:00
eeb39db533 Add quadlet-nix
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 19:56:54 +00:00
0799ab4db7 Fix hyprland bind script
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 19:48:34 +00:00
2888bb8b72 Add treefmt
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 18:53:11 +00:00
22c82653dd Remove unused root packages
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 17:23:12 +00:00
aa04f12542 Change mod key
Fuck you Lenovo

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 17:21:19 +00:00
a467f953bb Update multi-display workspace handling
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 17:15:28 +00:00
7fa058293b Update update script
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 15:36:30 +00:00
5eb9766572 Remove disko format argument
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-16 11:14:10 +00:00
8a9d75808a Replace docker with podman
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-15 00:32:16 +00:00
04ec3ba23b Remove hardcoded gamescope resolution
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 20:42:32 +00:00
ce96ec6bf7 Add multi-monitor support
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 20:24:25 +00:00
c4d8cc951d Update hyprland card variable
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 19:34:54 +00:00
720dfba42e Deactivate plymouth
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 19:30:23 +00:00
6404435fbe Fix conflicting keybind
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 19:29:58 +00:00
b6635d01c2 Add onMonitorChange hyprland hook script
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 19:29:42 +00:00
3e67e2a299 Improve hyprland logging
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 19:29:07 +00:00
fd1cc6a4ff Fix dnsmasq libvirt conflict
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 19:28:45 +00:00
29910f19ab Fix eirene clipbook bookmarks
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-14 08:09:45 +00:00
a23e4c6908 Add split sas vpn tunneling
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-13 22:16:55 +00:00
9f1dd0001d Add dive
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-13 15:07:47 +00:00
e9833141ad Fix SSH known hosts handling
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-13 14:22:07 +00:00
c907cdeca6 Add clipbook
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-13 13:41:03 +00:00
97a042adcd Refactor vscode language handling
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-13 10:21:37 +00:00
05e04268da Add sas ssh server
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-12 11:43:00 +00:00
c4ab675582 Fix fugly git config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-12 10:08:29 +00:00
36b08fbf81 Remove unused viya host
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-11 16:45:38 +00:00
54ec0d98cb Update
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-11 15:49:10 +00:00
76552af3af Add relative symlinks
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-10 16:56:54 +00:00
e16c26cd11 Enable elara rootless docker
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-10 16:34:45 +00:00
f94a7a5b55 Fix backup script
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-10 13:30:18 +00:00
73ae6a6a73 Add elara sas specialisation
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-10 13:30:18 +00:00
ad5039fc3c Rename networkmanager module
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-10 13:30:18 +00:00
b269139b70 Remove sudo delay
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-09 19:54:58 +00:00
418c3b5905 Add sas VPN systemd service
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-09 18:59:15 +00:00
4e3cab57bc Add sage
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-07 17:31:14 +00:00
bd174523f5 Add viya4-ark
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-31 13:06:51 +00:00
8692df6e2f Fix nix-direnv
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-31 10:31:24 +00:00
9917cecf15 Add nvidia-container-toolkit
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-31 09:55:01 +00:00
cd44264c2a Add viya hostname
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-31 09:11:33 +00:00
baae420d9e Add elara calicoctl
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-30 10:33:43 +00:00
c58bab44c5 Add ipcalc, unzip
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-30 10:33:00 +00:00
1ec76fbe5b Add vscode theme auto-switch
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-30 09:55:46 +00:00
a38f203f5d Update secrets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-30 09:00:56 +00:00
e5747150bc Remove kubernetes
Fuck this arcane wizardry cluster bollocks piece of crap

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-29 16:34:47 +00:00
3c1cfbceb8 Add custom kubernetes module base
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-29 12:44:05 +00:00
574 changed files with 54921 additions and 9317 deletions

2
.gitattributes vendored
View File

@@ -1,2 +0,0 @@
**/wallpapers/*.jpg filter=lfs diff=lfs merge=lfs -text
**/wallpapers/*.png filter=lfs diff=lfs merge=lfs -text

7
.gitignore vendored Normal file
View File

@@ -0,0 +1,7 @@
# ---> Nix
# Ignore build outputs from performing a nix-build or `nix build` command
result
result-*
# Ignore automatically generated direnv output
.direnv

View File

@@ -1,27 +0,0 @@
stages:
- build
- test
variables:
GIT_SUBMODULE_STRATEGY: recursive
cache: &global_cache
key:
files:
- flake.lock
- flake.nix
paths:
- /nix/store
policy: pull-push
build:
image: nixos/nix
stage: build
timeout: 48h
cache:
<<: *global_cache
script:
- nix --experimental-features 'nix-command flakes' flake check --show-trace
include:
- template: Jobs/Secret-Detection.gitlab-ci.yml

18
.gitmodules vendored
View File

@@ -1,9 +1,9 @@
[submodule "submodules/nixpkgs"]
path = submodules/nixpkgs
url = git@github.com:karaolidis/nixpkgs.git
branch = integration
[submodule "submodules/home-manager"]
path = submodules/home-manager
url = git@github.com:karaolidis/home-manager.git
branch = integration
[submodule "secrets"]
path = submodules/secrets
url = git@karaolidis.com:karaolidis/nix-secrets.git
[submodule "sas"]
path = submodules/sas
url = git@karaolidis.com:karaolidis/nix-sas.git
[submodule "lib"]
path = submodules/lib
url = git@karaolidis.com:karaolidis/nix-lib.git

View File

@@ -16,16 +16,16 @@ NixOS dotfiles and configuration for various hosts and users.
- [`gui/`](./hosts/common/configs/user/gui): GUI-related settings.
- `<name>/`: Individual host configurations.
- `secrets/<namespace>/`: Global secrets for individual namespaces that apply across all hosts.
- [`overlays/`](./overlays/): Custom patches.
- [`lib/`](./lib): Nix library function definitions and utilities.
- [`scripts/`](./lib/scripts): Utility scripts for managing the repository.
- [`add-host.sh`](./lib/scripts/add-host.sh): Instantiate the keys for a new host configuration.
- [`remove-host.sh`](./lib/scripts/remove-host.sh): Remove references to a host.
- [`update-keys.sh`](./lib/scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
- [`update.sh`](./lib/scripts/update.sh): Update flake and all git submodules.
- [`packages/`](./packages/): Custom packages.
- [`submodules/`](./submodules): Flake forks used in the repository, such as [`nixpkgs`](https://github.com/NixOS/nixpkgs) and [`home-manager`](https://github.com/nix-community/home-manager).
- [`scripts/`](./scripts): Utility scripts for managing the repository.
- [`add-host.sh`](./scripts/add-host.sh): Instantiate the keys for a new host configuration.
- [`remove-host.sh`](./scripts/remove-host.sh): Remove references to a host.
- [`update-keys.sh`](./scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
- [`update.sh`](./scripts/update.sh): Update flake and all packages.
- [`cache.sh`](./scripts/cache.sh): Build all `nixosConfiguration`s and push them to `attic`.
Any `options.nix` files create custom option definitions when present.
@@ -34,7 +34,9 @@ Any `options.nix` files create custom option definitions when present.
Below is a table of all hosts, with links to their respective README files, which may provide further details and/or post-installation checklists.
| Host | README |
|-------------|----------------------------------------------------------|
| ------------- | ------------------------------------------------------------ |
| `installer` | [hosts/installer/README.md](./hosts/installer/README.md) |
| `eirene` | [hosts/eirene/README.md](./hosts/eirene/README.md) |
| `himalia` | [hosts/himalia/README.md](./hosts/himalia/README.md) |
| `elara` | [hosts/elara/README.md](./hosts/elara/README.md) |
| `jupiter` | [hosts/jupiter/README.md](./hosts/jupiter/README.md) |
| `jupiter-vps` | [hosts/jupiter-vps/README.md](./hosts/jupiter-vps/README.md) |

432
flake.lock generated
View File

@@ -10,11 +10,11 @@
]
},
"locked": {
"lastModified": 1736090999,
"narHash": "sha256-B5CJuHqfJrzPa7tObK0H9669/EClSHpa/P7B9EuvElU=",
"lastModified": 1756487002,
"narHash": "sha256-hN9RfNXy53qAkT68T+IYZpl68uE1uPOVMkw0MqC43KA=",
"owner": "aylur",
"repo": "ags",
"rev": "5527c3c07d92c11e04e7fd99d58429493dba7e3c",
"rev": "8ff792dba6cc82eed10e760f551075564dd0a407",
"type": "github"
},
"original": {
@@ -30,11 +30,11 @@
]
},
"locked": {
"lastModified": 1736497508,
"narHash": "sha256-murrCQMYKtZ8rkZ5O726ZCsCDee1l3ZdmV8yC9gRaIc=",
"lastModified": 1756474652,
"narHash": "sha256-iiBU6itpEqE0spXeNJ3uJTfioSyKYjt5bNepykpDXTE=",
"owner": "aylur",
"repo": "astal",
"rev": "ef4f95608481414053ecdbe4de29bd86fb452813",
"rev": "20bd8318e4136fbd3d4eb2d64dbabc3acbc915dd",
"type": "github"
},
"original": {
@@ -43,6 +43,21 @@
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1754269165,
"narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
"owner": "ipetkov",
"repo": "crane",
"rev": "444e81206df3f7d92780680e45858e31d2f07a08",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@@ -50,48 +65,67 @@
]
},
"locked": {
"lastModified": 1736437680,
"narHash": "sha256-9Sy17XguKdEU9M5peTrkWSlI/O5IAqjHzdzxbXnc30g=",
"lastModified": 1746728054,
"narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
"owner": "nix-community",
"repo": "disko",
"rev": "4d5d07d37ff773338e40a92088f45f4f88e509c8",
"rev": "ff442f5d1425feb86344c028298548024f21256d",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "latest",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"revCount": 69,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-input-patcher": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1751871600,
"narHash": "sha256-I4/2ekJrbRMhOpKfzgnlrN45nQj9YQmZnoSeAaRa1SU=",
"owner": "jfly",
"repo": "flake-input-patcher",
"rev": "4ff068126d49829b106280738944bde91951d59d",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"owner": "jfly",
"repo": "flake-input-patcher",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nur",
"nixpkgs"
]
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"lastModified": 1754487366,
"narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
"type": "github"
},
"original": {
@@ -120,6 +154,28 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -127,50 +183,156 @@
]
},
"locked": {
"lastModified": 1736504054,
"narHash": "sha256-Mb0aIdOIg5ge0Lju1zogdAcfklRciR8G0NY6R423oek=",
"owner": "karaolidis",
"lastModified": 1756579987,
"narHash": "sha256-duCce8zGsaMsrqqOmLOsuaV1PVIw/vXWnKuLKZClsGg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "baa0e7a14088ff1ed891afe4c6457faf40aa30a6",
"rev": "99a69bdf8a3c6bf038c4121e9c4b6e99706a187a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": [
"flake-compat"
],
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1754297745,
"narHash": "sha256-aD6/scLN3L4ZszmNbhhd3JQ9Pzv1ScYFphz14wHinfs=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "892cbdca865d6b42f9c0d222fe309f7720259855",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"lib": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": [
"treefmt-nix"
]
},
"locked": {
"lastModified": 1757531256,
"narHash": "sha256-aOqrRvKmHoPKVhEYgV/RbsMXYXy6W9Tt1uhGK3dWMlE=",
"ref": "refs/heads/main",
"rev": "be7b39f41a1137a68944fc73db5a24544e015eb6",
"revCount": 7,
"type": "git",
"url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
},
"original": {
"type": "git",
"url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
}
},
"mnw": {
"locked": {
"lastModified": 1748710831,
"narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
"owner": "Gerg-L",
"repo": "mnw",
"rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
"type": "github"
},
"original": {
"owner": "Gerg-L",
"repo": "mnw",
"type": "github"
}
},
"nixos-wsl": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1755774185,
"narHash": "sha256-XjKqiTA19mkoBkja0VOy90qp2gC1f2fGgsLb9m1lg5Q=",
"owner": "karaolidis",
"repo": "NixOS-WSL",
"rev": "b1f426697f62006b99fac0cc25a106626c78f874",
"type": "github"
},
"original": {
"owner": "karaolidis",
"ref": "integration",
"repo": "home-manager",
"ref": "extra-files",
"repo": "NixOS-WSL",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1738150270,
"narHash": "sha256-GkH7I9LW0aFklGc3YxjaBW7TtJy5aWHE0rPBUuz35Hk=",
"owner": "karaolidis",
"lastModified": 1756542300,
"narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e8e18ef6309d021fa600f5aa2665963d8cf76ab7",
"rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
"type": "github"
},
"original": {
"owner": "karaolidis",
"ref": "integration",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1753579242,
"narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nur": {
"inputs": {
"flake-parts": "flake-parts",
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
]
},
"locked": {
"lastModified": 1736500613,
"narHash": "sha256-OCEXlRyOIMzxrhmnzoX32e241A7+Z+zsuyR7i6AG608=",
"lastModified": 1756630008,
"narHash": "sha256-weZiVKbiWQzTifm6qCxzhxghEu5mbh9mWNUdkzOLCR0=",
"owner": "nix-community",
"repo": "NUR",
"rev": "d51e847f68700c38f850a62c2b3e728864a38cde",
"rev": "f6a5a7b60dd6065e78ef06390767e689ffa3c23f",
"type": "github"
},
"original": {
@@ -179,18 +341,187 @@
"type": "github"
}
},
"nvf": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"flake-parts": [
"flake-parts"
],
"mnw": "mnw",
"nixpkgs": [
"nixpkgs"
],
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1755463179,
"narHash": "sha256-5Ggb1Mhf7ZlRgGi2puCa2PvWs6KbMnWBlW6KW7Vf79Y=",
"owner": "NotAShelf",
"repo": "nvf",
"rev": "03833118267ad32226b014b360692bdce9d6e082",
"type": "github"
},
"original": {
"owner": "NotAShelf",
"repo": "nvf",
"type": "github"
}
},
"nvidia-patch": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1756052001,
"narHash": "sha256-dlLqyHxqiFAoIwshKe9X3PzXcJ+up88Qb2JVQswFaNE=",
"owner": "icewind1991",
"repo": "nvidia-patch-nixos",
"rev": "780af7357d942fad2ddd9f325615a5f6ea7e37ee",
"type": "github"
},
"original": {
"owner": "icewind1991",
"repo": "nvidia-patch-nixos",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"quadlet-nix": {
"locked": {
"lastModified": 1754008153,
"narHash": "sha256-MYT1mDtSkiVg343agxgBFsnuNU3xS8vRy399JXX1Vw0=",
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"rev": "1b2d27d460d8c7e4da5ba44ede463b427160b5c4",
"type": "github"
},
"original": {
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"type": "github"
}
},
"root": {
"inputs": {
"ags": "ags",
"astal": "astal",
"disko": "disko",
"flake-compat": "flake-compat",
"flake-input-patcher": "flake-input-patcher",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"lib": "lib",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs",
"nur": "nur",
"nvf": "nvf",
"nvidia-patch": "nvidia-patch",
"quadlet-nix": "quadlet-nix",
"sas": "sas",
"secrets": "secrets",
"sops-nix": "sops-nix",
"spicetify-nix": "spicetify-nix",
"systems": "systems"
"systems": "systems",
"treefmt-nix": "treefmt-nix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754189623,
"narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sas": {
"inputs": {
"lib": [
"lib"
],
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": [
"treefmt-nix"
]
},
"locked": {
"lastModified": 1757531894,
"narHash": "sha256-GwV3ES7n/2mwPeu8FGfViI6QfzbTrvNob3OZOsPQId0=",
"ref": "refs/heads/main",
"rev": "3d069983345ea83549c641dd3f8875e54aaf1c2b",
"revCount": 12,
"type": "git",
"url": "ssh://git@karaolidis.com/karaolidis/nix-sas.git"
},
"original": {
"type": "git",
"url": "ssh://git@karaolidis.com/karaolidis/nix-sas.git"
}
},
"secrets": {
"flake": false,
"locked": {
"lastModified": 1757873556,
"narHash": "sha256-WYrV46if1XsiQKOQEMNtHdAPeFDeu7YBdcoNSXc3sf8=",
"ref": "refs/heads/main",
"rev": "21ab0b0a59264b1da501f90725bf2c03e07ae941",
"revCount": 43,
"type": "git",
"url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
},
"original": {
"type": "git",
"url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
}
},
"sops-nix": {
@@ -200,11 +531,11 @@
]
},
"locked": {
"lastModified": 1736203741,
"narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
"lastModified": 1754988908,
"narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
"rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
"type": "github"
},
"original": {
@@ -215,7 +546,6 @@
},
"spicetify-nix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
@@ -224,11 +554,11 @@
]
},
"locked": {
"lastModified": 1736482561,
"narHash": "sha256-f4hvN4MF26NIYeFA/H1sVW6KU5X9/jy9l95WrMsNUIU=",
"lastModified": 1756614537,
"narHash": "sha256-qyszmZO9CEKAlj5NBQo1AIIADm5Fgqs5ZggW1sU1TVo=",
"owner": "Gerg-L",
"repo": "spicetify-nix",
"rev": "77fb1ae39e0f5c60a7d0bd6ce078b9c56e3356cb",
"rev": "374eb5d97092b97f7aaafd58a2012943b388c0df",
"type": "github"
},
"original": {
@@ -248,7 +578,6 @@
},
"original": {
"owner": "nix-systems",
"ref": "main",
"repo": "default",
"type": "github"
}
@@ -256,16 +585,15 @@
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nur",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733222881,
"narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
"lastModified": 1755934250,
"narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49717b5af6f80172275d47a418c9719a31a78b53",
"rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
"type": "github"
},
"original": {

244
flake.nix
View File

@@ -1,61 +1,109 @@
{
inputs = {
nixpkgs = {
# --- Official
# type = "github";
# owner = "NixOS";
# repo = "nixpkgs";
# ref = "master";
# --- Fork
type = "github";
owner = "karaolidis";
repo = "nixpkgs";
ref = "integration";
# --- Local
# url = "git+file:./submodules/nixpkgs";
};
# Configuration
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
home-manager = {
# --- Official
# type = "github";
# owner = "nix-community"
# repo = "home-manager";
# --- Fork
type = "github";
owner = "karaolidis";
repo = "home-manager";
ref = "integration";
# --- Local
# url = "git+file:./submodules/home-manager";
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
# Packages
nur = {
url = "github:nix-community/NUR";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
};
};
# DevOps
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
systems = {
type = "github";
owner = "nix-systems";
repo = "default";
ref = "main";
};
nur = {
url = "github:nix-community/NUR";
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
flake-input-patcher = {
url = "github:jfly/flake-input-patcher";
inputs = {
nixpkgs.follows = "nixpkgs";
systems.follows = "systems";
};
};
# Personal
lib = {
# FIXME: https://github.com/NixOS/nix/issues/12281
url = "git+https://git.karaolidis.com/karaolidis/nix-lib.git";
inputs = {
nixpkgs.follows = "nixpkgs";
treefmt-nix.follows = "treefmt-nix";
};
};
sas = {
# FIXME: https://github.com/NixOS/nix/issues/12281
url = "git+ssh://git@karaolidis.com/karaolidis/nix-sas.git";
inputs = {
nixpkgs.follows = "nixpkgs";
lib.follows = "lib";
treefmt-nix.follows = "treefmt-nix";
};
};
secrets = {
# FIXME: https://github.com/NixOS/nix/issues/12281
url = "git+ssh://git@karaolidis.com/karaolidis/nix-secrets.git";
flake = false;
};
# Hardware
disko = {
url = "github:nix-community/disko/latest";
inputs.nixpkgs.follows = "nixpkgs";
};
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
flake-parts.follows = "flake-parts";
};
};
nixos-wsl = {
url = "github:karaolidis/NixOS-WSL/extra-files";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
};
};
# Applications
nvf = {
url = "github:NotAShelf/nvf";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "flake-compat";
flake-parts.follows = "flake-parts";
systems.follows = "systems";
};
};
quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
nvidia-patch = {
url = "github:icewind1991/nvidia-patch-nixos";
inputs = {
nixpkgs.follows = "nixpkgs";
utils.follows = "flake-utils";
};
};
astal = {
@@ -78,49 +126,95 @@
systems.follows = "systems";
};
};
# Transitive Dependencies
systems.url = "github:nix-systems/default";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
};
outputs =
{ self, nixpkgs, ... }@inputs:
{
nixosConfigurations = {
installer = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [ ./hosts/installer ];
specialArgs = { inherit inputs system; };
};
eirene = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [ ./hosts/eirene ];
specialArgs = { inherit inputs system; };
};
elara = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [ ./hosts/elara ];
specialArgs = { inherit inputs system; };
};
};
}
// inputs.flake-utils.lib.eachDefaultSystem (
unpatchedInputs:
let
patchInputs =
system:
let
pkgs = nixpkgs.legacyPackages.${system};
patcher = unpatchedInputs.flake-input-patcher.lib.${system};
patches = import ./patches.nix { inherit patcher; };
in
if patches != { } then patcher.patch unpatchedInputs patches else unpatchedInputs;
mkNixosConfiguration =
inputs: system: modules:
inputs.nixpkgs.lib.nixosSystem {
inherit system modules;
specialArgs = { inherit inputs system; };
};
in
{
devShells = {
bun = import ./hosts/common/shells/bun { inherit pkgs; };
c = import ./hosts/common/shells/c { inherit pkgs; };
go = import ./hosts/common/shells/go { inherit pkgs; };
java = import ./hosts/common/shells/java { inherit pkgs; };
nix = import ./hosts/common/shells/nix { inherit pkgs; };
nodejs = import ./hosts/common/shells/nodejs { inherit pkgs; };
python = import ./hosts/common/shells/python { inherit pkgs; };
overlays.default = import ./overlays;
}
// (
let
system = "x86_64-linux";
inputs = patchInputs system;
pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [
inputs.lib.overlays.default
inputs.self.overlays.default
];
};
formatter = pkgs.nixfmt-rfc-style;
}
treefmt = inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
in
{
nixosConfigurations = {
installer = mkNixosConfiguration inputs system [ ./hosts/installer ];
himalia = mkNixosConfiguration inputs system [ ./hosts/himalia ];
elara = mkNixosConfiguration inputs system [ ./hosts/elara ];
jupiter = mkNixosConfiguration inputs system [ ./hosts/jupiter ];
jupiter-vps = mkNixosConfiguration inputs system [ ./hosts/jupiter-vps ];
};
devShells.${system} = import ./hosts/common/shells { inherit pkgs; };
packages.${system} = import ./packages { inherit pkgs; };
formatter.${system} = treefmt.config.build.wrapper;
checks.${system} =
let
nixosConfigurations =
pkgs.lib.mapAttrs'
(
name: config:
pkgs.lib.nameValuePair "nixosConfiguration-${name}" config.config.system.build.toplevel
)
((pkgs.lib.filterAttrs (_: config: config.pkgs.system == system)) inputs.self.nixosConfigurations);
packages = pkgs.lib.mapAttrs' (
name: pkgs.lib.nameValuePair "package-${name}"
) inputs.self.packages.${system};
overlayPackages = pkgs.lib.mapAttrs' (n: pkgs.lib.nameValuePair "overlayPackage-${n}") (
import ./overlays/packages.nix { inherit pkgs; }
);
devShells = pkgs.lib.mapAttrs' (
name: pkgs.lib.nameValuePair "devShell-${name}"
) inputs.self.devShells.${system};
formatter.formatting = treefmt.config.build.check inputs.self;
in
nixosConfigurations // packages // overlayPackages // devShells // formatter;
}
);
}

4
hosts/.gitignore vendored
View File

@@ -1,2 +1,2 @@
*/secrets/ssh_host_ed25519_key
*/secrets/.decrypted~*
**/secrets/ssh_host_ed25519_key
**/secrets/.decrypted~*

View File

@@ -1,16 +0,0 @@
_backup_completion() {
local options=(
'-m[Partition to mount for backup]:partition:($(_partitions))'
'-b[Backup directory]:backup directory:_files -/'
)
local curcontext="$curcontext" state line
typeset -A opt_args
_partitions() {
lsblk -rno NAME | sed 's/^/\/dev\//'
}
_arguments -s $options
}
compdef _backup_completion backup

View File

@@ -1,64 +0,0 @@
if [[ "$EUID" -ne 0 ]]; then
echo "Please run the script as root."
exit 1
fi
usage() {
echo "Usage: $0 [-m partition] [-b backup_location]"
exit 1
}
cleanup() {
if [ -d "/persist.bak" ]; then btrfs -q subvolume delete "/persist.bak"; fi
if [ -n "$backup_location" ]; then rm -f "$backup_location.tmp"; fi
if [ -n "$mount_location" ]; then
if mount | grep -q "$mount_location"; then umount "$mount_location"; fi
if [ -d "$mount_location" ]; then rmdir "$mount_location"; fi
fi
}
partition=""
backup_location=""
mount_location=""
trap cleanup EXIT
while getopts "m:b:" opt; do
case "$opt" in
m) partition="$OPTARG" ;;
b) backup_location="$OPTARG" ;;
*) usage ;;
esac
done
if [ -n "$partition" ]; then
mount_location=$(mktemp -d /mnt/backup.XXXXXX)
echo "Mounting $partition at $mount_location..."
mount "$partition" "$mount_location"
fi
if [ -z "$mount_location" ]; then
if [[ "$backup_location" != /* ]]; then
backup_location="$(realpath "$backup_location")"
fi
else
if [[ "$backup_location" = /* ]]; then
echo "Error: When a partition is mounted, backup_location must be relative."
exit 1
fi
backup_location="$(realpath "$mount_location/$backup_location")"
fi
backup_location="$backup_location/$(hostname)-$(date +%Y-%m-%d-%H-%M-%S).btrfs.gz"
echo "Creating /persist snapshot..."
btrfs -q subvolume snapshot -r "/persist" "/persist.bak"
echo "Creating backup at $backup_location..."
btrfs -q send "/persist.bak" | gzip > "$backup_location.tmp"
mv "$backup_location.tmp" "$backup_location"
echo "Backup completed successfully!"

View File

@@ -1,20 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = [
(pkgs.writeShellApplication {
name = "backup";
runtimeInputs = with pkgs; [
btrfs-progs
coreutils-full
util-linux
];
text = builtins.readFile ./backup.sh;
})
];
home-manager.sharedModules = [
{
programs.zsh.initExtra = builtins.readFile ./backup.completion.zsh;
}
];
}

View File

@@ -8,15 +8,11 @@
};
};
environment.persistence."/persist"."/var/lib/bluetooth" = { };
environment.persistence."/persist/state"."/var/lib/bluetooth" = { };
systemd.services.bluetooth.after = [
config.environment.persistence."/persist"."/var/lib/bluetooth".mount
config.environment.persistence."/persist/state"."/var/lib/bluetooth".mount
];
home-manager.sharedModules = [
{
services.mpris-proxy.enable = config.services.pipewire.enable;
}
];
home-manager.sharedModules = [ { services.mpris-proxy.enable = config.services.pipewire.enable; } ];
}

View File

@@ -10,11 +10,8 @@
timeout = 1;
efi.canTouchEfiVariables = true;
};
initrd.systemd.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = [
"btrfs"
"ntfs"
];
};
}

View File

@@ -0,0 +1,33 @@
{ ... }:
{
systemd.tmpfiles.rules = [
"d /persist/user.bak 0755 root root"
"d /persist/state.bak 0755 root root"
];
services.btrbk = {
ioSchedulingClass = "idle";
niceness = 19;
instances = {
persist-user = {
onCalendar = "hourly";
settings.volume."/persist" = {
subvolume = "user";
snapshot_dir = "user.bak";
snapshot_preserve_min = "latest";
snapshot_preserve = "48h 14d 4w 6m";
};
};
persist-state = {
onCalendar = "daily";
settings.volume."/persist" = {
subvolume = "state";
snapshot_dir = "state.bak";
snapshot_preserve_min = "latest";
snapshot_preserve = "7d 4w 3m";
};
};
};
};
}

View File

@@ -1,7 +1,14 @@
{ ... }:
{ pkgs, ... }:
{
boot = {
initrd.supportedFilesystems = [ "btrfs" ];
supportedFilesystems = [ "btrfs" ];
};
services.btrfs.autoScrub = {
enable = true;
interval = "weekly";
};
environment.systemPackages = with pkgs; [ compsize ];
}

View File

@@ -1,5 +0,0 @@
{ ... }:
{
# https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/
services.cloudflared.enable = true;
}

View File

@@ -1,4 +0,0 @@
{ ... }:
{
imports = [ ./options.nix ];
}

View File

@@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./cpu/options.nix
./impermanence/options.nix
];
}

View File

@@ -1,29 +0,0 @@
{ config, pkgs, ... }:
{
virtualisation.docker = {
enable = true;
enableOnBoot = false;
storageDriver = "btrfs";
daemon.settings = {
experimental = true;
ipv6 = true;
fixed-cidr-v6 = "fd00::/80";
};
autoPrune = {
enable = true;
flags = [ "--all" ];
};
};
environment = {
persistence."/persist"."/var/lib/docker" = { };
systemPackages = with pkgs; [ docker-compose ];
};
systemd = {
services.docker.after = [ config.environment.persistence."/persist"."/var/lib/docker".mount ];
sockets.docker.after = [ config.environment.persistence."/persist"."/var/lib/docker".mount ];
};
}

View File

@@ -1,5 +1,10 @@
{ ... }:
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
man-pages
man-pages-posix
];
documentation = {
enable = true;

View File

@@ -0,0 +1,14 @@
{ ... }:
{
environment.persistence."/persist/state"."/var/lib/fail2ban" = { };
services.fail2ban = {
enable = true;
bantime = "24h";
bantime-increment = {
enable = true;
maxtime = "720h";
overalljails = true;
};
};
}

View File

@@ -1,4 +0,0 @@
{ ... }:
{
programs.gnupg.agent.enable = true;
}

View File

@@ -1,48 +1,16 @@
{ config, pkgs, ... }:
{
imports = [ ./options.nix ];
boot.initrd.systemd = {
enable = true;
initrdBin = with pkgs; [
coreutils
util-linux
findutils
btrfs-progs
];
services.impermanence = {
description = "Rollback BTRFS subvolumes to a pristine state";
wantedBy = [ "initrd.target" ];
before = [ "sysroot.mount" ];
after = [
"cryptsetup.target"
"local-fs-pre.target"
];
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
environment.DEVICE = config.environment.impermanence.device;
script = builtins.readFile ./scripts/wipe.sh;
};
};
# uuidgen -r | tr -d -
# https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/administration/systemd-state.section.md
# https://github.com/NixOS/nixpkgs/pull/286140/files
# https://git.eisfunke.com/config/nixos/-/blob/e65e1dc21d06d07b454005762b177ef151f8bfb6/nixos/machine-id.nix
sops.secrets."machineId".mode = "0444";
sops.secrets.machineId.mode = "0444";
environment = {
etc."machine-id".source = pkgs.runCommandLocal "machine-id-link" { } ''
ln -s ${config.sops.secrets."machineId".path} $out
'';
impermanence.enable = true;
persistence."/persist" = {
"/etc/nixos" = { };
"/var/lib/nixos" = { };
"/var/lib/systemd" = { };
"/var/log" = { };
};
etc.machine-id.source = pkgs.runCommandLocal "machine-id-link" { } ''
ln -s ${config.sops.secrets.machineId.path} $out
'';
};
}

View File

@@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
utils,
...
}:
@@ -47,13 +48,17 @@ in
with lib;
with types;
{
impermanence.device = mkOption {
impermanence = {
enable = mkEnableOption "Impermanence";
device = mkOption {
type = str;
default = config.disko.devices.disk.main.content.partitions.root.content.name;
default = config.disko.devices.disk.main.content.partitions.root.content.content.device;
description = ''
LUKS BTRFS partition to wipe on boot.
'';
};
};
persistence =
let
@@ -116,6 +121,19 @@ in
type = str;
readOnly = true;
};
create = mkOption {
type = enum [
"none"
"file"
"directory"
];
default = "none";
description = ''
Whether to create the file or directory
in persistence if it does not exist.
'';
};
};
}
)
@@ -179,8 +197,31 @@ in
let
all = lib.lists.flatten (builtins.concatMap builtins.attrValues (builtins.attrValues cfg));
in
{
fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg;
lib.mkIf config.environment.impermanence.enable {
boot.initrd.systemd = {
enable = true;
initrdBin = with pkgs; [
coreutils
util-linux
findutils
btrfs-progs
];
services.impermanence = {
description = "Rollback BTRFS subvolumes to a pristine state";
wantedBy = [ "initrd.target" ];
before = [ "sysroot.mount" ];
after = [
"cryptsetup.target"
"local-fs-pre.target"
];
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
environment.DEVICE = config.environment.impermanence.device;
script = builtins.readFile ./scripts/wipe.sh;
};
};
systemd = {
mounts = builtins.map (c: {
@@ -192,11 +233,11 @@ in
unitConfig.ConditionPathExists = [ (lib.strings.escape [ " " ] c.source) ];
what = c.source;
where = c.target;
options = lib.strings.concatStringsSep "," ([
options = lib.strings.concatStringsSep "," [
"bind"
"X-fstrim.notrim"
"x-gvfs-hide"
]);
];
}) all;
services = builtins.listToAttrs (
@@ -229,6 +270,7 @@ in
source=${lib.strings.escapeShellArg c._sourceRoot}
target=${lib.strings.escapeShellArg c._targetRoot}
path=${lib.strings.escapeShellArg c.path}
create=${lib.strings.escapeShellArg c.create}
${builtins.readFile ./scripts/start.sh}
'';
@@ -236,6 +278,7 @@ in
source=${lib.strings.escapeShellArg c._sourceRoot}
target=${lib.strings.escapeShellArg c._targetRoot}
path=${lib.strings.escapeShellArg c.path}
create=${lib.strings.escapeShellArg c.create}
${builtins.readFile ./scripts/stop.sh}
'';
@@ -244,6 +287,19 @@ in
);
};
fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg // {
"/persist".neededForBoot = true;
};
environment.persistence = {
"/persist/user"."/etc/nixos" = { };
"/persist/state" = {
"/var/lib/nixos" = { };
"/var/lib/systemd" = { };
"/var/log" = { };
};
};
assertions =
let
paths = builtins.map (c: c.path) all;

View File

@@ -1,19 +1,49 @@
echo "Starting impermanence mount with source: $source, target: $target, path: $path."
# shellcheck shell=bash
# shellcheck disable=SC2154
echo "Starting impermanence mount with source: $source, target: $target, path: $path, create: $create"
source_current="$source"
target_current="$target"
IFS='/' read -ra path_parts <<< "$path"
unset "path_parts[-1]"
IFS='/' read -ra parts <<< "$path"
leaf="${parts[-1]}"
for part in "${path_parts[@]}"; do
source_current="$source_current/$part"
target_current="$target_current/$part"
for part in "${parts[@]}"; do
source_current+="/$part"
target_current+="/$part"
if [[ ! -d "$source_current" ]]; then
if [[ -e "$source_current" ]]; then
read -r mode owner group <<< "$(stat -c '%a %u %g' "$source_current")"
if [[ -d "$source_current" ]]; then
install -d -m "$mode" -o "$owner" -g "$group" "$target_current"
continue
fi
if [[ "$part" != "$leaf" ]]; then
echo "Error: $source_current is not a directory, persistence for $path can not be applied."
exit 1
fi
install -m "$mode" -o "$owner" -g "$group" /dev/null "$target_current"
fi
if [[ "$create" == "none" ]]; then
break
fi
read -r mode owner group <<< "$(stat -c '%a %u %g' "$source_current")"
install -d -m "$mode" -o "$owner" -g "$group" "$target_current"
if [[ -e "$target_current" ]]; then
template="$target_current"
else
template="${source_current%/*}"
fi
read -r mode owner group <<< "$(stat -c '%a %u %g' "$template")"
if [[ "$part" == "$leaf" && "$create" == "file" ]]; then
install -m "$mode" -o "$owner" -g "$group" /dev/null "$source_current"
else
install -d -m "$mode" -o "$owner" -g "$group" "$source_current"
fi
done

View File

@@ -1,4 +1,7 @@
echo "Stopping impermanence mount with source: $source, target: $target, path: $path."
# shellcheck shell=bash
# shellcheck disable=SC2154
echo "Stopping impermanence mount with source: $source, target: $target, path: $path, create: $create"
source_current="$source"
target_current="$target"

View File

@@ -1,3 +1,5 @@
# shellcheck shell=bash
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
@@ -6,21 +8,27 @@ delete_subvolume_recursively() {
btrfs subvolume delete "$1"
}
if [[ -z "$DEVICE" ]]; then
echo "Error: DEVICE variable is not set."
exit 1
fi
mkdir -p /mnt/btrfs
mount "/dev/mapper/$DEVICE" /mnt/btrfs
mount "$DEVICE" /mnt/btrfs
if [[ -e /mnt/btrfs/@ ]]; then
mkdir -p /mnt/btrfs/@.bak
timestamp=$(date --date="@$(stat -c %Y /mnt/btrfs/@)" "+%Y-%m-%d_%H:%M:%S")
mv /mnt/btrfs/@ "/mnt/btrfs/@.bak/$timestamp"
timestamp=$(date --date="@$(stat -c %Y /mnt/btrfs/@)" "+%Y%m%dT%H%M")
base="@.$timestamp"
target="/mnt/btrfs/@.bak/$base"
if [[ -e "$target" ]]; then
i=1
while [[ -e "/mnt/btrfs/@.bak/${base}_$i" ]]; do
(( i++ ))
done
target="/mnt/btrfs/@.bak/${base}_$i"
fi
mv /mnt/btrfs/@ "$target"
fi
find /mnt/btrfs/@.bak/ -maxdepth 1 -mtime +14 | while IFS= read -r i; do
find /mnt/btrfs/@.bak/ -maxdepth 1 -mtime +7 | while IFS= read -r i; do
delete_subvolume_recursively "$i"
done

View File

@@ -1,52 +0,0 @@
{
config,
pkgs,
...
}:
{
imports = [
./options
./secrets
];
environment = {
persistence."/persist" = {
"/var/lib/containerd" = { };
"/var/lib/kubernetes" = { };
"/var/lib/kubelet" = { };
"/var/lib/etcd" = { };
};
etc."kubeconfig".source = config.services.kubernetes.kubeconfigs.admin;
systemPackages = with pkgs; [ kubectl ];
};
services = {
kubernetes = {
enable = true;
roles = [
"master"
"node"
];
};
};
systemd.services = {
kube-addon-manager.after = [
config.environment.persistence."/persist"."/var/lib/kubernetes".mount
];
kubelet.after = [
config.environment.persistence."/persist"."/var/lib/kubelet".mount
];
kube-apiserver.after = [
config.environment.persistence."/persist"."/var/lib/kubernetes".mount
];
etcd.after = [
config.environment.persistence."/persist"."/var/lib/etcd".mount
];
};
}

View File

@@ -1,70 +0,0 @@
{ ... }:
[
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "Role";
metadata = {
name = "system:kube-addon-manager";
namespace = "kube-system";
};
rules = [
{
apiGroups = [ "*" ];
resources = [ "*" ];
verbs = [ "*" ];
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "RoleBinding";
metadata = {
name = "system:kube-addon-manager";
namespace = "kube-system";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "Role";
name = "system:kube-addon-manager";
};
subjects = [
{
apiGroup = "rbac.authorization.k8s.io";
kind = "User";
name = "system:kube-addon-manager";
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRole";
metadata = {
name = "system:kube-addon-manager:cluster-lister";
};
rules = [
{
apiGroups = [ "*" ];
resources = [ "*" ];
verbs = [ "list" ];
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "system:kube-addon-manager:cluster-lister";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "ClusterRole";
name = "system:kube-addon-manager:cluster-lister";
};
subjects = [
{
kind = "User";
name = "system:kube-addon-manager";
}
];
}
]

View File

@@ -1,206 +0,0 @@
{ config, ... }:
[
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "create-csrs-for-bootstrapping";
};
subjects = [
{
kind = "Group";
name = "system:bootstrappers";
apiGroup = "rbac.authorization.k8s.io";
}
];
roleRef = {
kind = "ClusterRole";
name = "system:node-bootstrapper";
apiGroup = "rbac.authorization.k8s.io";
};
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "auto-approve-csrs-for-group";
};
subjects = [
{
kind = "Group";
name = "system:bootstrappers";
apiGroup = "rbac.authorization.k8s.io";
}
];
roleRef = {
kind = "ClusterRole";
name = "system:certificates.k8s.io:certificatesigningrequests:nodeclient";
apiGroup = "rbac.authorization.k8s.io";
};
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "auto-approve-renewals-for-nodes";
};
subjects = [
{
kind = "Group";
name = "system:nodes";
apiGroup = "rbac.authorization.k8s.io";
}
];
roleRef = {
kind = "ClusterRole";
name = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient";
apiGroup = "rbac.authorization.k8s.io";
};
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRole";
metadata = {
name = "kubelet-csr-approver";
};
rules = [
{
apiGroups = [ "certificates.k8s.io" ];
resources = [ "certificatesigningrequests" ];
verbs = [
"get"
"list"
"watch"
];
}
{
apiGroups = [ "coordination.k8s.io" ];
resources = [ "leases" ];
verbs = [
"create"
"get"
"update"
];
}
{
apiGroups = [ "certificates.k8s.io" ];
resources = [ "certificatesigningrequests/approval" ];
verbs = [ "update" ];
}
{
apiGroups = [ "certificates.k8s.io" ];
resourceNames = [ "kubernetes.io/kubelet-serving" ];
resources = [ "signers" ];
verbs = [ "approve" ];
}
{
apiGroups = [ "" ];
resources = [ "events" ];
verbs = [ "create" ];
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "kubelet-csr-approver";
namespace = "kube-system";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "ClusterRole";
name = "kubelet-csr-approver";
};
subjects = [
{
kind = "ServiceAccount";
name = "kubelet-csr-approver";
namespace = "kube-system";
}
];
}
{
apiVersion = "v1";
kind = "ServiceAccount";
metadata = {
name = "kubelet-csr-approver";
namespace = "kube-system";
};
}
{
apiVersion = "apps/v1";
kind = "Deployment";
metadata = {
name = "kubelet-csr-approver";
namespace = "kube-system";
};
spec = {
replicas = 1;
selector = {
matchLabels = {
app = "kubelet-csr-approver";
};
};
template = {
metadata = {
labels = {
app = "kubelet-csr-approver";
};
};
spec = {
serviceAccountName = "kubelet-csr-approver";
containers = [
{
name = "kubelet-csr-approver";
image = "postfinance/kubelet-csr-approver:latest";
args = [
"-metrics-bind-address"
":8080"
"-health-probe-bind-address"
":8081"
];
livenessProbe = {
httpGet = {
path = "/healthz";
port = 8081;
};
};
resources = {
requests = {
cpu = "100m";
memory = "200Mi";
};
};
env = [
{
name = "PROVIDER_REGEX";
value = "^${config.networking.fqdnOrHostName}$";
}
{
name = "PROVIDER_IP_PREFIXES";
value = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,169.254.0.0/16,::1/128,fe80::/10,fc00::/7";
}
{
name = "MAX_EXPIRATION_SEC";
value = "31622400";
}
{
name = "BYPASS_DNS_RESOLUTION";
value = "true";
}
];
}
];
tolerations = [
{
effect = "NoSchedule";
key = "node-role.kubernetes.io/control-plane";
operator = "Equal";
}
];
};
};
};
}
]

View File

@@ -1,21 +0,0 @@
{ ... }:
[
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "system:kube-apiserver:kubelet-api-admin";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "ClusterRole";
name = "system:kubelet-api-admin";
};
subjects = [
{
kind = "User";
name = "system:kube-apiserver";
}
];
}
]

View File

@@ -1,289 +0,0 @@
{ ... }:
[
{
apiVersion = "v1";
kind = "ServiceAccount";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "metrics-server";
namespace = "kube-system";
};
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRole";
metadata = {
labels = {
k8s-app = "metrics-server";
"rbac.authorization.k8s.io/aggregate-to-admin" = "true";
"rbac.authorization.k8s.io/aggregate-to-edit" = "true";
"rbac.authorization.k8s.io/aggregate-to-view" = "true";
};
name = "system:aggregated-metrics-reader";
};
rules = [
{
apiGroups = [ "metrics.k8s.io" ];
resources = [
"pods"
"nodes"
];
verbs = [
"get"
"list"
"watch"
];
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRole";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "system:metrics-server";
};
rules = [
{
apiGroups = [ "" ];
resources = [ "nodes/metrics" ];
verbs = [ "get" ];
}
{
apiGroups = [ "" ];
resources = [
"pods"
"nodes"
];
verbs = [
"get"
"list"
"watch"
];
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "RoleBinding";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "metrics-server-auth-reader";
namespace = "kube-system";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "Role";
name = "extension-apiserver-authentication-reader";
};
subjects = [
{
kind = "ServiceAccount";
name = "metrics-server";
namespace = "kube-system";
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "metrics-server:system:auth-delegator";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "ClusterRole";
name = "system:auth-delegator";
};
subjects = [
{
kind = "ServiceAccount";
name = "metrics-server";
namespace = "kube-system";
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "system:metrics-server";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "ClusterRole";
name = "system:metrics-server";
};
subjects = [
{
kind = "ServiceAccount";
name = "metrics-server";
namespace = "kube-system";
}
];
}
{
apiVersion = "v1";
kind = "Service";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "metrics-server";
namespace = "kube-system";
};
spec = {
ports = [
{
name = "https";
port = 443;
protocol = "TCP";
targetPort = "https";
}
];
selector = {
k8s-app = "metrics-server";
};
};
}
{
apiVersion = "apps/v1";
kind = "Deployment";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "metrics-server";
namespace = "kube-system";
};
spec = {
selector = {
matchLabels = {
k8s-app = "metrics-server";
};
};
strategy = {
rollingUpdate = {
maxUnavailable = 0;
};
};
template = {
metadata = {
labels = {
k8s-app = "metrics-server";
};
};
spec = {
containers = [
{
args = [
"--cert-dir=/tmp"
"--secure-port=10250"
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname"
"--kubelet-use-node-status-port"
"--metric-resolution=15s"
];
image = "registry.k8s.io/metrics-server/metrics-server:v0.7.2";
imagePullPolicy = "IfNotPresent";
livenessProbe = {
failureThreshold = 3;
httpGet = {
path = "/livez";
port = "https";
scheme = "HTTPS";
};
periodSeconds = 10;
};
name = "metrics-server";
ports = [
{
containerPort = 10250;
name = "https";
protocol = "TCP";
}
];
readinessProbe = {
failureThreshold = 3;
httpGet = {
path = "/readyz";
port = "https";
scheme = "HTTPS";
};
initialDelaySeconds = 20;
periodSeconds = 10;
};
resources = {
requests = {
cpu = "100m";
memory = "200Mi";
};
};
securityContext = {
allowPrivilegeEscalation = false;
capabilities = {
drop = [ "ALL" ];
};
readOnlyRootFilesystem = true;
runAsNonRoot = true;
runAsUser = 1000;
seccompProfile = {
type = "RuntimeDefault";
};
};
volumeMounts = [
{
mountPath = "/tmp";
name = "tmp-dir";
}
];
}
];
nodeSelector = {
"kubernetes.io/os" = "linux";
};
priorityClassName = "system-cluster-critical";
serviceAccountName = "metrics-server";
volumes = [
{
emptyDir = { };
name = "tmp-dir";
}
];
};
};
};
}
{
apiVersion = "apiregistration.k8s.io/v1";
kind = "APIService";
metadata = {
labels = {
k8s-app = "metrics-server";
};
name = "v1beta1.metrics.k8s.io";
};
spec = {
group = "metrics.k8s.io";
groupPriorityMinimum = 100;
insecureSkipTLSVerify = true;
service = {
name = "metrics-server";
namespace = "kube-system";
};
version = "v1beta1";
versionPriority = 100;
};
}
]

View File

@@ -1,757 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.kubernetes;
in
{
options.services.kubernetes =
with lib;
with types;
let
mkCertOptions = name: {
key = mkOption {
description = "${name} key file.";
type = path;
};
crt = mkOption {
description = "${name} certificate file.";
type = path;
};
};
in
{
enable = mkEnableOption "kubernetes";
lib = mkOption {
description = "Kubernetes utility functions.";
type = raw;
readOnly = true;
default = {
mkKubeConfig =
name: ca: cert: key:
(pkgs.formats.json { }).generate "${name}-kubeconfig.json" {
apiVersion = "v1";
kind = "Config";
clusters = [
{
name = "local";
cluster = {
server = cfg.apiserver._address;
"certificate-authority" = ca;
};
}
];
users = [
{
inherit name;
user = {
"client-certificate" = cert;
"client-key" = key;
};
}
];
contexts = [
{
name = "local";
context = {
cluster = "local";
user = name;
};
}
];
current-context = "local";
};
};
};
roles = mkOption {
description = "Kubernetes role that this machine should take.";
type = listOf (enum [
"master"
"node"
]);
default = [
"master"
"node"
];
};
address = mkOption {
description = "Kubernetes master server address.";
type = str;
default = "localhost";
};
cidr = mkOption {
description = "Kubernetes cluster CIDR.";
type = str;
default = "10.0.0.0/24";
};
cas = {
kubernetes = mkCertOptions "Kubernetes CA";
frontProxy = mkCertOptions "Front Proxy CA";
etcd = mkCertOptions "ETCD CA";
};
certs = {
apiserver = {
server = mkCertOptions "Kubernetes API Server";
kubeletClient = mkCertOptions "Kubernetes API Server Kubelet Client";
etcdClient = mkCertOptions "Kubernetes API Server ETCD Client";
};
etcd = {
server = mkCertOptions "ETCD Server";
peer = mkCertOptions "ETCD Peer";
};
frontProxy = mkCertOptions "Front Proxy Client";
serviceAccount = {
public = mkOption {
description = "Service account public key file.";
type = path;
};
private = mkOption {
description = "Service account private key file.";
type = path;
};
};
accounts = {
scheduler = mkCertOptions "Kubernetes Scheduler";
controllerManager = mkCertOptions "Kubernetes Controller Manager";
addonManager = mkCertOptions "Kubernetes Addon Manager";
proxy = mkCertOptions "Kubernetes Proxy";
admin = mkCertOptions "Kubernetes Admin";
};
};
kubeconfigs = mkOption {
description = "Kubernetes kubeconfigs.";
type = attrsOf path;
default = { };
};
apiserver = {
_address = mkOption {
description = "Kubernetes API server address.";
internal = true;
type = str;
};
address = mkOption {
description = "Kubernetes API server listening address.";
type = str;
readOnly = true;
default = "0.0.0.0";
};
port = mkOption {
description = "Kubernetes API server listening port.";
type = port;
readOnly = true;
default = 6443;
};
bootstrapTokenFile = mkOption {
description = "Kubernetes API server bootstrap token file.";
type = path;
};
};
kubelet = {
address = mkOption {
description = "Kubernetes kubelet listening address.";
type = str;
readOnly = true;
default = "0.0.0.0";
};
port = mkOption {
description = "Kubernetes kubelet listening port.";
type = port;
readOnly = true;
default = 10250;
};
taints =
let
taintOptions =
{ name, ... }:
{
key = mkOption {
description = "Taint key.";
type = str;
default = name;
};
value = mkOption {
description = "Taint value.";
type = str;
};
effect = mkOption {
description = "Taint effect.";
type = enum [
"NoSchedule"
"PreferNoSchedule"
"NoExecute"
];
};
};
in
mkOption {
description = "Taints to apply to the node.";
type = attrsOf (submodule taintOptions);
default = { };
};
bootstrapToken = mkOption {
description = "Kubelet bootstrap token file.";
type = path;
};
seedImages = mkOption {
description = "Container images to preload on the system.";
type = listOf package;
default = [ ];
};
cidr = mkOption {
description = "Kubernetes pod CIDR.";
type = str;
default = "10.1.0.0/16";
};
};
scheduler = {
address = mkOption {
description = "Kubernetes scheduler listening address.";
type = str;
readOnly = true;
default = "127.0.0.1";
};
port = mkOption {
description = "Kubernetes scheduler listening port.";
type = port;
readOnly = true;
default = 10251;
};
};
controllerManager = {
address = mkOption {
description = "Kubernetes controller manager listening address.";
type = str;
readOnly = true;
default = "127.0.0.1";
};
port = mkOption {
description = "Kubernetes controller manager listening port.";
type = port;
readOnly = true;
default = 10252;
};
};
proxy = {
address = mkOption {
description = "Kubernetes proxy listening address.";
type = str;
readOnly = true;
default = "0.0.0.0";
};
};
addonManager = {
addons = mkOption {
description = "Kubernetes addons.";
type = attrsOf (coercedTo (attrs) (a: [ a ]) (listOf attrs));
default = { };
};
bootstrapAddons = mkOption {
description = "Kubernetes addons applied with cluster-admin permissions.";
type = attrsOf (coercedTo (attrs) (a: [ a ]) (listOf attrs));
default = { };
};
};
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
# master or node
{
services.kubernetes = {
apiserver._address = "https://${cfg.address}:${toString cfg.apiserver.port}";
kubeconfigs.admin =
cfg.lib.mkKubeConfig "admin" cfg.cas.kubernetes.crt cfg.certs.accounts.admin.crt
cfg.certs.accounts.admin.key;
addonManager.bootstrapAddons = {
addonManager = import ./addons/addon-manager { };
bootstrap = import ./addons/bootstrap { inherit config; };
kubeletApiAdmin = import ./addons/kubelet-api-admin { };
metricsServer = import ./addons/metrics-server { };
};
};
boot = {
kernel.sysctl = {
"net.bridge.bridge-nf-call-iptables" = 1;
"net.ipv4.ip_forward" = 1;
"net.bridge.bridge-nf-call-ip6tables" = 1;
};
kernelModules = [
"br_netfilter"
"overlay"
];
};
users = {
users.kubernetes = {
uid = config.ids.uids.kubernetes;
group = "kubernetes";
home = "/var/lib/kubernetes";
homeMode = "755";
createHome = true;
description = "Kubernetes user";
};
groups.kubernetes.gid = config.ids.gids.kubernetes;
};
systemd = {
targets.kubernetes = {
description = "Kubernetes";
wantedBy = [ "multi-user.target" ];
};
tmpfiles.rules = [
"d /opt/cni/bin 0755 root root -"
"d /run/kubernetes 0755 kubernetes kubernetes -"
];
services = {
kubelet =
let
kubeletConfig = (pkgs.formats.json { }).generate "config.json" ({
apiVersion = "kubelet.config.k8s.io/v1beta1";
kind = "KubeletConfiguration";
address = cfg.kubelet.address;
port = cfg.kubelet.port;
authentication = {
x509.clientCAFile = cfg.cas.kubernetes.crt;
webhook = {
enabled = true;
cacheTTL = "10s";
};
};
authorization.mode = "Webhook";
cgroupDriver = "systemd";
hairpinMode = "hairpin-veth";
registerNode = true;
containerRuntimeEndpoint = "unix:///run/containerd/containerd.sock";
failSwapOn = false;
memorySwap.swapBehavior = "LimitedSwap";
rotateCertificates = true;
serverTLSBootstrap = true;
featureGates = {
RotateKubeletServerCertificate = true;
NodeSwap = true;
};
healthzBindAddress = "127.0.0.1";
healthzPort = 10248;
});
taints = lib.strings.concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (
lib.attrsets.mapAttrsToList (n: v: v) cfg.kubelet.taints
);
generateKubeletBootstrapKubeconfig = lib.meta.getExe (
pkgs.writeShellApplication {
name = "kubelet-bootstrap-kubeconfig";
runtimeInputs = with pkgs; [ coreutils ];
text = ''
mkdir -p /etc/kubernetes
cat > /etc/kubernetes/bootstrap-kubeconfig <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: ${cfg.cas.kubernetes.crt}
server: ${cfg.apiserver._address}
name: local
contexts:
- context:
cluster: local
user: kubelet-bootstrap
name: bootstrap
current-context: bootstrap
preferences: {}
users:
- name: kubelet-bootstrap
user:
token: $(<${cfg.kubelet.bootstrapToken})
EOF
'';
}
);
seedContainerImages = lib.meta.getExe (
pkgs.writeShellApplication {
name = "seed-container-images";
runtimeInputs = with pkgs; [
gzip
containerd
coreutils
];
text = ''
${lib.strings.concatMapStrings (img: ''
echo "Seeding container image: ${img}"
${
if (lib.hasSuffix "gz" img) then
''zcat "${img}" | ctr -n k8s.io image import -''
else
''cat "${img}" | ctr -n k8s.io image import -''
}
'') cfg.kubelet.seedImages}
'';
}
);
in
{
description = "Kubernetes Kubelet";
wantedBy = [ "kubernetes.target" ];
after = [
"network.target"
"containerd.service"
"kube-apisever.service"
];
path = with pkgs; [
kubernetes
coreutils
util-linux
git
openssh
iproute2
ethtool
iptables
socat
thin-provisioning-tools
];
preStart = ''
${generateKubeletBootstrapKubeconfig}
${seedContainerImages}
'';
script = lib.strings.concatStringsSep " " (
[
"kubelet"
"--config=${kubeletConfig}"
"--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubeconfig"
"--kubeconfig=/var/lib/kubelet/kubeconfig"
"--cert-dir=/var/lib/kubelet/pki"
"--hostname-override=${lib.strings.toLower config.networking.fqdnOrHostName}"
"--kubeconfig=/etc/kubernetes/bootstrap-kubeconfig"
"--pod-infra-container-image=pause"
"--root-dir=/var/lib/kubelet"
]
++ lib.lists.optional (taints != "") [
"--register-with-taints=${taints}"
]
);
serviceConfig = {
Slice = "kubernetes.slice";
CPUAccounting = true;
MemoryAccounting = true;
Restart = "on-failure";
RestartSec = "1000ms";
WorkingDirectory = "/var/lib/kubelet";
};
unitConfig.StartLimitIntervalSec = 0;
};
kube-proxy = {
description = "Kubernetes Proxy";
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
path = with pkgs; [
kubernetes
iptables
conntrack-tools
];
script = lib.strings.concatStringsSep " " [
"kube-proxy"
"--bind-address=${cfg.proxy.address}"
"--cluster-cidr=${cfg.kubelet.cidr}"
"--hostname-override=${lib.strings.toLower config.networking.fqdnOrHostName}"
"--kubeconfig=${
cfg.lib.mkKubeConfig "kube-proxy" cfg.cas.kubernetes.crt cfg.certs.accounts.proxy.crt
cfg.certs.accounts.proxy.key
}"
];
serviceConfig = {
Slice = "kubernetes.slice";
WorkingDirectory = "/var/lib/kubernetes";
Restart = "on-failure";
RestartSec = 5;
};
unitConfig.StartLimitIntervalSec = 0;
};
};
};
networking.firewall.enable = false;
}
# only master
(lib.mkIf (lib.all (m: m == "master") cfg.roles) {
services.kubernetes.kubelet.taints = {
unschedulable = {
value = "true";
effect = "NoSchedule";
};
"node-role.kubernetes.io/master" = {
value = "true";
effect = "NoSchedule";
};
};
})
# master
(lib.mkIf (lib.elem "master" cfg.roles) {
services = {
etcd = {
enable = true;
name = cfg.address;
keyFile = cfg.certs.etcd.server.key;
certFile = cfg.certs.etcd.server.crt;
trustedCaFile = cfg.cas.etcd.crt;
peerKeyFile = cfg.certs.etcd.peer.key;
peerCertFile = cfg.certs.etcd.peer.crt;
peerTrustedCaFile = cfg.cas.etcd.crt;
clientCertAuth = true;
peerClientCertAuth = true;
listenClientUrls = [ "https://0.0.0.0:2379" ];
listenPeerUrls = [ "https://0.0.0.0:2380" ];
advertiseClientUrls = [ "https://${cfg.address}:2379" ];
initialCluster = [ "${cfg.address}=https://${cfg.address}:2380" ];
initialAdvertisePeerUrls = [ "https://${cfg.address}:2380" ];
};
};
systemd.services = {
kube-apiserver = {
description = "Kubernetes API Server";
wantedBy = [ "kubernetes.target" ];
after = [ "network.target" ];
path = with pkgs; [ kubernetes ];
script = lib.strings.concatStringsSep " " [
"kube-apiserver"
"--allow-privileged=true"
"--authorization-mode=RBAC,Node"
"--bind-address=${cfg.apiserver.address}"
"--secure-port=${toString cfg.apiserver.port}"
"--client-ca-file=${cfg.cas.kubernetes.crt}"
"--tls-cert-file=${cfg.certs.apiserver.server.crt}"
"--tls-private-key-file=${cfg.certs.apiserver.server.key}"
"--enable-admission-plugins=${
lib.strings.concatStringsSep "," [
"NamespaceLifecycle"
"LimitRanger"
"ServiceAccount"
"ResourceQuota"
"DefaultStorageClass"
"DefaultTolerationSeconds"
"NodeRestriction"
]
}"
"--etcd-servers=${
lib.strings.concatStringsSep "," [
"https://${cfg.address}:2379"
"https://127.0.0.1:2379"
]
}"
"--etcd-cafile=${cfg.cas.etcd.crt}"
"--etcd-certfile=${cfg.certs.apiserver.etcdClient.crt}"
"--etcd-keyfile=${cfg.certs.apiserver.etcdClient.key}"
"--kubelet-certificate-authority=${cfg.cas.kubernetes.crt}"
"--kubelet-client-certificate=${cfg.certs.apiserver.kubeletClient.crt}"
"--kubelet-client-key=${cfg.certs.apiserver.kubeletClient.key}"
"--proxy-client-cert-file=${cfg.certs.frontProxy.crt}"
"--proxy-client-key-file=${cfg.certs.frontProxy.key}"
"--runtime-config=authentication.k8s.io/v1beta1=true"
"--api-audiences=api,https://kubernetes.default.svc"
"--service-account-issuer=https://kubernetes.default.svc"
"--service-account-signing-key-file=${cfg.certs.serviceAccount.private}"
"--service-account-key-file=${cfg.certs.serviceAccount.public}"
"--service-cluster-ip-range=${cfg.cidr}"
"--storage-backend=etcd3"
"--enable-bootstrap-token-auth=true"
"--token-auth-file=${cfg.apiserver.bootstrapTokenFile}"
"--requestheader-client-ca-file=${cfg.cas.frontProxy.crt}"
"--requestheader-allowed-names=front-proxy-client"
"--requestheader-extra-headers-prefix=X-Remote-Extra-"
"--requestheader-group-headers=X-Remote-Group"
"--requestheader-username-headers=X-Remote-User"
];
serviceConfig = {
Slice = "kubernetes.slice";
WorkingDirectory = "/var/lib/kubernetes";
User = "kubernetes";
Group = "kubernetes";
AmbientCapabilities = "cap_net_bind_service";
Restart = "on-failure";
RestartSec = 5;
};
unitConfig.StartLimitIntervalSec = 0;
};
kube-scheduler = {
description = "Kubernetes Scheduler";
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
path = with pkgs; [ kubernetes ];
script = lib.strings.concatStringsSep " " [
"kube-scheduler"
"--bind-address=${cfg.scheduler.address}"
"--secure-port=${toString cfg.scheduler.port}"
"--leader-elect=true"
"--kubeconfig=${
cfg.lib.mkKubeConfig "kube-scheduler" cfg.cas.kubernetes.crt cfg.certs.accounts.scheduler.crt
cfg.certs.accounts.scheduler.key
}"
];
serviceConfig = {
Slice = "kubernetes.slice";
WorkingDirectory = "/var/lib/kubernetes";
User = "kubernetes";
Group = "kubernetes";
Restart = "on-failure";
RestartSec = 5;
};
unitConfig.StartLimitIntervalSec = 0;
};
kube-controller-manager = {
description = "Kubernetes Controller Manager";
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
path = with pkgs; [ kubernetes ];
script = lib.strings.concatStringsSep " " [
"kube-controller-manager"
"--allocate-node-cidrs=true"
"--bind-address=${cfg.controllerManager.address}"
"--secure-port=${toString cfg.controllerManager.port}"
"--cluster-cidr=${cfg.kubelet.cidr}"
"--kubeconfig=${
cfg.lib.mkKubeConfig "kube-controller-manager" cfg.cas.kubernetes.crt
cfg.certs.accounts.controllerManager.crt
cfg.certs.accounts.controllerManager.key
}"
"--leader-elect=true"
"--root-ca-file=${cfg.cas.kubernetes.crt}"
"--service-account-private-key-file=${cfg.certs.serviceAccount.private}"
"--use-service-account-credentials"
"--client-ca-file=${cfg.cas.kubernetes.crt}"
"--cluster-signing-cert-file=${cfg.cas.kubernetes.crt}"
"--cluster-signing-key-file=${cfg.cas.kubernetes.key}"
"--requestheader-client-ca-file=${cfg.cas.frontProxy.crt}"
];
serviceConfig = {
Slice = "kubernetes.slice";
Restart = "on-failure";
RestartSec = 30;
WorkingDirectory = "/var/lib/kubernetes";
User = "kubernetes";
Group = "kubernetes";
};
unitConfig.StartLimitIntervalSec = 0;
};
kube-addon-manager =
let
mkAddons =
addons:
lib.attrsets.mapAttrsToList (
name: addon:
(pkgs.formats.json { }).generate "${name}.json" {
apiVersion = "v1";
kind = "List";
items = addon;
}
) addons;
in
{
description = "Kubernetes Addon Manager";
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
environment = {
ADDON_PATH = pkgs.runCommand "kube-addons" { } ''
mkdir -p $out
${lib.strings.concatMapStringsSep "\n" (a: "ln -s ${a} $out/${baseNameOf a}") (
mkAddons cfg.addonManager.addons
)}
'';
KUBECONFIG =
cfg.lib.mkKubeConfig "addon-manager" cfg.cas.kubernetes.crt cfg.certs.accounts.addonManager.crt
cfg.certs.accounts.addonManager.key;
};
path = with pkgs; [
kubernetes
gawk
];
preStart = ''
export KUBECONFIG=${cfg.kubeconfigs.admin}
kubectl apply -f ${lib.strings.concatStringsSep " \\\n -f " (mkAddons cfg.addonManager.bootstrapAddons)}
'';
script = "kube-addons";
serviceConfig = {
Slice = "kubernetes.slice";
PermissionsStartOnly = true;
WorkingDirectory = "/var/lib/kubernetes";
User = "kubernetes";
Group = "kubernetes";
Restart = "on-failure";
RestartSec = 10;
};
unitConfig.StartLimitIntervalSec = 0;
};
};
})
# node
(lib.mkIf (lib.elem "node" cfg.roles) {
virtualisation.containerd = {
enable = true;
settings = {
version = 2;
root = "/var/lib/containerd";
state = "/run/containerd";
oom_score = 0;
grpc.address = "/run/containerd/containerd.sock";
plugins."io.containerd.grpc.v1.cri" = {
containerd.runtimes.runc = {
runtime_type = "io.containerd.runc.v2";
options.SystemdCgroup = true;
};
};
};
};
})
]
);
}

View File

@@ -1,293 +0,0 @@
{ config, ... }:
{
sops.secrets = {
"kubernetes/ca/kubernetes/crt" = {
owner = "kubernetes";
group = "users";
mode = "0440";
};
"kubernetes/ca/kubernetes/key" = {
owner = "kubernetes";
group = "users";
mode = "0440";
};
"kubernetes/ca/front-proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/ca/front-proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/ca/etcd/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/ca/etcd/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/apiserver/server/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/apiserver/server/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/apiserver/etcd-client/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/apiserver/etcd-client/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/apiserver/kubelet-client/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/apiserver/kubelet-client/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/front-proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/front-proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/etcd/server/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/etcd/server/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/etcd/peer/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/etcd/peer/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/sa/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/sa/pub" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/scheduler/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/scheduler/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/controller-manager/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/controller-manager/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/addon-manager/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/addon-manager/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/cert/accounts/admin/crt" = {
group = "kubernetes";
};
"kubernetes/cert/accounts/admin/key" = {
group = "kubernetes";
};
"kubernetes/token/kubelet-bootstrap/token" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/token/kubelet-bootstrap/csv" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
};
services.kubernetes = {
cas = {
kubernetes = {
key = config.sops.secrets."kubernetes/ca/kubernetes/key".path;
crt = config.sops.secrets."kubernetes/ca/kubernetes/crt".path;
};
frontProxy = {
key = config.sops.secrets."kubernetes/ca/front-proxy/key".path;
crt = config.sops.secrets."kubernetes/ca/front-proxy/crt".path;
};
etcd = {
key = config.sops.secrets."kubernetes/ca/etcd/key".path;
crt = config.sops.secrets."kubernetes/ca/etcd/crt".path;
};
};
certs = {
apiserver = {
server = {
key = config.sops.secrets."kubernetes/cert/apiserver/server/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/server/crt".path;
};
etcdClient = {
key = config.sops.secrets."kubernetes/cert/apiserver/etcd-client/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/etcd-client/crt".path;
};
kubeletClient = {
key = config.sops.secrets."kubernetes/cert/apiserver/kubelet-client/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/kubelet-client/crt".path;
};
};
etcd = {
server = {
key = config.sops.secrets."kubernetes/cert/etcd/server/key".path;
crt = config.sops.secrets."kubernetes/cert/etcd/server/crt".path;
};
peer = {
key = config.sops.secrets."kubernetes/cert/etcd/peer/key".path;
crt = config.sops.secrets."kubernetes/cert/etcd/peer/crt".path;
};
};
frontProxy = {
key = config.sops.secrets."kubernetes/cert/front-proxy/key".path;
crt = config.sops.secrets."kubernetes/cert/front-proxy/crt".path;
};
serviceAccount = {
private = config.sops.secrets."kubernetes/cert/sa/key".path;
public = config.sops.secrets."kubernetes/cert/sa/pub".path;
};
accounts = {
scheduler = {
key = config.sops.secrets."kubernetes/cert/accounts/scheduler/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/scheduler/crt".path;
};
controllerManager = {
key = config.sops.secrets."kubernetes/cert/accounts/controller-manager/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/controller-manager/crt".path;
};
addonManager = {
key = config.sops.secrets."kubernetes/cert/accounts/addon-manager/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/addon-manager/crt".path;
};
proxy = {
key = config.sops.secrets."kubernetes/cert/accounts/proxy/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/proxy/crt".path;
};
admin = {
key = config.sops.secrets."kubernetes/cert/accounts/admin/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/admin/crt".path;
};
};
};
kubelet.bootstrapToken = config.sops.secrets."kubernetes/token/kubelet-bootstrap/token".path;
apiserver.bootstrapTokenFile = config.sops.secrets."kubernetes/token/kubelet-bootstrap/csv".path;
};
systemd.services = {
kubelet.after = [ "sops-nix.service" ];
kube-apiserver.after = [ "sops-nix.service" ];
kube-controller-manager.after = [ "sops-nix.service" ];
kube-scheduler.after = [ "sops-nix.service" ];
kube-proxy.after = [ "sops-nix.service" ];
kube-addon-manager.after = [ "sops-nix.service" ];
etcd.after = [ "sops-nix.service" ];
};
}

View File

@@ -1,207 +0,0 @@
#!/usr/bin/env -S nix shell nixpkgs#openssl nixpkgs#yq-go nixpkgs#sops -c bash
set -o errexit
set -o pipefail
generate_ca() {
local target_dir=$1
local ca_name=$2
local ca_days=$3
local cn=$4
mkdir -p "${target_dir}"
local ca_key=${target_dir}/${ca_name}.key
local ca_cert=${target_dir}/${ca_name}.crt
openssl genrsa -out "${ca_key}" 2048
openssl req -x509 -new -nodes -key "${ca_key}" -days "${ca_days}" -out "${ca_cert}" -subj "/CN=${cn}"
}
generate_alt_names() {
local hosts=("$@")
local dns=0
local ip=0
local alt_names=""
for host in "${hosts[@]}"; do
if [[ ${host} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
alt_names="${alt_names}IP.${ip} = ${host}\n"
((ip++))
else
alt_names="${alt_names}DNS.${dns} = ${host}\n"
((dns++))
fi
done
echo -e "${alt_names}"
}
generate_cnf() {
local target_dir=$1
local cnf_name=$2
local cn=$3
local hosts=("${@:4}")
mkdir -p "${target_dir}"
local cnf_file=${target_dir}/${cnf_name}.cnf
cat <<EOF > "${cnf_file}"
[req]
prompt = no
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
$(generate_alt_names "${hosts[@]}")
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment,digitalSignature
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
}
generate_crt() {
local target_dir=$1
local cert_name=$2
local cert_days=$3
local cn=$4
local o=$5
local ca_key=$6
local ca_cert=$7
local hosts=("${@:8}")
mkdir -p "${target_dir}"
local cert_key=${target_dir}/${cert_name}.key
local cert_csr=${target_dir}/${cert_name}.csr
local cert_cert=${target_dir}/${cert_name}.crt
openssl genrsa -out "${cert_key}" 2048
local subject="/CN=${cn}"
if [ -n "${o}" ]; then
subject="${subject}/O=${o}"
fi
if [ -n "${hosts}" ]; then
generate_cnf "${target_dir}" "${cert_name}" "${cn}" "${hosts[@]}"
openssl req -new -key "${cert_key}" -out "${cert_csr}" -subj "${subject}" -config "${target_dir}"/"${cert_name}".cnf
openssl x509 -req -in "${cert_csr}" -CA "${ca_cert}" -CAkey "${ca_key}" -CAcreateserial -out "${cert_cert}" -days "${cert_days}" -extfile "${target_dir}"/"${cert_name}".cnf -extensions v3_ext
else
openssl req -new -key "${cert_key}" -out "${cert_csr}" -subj "${subject}"
openssl x509 -req -in "${cert_csr}" -CA "${ca_cert}" -CAkey "${ca_key}" -CAcreateserial -out "${cert_cert}" -days "${cert_days}"
fi
}
generate_key_pair() {
local target_dir=$1
local key_name=$2
mkdir -p "${target_dir}"
local private_key=${target_dir}/${key_name}.key
local public_key=${target_dir}/${key_name}.pub
openssl genrsa -out "${private_key}" 2048
openssl rsa -in "${private_key}" -pubout -out "${public_key}"
}
generate_auth_token() {
local target_dir=$1
local token_name=$2
local user=$3
local id=$4
local groups=$5
mkdir -p "${target_dir}"
local token_file="${target_dir}/${token_name}.token"
local token_auth_file="${target_dir}/${token_name}.csv"
token="$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')"
echo "${token}" > "${token_file}"
echo "${token},${user},${id},\"${groups}\"" > "${token_auth_file}"
}
DEFAULT_CA_DAYS=3650
if [[ -z "$SOPS_AGE_KEY_FILE" ]]; then
echo "Please set the SOPS_AGE_KEY_FILE environment variable"
exit 1
fi
hostname=${1:-$(hostname)}
if [ -z "${hostname}" ]; then
echo "Usage: $0 [hostname]"
exit 1
fi
generate_ca out/ca kubernetes ${DEFAULT_CA_DAYS} kubernetes-ca ""
generate_ca out/ca front-proxy ${DEFAULT_CA_DAYS} kubernetes-front-proxy-ca ""
generate_ca out/ca etcd ${DEFAULT_CA_DAYS} etcd-ca ""
generate_crt out/cert/apiserver server ${DEFAULT_CA_DAYS} kube-apiserver "" out/ca/kubernetes.key out/ca/kubernetes.crt "kubernetes" "kubernetes.default" "kubernetes.default.svc" "kubernetes.default.svc.cluster" "kubernetes.default.svc.cluster.local" "localhost" "10.0.0.1" "127.0.0.1"
generate_crt out/cert/apiserver etcd-client ${DEFAULT_CA_DAYS} kube-apiserver-etcd-client "" out/ca/etcd.key out/ca/etcd.crt ""
generate_crt out/cert/apiserver kubelet-client ${DEFAULT_CA_DAYS} kube-apiserver-kubelet-client "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/etcd server ${DEFAULT_CA_DAYS} kube-etcd "" out/ca/etcd.key out/ca/etcd.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
generate_crt out/cert/etcd peer ${DEFAULT_CA_DAYS} kube-etcd-peer "" out/ca/etcd.key out/ca/etcd.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
generate_crt out/cert front-proxy ${DEFAULT_CA_DAYS} front-proxy-client "" out/ca/front-proxy.key out/ca/front-proxy.crt ""
generate_key_pair out/cert sa
generate_crt out/cert/accounts scheduler ${DEFAULT_CA_DAYS} system:kube-scheduler "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts controller-manager ${DEFAULT_CA_DAYS} system:kube-controller-manager "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts addon-manager ${DEFAULT_CA_DAYS} system:kube-addon-manager "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts proxy ${DEFAULT_CA_DAYS} system:kube-proxy "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts admin ${DEFAULT_CA_DAYS} kubernetes-admin system:masters out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts users ${DEFAULT_CA_DAYS} kubernetes-users system:masters out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_auth_token out/token kubelet-bootstrap "kubelet-bootstrap" 10001 "system:bootstrappers"
sops_config="../../../../../$(hostname)/secrets/sops.yaml"
secrets_file="../../../../../$(hostname)/secrets/secrets.yaml"
decrypted_secrets_file="../../../../../$(hostname)/secrets/.decrypted~secrets.yaml"
sops -d "${secrets_file}" > "${decrypted_secrets_file}"
yq -i '
del(.kubernetes) |
.kubernetes.ca.kubernetes.crt = load_str("out/ca/kubernetes.crt") |
.kubernetes.ca.kubernetes.key = load_str("out/ca/kubernetes.key") |
.kubernetes.ca.front-proxy.crt = load_str("out/ca/front-proxy.crt") |
.kubernetes.ca.front-proxy.key = load_str("out/ca/front-proxy.key") |
.kubernetes.ca.etcd.crt = load_str("out/ca/etcd.crt") |
.kubernetes.ca.etcd.key = load_str("out/ca/etcd.key") |
.kubernetes.cert.apiserver.server.crt = load_str("out/cert/apiserver/server.crt") |
.kubernetes.cert.apiserver.server.key = load_str("out/cert/apiserver/server.key") |
.kubernetes.cert.apiserver.etcd-client.crt = load_str("out/cert/apiserver/etcd-client.crt") |
.kubernetes.cert.apiserver.etcd-client.key = load_str("out/cert/apiserver/etcd-client.key") |
.kubernetes.cert.apiserver.kubelet-client.crt = load_str("out/cert/apiserver/kubelet-client.crt") |
.kubernetes.cert.apiserver.kubelet-client.key = load_str("out/cert/apiserver/kubelet-client.key") |
.kubernetes.cert.etcd.server.crt = load_str("out/cert/etcd/server.crt") |
.kubernetes.cert.etcd.server.key = load_str("out/cert/etcd/server.key") |
.kubernetes.cert.etcd.peer.crt = load_str("out/cert/etcd/peer.crt") |
.kubernetes.cert.etcd.peer.key = load_str("out/cert/etcd/peer.key") |
.kubernetes.cert.front-proxy.crt = load_str("out/cert/front-proxy.crt") |
.kubernetes.cert.front-proxy.key = load_str("out/cert/front-proxy.key") |
.kubernetes.cert.sa.key = load_str("out/cert/sa.key") |
.kubernetes.cert.sa.pub = load_str("out/cert/sa.pub") |
.kubernetes.cert.accounts.scheduler.crt = load_str("out/cert/accounts/scheduler.crt") |
.kubernetes.cert.accounts.scheduler.key = load_str("out/cert/accounts/scheduler.key") |
.kubernetes.cert.accounts.controller-manager.crt = load_str("out/cert/accounts/controller-manager.crt") |
.kubernetes.cert.accounts.controller-manager.key = load_str("out/cert/accounts/controller-manager.key") |
.kubernetes.cert.accounts.addon-manager.crt = load_str("out/cert/accounts/addon-manager.crt") |
.kubernetes.cert.accounts.addon-manager.key = load_str("out/cert/accounts/addon-manager.key") |
.kubernetes.cert.accounts.proxy.crt = load_str("out/cert/accounts/proxy.crt") |
.kubernetes.cert.accounts.proxy.key = load_str("out/cert/accounts/proxy.key") |
.kubernetes.cert.accounts.admin.crt = load_str("out/cert/accounts/admin.crt") |
.kubernetes.cert.accounts.admin.key = load_str("out/cert/accounts/admin.key") |
.kubernetes.cert.accounts.users.crt = load_str("out/cert/accounts/users.crt") |
.kubernetes.cert.accounts.users.key = load_str("out/cert/accounts/users.key") |
.kubernetes.token.kubelet-bootstrap.token = load_str("out/token/kubelet-bootstrap.token") |
.kubernetes.token.kubelet-bootstrap.csv = load_str("out/token/kubelet-bootstrap.csv")
' "${decrypted_secrets_file}"
sops --config "${sops_config}" -e "${decrypted_secrets_file}" > "${secrets_file}"
rm -rf ${decrypted_secrets_file} out

View File

@@ -0,0 +1,22 @@
{
inputs,
lib,
pkgs,
...
}:
{
imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
environment = {
persistence."/persist/state"."/var/lib/sbctl" = { };
systemPackages = with pkgs; [ sbctl ];
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
}

View File

@@ -12,7 +12,10 @@
spiceUSBRedirection.enable = true;
};
systemd.services.libvirtd-network-default = {
systemd.services = {
libvirtd.after = [ "NetworkManager.service" ];
libvirtd-network-default = {
description = "Start Default Virtual Network for Libvirt";
script = "${config.virtualisation.libvirtd.package}/bin/virsh net-start default";
preStop = "${config.virtualisation.libvirtd.package}/bin/virsh net-destroy default";
@@ -23,6 +26,7 @@
wantedBy = [ "libvirtd.service" ];
after = [ "libvirtd.service" ];
};
};
environment = {
systemPackages = [ config.virtualisation.libvirtd.qemu.swtpm.package ];
@@ -32,7 +36,7 @@
"ovmf/edk2-i386-vars.fd".source =
"${config.virtualisation.libvirtd.qemu.package}/share/qemu/edk2-i386-vars.fd";
};
persistence."/persist"."/var/lib/libvirt" = { };
persistence."/persist/state"."/var/lib/libvirt" = { };
};
programs.virt-manager.enable = true;

View File

@@ -1,10 +0,0 @@
{ config, ... }:
{
networking.networkmanager.enable = true;
environment.persistence."/persist"."/etc/NetworkManager/system-connections" = { };
systemd.services.NetworkManager.after = [
config.environment.persistence."/persist"."/etc/NetworkManager/system-connections".mount
];
}

View File

@@ -0,0 +1,10 @@
{ config, ... }:
{
networking.networkmanager.enable = true;
environment.persistence."/persist/state"."/etc/NetworkManager/system-connections" = { };
systemd.services.NetworkManager.after = [
config.environment.persistence."/persist/state"."/etc/NetworkManager/system-connections".mount
];
}

View File

@@ -1,3 +1,5 @@
# shellcheck shell=bash
if [[ "${EUID}" -ne 0 ]]; then
echo "Please run the script as root."
exit 1
@@ -16,13 +18,8 @@ if [[ -e /mnt/btrfs && -n $(mountpoint -q /mnt/btrfs) ]]; then
exit 1
fi
if [[ -z "$DEVICE" ]]; then
echo "Error: DEVICE variable is not set."
exit 1
fi
mkdir -p /mnt/btrfs
mount "/dev/mapper/$DEVICE" /mnt/btrfs
mount "$DEVICE" /mnt/btrfs
if [[ -e /mnt/btrfs/@.bak ]]; then
if [[ -n "$(ls -A /mnt/btrfs/@.bak)" ]]; then

View File

@@ -8,6 +8,7 @@
iputils
jq
nix
sops
inputs.disko.packages.${system}.disko
];
text = builtins.readFile ./install.sh;
@@ -15,8 +16,6 @@
];
home-manager.sharedModules = [
{
programs.zsh.initExtra = builtins.readFile ./install.completion.zsh;
}
{ programs.zsh.initContent = builtins.readFile ./install.completion.zsh; }
];
}

View File

@@ -4,7 +4,7 @@ _nix-install_completion() {
'-m[Mode: 'install' or 'repair']:mode:(install repair)'
'-h[Host to configure]:host:($(_list_hosts))'
'-k[Key file to copy to user config]:key:($(_list_keys))'
'-p[LUKS password file to use for encryption]:password_file:_files'
'-s[Enroll secure boot keys on current device]'
'-c[Copy configuration to target]'
'-r[Reboot after completion]'
)
@@ -18,8 +18,8 @@ _nix-install_completion() {
_list_keys() {
local flake="$(realpath ${words[2]})"
if [[ -d "$flake/secrets" ]]; then
find "$flake/secrets" -type f -name 'key.txt' | sed -E 's|^.*/secrets/([^/]+)/key.txt$|\1|' | sort -u
if [[ -d "$flake/submodules/secrets/domains" ]]; then
find "$flake/submodules/secrets/domains" -type f -name 'key.txt' | sed -E 's|^.*/submodules/secrets/domains/([^/]+)/key.txt$|\1|' | sort -u
fi
}

View File

@@ -1,12 +1,14 @@
# shellcheck shell=bash
usage() {
echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-c] [-r]"
echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-s] [-c] [-r]"
echo
echo "Options:"
echo " flake Directory containing the flake.nix file."
echo " -m mode Mode: 'install' or 'repair'."
echo " -h host Host to configure."
echo " -k key Key file to copy to user config."
echo " -p password_file LUKS password file to use for encryption."
echo " -s Enroll secure boot keys on current device."
echo " -c Copy configuration to target."
echo " -r Reboot after completion."
exit 1
@@ -34,48 +36,37 @@ check_flake() {
}
check_host() {
if ! nix flake show --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
if ! nix flake show --allow-import-from-derivation --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
echo "Host '$host' not found in flake."
exit 1
fi
}
check_key() {
if [[ -n "$key" ]] && [[ ! -f "$flake/secrets/$key/key.txt" ]]; then
if [[ -n "$key" ]] && [[ ! -f "$flake/submodules/secrets/domains/$key/key.txt" ]]; then
echo "Key '$key' not found."
exit 1
fi
}
set_password_file() {
if [[ -n "$password_file" ]]; then
if [[ ! -f "$password_file" ]]; then
echo "LUKS key file '$password_file' not found."
exit 1
fi
ln -sf "$(realpath "$password_file")" /tmp/installer.key
else
echo "Enter password for LUKS encryption:"
IFS= read -r -s password
echo "Enter password again to confirm: "
IFS= read -r -s password_check
[ "$password" != "$password_check" ]
echo -n "$password" > /tmp/installer.key
unset password password_check
fi
SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
export SOPS_AGE_KEY_FILE
install -m 600 /dev/null /tmp/keyfile
sops --decrypt --extract "['luks']" "$flake/submodules/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
unset SOPS_AGE_KEY_FILE
}
prepare_disk() {
local disko_mode="$1"
mkdir -p /mnt
root=$(mktemp -d /mnt/install.XXXXXX)
disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix" --arg device "\"$device\""
disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix"
}
copy_keys() {
mkdir -p "$root/persist/etc/ssh"
cp "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/etc/ssh/ssh_host_ed25519_key"
copy_sops_keys() {
mkdir -p "$root/persist/state/etc/ssh"
cp -f "$flake/submodules/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
for path in "$flake/hosts/$host/users"/*; do
if [[ -z "$key" ]]; then
@@ -84,90 +75,119 @@ copy_keys() {
local user
user=$(basename "$path")
mkdir -p "$root/persist/home/$user/.config/sops-nix"
cp "$flake/secrets/$key/key.txt" "$root/persist/home/$user/.config/sops-nix/key.txt"
chown -R "$(cat "$flake/hosts/$host/users/$user/uid"):100" "$root/persist/home/$user"
mkdir -p "$root/persist/state/home/$user/.config/sops-nix"
cp -f "$flake/submodules/secrets/domains/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
owner=$(cat "$flake/hosts/$host/users/$user/uid")
group=100
chown "$owner:$group" \
"$root/persist/state/home/$user" \
"$root/persist/state/home/$user/.config" \
"$root/persist/state/home/$user/.config/sops-nix" \
"$root/persist/state/home/$user/.config/sops-nix/key.txt"
done
}
install() {
copy_secure_boot_keys() {
mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
export SOPS_AGE_KEY_FILE
sops --decrypt --extract "['guid']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
sops --decrypt --extract "['keys']['kek']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
sops --decrypt --extract "['keys']['kek']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
sops --decrypt --extract "['keys']['pk']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
sops --decrypt --extract "['keys']['pk']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
sops --decrypt --extract "['keys']['db']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
sops --decrypt --extract "['keys']['db']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*
unset SOPS_AGE_KEY_FILE
mkdir -p "$root/var/lib/sbctl"
mount --bind -o X-fstrim.notrim,x-gvfs-hide "$root/persist/state/var/lib/sbctl" "$root/var/lib/sbctl"
}
install_nixos() {
nixos-install --root "$root" --flake "$flake#$host" --no-root-passwd
}
enroll_secure_boot() {
sbctl enroll-keys --microsoft
}
copy_config() {
echo "Copying configuration..."
rm -rf "$root/persist/etc/nixos"
cp -r "$flake" "$root/persist/etc/nixos"
}
finish() {
echo "Rebooting system..."
trap - EXIT
cleanup
reboot
mkdir -p "$root/persist/user/etc"
rm -rf "$root/persist/user/etc/nixos"
cp -r "$flake" "$root/persist/user/etc/nixos"
}
cleanup() {
rm -f /tmp/installer.key
if [[ -n "$host" && -n "$device" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix" --arg device "\"$device\""; fi
rm -f /tmp/keyfile
if [[ -d "$root" ]]; then umount "$root/var/lib/sbctl"; fi
if [[ -n "$host" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix"; fi
if [[ -d "$root" ]]; then rmdir "$root"; fi
}
check_root
check_network
main() {
check_root
check_network
if [[ "$#" -lt 1 ]]; then
usage
fi
if [[ "$#" -lt 1 ]]; then usage; fi
flake="$(realpath "$1")"
check_flake
shift
flake="$(realpath "$1")"
check_flake
shift
mode=""
host=""
key=""
password_file=""
copy_config_flag="false"
reboot_flag="false"
mode=""
host=""
key=""
enroll_secure_boot_flag="false"
copy_config_flag="false"
reboot_flag="false"
while getopts "m:h:k:p:cr" opt; do
while getopts "m:h:k:scr" opt; do
case "$opt" in
m) mode="$OPTARG" ;;
h) host="$OPTARG" ;;
k) key="$OPTARG" ;;
p) password_file="$OPTARG" ;;
s) enroll_secure_boot_flag="true" ;;
c) copy_config_flag="true" ;;
r) reboot_flag="true" ;;
*) usage ;;
esac
done
done
if [[ -z "$mode" || -z "$host" ]]; then
usage
fi
if [[ -z "$mode" || -z "$host" ]]; then usage; fi
check_host
check_key
until set_password_file; do echo "Passwords did not match, please try again."; done
check_host
check_key
set_password_file
device=$(grep -oP '(?<=device = ")[^"]+' "$flake/hosts/$host/default.nix")
case "$mode" in
install)
prepare_disk "destroy,format,mount"
copy_keys
install
if [[ "$copy_config_flag" == "true" ]]; then copy_config; fi
if [[ "$reboot_flag" == "true" ]]; then finish; fi
;;
repair)
prepare_disk "mount"
install
if [[ "$reboot_flag" == "true" ]]; then finish; fi
;;
case "$mode" in
install) prepare_disk "destroy,format,mount";;
repair) prepare_disk "mount";;
*)
echo "Invalid mode: $mode"
usage
;;
esac
esac
copy_sops_keys
copy_secure_boot_keys
install_nixos
[[ "$enroll_secure_boot_flag" == "true" ]] && enroll_secure_boot
[[ "$copy_config_flag" == "true" ]] && copy_config
cleanup
[[ "$reboot_flag" == "true" ]] && reboot
}
main "$@"

View File

@@ -1,7 +1,4 @@
{ ... }:
{
programs.nix-ld = {
enable = true;
libraries = [ ];
};
programs.nix-ld.enable = true;
}

View File

@@ -0,0 +1,4 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ nix-update ];
}

View File

@@ -1,25 +1,63 @@
{ config, inputs, ... }:
{
sops.secrets."nix/accessTokens/github" = {
sopsFile = ../../../../../secrets/personal/secrets.yaml;
config,
inputs,
lib,
...
}:
{
sops = {
secrets = {
"git/credentials/github.com/tokens/public".sopsFile =
"${inputs.secrets}/domains/personal/secrets.yaml";
"nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
};
templates = {
nix-access-tokens = {
content = ''
access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/tokens/public"}
'';
group = "users";
mode = "0440";
};
nix-netrc = {
content = ''
machine nix.karaolidis.com
password ${config.sops.placeholder."nix/cache/nix.karaolidis.com"}
'';
group = "users";
mode = "0440";
};
};
};
nix = {
settings = {
trusted-users = lib.mkAfter [ "@wheel" ];
use-xdg-base-directories = true;
experimental-features = [
"nix-command"
"flakes"
];
download-buffer-size = 524288000;
substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
trusted-public-keys = lib.mkBefore [
"nix.karaolidis.com:1yz1tIVLGDEOFC1p/uYtR4Sx+nIbdYDqsDv4kkV0uyk="
];
netrc-file = config.sops.templates.nix-netrc.path;
};
registry.self.flake = inputs.self;
channel.enable = false;
gc.automatic = true;
optimise.automatic = true;
registry.self.flake = inputs.self;
extraOptions = ''
!include ${config.sops.secrets."nix/accessTokens/github".path}
!include ${config.sops.templates.nix-access-tokens.path}
'';
};
}

View File

@@ -1,6 +1,7 @@
{ inputs, ... }:
{ system, ... }:
{
imports = [ inputs.nur.modules.nixos.default ];
nixpkgs.config.allowUnfree = true;
nixpkgs = {
hostPlatform = system;
config.allowUnfree = true;
};
}

View File

@@ -8,12 +8,16 @@
};
pulse.enable = true;
jack.enable = true;
extraConfig.pipewire-pulse = {
pulse.cmd = [
extraConfig.pipewire-pulse.pipewire-pulse = {
"pulse.cmd" = [
{
cmd = "load-module";
args = "module-switch-on-connect";
}
{
cmd = "load-module";
args = "module-combine-sink";
}
];
};
};

View File

@@ -0,0 +1,27 @@
{ pkgs, inputs, ... }:
{
imports = [ inputs.quadlet-nix.nixosModules.quadlet ];
virtualisation = {
podman.enable = true;
containers = {
enable = true;
storage.settings.storage.driver = "btrfs";
};
quadlet = {
enable = true;
autoEscape = true;
};
};
environment = {
persistence."/persist/state"."/var/lib/containers".create = "directory";
systemPackages = with pkgs; [
podman-compose
kompose
];
};
}

View File

@@ -0,0 +1,4 @@
{ ... }:
{
powerManagement.enable = true;
}

View File

@@ -1,5 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ powertop ];
powerManagement.powertop.enable = true;
}

View File

@@ -18,19 +18,19 @@
};
};
environment.persistence."/persist" = {
environment.persistence."/persist/state" = {
"/var/lib/cups/ppd" = { };
"/var/lib/cups/printers.conf" = { };
};
systemd = {
services.cups.after = [
config.environment.persistence."/persist"."/var/lib/cups/ppd".mount
config.environment.persistence."/persist"."/var/lib/cups/printers.conf".mount
config.environment.persistence."/persist/state"."/var/lib/cups/ppd".mount
config.environment.persistence."/persist/state"."/var/lib/cups/printers.conf".mount
];
sockets.cups.after = [
config.environment.persistence."/persist"."/var/lib/cups/ppd".mount
config.environment.persistence."/persist"."/var/lib/cups/printers.conf".mount
config.environment.persistence."/persist/state"."/var/lib/cups/ppd".mount
config.environment.persistence."/persist/state"."/var/lib/cups/printers.conf".mount
];
};
}

View File

@@ -0,0 +1,12 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
smartmontools
nvme-cli
];
services.smartd = {
enable = true;
defaults.autodetected = "-a -o on -n idle,10 -s (S/../.././02|L/../../7/04)";
};
}

View File

@@ -8,13 +8,27 @@
imports = [ inputs.sops-nix.nixosModules.sops ];
environment = {
persistence."/persist"."/etc/ssh/ssh_host_ed25519_key" = { };
systemPackages = with pkgs; [ sops ];
persistence."/persist/state"."/etc/ssh/ssh_host_ed25519_key" = { };
systemPackages = with pkgs; [
sops
age
ssh-to-age
];
};
sops.age = {
sops = {
defaultSopsFile = "${inputs.secrets}/hosts/${config.networking.hostName}/secrets.yaml";
age = {
generateKey = true;
sshKeyPaths = [ config.environment.persistence."/persist"."/etc/ssh/ssh_host_ed25519_key".source ];
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths =
if config.environment.impermanence.enable then
[ config.environment.persistence."/persist/state"."/etc/ssh/ssh_host_ed25519_key".source ]
else
[ "/etc/ssh/ssh_host_ed25519_key" ];
};
};
}

View File

@@ -1,12 +1,23 @@
{ ... }:
{ inputs, ... }:
{
programs.ssh = {
startAgent = true;
programs.ssh.knownHosts = {
installer.publicKeyFile = "${inputs.secrets}/hosts/installer/ssh_host_ed25519_key.pub";
elara.publicKeyFile = "${inputs.secrets}/hosts/elara/ssh_host_ed25519_key.pub";
himalia.publicKeyFile = "${inputs.secrets}/hosts/himalia/ssh_host_ed25519_key.pub";
knownHosts = {
installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub;
eirene.publicKeyFile = ../../../../eirene/secrets/ssh_host_ed25519_key.pub;
elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub;
jupiter = {
publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_host_ed25519_key.pub";
extraHostNames = [ "karaolidis.com" ];
};
jupiter-sish = {
publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub";
extraHostNames = [ "tunnel.karaolidis.com" ];
};
jupiter-vps = {
publicKeyFile = "${inputs.secrets}/hosts/jupiter-vps/ssh_host_ed25519_key.pub";
extraHostNames = [ "vps.karaolidis.com" ];
};
};
}

View File

@@ -0,0 +1,12 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ kitty.terminfo ];
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PrintMotd = false;
};
};
}

View File

@@ -0,0 +1,4 @@
{ ... }:
{
security.pam.services.sudo.nodelay = true;
}

View File

@@ -1,17 +1,4 @@
{ inputs, ... }:
{ ... }:
{
system = {
autoUpgrade = {
enable = true;
flake = inputs.self.outPath;
flags = [
"--update-input"
"nixpkgs"
"-L"
];
dates = "02:00";
};
stateVersion = "24.11";
};
system.stateVersion = "24.11";
}

View File

@@ -1,3 +1,5 @@
# shellcheck shell=bash
case "$2" in
connectivity-change)
if timezone=$(curl --fail https://ipapi.co/timezone); then

View File

@@ -1,12 +0,0 @@
{ ... }:
{
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
};
};
}

View File

@@ -1,10 +0,0 @@
{ ... }:
{
programs.tmux = {
enable = true;
clock24 = true;
historyLimit = 10000;
keyMode = "vi";
newSession = true;
};
}

View File

@@ -1,4 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ tree ];
}

View File

@@ -0,0 +1,8 @@
{ ... }:
{
services.upower = {
enable = true;
allowRiskyCriticalPowerAction = true;
criticalPowerAction = "Ignore";
};
}

View File

@@ -1,4 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ wget ];
}

View File

@@ -6,7 +6,9 @@
};
environment = {
persistence."/persist"."/var/lib/zsh" = { };
persistence."/persist/state"."/var/lib/zsh" = { };
pathsToLink = [ "/share/zsh" ];
};
systemd.tmpfiles.rules = [ "d /var/lib/zsh 0755 root root" ];
}

View File

@@ -1,23 +1,12 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ config, pkgs, ... }:
{
nixpkgs.overlays = [
(final: prev: {
android-tools = prev.android-tools.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./env-var-user-home.patch ];
});
})
];
programs.adb.enable = true;
services.gvfs.enable = true;
users.users.${user}.extraGroups = [ "adbusers" ];
environment.persistence."/persist" = {
environment.persistence."/persist/state" = {
"${home}/.local/share/android/adbkey" = { };
"${home}/.local/share/android/adbkey.pub" = { };
};

View File

@@ -0,0 +1,33 @@
{ user, home }:
{
config,
inputs,
pkgs,
...
}:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user} = {
sops = {
secrets."nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
templates.attic = {
content = builtins.readFile (
(pkgs.formats.toml { }).generate "config.toml" {
default-server = "main";
servers."main" = {
endpoint = "https://nix.karaolidis.com/";
token = hmConfig.sops.placeholder."nix/cache/nix.karaolidis.com";
};
}
);
path = "${home}/.config/attic/config.toml";
};
};
home.packages = with pkgs; [ attic-client ];
};
}

View File

@@ -1,8 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ lib, pkgs, ... }:
{
home-manager.users.${user}.programs.bashmount.enable = true;
}

View File

@@ -1,13 +1,8 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ lib, pkgs, ... }:
{
users.users.${user}.extraGroups = [
"video"
"inputs"
];
home-manager.users.${user}.home.packages = with pkgs; [ brightnessctl ];
}

View File

@@ -1,12 +1,11 @@
{ user, home }:
{ lib, pkgs, ... }:
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
home-manager.users.${user}.programs.btop = {
home-manager.users.${user} = {
programs.btop = {
enable = true;
settings = {
color_theme = "matugen";
theme_background = false;
presets = "";
vim_keys = true;
@@ -14,7 +13,22 @@
update_ms = 1000;
proc_tree = true;
cpu_single_graph = true;
disks_filter = "/ /nix /persist /cache";
disks_filter = "/ /nix /persist";
};
};
theme = {
template.".config/btop/themes/matugen.theme".source = ./theme.theme;
reloadExtraConfig = "${
lib.meta.getExe (
pkgs.writeShellApplication {
name = "reload-btop";
runtimeInputs = with pkgs; [ procps ];
text = "exec pkill btop -SIGUSR2";
}
)
} &";
};
};
}

View File

@@ -0,0 +1,19 @@
{ user, home }:
{
config,
lib,
pkgs,
...
}:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user} = {
home.packages = with pkgs; [ dive ];
xdg.configFile."dive/config.yaml" = lib.mkIf (
config.virtualisation.podman.enable || hmConfig.services.podman.enable
) { source = (pkgs.formats.yaml { }).generate "config.yaml" { container-engine = "podman"; }; };
};
}

View File

@@ -1,55 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
rootless ? true,
}:
{
config,
lib,
pkgs,
...
}:
lib.mkMerge [
{
virtualisation.docker.rootless = {
enable = rootless;
setSocketVariable = true;
enableOnBoot = false;
storageDriver = "btrfs";
daemon.settings = {
experimental = true;
ipv6 = true;
fixed-cidr-v6 = "fd00::/80";
};
autoPrune = {
enable = true;
flags = [ "--all" ];
};
};
home-manager.users.${user}.home = {
packages = with pkgs; [ docker-compose ];
sessionVariables = {
DOCKER_CONFIG = "${home}/.config/docker";
};
};
}
(lib.mkIf rootless {
environment.persistence."/persist"."${home}/.local/share/docker" = { };
systemd.user = {
services.docker.after = [
config.environment.persistence."/persist"."${home}/.local/share/docker".mount
];
sockets.docker.after = [
config.environment.persistence."/persist"."${home}/.local/share/docker".mount
];
};
})
(lib.mkIf (!rootless) {
users.users.${user}.extraGroups = [ "docker" ];
})
]

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ ... }:
{
home-manager.users.${user}.programs.fastfetch.enable = true;

View File

@@ -1,8 +1,8 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ pkgs, ... }:
{
home-manager.users.${user}.home.packages = with pkgs; [ ffmpeg ];
home-manager.users.${user}.home.packages = with pkgs; [
ffmpeg
mediainfo
];
}

View File

@@ -1,3 +1,5 @@
# shellcheck shell=bash
git interpret-trailers --if-exists doNothing --trailer \
"Signed-off-by: $(git config user.name) <$(git config user.email)>" \
--in-place "$1"

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
lib,
@@ -44,5 +41,41 @@ in
);
};
};
home = {
packages = with pkgs; [
(pkgs.writeShellApplication {
name = "gh";
runtimeInputs = with pkgs; [ gh ];
text = builtins.readFile ./gh.sh;
})
(pkgs.writeShellApplication {
name = "glab";
runtimeInputs = with pkgs; [ glab ];
text = builtins.readFile ./glab.sh;
})
(pkgs.writeShellApplication {
name = "tea";
runtimeInputs = with pkgs; [ tea ];
text = builtins.readFile ./tea.sh;
})
];
sessionVariables = {
GITEA_HOST = "git.karaolidis.com";
GITEA_SSH_HOST = "karaolidis.com";
};
};
xdg.configFile = {
"gh/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
version = 1;
git_protocol = "ssh";
};
"glab-cli/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
git_protocol = "ssh";
};
};
};
}

View File

@@ -0,0 +1,8 @@
# shellcheck shell=bash
GH_HOST="${GH_HOST:-github.com}"
GH_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GH_HOST}#\1#p" "$HOME/.config/git/credentials")
export GH_TOKEN
exec gh "$@"

View File

@@ -0,0 +1,8 @@
# shellcheck shell=bash
GITLAB_HOST="${GITLAB_HOST:-gitlab.com}"
GITLAB_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITLAB_HOST}#\1#p" "$HOME/.config/git/credentials")
export GITLAB_TOKEN
exec glab "$@"

View File

@@ -0,0 +1,13 @@
# shellcheck shell=bash
GITEA_HOST="${GITEA_HOST:-gitea.com}"
GITEA_SSH_HOST="${GITEA_SSH_HOST:-gitea.com}"
GITEA_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITEA_HOST}#\1#p" "$HOME/.config/git/credentials")
GITEA_INSTANCE_URL="https://${GITEA_HOST}"
GITEA_INSTANCE_SSH_HOST="$GITEA_SSH_HOST"
export GITEA_TOKEN
export GITEA_INSTANCE_URL
export GITEA_INSTANCE_SSH_HOST
exec tea "$@"

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
lib,
@@ -23,6 +20,10 @@
enable = true;
defaultCacheTtl = 31536000;
maxCacheTtl = 31536000;
pinentry = {
package = pkgs.pinentry-all;
program = "pinentry-tty";
};
};
systemd.user = {

View File

@@ -1,3 +1,5 @@
# shellcheck shell=bash
install -d -m 700 "$GNUPGHOME"
KEYS="$HOME/.config/sops-nix/secrets/gpg"

View File

@@ -1,17 +1,17 @@
{ user, home }:
{
user ? throw "user argument is required",
home ? throw "home argument is required",
config,
inputs,
lib,
...
}:
{ config, inputs, ... }:
{
imports = [ inputs.home-manager.nixosModules.default ];
programs.dconf.enable = true;
home-manager = {
extraSpecialArgs = {
inherit inputs;
};
extraSpecialArgs = { inherit inputs; };
backupFileExtension = "bak";
useUserPackages = true;
useGlobalPkgs = true;
@@ -20,10 +20,16 @@
home.stateVersion = "24.11";
systemd.user.startServices = true;
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings = {
inherit (config.nix.settings)
use-xdg-base-directories
experimental-features
download-buffer-size
substituters
trusted-public-keys
netrc-file
;
};
};
};
}

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ pkgs, ... }:
{
home-manager.users.${user}.home.packages = with pkgs; [ imagemagick ];

View File

@@ -0,0 +1,12 @@
{ user, home }:
{ pkgs, ... }:
{
home-manager.users.${user}.home.packages = with pkgs; [
iproute2
iptables
ipset
ethtool
tcpdump
ipcalc
];
}

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ ... }:
{
home-manager.users.${user}.programs.jq.enable = true;

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
lib,
@@ -9,52 +6,20 @@
...
}:
{
nixpkgs.overlays = [
(final: prev: {
k9s = prev.k9s.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./remove-splash.patch ];
});
})
];
environment.persistence = {
"/persist"."${home}/.kube" = { };
"/cache"."${home}/.kube/cache" = { };
"/persist/user"."${home}/.kube" = { };
"/persist/cache"."${home}/.kube/cache" = { };
};
users.users.${user}.extraGroups = [ "kubernetes" ];
sops.secrets = {
"kubernetes/cert/accounts/${user}/crt" = {
key = "kubernetes/cert/accounts/users/crt";
group = "users";
mode = "0440";
};
"kubernetes/cert/accounts/${user}/key" = {
key = "kubernetes/cert/accounts/users/key";
group = "users";
mode = "0440";
};
};
services.kubernetes.kubeconfigs.${user} =
config.services.kubernetes.lib.mkKubeConfig user config.sops.secrets."kubernetes/ca/kubernetes/crt".path
config.sops.secrets."kubernetes/cert/accounts/${user}/crt".path
config.sops.secrets."kubernetes/cert/accounts/${user}/key".path;
home-manager.users.${user} = {
home = {
packages = with pkgs; [
home.packages = with pkgs; [
kubectl
kustomize
kubernetes-helm
kompose
kind
];
file.".kube/local".source = config.services.kubernetes.kubeconfigs.${user};
};
programs = {
k9s = {
enable = true;
@@ -67,19 +32,20 @@
ui = {
skin = "matugen";
logoless = true;
splashless = true;
reactive = true;
};
};
};
zsh = {
initExtra = ''
initContent = ''
kubeswitch() {
local target="$HOME/.kube/$1"
local config="$HOME/.kube/config"
if [[ -f "$target" && "$target" != "$config" ]]; then
ln -sf "$target" "$config"
ln -srf "$target" "$config"
echo "Switched kube context to $1"
p10k reload
else
@@ -101,6 +67,6 @@
};
};
theme.template."${home}/.config/k9s/skins/matugen.yaml".source = ./theme.yaml;
theme.template.".config/k9s/skins/matugen.yaml".source = ./theme.yaml;
};
}

View File

@@ -1,123 +0,0 @@
diff --git a/internal/ui/splash.go b/internal/ui/splash.go
index bfe58e46..21683c53 100644
--- a/internal/ui/splash.go
+++ b/internal/ui/splash.go
@@ -3,14 +3,6 @@
package ui
-import (
- "fmt"
- "strings"
-
- "github.com/derailed/k9s/internal/config"
- "github.com/derailed/tview"
-)
-
// LogoSmall K9s small log.
var LogoSmall = []string{
` ____ __.________ `,
@@ -30,42 +22,3 @@ var LogoBig = []string{
`|____|__ \ /____//____ >\______ /_______ \___|`,
` \/ \/ \/ \/ `,
}
-
-// Splash represents a splash screen.
-type Splash struct {
- *tview.Flex
-}
-
-// NewSplash instantiates a new splash screen with product and company info.
-func NewSplash(styles *config.Styles, version string) *Splash {
- s := Splash{Flex: tview.NewFlex()}
- s.SetBackgroundColor(styles.BgColor())
-
- logo := tview.NewTextView()
- logo.SetDynamicColors(true)
- logo.SetTextAlign(tview.AlignCenter)
- s.layoutLogo(logo, styles)
-
- vers := tview.NewTextView()
- vers.SetDynamicColors(true)
- vers.SetTextAlign(tview.AlignCenter)
- s.layoutRev(vers, version, styles)
-
- s.SetDirection(tview.FlexRow)
- s.AddItem(logo, 10, 1, false)
- s.AddItem(vers, 1, 1, false)
-
- return &s
-}
-
-func (s *Splash) layoutLogo(t *tview.TextView, styles *config.Styles) {
- logo := strings.Join(LogoBig, fmt.Sprintf("\n[%s::b]", styles.Body().LogoColor))
- fmt.Fprintf(t, "%s[%s::b]%s\n",
- strings.Repeat("\n", 2),
- styles.Body().LogoColor,
- logo)
-}
-
-func (s *Splash) layoutRev(t *tview.TextView, rev string, styles *config.Styles) {
- fmt.Fprintf(t, "[%s::b]Revision [red::b]%s", styles.Body().FgColor, rev)
-}
diff --git a/internal/ui/splash_test.go b/internal/ui/splash_test.go
deleted file mode 100644
index 69b4b50d..00000000
--- a/internal/ui/splash_test.go
+++ /dev/null
@@ -1,22 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// Copyright Authors of K9s
-
-package ui_test
-
-import (
- "testing"
-
- "github.com/derailed/k9s/internal/config"
- "github.com/derailed/k9s/internal/ui"
- "github.com/stretchr/testify/assert"
-)
-
-func TestNewSplash(t *testing.T) {
- s := ui.NewSplash(config.NewStyles(), "bozo")
-
- x, y, w, h := s.GetRect()
- assert.Equal(t, 0, x)
- assert.Equal(t, 0, y)
- assert.Equal(t, 15, w)
- assert.Equal(t, 10, h)
-}
diff --git a/internal/view/app.go b/internal/view/app.go
index 4ac7e7c2..2b3a3fc5 100644
--- a/internal/view/app.go
+++ b/internal/view/app.go
@@ -35,7 +35,6 @@ import (
var ExitStatus = ""
const (
- splashDelay = 1 * time.Second
clusterRefresh = 15 * time.Second
clusterInfoWidth = 50
clusterInfoPad = 15
@@ -165,8 +164,7 @@ func (a *App) layout(ctx context.Context) {
}
main.AddItem(flash, 1, 1, false)
- a.Main.AddPage("main", main, true, false)
- a.Main.AddPage("splash", ui.NewSplash(a.Styles, a.version), true, true)
+ a.Main.AddPage("main", main, true, true)
a.toggleHeader(!a.Config.K9s.IsHeadless(), !a.Config.K9s.IsLogoless())
}
@@ -520,10 +518,7 @@ func (a *App) Run() error {
a.Resume()
go func() {
- <-time.After(splashDelay)
a.QueueUpdateDraw(func() {
- a.Main.SwitchToPage("main")
- // if command bar is already active, focus it
if a.CmdBuff().IsActive() {
a.SetFocus(a.Prompt())
}

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ pkgs, ... }:
{
home-manager.users.${user}.dconf.settings = {

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ pkgs, ... }:
{
home-manager.users.${user}.home.packages = with pkgs; [ lsof ];

View File

@@ -0,0 +1,5 @@
{ user, home }:
{ pkgs, ... }:
{
home-manager.users.${user}.home.packages = with pkgs; [ mprocs ];
}

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ pkgs, ... }:
{
home-manager.users.${user} = {

View File

@@ -0,0 +1,28 @@
{ user, home }:
{ lib, pkgs, ... }:
{
environment.persistence = {
"/persist/state"."${home}/.config/ncspot/userstate.cbor" = { };
"/persist/cache"."${home}/.cache/ncspot" = { };
};
home-manager.users.${user} = {
programs.ncspot.enable = true;
theme = {
template.".config/ncspot/config.toml".source = ./theme.toml;
reloadExtraConfig = "${
lib.meta.getExe (
pkgs.writeShellApplication {
name = "reload-ncspot";
runtimeInputs = with pkgs; [ netcat ];
text = ''
printf "reload\n" | nc -W 1 -U "''${XDG_RUNTIME_DIR:-/run/user/$UID}/ncspot/ncspot.sock"
'';
}
)
} &";
};
};
}

View File

@@ -0,0 +1,26 @@
use_nerdfont = true
volnorm = true
default_keybindings = true
library_tabs = [ "albums", "artists", "playlists", "browse" ]
[keybindings]
"Esc" = "back"
[theme]
background = "{{colors.surface.default.hex}}"
primary = "{{colors.on_surface.default.hex}}"
secondary = "{{colors.inverse_surface.default.hex}}"
title = "{{colors.primary.default.hex}}"
playing = "{{colors.primary.default.hex}}"
playing_bg = "{{colors.surface.default.hex}}"
highlight = "{{colors.on_primary.default.hex}}"
highlight_bg = "{{colors.primary.default.hex}}"
playing_selected = "{{colors.on_primary.default.hex}}"
error = "{{colors.on_error.default.hex}}"
error_bg = "{{colors.error.default.hex}}"
statusbar = "{{colors.primary.default.hex}}"
statusbar_progress = "{{colors.primary.default.hex}}"
statusbar_bg = "{{colors.surface.default.hex}}"
cmdline = "{{colors.on_surface.default.hex}}"
cmdline_bg = "{{colors.surface.default.hex}}"
search_match = "{{colors.tertiary.default.hex}}"

View File

@@ -1,25 +1,299 @@
{ user, home }:
{
user ? throw "user argument is required",
home ? throw "home argument is required",
inputs,
lib,
pkgs,
...
}:
{ ... }:
{
home-manager.users.${user}.programs = {
neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
vimdiffAlias = true;
extraConfig = ''
set tabstop=2
set shiftwidth=2
set expandtab
set smartindent
set mouse=
'';
environment.persistence = {
"/persist/state"."${home}/.local/share/nvf" = { };
"/persist/cache"."${home}/.cache/nvf" = { };
};
zsh.p10k.extraRightPromptElements = [ "vim_shell" ];
home-manager.users.${user} = {
imports = [ inputs.nvf.homeManagerModules.default ];
programs = {
nvf = {
enable = true;
defaultEditor = true;
settings = {
vim = {
enableLuaLoader = true;
viAlias = true;
vimAlias = true;
autocomplete = {
blink-cmp.enable = true;
};
binds = {
# hardtime-nvim.enable = true;
whichKey.enable = true;
};
clipboard = {
enable = true;
providers.wl-copy.enable = true;
registers = "unnamedplus";
};
comments = {
comment-nvim.enable = true;
};
# dashboard = {
# alpha.enable = true;
# };
filetree = {
neo-tree = {
enable = true;
setupOpts = {
git_status_async = true;
window.mappings = lib.generators.mkLuaInline ''
{
["<space>"] = "noop",
}
'';
};
};
};
# formatter = {
# conform-nvim.enable = true;
# };
git = {
enable = true;
# git-conflict.enable = true;
gitsigns.enable = true;
# neogit.enable = true;
};
languages = {
enableDAP = true;
enableFormat = true;
enableTreesitter = true;
enableExtraDiagnostics = true;
assembly.enable = true;
bash.enable = true;
clang.enable = true;
csharp.enable = true;
css.enable = true;
go.enable = true;
html.enable = true;
java.enable = true;
lua.enable = true;
markdown.enable = true;
nix = {
enable = true;
format.type = "nixfmt";
lsp.options.nil = {
nix = {
maxMemoryMB = null;
flake = {
autoArchive = true;
autoEvalInputs = true;
};
};
};
};
php.enable = true;
python.enable = true;
rust.enable = true;
sql.enable = true;
svelte.enable = true;
ts.enable = true;
yaml.enable = true;
};
lsp = {
enable = true;
formatOnSave = true;
# nvim-docs-view.enable = true;
# otter-nvim.enable = true;
# trouble.enable = true;
};
# minimap = {
# codewindow.enable = true;
# };
notify = {
nvim-notify.enable = true;
};
options = {
tabstop = 2;
shiftwidth = 2;
expandtab = true;
smartindent = true;
};
# projects = {
# project-nvim.enable = true;
# };
searchCase = "smart";
# snippets = {
# luasnip.enable = true;
# };
tabline = {
nvimBufferline = {
enable = true;
mappings.closeCurrent = "<leader>bd";
setupOpts.options = {
indicator.style = "icon";
show_close_icon = false;
show_buffer_close_icons = false;
};
};
};
telescope = {
enable = true;
setupOpts.defaults.file_ignore_patterns = [
"node_modules"
"%.venv/"
"%.git/"
"dist/"
"build/"
"target/"
"result/"
];
};
terminal = {
toggleterm = {
enable = true;
setupOpts.winbar.enabled = false;
};
};
treesitter = {
enable = true;
context.enable = true;
fold = true;
textobjects.enable = true;
};
ui = {
# breadcrumbs = {
# enable = true;
# navbuddy.enable = true;
# };
colorizer.enable = true;
# fastaction.enable = true;
# illuminate.enable = true;
};
undoFile.enable = true;
utility = {
# diffview-nvim.enable = true;
# icon-picker.enable = true;
# images = {
# img-clip.enable = true;
# };
# mkdir.enable = true;
motion = {
precognition.enable = true;
};
# nvim-biscuits.enable = true;
# smart-splits.enable = true;
surround.enable = true;
# undotree.enable = true;
# yazi-nvim.enable = true;
};
visuals = {
# cinnamon-nvim.enable = true;
# fidget-nvim.enable = true;
# highlight-undo.enable = true;
indent-blankline.enable = true;
nvim-cursorline.enable = true;
# nvim-scrollbar.enable = true;
nvim-web-devicons.enable = true;
};
keymaps = [
{
mode = [ "n" ];
key = "<C-b>";
action = "<C-b>zz";
silent = true;
noremap = true;
desc = "Page up and center";
}
{
mode = [ "n" ];
key = "<C-u>";
action = "<C-u>zz";
silent = true;
noremap = true;
desc = "Half-page up and center";
}
{
mode = [ "n" ];
key = "<C-d>";
action = "<C-d>zz";
silent = true;
noremap = true;
desc = "Half-page down and center";
}
{
mode = [ "n" ];
key = "<C-f>";
action = "<C-f>zz";
silent = true;
noremap = true;
desc = "Page down and center";
}
{
mode = [ "n" ];
key = "<leader>ww";
action = "<cmd>w<CR>";
silent = true;
desc = "Save";
}
{
mode = [ "n" ];
key = "<leader>wq";
action = "<cmd>wq<CR>";
silent = true;
desc = "Save & Quit";
}
{
mode = [ "n" ];
key = "<leader>ee";
action = "<cmd>Neotree toggle<CR>";
silent = true;
desc = "Toggle Neo-tree";
}
{
mode = [ "n" ];
key = "<leader>ef";
action = "<cmd>Neotree reveal<CR>";
silent = true;
desc = "Reveal file in Neo-tree";
}
];
};
};
};
zsh = {
p10k.extraRightPromptElements = [ "vim_shell" ];
shellAliases.v = "nvim";
};
};
};
}

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ ... }:
{
home-manager.users.${user}.programs.zsh.shellAliases.ncl = "sudo nix-cleanup";

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
lib,
inputs,
@@ -12,7 +9,7 @@
home-manager.users.${user}.programs.zsh = {
shellAliases.nd = "nix-develop";
initExtra =
initContent =
let
devShells = lib.strings.concatStringsSep " " (
lib.attrsets.mapAttrsToList (key: _: key) inputs.self.devShells.${system}
@@ -35,7 +32,16 @@
done
if [[ -z "$devshell" ]]; then
if [ ! -f flake.nix ]; then cp "${./template.nix}" flake.nix; fi
if [ ! -f flake.nix ]; then
cp "${./template.nix}" flake.nix
chmod 755 flake.nix
fi
if [ ! treefmt.nix ]; then
cp "${./treefmt.nix}" treefmt.nix
chmod 755 treefmt.nix
fi
nix develop -c "$SHELL"
else
nix develop self#"$devshell" -c "$SHELL"

View File

@@ -1,30 +1,31 @@
{
inputs = {
nixpkgs = {
type = "github";
owner = "karaolidis";
repo = "nixpkgs";
ref = "integration";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils = {
url = "github:numtide/flake-utils";
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ nixpkgs, ... }@inputs:
inputs.flake-utils.lib.eachDefaultSystem (
system:
inputs:
(
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell {
packages = [ ];
system = "x86_64-linux";
pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfree = true;
};
formatter = pkgs.nixfmt-rfc-style;
treefmt = inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
in
{
devShells.${system}.default = pkgs.mkShell { packages = with pkgs; [ ]; };
formatter.${system} = treefmt.config.build.wrapper;
checks.formatting.${system} = treefmt.config.build.check inputs.self;
}
);
}

View File

@@ -0,0 +1,13 @@
{ ... }:
{
projectRootFile = "flake.nix";
programs = {
nixfmt = {
enable = true;
strict = true;
};
};
settings.global.excludes = [ ".envrc" ];
}

View File

@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
lib,
pkgs,
@@ -10,19 +7,35 @@
...
}:
{
home-manager.users.${user} = {
programs = {
home-manager.users.${user}.programs = {
direnv = {
enable = true;
silent = true;
nix-direnv.enable = true;
enableZshIntegration = true;
config = {
global.warn_timeout = 0;
};
# https://github.com/direnv/direnv/wiki/Customizing-cache-location
stdlib = ''
declare -A direnv_layout_dirs
direnv_layout_dir() {
local hash path
echo "''${direnv_layout_dirs[$PWD]:=$(
hash="$(sha1sum - <<< "$PWD" | head -c40)"
path="''${PWD//[^a-zA-Z0-9]/-}"
echo "${home}/.cache/direnv/layouts/''${hash}''${path}"
)}"
}
'';
};
zsh = {
shellAliases.nde = "nix-direnv";
initExtra =
initContent =
let
devShells = lib.strings.concatStringsSep " " (
lib.attrsets.mapAttrsToList (key: _: key) inputs.self.devShells.${system}
@@ -36,7 +49,7 @@
while getopts "s:h" opt; do
case $opt in
s)
devshell=$OPTARG
devshell="$OPTARG"
;;
h)
hide=true
@@ -49,19 +62,33 @@
done
if [[ -z "$devshell" ]]; then
echo "use flake" > .envrc
if [ ! -f flake.nix ]; then cp "${../nix-develop/template.nix}" flake.nix; fi
if "$hide"; then
echo "use flake path:." > .envrc;
else
echo "use flake" > .envrc;
fi
if [ ! -f flake.nix ]; then
cp "${../nix-develop/template.nix}" flake.nix
chmod 755 flake.nix
fi
if [ ! -f treefmt.nix ]; then
cp "${../nix-develop/treefmt.nix}" treefmt.nix
chmod 755 treefmt.nix
fi
else
echo "use flake self#$devshell" > .envrc
fi
if hide && git rev-parse --is-inside-work-tree &>/dev/null; then
if "$hide" && git rev-parse --is-inside-work-tree &>/dev/null; then
local top
top=$(git rev-parse --show-toplevel)
top="$(git rev-parse --show-toplevel)"
if ! grep -q "^\.envrc$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "$(realpath --relative-to="$top" .envrc)" >> "$top/.git/info/exclude"; fi
if [ -z "$devshell" ]; then
if ! grep -q "^flake.nix$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "flake.nix" >> "$top/.git/info/exclude"; fi
if ! grep -q "^flake.lock$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "flake.lock" >> "$top/.git/info/exclude"; fi
if ! grep -q "^treefmt.nix$" "$top/.gitignore" "$top/.git/info/exclude"; then echo "treefmt.nix" >> "$top/.git/info/exclude"; fi
fi
fi
@@ -84,30 +111,8 @@
};
};
# https://github.com/direnv/direnv/wiki/Customizing-cache-location
xdg.configFile = {
"direnv/direnvrc".text = ''
declare -A direnv_layout_dirs
direnv_layout_dir() {
local hash path
echo "''${direnv_layout_dirs[$PWD]:=$(
hash="$(sha1sum - <<< "$PWD" | head -c40)"
path="''${PWD//[^a-zA-Z0-9]/-}"
echo "${home}/.cache/direnv/layouts/''${hash}''${path}"
)}"
}
'';
"direnv/direnv.toml".source = (
(pkgs.formats.toml { }).generate "direnv.toml" {
global.warn_timeout = 0;
}
);
};
};
environment.persistence = {
"/persist"."${home}/.local/share/direnv/allow" = { };
"/cache"."${home}/.cache/direnv" = { };
"/persist/state"."${home}/.local/share/direnv/allow" = { };
"/persist/cache"."${home}/.cache/direnv" = { };
};
}

Some files were not shown because too many files have changed in this diff Show More