commit c45c7f26a44b392c67ec1894ce711da5db8af0e0 Author: Callum Leslie Date: Fri Aug 30 12:50:02 2024 +0100 initial commit
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..6c5e645
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,18 @@
+on:
+ pull_request:
+ push:
+jobs:
+ ci:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: cachix/install-nix-action@v25
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - uses: DeterminateSystems/magic-nix-cache-action@v2
+ - uses: cachix/cachix-action@v14
+ with:
+ name: callumio-public
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ extraPullNames: nix-community, om
+ - run: nix run github:juspay/omnix -- ci run "."
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b2be92b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+result
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..d5ac243
--- /dev/null
+++ b/flake.lock
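Review bot: The job in `.github/workflows/ci.yml` that holds `CACHIX_AUTH_TOKEN` runs third-party code through mutable references: every `uses:` is pinned to a tag (`@v4`, `@v25`, `@v2`, `@v14`) and the last step runs `nix run github:juspay/omnix` with no revision, so whatever those refs resolve to at run time executes in a job that can write to the `callumio-public` cache. That cache is listed as a substituter with a trusted public key in `modules/nix.nix` in this same commit, so a bad push would presumably be consumed by the hosts. Pin each action to a full commit SHA, pin omnix to a revision (`github:juspay/omnix/<rev>`, placeholder, or a locked flake input), and add a top-level `permissions:` block with `contents: read`. Limiting the cache push to `push` events on the default branch would narrow it further.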
@@ -0,0 +1,759 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "devour-flake": { + "flake": false, + "locked": { + "lastModified": 1709858306, + "narHash": "sha256-Vey9n9hIlWiSAZ6CCTpkrL6jt4r2JvT2ik9wa2bjeC0=", + "owner": "srid", + "repo": "devour-flake", + "rev": "17b711b9deadbbc5629cb7d2b64cf86ae72af3fa", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "devour-flake", + "type": "github" + } + }, + "devshell": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722113426, + "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", + "owner": "numtide", + "repo": "devshell", + "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724895876, + "narHash": "sha256-GSqAwa00+vRuHbq9O/yRv7Ov7W/pcMLis3HmeHv8a+Q=", + "owner": "nix-community", + "repo": "disko", + "rev": "511388d837178979de66d14ca4a2ebd5f7991cd3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": 
"github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nixvim", + "neovim-nightly-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "nixvim", + "neovim-nightly-overlay", + "hercules-ci-effects", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": 
"flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixvim", + "neovim-nightly-overlay", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixvim", + "neovim-nightly-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724857454, + "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "git-hooks_2": { + "inputs": { + "flake-compat": [ + "nixvim", + "nixvim", + "flake-compat" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "nixvim", + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724857454, + "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", + "type": 
"github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nixvim", + "neovim-nightly-overlay", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixvim", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "hercules-ci-effects": { + "inputs": { + "flake-parts": "flake-parts_3", + "nixpkgs": [ + "nixvim", + "neovim-nightly-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724947644, + "narHash": "sha256-MHHrHasTngp7EYQOObHJ1a/IsRF+wodHqOckhH6uZbk=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "dba4367b9a9d9615456c430a6d6af716f6e84cef", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + 
"nixpkgs" + ] + }, + "locked": { + "lastModified": 1720042825, + "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724435763, + "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "neovim-nightly-overlay": { + "inputs": { + "flake-compat": "flake-compat", + "flake-parts": "flake-parts_2", + "git-hooks": "git-hooks", + "hercules-ci-effects": "hercules-ci-effects", + "neovim-src": "neovim-src", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1724996444, + "narHash": "sha256-bgDfNsVPleUyx6vNr5INJTLfkLycNmL3yvSBv1OguLs=", + "owner": "nix-community", + "repo": "neovim-nightly-overlay", + "rev": "d0f68c980e3a0a3a8e63ccca93a01f87fb77937e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "neovim-nightly-overlay", + "type": "github" + } + }, + "neovim-src": { + "flake": false, + "locked": { + "lastModified": 1724970905, + "narHash": "sha256-6HqoxweeX3tQbchJpjUNiBKj/2P3oiQBR42B/QuB+a0=", + "owner": "neovim", + "repo": "neovim", + "rev": "4353996d0fa8e5872a334d68196d8088391960cf", + "type": "github" + }, + "original": { + "owner": "neovim", + "repo": "neovim", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724561770, + "narHash": "sha256-zv8C9RNa86CIpyHwPIVO/k+5TfM8ZbjGwOOpTe1grls=", + "owner": 
"lnl7", + "repo": "nix-darwin", + "rev": "ac5694a0b855a981e81b4d9f14052e3ff46ca39e", + "type": "github" + }, + "original": { + "owner": "lnl7", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixinate": { + "inputs": { + "nixpkgs": [ + "unstable" + ] + }, + "locked": { + "lastModified": 1724970318, + "narHash": "sha256-LGsZmI5LcyjAcjiKU/LztUf2206OWGR5O03OAEzhP4Y=", + "owner": "callumio", + "repo": "nixinate", + "rev": "8bcfff29a6ae466100c64bec22cb7d8215eaa3a5", + "type": "github" + }, + "original": { + "owner": "callumio", + "repo": "nixinate", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1724855419, + "narHash": "sha256-WXHSyOF4nBX0cvHN3DfmEMcLOVdKH6tnMk9FQ8wTNRc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ae2fc9e0e42caaf3f068c1bfdc11c71734125e06", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1722555339, + "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1724840184, + "narHash": "sha256-RXftd9nVNpCKHEaiMhAWiZo3U/SEdRPF0zD7s7u50Oc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4f9cb71da3ec4f76fd406a0d87a1db491eda6870", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixvim": { + "inputs": { + "flake-parts": "flake-parts", + "neovim-nightly-overlay": "neovim-nightly-overlay", + "nixpkgs": [ + "unstable" + ], + "nixvim": "nixvim_2" + }, + "locked": { + "lastModified": 1725004186, + "narHash": "sha256-jJStfMyKX2wdJBOCi4Ws+LBEtCTqAXcBeViyLF98QHc=", + 
"owner": "callumio", + "repo": "nixvim", + "rev": "5bbc06e0db08193f5238a10a8e239370d77158b9", + "type": "github" + }, + "original": { + "owner": "callumio", + "repo": "nixvim", + "type": "github" + } + }, + "nixvim_2": { + "inputs": { + "devshell": "devshell", + "flake-compat": "flake-compat_3", + "flake-parts": [ + "nixvim", + "flake-parts" + ], + "git-hooks": "git-hooks_2", + "home-manager": "home-manager_3", + "nix-darwin": "nix-darwin", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ], + "nuschtosSearch": "nuschtosSearch", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1724968633, + "narHash": "sha256-eb2NCdLwfXL1MuTAkoDncSl2lCJwyylV5/NM1Ws2P/U=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "2704133fe3ca616b22ed6685cc67180456eb4160", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, + "nur": { + "locked": { + "lastModified": 1725012739, + "narHash": "sha256-fVf5QTrPZ6am93vP6nckzDLGWL9zuMh8dRoRtO61lZY=", + "owner": "nix-community", + "repo": "NUR", + "rev": "e5c4ddb026545819dbb9071f70160761c5098ce1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "nuschtosSearch": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724584782, + "narHash": "sha256-7FfHv7b1jwMPSu9SPY9hdxStk8E6EeSwzqdvV69U4BM=", + "owner": "NuschtOS", + "repo": "search", + "rev": "5a08d691de30b6fc28d58ce71a5e420f2694e087", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "devour-flake": "devour-flake", + "disko": "disko", + "home-manager": "home-manager_2", + "nixinate": "nixinate", + "nixpkgs": "nixpkgs", + "nixvim": "nixvim", + "nur": "nur", + "unstable": "unstable", + "utils": "utils" + } + }, + "systems": { + "locked": { + "lastModified": 
1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724833132, + "narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "3ffd842a5f50f435d3e603312eefa4790db46af5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "unstable": { + "locked": { + "lastModified": 1724819573, + "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "utils": { + "inputs": { + "flake-utils": "flake-utils_2" + }, + "locked": { + "lastModified": 1722363685, + "narHash": "sha256-XCf2PIAT6lH7BwytgioPmVf/wkzXjSKScC4KzcZgb64=", + "owner": "gytis-ivaskevicius", + "repo": 
"flake-utils-plus", + "rev": "6b10f51ff73a66bb29f3bc8151a59d217713f496", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..0c96bc9 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,115 @@ +{ + description = "C's Nix-Config"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + + nixinate = { + url = "github:callumio/nixinate"; + inputs.nixpkgs.follows = "unstable"; + }; + + devour-flake = { + url = "github:srid/devour-flake"; + flake = false; + }; + + nixvim = { + url = "github:callumio/nixvim"; + inputs.nixpkgs.follows = "unstable"; + }; + + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + + # i don't need darwin!!! + inputs.darwin.follows = ""; + }; + + utils.url = "github:gytis-ivaskevicius/flake-utils-plus"; + + home-manager = { + url = "github:nix-community/home-manager/release-24.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + #omnix-flake.url = "github:juspay/omnix?dir=nix/om"; + + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nur.url = "github:nix-community/NUR"; + }; + + outputs = { + self, + disko, + nixpkgs, + nixinate, + utils, + nur, + home-manager, + ... 
+ } @ inputs: let + inherit (utils.lib) mkApp; + mods = import ./modules {inherit utils;}; + hosts = import ./hosts {inherit utils;}; + overlay = import ./overlays {inherit inputs;}; + in + with mods.nixosModules; + utils.lib.mkFlake { + inherit self inputs; + inherit (mods) nixosModules; + inherit (hosts) hosts; + supportedSystems = ["x86_64-linux" "aarch64-linux"]; + channelsConfig.allowUnfree = true; + channelsConfig.allowBroken = false; + + channels.nixpkgs.overlaysBuilder = channels: [ + (final: prev: { + inherit (channels) unstable; + }) + ]; + + channels.unstable.overlaysBuilder = channels: [ + (final: prev: { + jellyfin-ffmpeg = prev.jellyfin-ffmpeg.override { + ffmpeg_6-full = prev.ffmpeg_6-full.override { + withMfx = false; + withVpl = true; + }; + }; + }) + ]; + + sharedOverlays = [ + overlay + nur.overlay + ]; + + hostDefaults.modules = [home-manager.nixosModules.home-manager inputs.agenix.nixosModules.default] ++ mods.sharedModules; + + hostDefaults.extraArgs = { + inherit inputs; + }; + + outputsBuilder = channels: + with channels.nixpkgs; { + defaultPackage = nixvim; + packages = utils.lib.exportPackages self.overlays channels; + + formatter = alejandra; + devShell = mkShell { + packages = [just git nixvim cachix jq devour-flake agenix]; + }; + }; + overlays = utils.lib.exportOverlays { + inherit (self) pkgs inputs; + }; + apps.x86_64-linux = (nixinate.nixinate.x86_64-linux self).nixinate; + }; +} diff --git a/hosts/artemis/default.nix b/hosts/artemis/default.nix new file mode 100644 index 0000000..fd01edd --- /dev/null +++ b/hosts/artemis/default.nix @@ -0,0 +1,6 @@ +{ + modules = [./hardware-configuration.nix]; + extraArgs = {}; + specialArgs = {}; + system = "x86_64-linux"; +} diff --git a/hosts/artemis/hardware-configuration.nix b/hosts/artemis/hardware-configuration.nix new file mode 100644 index 0000000..2437cb0 --- /dev/null +++ b/hosts/artemis/hardware-configuration.nix 
@@ -0,0 +1,29 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [(modulesPath + "/installer/scan/not-detected.nix")]; + + boot = { + initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "rtsx_pci_sdmmc"]; + initrd.kernelModules = []; + kernelModules = ["kvm-intel"]; + extraModulePackages = []; + }; + + #boot.kernelPackages = pkgs.linuxPackages_latest; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/5488764f-a50a-4ea2-ac8d-bfe565199018"; + fsType = "ext4"; + }; + + swapDevices = []; + + networking.useDHCP = lib.mkDefault true; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/default.nix b/hosts/default.nix new file mode 100644 index 0000000..7dc82c3 --- /dev/null +++ b/hosts/default.nix @@ -0,0 +1,6 @@ +{utils}: let + hosts = utils.lib.exportModules [ + # ./artemis + ./hermes + ]; +in {inherit hosts;} diff --git a/hosts/hermes/configuration.nix b/hosts/hermes/configuration.nix new file mode 100644 index 0000000..623095a --- /dev/null +++ b/hosts/hermes/configuration.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + pkgs, + inputs, + ... +}: let + inherit (inputs.self.nixosModules) keys; +in { + services.remote-deploy = { + enable = true; + host = "media.cleslie.uk"; + port = 62480; + keys = keys.c; + buildOn = "local"; + }; + + time.timeZone = "Europe/London"; + + users.users.media = { + isNormalUser = true; + extraGroups = ["wheel" "multimedia"]; + openssh.authorizedKeys.keys = keys.c; + packages = with pkgs; [ + tree + nixvim + ]; + }; + + environment.systemPackages = with pkgs; [ + wget + tree + ]; +} diff --git a/hosts/hermes/containers.nix b/hosts/hermes/containers.nix new file mode 100644 index 0000000..0e92ab1 --- /dev/null +++ b/hosts/hermes/containers.nix 
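Review bot: In `hosts/hermes/configuration.nix`, `services.remote-deploy.keys` and `users.users.media.openssh.authorizedKeys.keys` are both `keys.c`, so one workstation key is accepted for the interactive `wheel` account and for the deploy account that `modules/deploy.nix` gives passwordless sudo. A dedicated deploy key (a second list in `modules/keys.nix`, for example `keys.deploy`) would let the root-equivalent credential be rotated or revoked without touching interactive access. It would also allow the deploy key to be kept off day-to-day SSH agents.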
@@ -0,0 +1,44 @@
+{
+ virtualisation = {
+ podman.enable = true;
+ podman.dockerCompat = true;
+ oci-containers.backend = "podman";
+ oci-containers.containers = {
+ flaresolverr = {
+ #image = "ghcr.io/flaresolverr/flaresolverr:latest";
+ #image = "ghcr.io/flaresolverr/flaresolverr:pr-1282";
+ image = "docker.io/alexfozor/flaresolverr:pr-1300";
+ autoStart = true;
+ ports = ["127.0.0.1:8191:8191"];
+ environment = {
+ LOG_LEVEL = "debug";
+ };
+ };
+ tdarr = {
+ image = "ghcr.io/haveagitgat/tdarr";
+ autoStart = true;
+ ports = ["0.0.0.0:8265:8265" "127.0.0.1:8266:8266"];
+ volumes = [
+ "/var/lib/tdarr/server:/app/server"
+ "/var/lib/tdarr/configs:/app/configs"
+ "/var/lib/tdarr/logs:/app/logs"
+ "/var/lib/media/library:/media"
+ "/tmp:/temp"
+ ];
+ environment = {
+ serverIP = "0.0.0.0";
+ serverPort = "8266";
+ webUIPort = "8265";
+ internalNode = "true";
+ inContainer = "true";
+ ffmpegVersion = "6";
+ nodeName = "internal";
+ TZ = "Europe/London";
+ PUID = "1000";
+ PGID = "994";
+ };
+ extraOptions = ["--device=/dev/dri:/dev/dri" "--network=bridge"];
+ };
+ };
+ };
+}
diff --git a/hosts/hermes/default.nix b/hosts/hermes/default.nix
new file mode 100644
index 0000000..074c149
--- /dev/null
+++ b/hosts/hermes/default.nix
@@ -0,0 +1,15 @@
+{
+ modules = [
+ ./hardware-configuration.nix
+ ./configuration.nix
+ ./fail2ban.nix
+ ./containers.nix
+ ./networking.nix
+ ./ssh.nix
+ ./media.nix
+ ];
+ extraArgs = {};
+ specialArgs = {};
+ system = "x86_64-linux";
+ channelName = "unstable";
+}
diff --git a/hosts/hermes/fail2ban.nix b/hosts/hermes/fail2ban.nix
new file mode 100644
index 0000000..5780c9d
--- /dev/null
+++ b/hosts/hermes/fail2ban.nix
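Review bot: The `tdarr` container in `hosts/hermes/containers.nix` publishes its web UI on every interface with `"0.0.0.0:8265:8265"`, and `hosts/hermes/networking.nix` in this commit lists 8265 in `firewall.allowedTCPPorts`, so the UI is reachable over plain HTTP next to the Caddy route `/tdarr/*` that already fronts it. If the proxy is the intended entry point, bind it like the other services, `ports = ["127.0.0.1:8265:8265" "127.0.0.1:8266:8266"];`, and drop 8265 from the firewall list. Both images are mutable references (`ghcr.io/haveagitgat/tdarr` has no tag, `docker.io/alexfozor/flaresolverr:pr-1300` is a third-party PR build); pinning each by `@sha256:` digest keeps a registry-side change from reaching the host unreviewed. The `"/tmp:/temp"` volume shares the host's whole `/tmp` with the container, and a dedicated directory under `/var/lib/tdarr` would be narrower.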
@@ -0,0 +1,106 @@ +{pkgs, ...}: { + services.fail2ban = { + enable = true; + jails = { + sshd.settings = {enabled = false;}; + radarr.settings = { + enabled = true; + filter = "arr"; + action = '' + iptables-allports + ''; + logpath = "/var/lib/radarr/.config/Radarr/logs/radarr.txt"; + backend = "auto"; + maxretry = 4; + bantime = "52w"; + findtime = "52w"; + chain = "FORWARD"; + }; + sonarr.settings = { + enabled = true; + filter = "arr"; + action = '' + iptables-allports + ''; + logpath = "/var/lib/sonarr/.config/NzbDrone/logs/sonarr.txt"; + backend = "auto"; + maxretry = 4; + bantime = "52w"; + findtime = "52w"; + chain = "FORWARD"; + }; + + prowlarr.settings = { + enabled = true; + filter = "arr"; + action = '' + iptables-allports + ''; + logpath = "/var/lib/prowlarr/logs/prowlarr.txt"; + backend = "auto"; + maxretry = 4; + bantime = "52w"; + findtime = "52w"; + chain = "FORWARD"; + }; + + jellyseerr.settings = { + enabled = true; + filter = "jellyseerr"; + action = '' + iptables-allports + ''; + logpath = "/var/lib/jellyseerr/logs/overseer*.log"; + backend = "auto"; + maxretry = 4; + bantime = "52w"; + findtime = "52w"; + chain = "FORWARD"; + }; + + jellyfin.settings = { + enabled = true; + filter = "jellyfin"; + action = '' + iptables-allports + ''; + logpath = "/var/lib/jellyfin/log/log*.log"; + backend = "auto"; + maxretry = 4; + bantime = "52w"; + findtime = "52w"; + chain = "FORWARD"; + }; + }; + }; + environment.etc = { + "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [INCLUDES] + before = common.conf + + [Definition] + datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S\.%%f\| + failregex = ^\s*Warn\|Auth\|Auth-Failure ip username '[^']+' + ignoreregex = + ''); + + "fail2ban/filter.d/jellyseerr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [INCLUDES] + before = common.conf + + [Definition] + failregex = ^.*\[warn\]\[API\]: Failed sign-in attempt using invalid Overseerr password {"ip":"","email": + ^.*\[warn\]\[Auth\]: Failed 
login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"","email": + ignoreregex = + ''); + + "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [INCLUDES] + before = common.conf + + [Definition] + failregex = ^.*Authentication request for .* has been denied \(IP: ""\)\. + ignoreregex = + ''); + }; +} diff --git a/hosts/hermes/hardware-configuration.nix b/hosts/hermes/hardware-configuration.nix new file mode 100644 index 0000000..18edee1 --- /dev/null +++ b/hosts/hermes/hardware-configuration.nix @@ -0,0 +1,39 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + boot = { + initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; + initrd.kernelModules = []; + kernelModules = ["kvm-intel"]; + kernelParams = [ + "i915.enable_guc=2" + ]; + extraModulePackages = []; + }; + + #boot.kernelPackages = pkgs.linuxPackages_latest; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/c2f5061f-7577-4947-ba1d-f1ba12ec3271"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/57CE-8609"; + fsType = "vfat"; + options = ["fmask=0077" "dmask=0077"]; + }; + + swapDevices = []; + + networking.useDHCP = lib.mkDefault true; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/hermes/media.nix b/hosts/hermes/media.nix new file mode 100644 index 0000000..7739332 --- /dev/null +++ b/hosts/hermes/media.nix 
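Review bot: Every jail in `hosts/hermes/fail2ban.nix` sets `chain = "FORWARD"`, but sonarr, radarr, prowlarr, jellyseerr and jellyfin are enabled as host services behind Caddy in `media.nix`, so client traffic to them should traverse INPUT and a ban inserted in FORWARD would likely not block it; `chain = "INPUT";` looks like what is wanted, to be confirmed on the host with a test ban. As rendered on this page the three `failregex` values carry no `<HOST>` or `<ADDR>` capture (`ip username`, `"ip":""`, `IP: ""`); that may be an extraction artefact, but if the file really lacks it fail2ban has no address to ban. With `maxretry = 4` and both `findtime` and `bantime` at `52w`, four mistyped passwords within a year lock a legitimate address out for a year, so a shorter `findtime` combined with `bantime-increment` is worth considering. The `sshd` jail is disabled while sshd is exposed on port 62480 in `ssh.nix`, and a comment saying why would help.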
@@ -0,0 +1,148 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
+ mediaDir = "/var/lib/media";
+in {
+ users = {
+ groups.multimedia = {gid = 994;};
+ users."root".extraGroups = ["multimedia"];
+ users."media".extraGroups = ["multimedia"];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${mediaDir} 0775 - multimedia - -"
+
+ "d ${mediaDir}/torrents 0775 - multimedia -"
+ "d ${mediaDir}/torrents/Downloads 0775 - multimedia -"
+
+ "d ${mediaDir}/usenet 0775 - multimedia -"
+ "d ${mediaDir}/usenet/Downloads 0775 - multimedia -"
+ "d ${mediaDir}/usenet/Done 0775 - multimedia -"
+
+ "d ${mediaDir}/library/Movies 0775 - multimedia - -"
+ "d ${mediaDir}/library/TV 0775 - multimedia - -"
+ "d ${mediaDir}/library/Music 0775 - multimedia - -"
+
+ "d /var/lib/tdarr 0775 - multimedia - "
+ "d /var/lib/tdarr/server 0775 - multimedia - "
+ "d /var/lib/tdarr/configs 0775 - multimedia - "
+ "d /var/lib/tdarr/logs 0775 - multimedia - "
+ ];
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
+ };
+
+ hardware.graphics = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver
+ intel-vaapi-driver # previously vaapiIntel
+ vaapiVdpau
+ libvdpau-va-gl
+ intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+ vpl-gpu-rt # QSV on 11th gen or newer
+ #intel-media-sdk # QSV up to 11th gen
+ ];
+ };
+
+ services = {
+ caddy = {
+ enable = true;
+ email = "acme@cleslie.uk";
+ virtualHosts = {
+ "media.cleslie.uk".extraConfig = ''
+ redir /radarr /radarr/
+ redir /sonarr /sonarr/
+ redir /lidarr /lidarr/
+ redir /bazarr /bazarr/
+ redir /prowlarr /prowlarr/
+ redir /tdarr /tdarr/
+ redir /deluge /deluge/
+ reverse_proxy /radarr/* 127.0.0.1:7878
+ reverse_proxy /sonarr/* 127.0.0.1:8989
+ reverse_proxy /lidarr/* 127.0.0.1:8686
+ reverse_proxy /bazarr/* 127.0.0.1:6767
+ reverse_proxy /prowlarr/* 127.0.0.1:9696
+ reverse_proxy /tdarr/* http://127.0.0.1:8265 {
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ header_up X-Forwarded-For {remote}
+ }
+ route /deluge/* {
+ uri strip_prefix deluge
+ reverse_proxy 127.0.0.1:8112 {
+ header_up X-Real-IP {remote}
+ header_up X-Deluge-Base "/deluge"
+
+ }
+ }
+ '';
+ "watch.cleslie.uk".extraConfig = ''
+ reverse_proxy http://localhost:8096
+ '';
+ "request.cleslie.uk".extraConfig = ''
+ reverse_proxy http://localhost:5055
+ '';
+ };
+ };
+
+ homepage-dashboard = {
+ enable = false;
+ };
+
+ jellyfin = {
+ enable = true;
+ package = pkgs.jellyfin;
+ group = "multimedia";
+ openFirewall = false;
+ };
+ jellyseerr = {
+ enable = true;
+ openFirewall = false;
+ };
+ sonarr = {
+ enable = true;
+ group = "multimedia";
+ openFirewall = false;
+ };
+ radarr = {
+ enable = true;
+ group = "multimedia";
+ openFirewall = false;
+ };
+ bazarr = {
+ enable = true;
+ group = "multimedia";
+ openFirewall = false;
+ };
+ prowlarr = {
+ enable = true;
+ openFirewall = false;
+ };
+ deluge = {
+ enable = true;
+ group = "multimedia";
+ web.enable = true;
+ web.openFirewall = false;
+ dataDir = "${mediaDir}/torrents";
+ declarative = true;
+ config = {
+ enabled_plugins = ["Label"];
+ outgoing_interface = "wg1";
+ allow_remote = true;
+ openFirewall = false;
+ sequential_download = true;
+ };
+ authFile = pkgs.writeTextFile {
+ name = "deluge-auth";
+ text = ''
+ localclient::10
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/hermes/networking.nix b/hosts/hermes/networking.nix
new file mode 100644
index 0000000..f20c35e
--- /dev/null
+++ b/hosts/hermes/networking.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ networking.hostName = "hermes";
+ networking = {
+ enableIPv6 = false;
+ firewall.allowedTCPPorts = [80 443 8265];
+ firewall.checkReversePath = false;
+ iproute2.enable = true;
+ iproute2.rttablesExtraConfig = ''
+ 200 vpn
+ '';
+ wg-quick.interfaces.wg1 = {
+ configFile = config.age.secrets.wg-conf.path;
+ table = "vpn";
+ };
+ };
+}
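Review bot: The deluge daemon in `hosts/hermes/media.nix` is configured with `allow_remote = true` while `authFile` contains `localclient::10`, an admin-level account with an empty password, and `pkgs.writeTextFile` places that file in the world-readable Nix store. The daemon port is not in `firewall.allowedTCPPorts` in this commit, so exposure depends on the firewall staying that way; since the web UI connects over localhost, `allow_remote = false;` removes that dependency. If a password is added later, supply the auth file from an agenix secret (`config.age.secrets.<name>.path`, placeholder name) rather than from the store. `openFirewall = false;` inside `config` is written into Deluge's own settings rather than read by the NixOS module, which looks unintended.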
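Review bot: `firewall.checkReversePath = false;` in `hosts/hermes/networking.nix` turns reverse-path filtering off for every interface, which removes a cheap anti-spoofing check on the public side as well. If it is only needed for the `wg1` policy-routing table, `firewall.checkReversePath = "loose";` is usually enough for that case and keeps the filter in place. A one-line comment stating why the filter is relaxed would help the next reader judge whether it can be tightened.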
diff --git a/hosts/hermes/ssh.nix b/hosts/hermes/ssh.nix
new file mode 100644
index 0000000..6e7ddbc
--- /dev/null
+++ b/hosts/hermes/ssh.nix
@@ -0,0 +1,15 @@
+{
+ services = {
+ openssh = {
+ enable = true;
+ ports = [62480];
+ settings.PasswordAuthentication = false;
+ settings.PermitRootLogin = "no";
+ };
+ endlessh-go = {
+ enable = true;
+ port = 22;
+ openFirewall = true;
+ };
+ };
+}
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..2f24fab
--- /dev/null
+++ b/justfile
@@ -0,0 +1,19 @@
+default:
+ just --list
+
+alias r := rebuild
+alias v := vim
+alias u := update
+alias c := cache
+
+rebuild:
+ sudo nixos-rebuild switch --flake .#
+
+vim:
+ nix flake lock --update-input nixvim
+
+update:
+ nix flake update
+
+cache:
+ devour-flake . | cachix push callumio-public
diff --git a/modules/boot.nix b/modules/boot.nix
new file mode 100644
index 0000000..b5aa799
--- /dev/null
+++ b/modules/boot.nix
@@ -0,0 +1,7 @@
+{...}: {
+ boot.loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = true;
+ };
+ system.stateVersion = "24.05";
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..f8a8af0
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,17 @@
+{utils}: let
+ nixosModules = utils.lib.exportModules [
+ ./nix.nix
+ ./hm.nix
+ ./boot.nix
+ ./deploy.nix
+ ./keys.nix
+ ./secret.nix
+ ];
+ sharedModules = with nixosModules; [
+ nix
+ hm
+ boot
+ deploy
+ secret
+ ];
+in {inherit nixosModules sharedModules;}
diff --git a/modules/deploy.nix b/modules/deploy.nix
new file mode 100644
index 0000000..9406898
--- /dev/null
+++ b/modules/deploy.nix
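Review bot: `services.openssh` in `hosts/hermes/ssh.nix` disables `PasswordAuthentication` but leaves keyboard-interactive authentication at the module default, which I believe is enabled on NixOS and can still present a PAM password prompt. Adding `settings.KbdInteractiveAuthentication = false;` makes the key-only intent explicit. Since only `media` and the deploy account appear to need SSH, `settings.AllowUsers = ["media" "deploy"];` would narrow the surface further; `deploy` is the default user name from `modules/deploy.nix`.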
@@ -0,0 +1,74 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.services.remote-deploy;
+in {
+ options.services.remote-deploy = {
+ enable = mkEnableOption "Enable remote deployment with nixinate.";
+ host = mkOption {
+ type = types.str;
+ description = "Hostname to connect to.";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "deploy";
+ description = "Username for deploy account.";
+ };
+ group = mkOption {
+ type = types.str;
+ default = "deploy";
+ description = "Group for deploy account.";
+ };
+ keys = mkOption {
+ type = types.listOf types.str;
+ description = "Authorised SSH keys for deployment";
+ };
+ port = mkOption {
+ type = types.port;
+ default = 22;
+ description = "SSH port to use.";
+ };
+ buildOn = mkOption {
+ type = types.enum ["local" "remote"];
+ default = "local";
+ description = "Where to build the config.";
+ };
+
+ substituteOnTarget = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Substitute closures and paths from remote";
+ };
+ };
+ config = mkIf cfg.enable {
+ _module.args = {
+ nixinate = {
+ inherit (cfg) host buildOn port substituteOnTarget;
+ sshUser = cfg.user;
+ };
+ };
+ users.groups."${cfg.group}" = {};
+ users.users."${cfg.user}" = {
+ isSystemUser = true;
+ shell = pkgs.bash;
+ inherit (cfg) group;
+ openssh.authorizedKeys.keys = cfg.keys;
+ };
+ nix.settings.trusted-users = [cfg.user];
+ security.sudo.extraRules = [
+ {
+ groups = [cfg.group];
+ commands = [
+ {
+ command = "ALL";
+ options = ["NOPASSWD"];
+ }
+ ];
+ }
+ ];
+ };
+}
diff --git a/modules/hm.nix b/modules/hm.nix
new file mode 100644
index 0000000..ea61073
--- /dev/null
+++ b/modules/hm.nix
@@ -0,0 +1,4 @@
+{pkgs, ...}: {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+}
diff --git a/modules/keys.nix b/modules/keys.nix
new file mode 100644
index 0000000..0eb10e3
--- /dev/null
+++ b/modules/keys.nix
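Review bot: In modules/deploy.nix the sudo rule gives the deploy group `command = "ALL"` with `NOPASSWD`, and `cfg.user` is also placed in `nix.settings.trusted-users`, so every key listed in `cfg.keys` is equivalent to root on the target. If that is the intended trade-off for nixinate, the option text should say so, for example `description = "Authorised SSH keys for deployment; each key grants passwordless root through sudo.";`, and it is worth checking whether the rule can be narrowed to the commands the deployment actually runs, which cannot be determined from this hunk. As a smaller point, `mkEnableOption` already prefixes "Whether to enable", so `mkEnableOption "remote deployment with nixinate"` avoids the doubled verb in the rendered option docs.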
@@ -0,0 +1,5 @@
+{
+ c = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDStMNZgO26AhBz+GkwkMnnDL7nfhOblEMz+bXVaDM3M ssh@cleslie.uk"
+ ];
+}
diff --git a/modules/nix.nix b/modules/nix.nix
new file mode 100644
index 0000000..379244e
--- /dev/null
+++ b/modules/nix.nix
@@ -0,0 +1,18 @@
+{
+ nix = {
+ extraOptions = "gc-keep-outputs = true";
+ settings = {
+ experimental-features = ["nix-command" "flakes"];
+
+ substituters = [
+ "https://nix-community.cachix.org"
+ "https://callumio-public.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "callumio-public.cachix.org-1:VucOSl7vh44GdqcILwMIeHlI0ufuAnHAl8cO1U/7yhg="
+ ];
+ };
+ };
+}
diff --git a/modules/secret.nix b/modules/secret.nix
new file mode 100644
index 0000000..06ad9f4
--- /dev/null
+++ b/modules/secret.nix
@@ -0,0 +1,3 @@
+{
+ imports = [../secrets/secrets-configuration.nix];
+}
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..16a563f
--- /dev/null
+++ b/overlays/default.nix
@@ -0,0 +1,5 @@
+{inputs, ...}: _final: prev: {
+ nixvim = inputs.nixvim.packages.${prev.system}.default;
+ devour-flake = prev.callPackage inputs.devour-flake {};
+ agenix = inputs.agenix.packages.${prev.system}.default;
+}
diff --git a/secrets/secrets-configuration.nix b/secrets/secrets-configuration.nix
new file mode 100644
index 0000000..96c2c1c
--- /dev/null
+++ b/secrets/secrets-configuration.nix
@@ -0,0 +1,5 @@
+{
+ age.secrets."wg-conf" = {
+ file = ./wg-conf.age;
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..251f280
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,10 @@ +let + keys = import ../modules/keys.nix; + systems = { + hermes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnmnOWpdewwytd15JcnJvJWbIE8hcMu/pp1TPqsvdol"; + artemis = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILERlCL5ZwP/mmtBNAMtLrUwEDy+tOprUWUmsGBRlTCF"; + }; + allSystems = builtins.attrValues systems; +in { + "wg-conf.age".publicKeys = keys.c ++ [systems.hermes]; +} diff --git a/secrets/wg-conf.age b/secrets/wg-conf.age new file mode 100644 index 0000000..fceaf28 --- /dev/null +++ b/secrets/wg-conf.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 /RyXeg XctPskEC5nKQwQ92umIwfryLtDqmgZihaMtkeOw7RxM +H2gVqcepTLHsnbiAZRPftpxZDGmptg8fGuweyFoAhRY +-> ssh-ed25519 aSaoJQ HtQ5MYtdlvwor5K5cB7uk+c535NoORJEM6NfYWRE6Vc +7/LiMkQp4Kg/+xnnkpOD7A/ecKmkSCz4S9DqvHBpxyE +--- nUlb1sy20HiTPwOXexW1tJpbZsLbV/tOkGIyzp8Hu4M +#* 껿Xd :i][2SiUNUڋ>r=4B]+xK-`M$+󼞯z`\+ u›&Y=A>5mT($*%[XP:F) x B߅Kl3.}=gg Rdk AbfT#WK{޾@tA:S8FDŽK̅Q"(Psa0ؿG">8JsEjBtfˋ<[DmzK'Z]Eϸ'㬒}WVd?Xx! ?ؚ \ No newline at end of file