Diffstat (limited to '')
29 files changed, 782 insertions, 621 deletions
diff --git a/configurations/eonwe/default.nix b/configurations/eonwe/default.nix
index f1a56e6..f718135 100644
--- a/configurations/eonwe/default.nix
+++ b/configurations/eonwe/default.nix
@@ -12,6 +12,7 @@ with lib;
 ark.enable = true;
 wireguard.client.enable = true;
+ wireguard-ng.client.enable = false;
 syncthing.enable = true;
@@ -52,8 +53,8 @@ with lib;
 mapShaders = map (args: toString (pkgs.fetchurl args));
 cfl-prediction = mapShaders [
 {
- url = "https://raw.githubusercontent.com/Artoriuz/glsl-chroma-from-luma-prediction/471c65dd3915d39e7ef69957ab63e006125fbb88/CfL_Prediction.glsl";
- sha256 = "sha256-Mgb1KqF1EPPzR3SCVr9S4XzVmZkYEEFIHSp59RZ9wq8=";
+ url = "https://raw.githubusercontent.com/Artoriuz/glsl-chroma-from-luma-prediction/9fdd0bc68cd8ae42a8072a7d5d098f118daa4293/CfL_Prediction.glsl";
+ sha256 = "sha256-RK3baWkL0mZwcx+utsHfiiX1mY1jxEOg7/kNsNJvEPc=";
 }
 ];
 ravu-lite-ar-r4 = mapShaders [
@@ -64,8 +65,8 @@ with lib;
 ];
 ssimdownscaler = mapShaders [
 {
- url = "https://gist.githubusercontent.com/igv/36508af3ffc84410fe39761d6969be10/raw/575d13567bbe3caa778310bd3b2a4c516c445039/SSimDownscaler.glsl";
- sha256 = "sha256-AEq2wv/Nxo9g6Y5e4I9aIin0plTcMqBG43FuOxbnR1w=";
+ url = "https://gist.githubusercontent.com/igv/36508af3ffc84410fe39761d6969be10/raw/38992bce7f9ff844f800820df0908692b65bb74a/SSimDownscaler.glsl";
+ sha256 = "sha256-9G9HEKFi0XBYudgu2GEFiLDATXvgfO9r8qjEB3go+AQ=";
 }
 ];
 in
@@ -151,6 +152,8 @@ with lib;
 };
 };
+ programs.corectrl.enable = true;
+
 services = {
 displayManager = {
 sddm.enable = lib.mkForce false;
@@ -325,6 +328,8 @@ with lib;
 memoryPercent = 25;
 };
+ my.extraGroups = [ "corectrl" ];
+
 users = {
 users.builder = {
 isSystemUser = true;
diff --git a/configurations/eonwe/ollama.nix b/configurations/eonwe/ollama.nix
index 69fa9fd..806885b 100644
--- a/configurations/eonwe/ollama.nix
+++ b/configurations/eonwe/ollama.nix
@@ -3,7 +3,6 @@
 lib,
 ...
 }:
-
 {
 ark.directories = [
 config.services.ollama.home
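Review bot: Adding the login user to the `corectrl` group in hunk `@@ -325,6 +328,8 @@` is a privilege grant that the change does not document: as far as I recall, the NixOS `programs.corectrl` module enabled in the earlier hunk ships a polkit rule that lets local, active members of `corectrl` start the root `org.corectrl.helper.init` helper without authentication, and that helper writes GPU/CPU clock, voltage and power-limit state. Please record the trade-off at the grant site, e.g. `my.extraGroups = [ "corectrl" ]; # Passwordless polkit access to the root corectrl helper (GPU/CPU tuning).`, so the group is not later mistaken for a read-only sensors group. The `my` alias and the enclosing `users`/`services` attribute sets continue outside the hunk.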
@@ -16,7 +15,11 @@
 bookmarks = [
 {
 name = "Ollama";
- url = "http://127.0.0.1:11435";
+ url = "http://eonwe.shire.net:11435";
+ }
+ {
+ name = "Open WebUI";
+ url = "http://eonwe.shire.net:11436";
 }
 ];
 }
@@ -24,7 +27,7 @@
 services = {
 ollama = {
- enable = false;
+ enable = true;
 host = "0.0.0.0";
 port = 11434;
@@ -33,52 +36,62 @@
 group = "ollama";
 acceleration = "rocm";
- rocmOverrideGfx = "10.3.0";
+ rocmOverrideGfx = "11.0.0";
 environmentVariables.OLLAMA_ORIGINS = lib.concatStringsSep "," [
- "http://127.0.0.1:11435"
+ "http://eonwe.shire.net:11434"
 "http://eonwe.shire.net:11435"
- "http://eonwe:11435"
- "http://localhost:11435"
+ "http://eonwe.shire.net:11436"
 ];
 openFirewall = true;
 };
+ nextjs-ollama-llm-ui = {
+ enable = true;
+
+ hostname = "0.0.0.0";
+ port = 11435;
+
+ ollamaUrl = "http://eonwe.shire.net:11434";
+ };
+
 open-webui = {
- enable = false;
+ enable = true;
+
+ host = "0.0.0.0";
 port = 11436;
+
 environment = {
 ANONYMIZED_TELEMETRY = "False";
 DO_NOT_TRACK = "True";
 ENABLE_SIGNUP = "False";
- OLLAMA_BASE_URL = "http://127.0.0.1:11434";
+ OLLAMA_BASE_URL = "http://eonwe.shire.net:11434";
 SCARF_NO_ANALYTICS = "True";
 WEBUI_AUTH = "False";
 WEBUI_URL = "http://eonwe.shire.net:11436";
 };
- };
- nextjs-ollama-llm-ui = {
- enable = false;
-
- hostname = "0.0.0.0";
- port = 11435;
-
- ollamaUrl = "http://127.0.0.1:11434";
+ openFirewall = true;
 };
 };
- systemd.services = {
- ollama = {
- serviceConfig = {
- StateDirectory = lib.mkForce config.services.ollama.home;
- DynamicUser = lib.mkForce false;
- User = config.services.ollama.user;
- Group = config.services.ollama.group;
- };
- };
+ systemd.services.ollama.serviceConfig = {
+ StateDirectory = lib.mkForce config.services.ollama.home;
+ DynamicUser = lib.mkForce false;
+ User = config.services.ollama.user;
+ Group = config.services.ollama.group;
+ };
- nextjs-ollama-llm-ui.serviceConfig.CacheDirectory = "nextjs-ollama-llm-ui";
+ users = {
+ users.ollama = {
+ isSystemUser = true;
+ group = "ollama";
+ inherit (config.services.ollama) home;
+ uid = 241; # Reuses a removed ID from Nixpkgs.
+ };
+ groups.ollama.gid = 241;
 };
+
+ my.extraGroups = [ "ollama" ];
 }
diff --git a/configurations/tulkas/default.nix b/configurations/tulkas/default.nix
index c4ab860..5946ea8 100644
--- a/configurations/tulkas/default.nix
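Review bot: `open-webui` is enabled with `WEBUI_AUTH = "False"`, bound to `host = "0.0.0.0"` and opened in the firewall (`openFirewall = true`), so every client that can reach port 11436 gets a login-free session that, as I understand Open WebUI's single-user mode, carries admin rights; the Ollama API on 11434 is likewise bound to `0.0.0.0` (previous hunk) with `openFirewall = true` and has no authentication of its own, so anyone on that network can run, pull or delete models. If the intent is access only over the `shire.net` overlay, bind both services to that interface's address, or keep `0.0.0.0` and replace the two `openFirewall = true` lines with `networking.firewall.interfaces.<wg-if>.allowedTCPPorts = [ 11434 11436 ];`, or front them with a reverse proxy that authenticates. `nextjs-ollama-llm-ui` also listens on `0.0.0.0:11435` but gets no `openFirewall`, so it is reachable only through whatever the firewall already allows; if that asymmetry is deliberate, say so in a comment. A one-line note that `eonwe.shire.net` is not reachable from the public internet would make the accepted threat model explicit.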
+++ b/configurations/tulkas/default.nix
@@ -5,6 +5,10 @@ with lib;
 nixfiles.modules = {
 wireguard.client.enable = true;
+ wireguard-ng.server.enable = true;
+
+ unbound-ng.enable = true;
+ unbound-ng.domain = "shire.local";
 };
 services.qemuGuest.enable = true;
diff --git a/configurations/varda/default.nix b/configurations/varda/default.nix
index a63db61..c12c811 100644
--- a/configurations/varda/default.nix
+++ b/configurations/varda/default.nix
@@ -8,7 +8,7 @@ with lib;
 sing-box.enable = true;
- games.minecraft.server.enable = true;
+ games.minecraft.server.enable = false;
 };
 boot = {
diff --git a/flake.lock b/flake.lock
index e2be2b8..c4ee276 100644
--- a/flake.lock
+++ b/flake.lock
@@ -51,39 +51,6 @@
 "type": "github"
 }
 },
- "aquamarine": {
- "inputs": {
- "hyprutils": [
- "hyprland",
- "hyprutils"
- ],
- "hyprwayland-scanner": [
- "hyprland",
- "hyprwayland-scanner"
- ],
- "nixpkgs": [
- "hyprland",
- "nixpkgs"
- ],
- "systems": [
- "hyprland",
- "systems"
- ]
- },
- "locked": {
- "lastModified": 1731774881,
- "narHash": "sha256-1Dxryiw8u2ejntxrrv3sMtIE8WHKxmlN4KeH+uMGbmc=",
- "owner": "hyprwm",
- "repo": "aquamarine",
- "rev": "b31a6a4da8199ae3489057db7d36069a70749a56",
- "type": "github"
- },
- "original": {
- "owner": "hyprwm",
- "repo": "aquamarine",
- "type": "github"
- }
- },
 "arkenfox": {
 "inputs": {
 "flake-compat": [
@@ -262,11 +229,11 @@
 ]
 },
 "locked": {
- "lastModified": 1732742778,
- "narHash": "sha256-i+Uw8VOHzQe9YdNwKRbzvaPWLE07tYVqUDzSFTXhRgk=",
+ "lastModified": 1734343412,
+ "narHash": "sha256-b7G8oFp0Nj01BYUJ6ENC9Qf/HsYAIZvN9k/p0Kg/PFU=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "341482e2f4d888e3f60cae1c12c3df896e7230d8",
+ "rev": "a08bfe06b39e94eec98dd089a2c1b18af01fef19",
 "type": "github"
 },
 "original": {
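Review bot: `unbound-ng.domain = "shire.local"` puts the zone under `.local`, which RFC 6762 reserves for mDNS, so clients running Avahi or systemd-resolved (and Android, per the GrapheneOS Pixel entry elsewhere in this change) typically resolve `*.local` by multicast and never ask this unbound instance. The rest of the change uses `shire.net` for the same hosts (the Ollama bookmarks and `OLLAMA_ORIGINS`), so the suffix looks accidental; `shire.net` or an RFC 8375 `home.arpa` name would avoid the conflict. If `.local` is intentional, add `unbound-ng.domain = "shire.local"; # .local is mDNS-reserved (RFC 6762); served by unbound here on purpose` so the next reader does not change it.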
@@ -285,11 +252,11 @@ ] }, "locked": { - "lastModified": 1726867691, - "narHash": "sha256-IK3r16N9pizf53AipOmrcrcyjVsPJwC4PI5hIqEyKwQ=", + "lastModified": 1733919067, + "narHash": "sha256-ZsL5pKwEDhcZhVJh+3IwgHus7kSW/N8qOlBscwB6BCI=", "owner": "nix-community", "repo": "dns.nix", - "rev": "a3196708a56dee76186a9415c187473b94e6cbae", + "rev": "a23f43f9762aa96d3e35c8eeefa7610bd0cdf456", "type": "github" }, "original": { @@ -300,11 +267,11 @@ }, "flake-compat": { "locked": { - "lastModified": 1732722421, - "narHash": "sha256-HRJ/18p+WoXpWJkcdsk9St5ZiukCqSDgbOGFa8Okehg=", + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9ed2ac151eada2306ca8c418ebd97807bb08f6ac", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { @@ -318,11 +285,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { @@ -400,11 +367,11 @@ ] }, "locked": { - "lastModified": 1732021966, - "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", + "lastModified": 1734379367, + "narHash": "sha256-Keu8z5VgT5gnCF4pmB+g7XZFftHpfl4qOn7nqBcywdE=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", + "rev": "0bb4be58f21ff38fc3cdbd6c778eb67db97f0b99", "type": "github" }, "original": { 
@@ -437,16 +404,16 @@ "gnome-shell": { "flake": false, "locked": { - "lastModified": 1713702291, - "narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=", + "lastModified": 1732369855, + "narHash": "sha256-JhUWbcYPjHO3Xs3x9/Z9RuqXbcp5yhPluGjwsdE2GMg=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934", + "rev": "dadd58f630eeea41d645ee225a63f719390829dc", "type": "github" }, "original": { "owner": "GNOME", - "ref": "46.1", + "ref": "47.2", "repo": "gnome-shell", "type": "github" } @@ -458,11 +425,11 @@ ] }, "locked": { - "lastModified": 1732482255, - "narHash": "sha256-GUffLwzawz5WRVfWaWCg78n/HrBJrOG7QadFY6rtV8A=", + "lastModified": 1734344598, + "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=", "owner": "nix-community", "repo": "home-manager", - "rev": "a9953635d7f34e7358d5189751110f87e3ac17da", + "rev": "83ecd50915a09dca928971139d3a102377a8d242", "type": "github" }, "original": { @@ -474,11 +441,11 @@ "homelab-svg-assets": { "flake": false, "locked": { - "lastModified": 1732477017, - "narHash": "sha256-HMfTbHfs2F4v3B6/f41Hn/R7H2/YKxL+NurVy4SyfHI=", + "lastModified": 1733409874, + "narHash": "sha256-Q9QMq9dXIjvJB7YSE3DU5W2eOAPQxjBRKYmNvk+ZnFo=", "owner": "loganmarchione", "repo": "homelab-svg-assets", - "rev": "f1d8b8b097a243ebdc60d62b104eb8c1890c3447", + "rev": "f084a7da8dc72f44edcd8c21dd8650b5f781734c", "type": "github" }, "original": { 
@@ -487,175 +454,13 @@ "type": "github" } }, - "hyprcursor": { - "inputs": { - "hyprlang": [ - "hyprland", - "hyprlang" - ], - "nixpkgs": [ - "hyprland", - "nixpkgs" - ], - "systems": [ - "hyprland", - "systems" - ] - }, - "locked": { - "lastModified": 1728669738, - "narHash": "sha256-EDNAU9AYcx8OupUzbTbWE1d3HYdeG0wO6Msg3iL1muk=", - "owner": "hyprwm", - "repo": "hyprcursor", - "rev": "0264e698149fcb857a66a53018157b41f8d97bb0", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "hyprcursor", - "type": "github" - } - }, - "hyprland": { - "inputs": { - "aquamarine": "aquamarine", - "hyprcursor": "hyprcursor", - "hyprland-protocols": "hyprland-protocols", - "hyprlang": "hyprlang", - "hyprutils": "hyprutils", - "hyprwayland-scanner": "hyprwayland-scanner", - "nixpkgs": "nixpkgs", - "pre-commit-hooks": [ - "git-hooks" - ], - "systems": "systems_3", - "xdph": "xdph" - }, - "locked": { - "lastModified": 1732737540, - "narHash": "sha256-ORogf5yeqxar+fMJek+rpUgfnCOYcoeomvczo/tYOcE=", - "owner": "hyprwm", - "repo": "Hyprland", - "rev": "5329298b522e3cc1201894909443775b00aeb336", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "Hyprland", - "type": "github" - } - }, - "hyprland-protocols": { - "inputs": { - "nixpkgs": [ - "hyprland", - "nixpkgs" - ], - "systems": [ - "hyprland", - "systems" - ] - }, - "locked": { - "lastModified": 1728345020, - "narHash": "sha256-xGbkc7U/Roe0/Cv3iKlzijIaFBNguasI31ynL2IlEoM=", - "owner": "hyprwm", - "repo": "hyprland-protocols", - "rev": "a7c183800e74f337753de186522b9017a07a8cee", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "hyprland-protocols", - "type": "github" - } - }, - "hyprlang": { - "inputs": { - "hyprutils": [ - "hyprland", - "hyprutils" - ], - "nixpkgs": [ - "hyprland", - "nixpkgs" - ], - "systems": [ - "hyprland", - "systems" - ] - }, - "locked": { - "lastModified": 1728168612, - "narHash": "sha256-AnB1KfiXINmuiW7BALYrKqcjCnsLZPifhb/7BsfPbns=", - "owner": "hyprwm", 
- "repo": "hyprlang", - "rev": "f054f2e44d6a0b74607a6bc0f52dba337a3db38e", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "hyprlang", - "type": "github" - } - }, - "hyprutils": { - "inputs": { - "nixpkgs": [ - "hyprland", - "nixpkgs" - ], - "systems": [ - "hyprland", - "systems" - ] - }, - "locked": { - "lastModified": 1731702627, - "narHash": "sha256-+JeO9gevnXannQxMfR5xzZtF4sYmSlWkX/BPmPx0mWk=", - "owner": "hyprwm", - "repo": "hyprutils", - "rev": "e911361a687753bbbdfe3b6a9eab755ecaf1d9e1", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "hyprutils", - "type": "github" - } - }, - "hyprwayland-scanner": { - "inputs": { - "nixpkgs": [ - "hyprland", - "nixpkgs" - ], - "systems": [ - "hyprland", - "systems" - ] - }, - "locked": { - "lastModified": 1726874836, - "narHash": "sha256-VKR0sf0PSNCB0wPHVKSAn41mCNVCnegWmgkrneKDhHM=", - "owner": "hyprwm", - "repo": "hyprwayland-scanner", - "rev": "500c81a9e1a76760371049a8d99e008ea77aa59e", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "hyprwayland-scanner", - "type": "github" - } - }, "impermanence": { "locked": { - "lastModified": 1731242966, - "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", + "lastModified": 1734200366, + "narHash": "sha256-0NursoP4BUdnc+wy+Mq3icHkXu/RgP1Sjo0MJxV2+Dw=", "owner": "nix-community", "repo": "impermanence", - "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", + "rev": "c6323585fa0035d780e3d8906eb1b24b65d19a48", "type": "github" }, "original": { 
@@ -667,11 +472,11 @@ "infuse": { "flake": false, "locked": { - "lastModified": 1729644337, - "narHash": "sha256-4XPDTUvV8dfuf9GzKg2/r7j7lMELRAwKKFx3ecQObeg=", + "lastModified": 1732860261, + "narHash": "sha256-xGOVrmZgsi5qAEFrPelsC7DE1Kd9+EJ2oY/gCKD4Diw=", "ref": "refs/heads/trunk", - "rev": "786657a2cf262c3cdce08f64dd4857655f18f166", - "revCount": 40, + "rev": "0005869a31b879b57cfc9b216c8cf7f3c710579c", + "revCount": 41, "type": "git", "url": "https://codeberg.org/amjoseph/infuse.nix" }, @@ -692,11 +497,11 @@ "nixpkgs-24_05": "nixpkgs-24_05" }, "locked": { - "lastModified": 1722877200, - "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", + "lastModified": 1734370678, + "narHash": "sha256-a8zkti1QM5Oxkdfnzr/NjrFlyqI36/kYV/X8G1jOmB4=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", + "rev": "c43d8c4a3ce84a7bebd110b06e69365484db6208", "type": "gitlab" }, "original": { @@ -718,11 +523,11 @@ ] }, "locked": { - "lastModified": 1732688645, - "narHash": "sha256-SQBVnfTAhVmNs5mKjoe942GykhAh9RQbcqScK9XlsWM=", + "lastModified": 1734314370, + "narHash": "sha256-9PhjDAAuXP4tuJg+kM1AozKwBFyHHJ8ZqhQD+peqGtg=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "6adec7f87f6c1d455f89f57bd697740bd6dc88fa", + "rev": "616634de04e87b621bc3d495af114c4e9c6ccd36", "type": "github" }, "original": { @@ -738,11 +543,11 @@ ] }, "locked": { - "lastModified": 1732519917, - "narHash": "sha256-AGXhwHdJV0q/WNgqwrR2zriubLr785b02FphaBtyt1Q=", + "lastModified": 1734234111, + "narHash": "sha256-icEMqBt4HtGH52PU5FHidgBrNJvOfXH6VQKNtnD1aw8=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "f4a5ca5771ba9ca31ad24a62c8d511a405303436", + "rev": "311d6cf3ad3f56cb051ffab1f480b2909b3f754d", "type": "github" }, "original": { 
@@ -765,11 +570,11 @@ ] }, "locked": { - "lastModified": 1732192922, - "narHash": "sha256-xQO/3I99TFdiXTN5VoS28NpbNlCQWQUvxmPQHlfkzmU=", + "lastModified": 1734266385, + "narHash": "sha256-k9P9Sa6jw/Xre8UDp7Ukk75h4Tcq8ZrK+nz6A2MC1IM=", "owner": "oddlama", "repo": "nix-topology", - "rev": "2b107e98bbde932a363874e0ef5b1739a932bbc5", + "rev": "ba6f61e594a85eabebf1c8f373923b59b3b07448", "type": "github" }, "original": { @@ -780,11 +585,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1732483221, - "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=", + "lastModified": 1734352517, + "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405", + "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd", "type": "github" }, "original": { @@ -795,27 +600,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731676054, - "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=", + "lastModified": 1734126203, + "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add", + "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-24_05": { "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "lastModified": 1731797254, + "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59", "type": "github" }, "original": { 
@@ -842,23 +647,23 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1730504152, - "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" } }, "nixpkgs-master": { "locked": { - "lastModified": 1732743468, - "narHash": "sha256-HYLN8b8QqN/ot4GkxfrFd+04oxF2/HtoGxydsIktARc=", + "lastModified": 1734389326, + "narHash": "sha256-YPjF7N9G9tGjnm630FVaLojjpl+OnWao+UqhprZ29dQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b5ad44e06e9d105ee44eb8fd099d2f7533300460", + "rev": "6ea67fde4864ca2ab720f946e4af74ab2b73e5b9", "type": "github" }, "original": { @@ -870,11 +675,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1732741259, - "narHash": "sha256-TmL2rRy84nHhuO2Aqqpy2Wemby3LJGaD7hYzb9PlKqQ=", + "lastModified": 1734284970, + "narHash": "sha256-iPXIDT8Rth+fJ9VpeZMu9wgdEEhrUrn77uYNcmtw3s0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "adeae0fec1591618e7f1dafeb17573f44cad725f", + "rev": "6903830d1075f13346be0ea9611ae6ef50a472d6", "type": "github" }, "original": { @@ -884,22 +689,6 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1732617236, - "narHash": "sha256-PYkz6U0bSEaEB1al7O1XsqVNeSNS+s3NVclJw7YC43w=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "af51545ec9a44eadf3fe3547610a5cdd882bc34e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nmap-vulners": { "flake": false, "locked": { 
@@ -946,7 +735,6 @@ "git-hooks": "git-hooks", "home-manager": "home-manager", "homelab-svg-assets": "homelab-svg-assets", - "hyprland": "hyprland", "impermanence": "impermanence", "infuse": "infuse", "mailserver": "mailserver", @@ -954,7 +742,7 @@ "nix-index-database": "nix-index-database", "nix-topology": "nix-topology", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nixpkgs-amneziawg": "nixpkgs-amneziawg", "nixpkgs-master": "nixpkgs-master", "nixpkgs-stable": "nixpkgs-stable", @@ -972,11 +760,11 @@ ] }, "locked": { - "lastModified": 1732736067, - "narHash": "sha256-kYp/+aE8cEhW2F8Jrxrc8nVbjA3O3AUtWzrMc7CF2CU=", + "lastModified": 1734311023, + "narHash": "sha256-NpiSmBZ4usbCuucwLWKX8TypbP+KfKZB5GOJevdp2rM=", "owner": "nix-community", "repo": "srvos", - "rev": "122dc2d4ee9843dba6f8d4e9fb9b9e7f3cf7eb28", + "rev": "528f3ec754231bd6dc0113cd3010f66513e957f4", "type": "github" }, "original": { @@ -1002,17 +790,17 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_4", + "systems": "systems_3", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-tmux": "tinted-tmux" }, "locked": { - "lastModified": 1732608183, - "narHash": "sha256-T5k5ill+PNIEW6KuS4CpUacMtZNJe2J2q5eBOF4xWuU=", + "lastModified": 1734110168, + "narHash": "sha256-Q0eeLYn45ErXlqGQyXmLLHGe1mqnUiK0Y9wZRa1SNFI=", "owner": "danth", "repo": "stylix", - "rev": "7689e621f87bce7b6ab1925dfd70ad1f4c80f334", + "rev": "a9e3779949925ef22f5a215c5f49cf520dea30b1", "type": "github" }, "original": { 
@@ -1053,21 +841,6 @@ }, "systems_3": { "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_4": { - "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "owner": "nix-systems", @@ -1144,11 +917,11 @@ ] }, "locked": { - "lastModified": 1732672419, - "narHash": "sha256-lWTckUrhvGYTJId+mI9F2/bHXrNHrkdvzyy6xNzITUY=", + "lastModified": 1734314392, + "narHash": "sha256-EydUadS7omV3SO/4TLeMkLT2JUugvPEtvBoAF43ggWU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "c10eb0e26ca40bdc952b4d89aee9d0e9b673eb09", + "rev": "4ef033412f0732794077fcc25af4f79f097ad1e1", "type": "github" }, "original": { @@ -1156,47 +929,6 @@ "repo": "nix-vscode-extensions", "type": "github" } - }, - "xdph": { - "inputs": { - "hyprland-protocols": [ - "hyprland", - "hyprland-protocols" - ], - "hyprlang": [ - "hyprland", - "hyprlang" - ], - "hyprutils": [ - "hyprland", - "hyprutils" - ], - "hyprwayland-scanner": [ - "hyprland", - "hyprwayland-scanner" - ], - "nixpkgs": [ - "hyprland", - "nixpkgs" - ], - "systems": [ - "hyprland", - "systems" - ] - }, - "locked": { - "lastModified": 1731703417, - "narHash": "sha256-rheDc/7C+yI+QspYr9J2z9kQ5P9F4ATapI7qyFAe1XA=", - "owner": "hyprwm", - "repo": "xdg-desktop-portal-hyprland", - "rev": "8070f36deec723de71e7557441acb17e478204d3", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "xdg-desktop-portal-hyprland", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 27411e5..67180ca 100644 --- a/flake.nix +++ b/flake.nix 
@@ -32,14 +32,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - hyprland = { - url = "github:hyprwm/Hyprland"; - inputs = { - # nixpkgs.follows = "nixpkgs"; # Disabled in favor of cache. - pre-commit-hooks.follows = "git-hooks"; - }; - }; - stylix = { url = "github:danth/stylix"; inputs = { diff --git a/lib/my.nix b/lib/my.nix index b60d980..3a8058e 100644 --- a/lib/my.nix +++ b/lib/my.nix 
@@ -51,78 +51,6 @@ with lib; isHeadless = mkConfigurationTypeOption "headless"; isHeadful = mkConfigurationTypeOption "headful"; isOther = mkConfigurationTypeOption "other"; - - ipv4 = { - address = mkOption { - description = "The machine's public IPv4 address."; - type = nullOr str; - default = null; - }; - prefixLength = mkOption { - description = "The machine's public IPv4 prefix length."; - type = nullOr int; - default = null; - }; - gatewayAddress = mkOption { - description = "The machine's public IPv4 gateway address."; - type = nullOr str; - default = null; - }; - }; - ipv6 = { - address = mkOption { - description = "The machine's public IPv6 address."; - type = nullOr str; - default = null; - }; - prefixLength = mkOption { - description = "The machine's public IPv6 prefix length."; - type = nullOr int; - default = null; - }; - gatewayAddress = mkOption { - description = "The machine's public IPv6 gateway address."; - type = nullOr str; - default = null; - }; - }; - - wireguard = { - ipv4.address = mkOption { - description = "The machine's internal IPv4 addresses."; - type = nullOr str; - default = null; - }; - ipv6.address = mkOption { - description = "The machine's internal IPv6 addresses."; - type = nullOr str; - default = null; - }; - publicKey = mkOption { - description = "The machine's public key."; - type = nullOr str; - default = null; - }; - }; - - # TODO Automate filling of this from the NSD service module. - # Right now I need to copy domain definitions from there to here - # manually. - # - # Something like taking `config.services.nsd.zones[$domain]` and - # filtering for actual subdomains. We can remove this option - # altogether then. - domains = mkOption { - description = "External domains that resolve to this address."; - type = listOf str; - default = [ ]; - }; - - syncthing.id = mkOption { - description = "Syncthing ID."; - type = nullOr str; - default = null; - }; }; } ) 
@@ -252,6 +180,12 @@ with lib;
 "lidarr.${shire}"
 ];
 syncthing.id = "@SYNCTHING_ID@";
+
+ wireguard-ng = {
+ ipv4.address = "10.70.1.2";
+ ipv6.address = "fd70::1:2";
+ publicKey = "@PUBLIC_KEY@";
+ };
 };
 # VPS in Russia.
@@ -275,6 +209,12 @@ with lib;
 ipv6.address = "fd69::0:4";
 publicKey = "@PUBLIC_KEY@";
 };
+
+ wireguard-ng = {
+ ipv4.address = "10.70.0.1";
+ ipv6.address = "fd70::0:1";
+ publicKey = "@PUBLIC_KEY@";
+ };
 };
 # A beefy desktop: 7950x/rx6750xt/128GB.
@@ -289,6 +229,12 @@ with lib;
 publicKey = "@PUBLIC_KEY@";
 };
 syncthing.id = "@SYNCTHING_ID@";
+
+ wireguard-ng = {
+ ipv4.address = "10.70.3.1";
+ ipv6.address = "fd70::3:1";
+ publicKey = "@PUBLIC_KEY@";
+ };
 };
 # ThinkPad X1 Nano Gen 3.
@@ -303,6 +249,12 @@ with lib;
 publicKey = "@PUBLIC_KEY@";
 };
 syncthing.id = "@SYNCTHING_ID@";
+
+ wgireguard-ng = {
+ ipv4.address = "10.70.4.1";
+ ipv6.address = "fd70::4:1";
+ publicKey = "@PUBLIC_KEY@";
+ };
 };
 # Google Pixel 7a w/ GrapheneOS.
@@ -314,6 +266,12 @@ with lib;
 publicKey = "@PUBLIC_KEY@";
 };
 syncthing.id = "@SYNCTHING_ID@";
+
+ wireguard-ng = {
+ ipv4.address = "10.70.5.1";
+ ipv6.address = "fd70::5:1";
+ publicKey = "@PUBLIC_KEY@";
+ };
 };
 };
 };
diff --git a/modules/acme.nix b/modules/acme.nix
index 6a75818..9a2f3f1 100644
--- a/modules/acme.nix
+++ b/modules/acme.nix
@@ -5,11 +5,14 @@ let
 in
 {
 imports = [
- (mkAliasOptionModule [ "certs" ] [
- "security"
- "acme"
- "certs"
- ])
+ (mkAliasOptionModule
+ [ "certs" ]
+ [
+ "security"
+ "acme"
+ "certs"
+ ]
+ )
 ];
 options.nixfiles.modules.acme = {
diff --git a/modules/chromium.nix b/modules/chromium.nix
index c7842d5..bc34ecd 100644
--- a/modules/chromium.nix
+++ b/modules/chromium.nix
@@ -18,10 +18,11 @@ in
 programs.chromium = {
 enable = true;
- package = pkgs.ungoogled-chromium;
+ # package = pkgs.ungoogled-chromium;
 extensions = [
 { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
+ { id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
 ];
 };
 };
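Review bot: The ThinkPad entry in hunk `@@ -303,6 +249,12 @@` spells the attribute `wgireguard-ng` while every other host uses `wireguard-ng`, so whatever derives the wireguard-ng peer list from `lib.my.configurations.<host>.wireguard-ng` will silently omit the laptop (10.70.4.1 / fd70::4:1 and its public key) rather than fail. Rename it to `wireguard-ng = {`. Since the earlier hunk in this file drops the `mkOption` declarations for these per-host attributes, the module system presumably no longer rejects unknown names; a `lib.assertMsg` in the consumer checking that every configuration carrying `wireguard.publicKey` also carries `wireguard-ng` would catch the next typo.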
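Review bot: The new MetaMask line force-installs a crypto-wallet extension by Web Store ID alone; `programs.chromium.extensions` is realised through the `ExtensionInstallForcelist` policy, which fetches and auto-updates from the store with no version or hash pin, so a hijacked listing ships straight into a component that signs transactions — worth an explicit comment that this is accepted, e.g. `{ id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask — unpinned Web Store auto-update; wallet, review before trusting`. The `package = pkgs.ungoogled-chromium` line is now dead commented-out code rather than a decision; either delete it or replace it with a comment stating why stock Chromium is preferred (ungoogled builds do not reach the Web Store by default, which may be the real reason the forcelist did not work). The enclosing `programs.chromium` set is closed inside the hunk, but the module continues outside it.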
diff --git a/modules/common/ark.nix b/modules/common/ark.nix
index ba3056b..007e209 100644
--- a/modules/common/ark.nix
+++ b/modules/common/ark.nix
@@ -10,11 +10,14 @@ in
 {
 imports = [
 inputs.impermanence.nixosModules.impermanence
- (lib.mkAliasOptionModule [ "ark" ] [
- "nixfiles"
- "modules"
- "ark"
- ])
+ (lib.mkAliasOptionModule
+ [ "ark" ]
+ [
+ "nixfiles"
+ "modules"
+ "ark"
+ ]
+ )
 ];
 options.nixfiles.modules.ark =
diff --git a/modules/common/home-manager.nix b/modules/common/home-manager.nix
index f3e8143..118fc0e 100644
--- a/modules/common/home-manager.nix
+++ b/modules/common/home-manager.nix
@@ -7,11 +7,14 @@
 {
 imports = [
 inputs.home-manager.nixosModule
- (lib.mkAliasOptionModule [ "hm" ] [
- "home-manager"
- "users"
- lib.my.username
- ])
+ (lib.mkAliasOptionModule
+ [ "hm" ]
+ [
+ "home-manager"
+ "users"
+ lib.my.username
+ ]
+ )
 ];
 hm = {
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index 468bd8b..2e9c218 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -7,9 +7,12 @@
 }:
 let
 cfg = config.nixfiles.modules.common.networking;
+
+ interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false.
 in
 {
- options.nixfiles.modules.common.networking.onlyDefault = lib.mkEnableOption "custom networking settings";
+ options.nixfiles.modules.common.networking.onlyDefault =
+ lib.mkEnableOption "custom networking settings";
 config = lib.mkIf (!cfg.onlyDefault) {
 ark.directories =
@@ -31,20 +34,6 @@ in
 "::1" = lib.mkForce [ ];
 };
- # There's no way[1] to configure DNS server priority in
- # systemd-resolved. The only solution for dealing with a broken VPN
- # connection is to delete /etc/systemd/resolved.conf and restart the
- # systemd-resolved service. Otherwise I'll just end up with a random
- # server from the list most of the time because systemd-resolved
- # "conveniently" will manage server priority for me...
- #
- # [1]: https://askubuntu.com/questions/1116732/how-do-i-list-dns-server-order-in-systemd-resolve
- # [2]: https://github.com/systemd/systemd/issues/6076
- nameservers = with lib.my.configurations.manwe.wireguard; [
- ipv6.address
- ipv4.address
- ];
 useDHCP = false;
 nftables.enable = true;
@@ -62,45 +51,46 @@ in
 logRefusedUnicastsOnly = false;
 logReversePathDrops = false;
 };
+
+ usePredictableInterfaceNames = false;
 }
- (
- let
- interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false.
- in
- lib.mkIf (lib.hasAttr "ipv4" this && lib.hasAttr "ipv6" this) {
- usePredictableInterfaceNames = false; # NOTE This can break something!
- interfaces.${interface} = {
- ipv4.addresses =
- with this.ipv4;
- lib.optional (lib.isString address && lib.isInt prefixLength) {
- inherit address prefixLength;
- };
-
- ipv6.addresses =
- with this.ipv6;
- lib.optional (lib.isString address && lib.isInt prefixLength) {
- inherit address prefixLength;
- };
+ (lib.mkIf (lib.hasAttr "ipv4" this) {
+ interfaces.${interface}.ipv4.addresses =
+ with this.ipv4;
+ lib.optional (lib.isString address && lib.isInt prefixLength) {
+ inherit address prefixLength;
+ };
+ defaultGateway =
+ with this.ipv4;
+ lib.mkIf (lib.isString gatewayAddress) {
+ inherit interface;
+ address = gatewayAddress;
 };
- defaultGateway =
- with this.ipv4;
- lib.mkIf (lib.isString gatewayAddress) {
- inherit interface;
- address = gatewayAddress;
- };
- defaultGateway6 =
- with this.ipv6;
- lib.mkIf (lib.isString gatewayAddress) {
- inherit interface;
- address = gatewayAddress;
- };
- }
- )
+ })
+ (lib.mkIf (lib.hasAttr "ipv6" this) {
+ interfaces.${interface}.ipv6.addresses =
+ with this.ipv6;
+ lib.optional (lib.isString address && lib.isInt prefixLength) {
+ inherit address prefixLength;
+ };
+ defaultGateway6 =
+ with this.ipv6;
+ lib.mkIf (lib.isString gatewayAddress) {
+ inherit interface;
+ address = gatewayAddress;
+ };
+ })
+ (lib.mkIf this.isHeadless {
+ nameservers = with lib.my.configurations.manwe.wireguard; [
+ ipv6.address
+ ipv4.address
+ ];
+ })
 (lib.mkIf this.isHeadful {
 networkmanager = {
 enable = true;
- plugins = lib.mkForce [ ];
 wifi.backend = "iwd";
+ dns = "none";
 };
 wireless = {
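Review bot: `usePredictableInterfaceNames = false` now applies to every host unconditionally, whereas before it sat inside the `hasAttr "ipv4" && hasAttr "ipv6"` guard next to a `# NOTE This can break something!` warning that this hunk deletes; the split `lib.mkIf (lib.hasAttr "ipv4" this)` / `lib.mkIf (lib.hasAttr "ipv6" this)` blocks still hard-code `interface` (bound to `"eth0"` in the `let` above the hunk). Headful hosts in this same hunk run NetworkManager with the iwd wifi backend, where the device is not `eth0`, so a laptop that ever gains an `ipv4`/`ipv6` attribute would address a non-existent interface and point its default route at it. Keep the caveat with the setting, e.g. `usePredictableInterfaceNames = false; # Global: forces eth0/wlan0 naming; the static-address blocks below assume eth0.`, and consider making the interface name a per-host attribute instead of a module constant. The `lib.mkMerge` list this hunk edits starts before the hunk.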
@@ -109,15 +99,49 @@ in
 userControlled.enable = true;
 allowAuxiliaryImperativeNetworks = true;
 };
+
+ resolvconf.extraConfig = ''
+ append_nameservers='127.0.0.1'
+ '';
 })
 ];
- services.resolved = {
- llmnr = "false";
- dnsovertls = "opportunistic";
- dnssec = "allow-downgrade";
- fallbackDns = lib.dns.mkDoT lib.dns.const.quad9.ecs;
- };
+ services = lib.mkMerge [
+ (lib.mkIf this.isHeadless {
+ resolved = {
+ enable = true;
+ llmnr = "false";
+ dnsovertls = "opportunistic";
+ dnssec = "allow-downgrade";
+ fallbackDns = lib.dns.mkDoT lib.dns.const.quad9.ecs;
+ };
+ })
+ (lib.mkIf this.isHeadful {
+ resolved.enable = false;
+
+ dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv4_servers = true;
+ ipv6_servers = false;
+ dnscrypt_servers = true;
+ doh_servers = true;
+ odoh_servers = false;
+ require_dnssec = true;
+ require_nolog = true;
+ require_nofilter = true;
+
+ disabled_server_names = [
+ "cloudflare"
+ "cloudflare-ipv6"
+ ];
+
+ cache = true;
+ cache_size = lib.pow 2 13;
+ };
+ };
+ })
+ ];
 environment = {
 shellAliases = lib.listToAttrs (
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index 09d57ed..2054185 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -72,6 +72,11 @@ in
 keep-going = true;
+ experimental-features = [
+ "fetch-tree"
+ "pipe-operators"
+ ];
+
 trusted-users = [ my.username ];
 substituters = [
@@ -83,6 +88,9 @@ in
 trusted-public-keys = [
 "cache.tvl.su:kjc6KOMupXc1vHVufJUoDUYeLzbwSr9abcAKdn/U1Jk="
 ];
+
+ # https://github.com/NixOS/nix/issues/6901
+ fallback = true;
 };
 };
diff --git a/modules/common/secrets.nix b/modules/common/secrets.nix
index 03a2eeb..77dee44 100644
--- a/modules/common/secrets.nix
+++ b/modules/common/secrets.nix
@@ -10,10 +10,13 @@ with lib;
 {
 imports = [
 inputs.agenix.nixosModules.default
- (mkAliasOptionModule [ "secrets" ] [
- "age"
- "secrets"
- ])
+ (mkAliasOptionModule
+ [ "secrets" ]
+ [
+ "age"
+ "secrets"
+ ]
+ )
 ];
 config = {
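Review bot: On headful hosts the new `resolvconf.extraConfig` sets `append_nameservers='127.0.0.1'`, which puts the local dnscrypt-proxy at the end of the resolver list; glibc tries nameservers in order, so any other resolvconf contributor (a DHCP client, a VPN pushing DNS) would be consulted first and the `require_dnssec`/`require_nolog`/`require_nofilter` guarantees silently bypassed — and, as far as I recall, openresolv's documented keys are `name_servers` and `name_servers_append`, so the line may not be honoured at all. The NixOS-idiomatic form is `networking.resolvconf.useLocalResolver = true;` (which emits `name_servers='127.0.0.1'`, prepended) or `networking.nameservers = [ "127.0.0.1" ];` in the `isHeadful` branch, mirroring how the previous hunk sets `nameservers` for headless hosts. `resolved.enable = false` on headful hosts also drops the `fallbackDns`/DoT path that headless hosts keep, so a comment stating that headful hosts deliberately bypass the manwe/WireGuard resolver in favour of dnscrypt-proxy would help the next reader. The `networking` attribute set and the `this` binding come from outside the hunk.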
@@ -23,7 +26,10 @@ with lib; else map (attr: attr.path) (filter (attr: attr.type == my.ssh.type) config.services.openssh.hostKeys); - environment.systemPackages = with pkgs; [ agenix ]; + environment.systemPackages = with pkgs; [ + age + agenix + ]; nixpkgs.overlays = [ inputs.agenix.overlays.default ]; }; diff --git a/modules/common/stylix.nix b/modules/common/stylix.nix index f1e0417..f17cb4c 100644 --- a/modules/common/stylix.nix +++ b/modules/common/stylix.nix @@ -10,11 +10,14 @@ with lib; { imports = [ inputs.stylix.nixosModules.stylix - (mkAliasOptionModule [ "colors" ] [ - "lib" - "stylix" - "colors" - ]) + (mkAliasOptionModule + [ "colors" ] + [ + "lib" + "stylix" + "colors" + ] + ) ]; options.nixfiles.modules.common.stylix.fonts.extraPackages = mkOption { diff --git a/modules/common/users.nix b/modules/common/users.nix index b8aca28..e0811b7 100644 --- a/modules/common/users.nix +++ b/modules/common/users.nix @@ -5,11 +5,14 @@ let in { imports = [ - (mkAliasOptionModule [ "my" ] [ - "users" - "users" - my.username - ]) + (mkAliasOptionModule + [ "my" ] + [ + "users" + "users" + my.username + ] + ) ]; ark.directories = [ home ]; diff --git a/modules/emacs/default.nix b/modules/emacs/default.nix index 455f710..71bc24c 100644 --- a/modules/emacs/default.nix +++ b/modules/emacs/default.nix @@ -231,9 +231,8 @@ in (mu4e-drafts-folder . "/${name}/${folders.drafts}") (mu4e-trash-folder . "/${name}/${folders.trash}") (mu4e-refile-folder . "/${name}/Archive") - ${ - optionalString (signature.showSignature != "none") - ''(mu4e-compose-signature . "${replaceStrings [ "\n" ] [ "\\n" ] signature.text}")'' + ${optionalString (signature.showSignature != "none") + ''(mu4e-compose-signature . "${replaceStrings [ "\n" ] [ "\\n" ] signature.text}")'' } (+mu4e-personal-addresses . (${personalAddresses}))) t) diff --git a/modules/firefox/default.nix b/modules/firefox/default.nix index 4b04c40..ee45434 100644 --- a/modules/firefox/default.nix +++ b/modules/firefox/default.nix 
@@ -536,6 +536,7 @@ in "media.autoplay.blocking_policy" = 2; "media.autoplay.default" = 5; "media.hardwaremediakeys.enabled" = false; + "media.videocontrols.picture-in-picture.video-toggle.enabled" = false; "reader.parse-on-load.enabled" = false; "toolkit.legacyUserProfileCustomizations.stylesheets" = true; }; diff --git a/modules/hyprland.nix b/modules/hyprland.nix index cab01b6..c7f574a 100644 --- a/modules/hyprland.nix +++ b/modules/hyprland.nix @@ -1,6 +1,5 @@ { config, - inputs, lib, ... }: @@ -128,16 +127,5 @@ in }; programs.hyprland.enable = true; - - nixpkgs.overlays = [ inputs.hyprland.overlays.default ]; - - nix.settings = { - substituters = [ - "https://hyprland.cachix.org" - ]; - trusted-public-keys = [ - "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" - ]; - }; }; } diff --git a/modules/ipfs.nix b/modules/ipfs.nix index 25f7fce..80a43b6 100644 --- a/modules/ipfs.nix +++ b/modules/ipfs.nix @@ -175,7 +175,8 @@ in "api.${cfg.domain}" = { locations = { "/".proxyPass = "http://kubo_api"; - "~ ^/$".return = "301 http${optionalString config.nixfiles.modules.acme.enable "s"}://api.${cfg.domain}/webui"; + "~ ^/$".return = + "301 http${optionalString config.nixfiles.modules.acme.enable "s"}://api.${cfg.domain}/webui"; }; extraConfig = libNginx.config.internalOnly; }; diff --git a/modules/password-store.nix b/modules/password-store.nix index e5cd756..886afb6 100644 --- a/modules/password-store.nix +++ b/modules/password-store.nix @@ -9,7 +9,8 @@ let cfg = config.nixfiles.modules.password-store; in { - options.nixfiles.modules.password-store.enable = mkEnableOption "the standard UNIX password manager"; + options.nixfiles.modules.password-store.enable = + mkEnableOption "the standard UNIX password manager"; config = mkIf cfg.enable { hm.programs = { diff --git a/modules/plausible.nix b/modules/plausible.nix index c5b66c3..89729fd 100644 --- a/modules/plausible.nix +++ b/modules/plausible.nix 
@@ -80,12 +80,12 @@ in services.plausible = { enable = true; - adminUser = { - name = "admin"; - email = "admin@${my.domain.shire}"; - passwordFile = config.secrets.plausible-admin-password.path; - activate = false; - }; + # adminUser = { + # name = "admin"; + # email = "admin@${my.domain.shire}"; + # passwordFile = config.secrets.plausible-admin-password.path; + # activate = false; + # }; mail = { email = "admin+plausible@${my.domain.shire}"; diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix index 4d85168..af151a1 100644 --- a/modules/profiles/dev/default.nix +++ b/modules/profiles/dev/default.nix @@ -11,7 +11,8 @@ in { imports = attrValues (modulesIn ./.); - options.nixfiles.modules.profiles.dev.enable = mkEnableOption "Catch-all profile for stuff related to software development and etc."; + options.nixfiles.modules.profiles.dev.enable = + mkEnableOption "Catch-all profile for stuff related to software development and etc."; config = mkIf cfg.enable { nixfiles.modules = { diff --git a/modules/syncthing.nix b/modules/syncthing.nix index e61c080..d239aa4 100644 --- a/modules/syncthing.nix +++ b/modules/syncthing.nix @@ -79,7 +79,7 @@ in devices = mapAttrs ( name: attr: - mkIf (attr.syncthing.id != null && hasAttr "wireguard" attr) { + mkIf (hasAttr "syncthing" attr && hasAttr "wireguard" attr) { inherit (attr.syncthing) id; compression = "always"; introducer = false; @@ -98,7 +98,7 @@ in f: attrNames ( filterAttrs ( - _: attr: (attr.hostname != this.hostname) && (attr.syncthing.id != null) && f attr + _: attr: attr.hostname != this.hostname && hasAttr "syncthing" attr && f attr ) my.configurations ); all = filterDevices (_: true); @@ -111,7 +111,7 @@ in }; trashcan = { type = "trashcan"; - params.cleanoutDays = "7"; + params.cleanouctDays = "7"; }; in with config.hm.xdg.userDirs; diff --git a/modules/unbound-ng.nix b/modules/unbound-ng.nix new file mode 100644 index 0000000..3d3c6da --- /dev/null +++ b/modules/unbound-ng.nix 
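Review bot: Commenting out `adminUser` leaves dead configuration behind while the `config.secrets.plausible-admin-password` it referenced presumably still exists; if this follows the upstream removal of the admin-user bootstrap, delete the block and the unused secret rather than keeping them as comments. Nothing in the hunk takes over the bootstrap's role of gating who gets an account: with no admin pre-seeded, confirm that self-registration is disabled (Plausible's `DISABLE_REGISTRATION` setting, which recent nixpkgs expose as `services.plausible.server.disableRegistration` if I recall correctly), otherwise a reachable instance accepts arbitrary sign-ups. The enclosing `services.plausible = { … }` block continues past the hunk.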
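Review bot: Replacing `attr.syncthing.id != null` with `hasAttr "syncthing" attr` changes the filter from "has an id" to "has the attribute", so a configuration that declares `syncthing` with `id = null` now passes the filter and `inherit (attr.syncthing) id` produces a null device id; the second syncthing hunk (`filterDevices`) makes the same change with the same effect. If null ids are no longer possible this is fine; otherwise keep both guards: `mkIf (hasAttr "syncthing" attr && attr.syncthing.id != null && hasAttr "wireguard" attr) {`. The `devices = mapAttrs (` expression starts before the hunk and continues past it.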
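Review bot: `params.cleanouctDays` is a typo for `cleanoutDays`; Syncthing's trashcan versioner reads `cleanoutDays` and ignores unknown parameters, so the trashcan silently falls back to never cleaning out and deleted files accumulate on disk indefinitely. Revert to `params.cleanoutDays = "7";`. The `let … in` block holding the versioning presets starts outside the hunk.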
@@ -0,0 +1,185 @@ +{ + config, + inputs, + lib, + pkgs, + this, + ... +}: +with lib; +let + cfg = config.nixfiles.modules.unbound-ng; +in +{ + options.nixfiles.modules.unbound-ng = { + enable = mkEnableOption "Unbound"; + + domain = mkOption { + description = "Domain name sans protocol scheme."; + type = with types; str; + default = config.networking.domain; + }; + }; + + config = mkIf cfg.enable { + ark.directories = [ config.services.unbound.stateDir ]; + + nixfiles.modules.redis.enable = true; + + services = { + unbound = { + enable = true; + + package = pkgs.unbound-with-systemd.override { + withRedis = true; + withTFO = true; + }; + + checkconf = true; + settings = { + server = { + module-config = ''"respip validator iterator"''; + + interface = with this.wireguard-ng; [ + "127.0.0.1" + "::1" + ipv4.address + ipv6.address + ]; + + local-zone = concatLists ( + mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations + ); + local-data = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard-ng" attr) ( + with attr.wireguard-ng; + [ + "\"${domain} 604800 IN A ${ipv4.address}\"" + "\"${domain} 604800 IN AAAA ${ipv6.address}\"" + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ] + ++ (optionals (hasAttr "domains" attr) ( + concatMap (domain: [ + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. 
AAAA ${ipv6.address}\"" + ]) attr.domains + )) + )) + ) my.configurations + ); + local-data-ptr = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard-ng" attr) ( + with attr.wireguard-ng; + [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ] + ++ (optionals (hasAttr "domains" attr) ( + concatMap (domain: [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ]) attr.domains + )) + )) + ) my.configurations + ); + + private-domain = map (domain: "${domain}.") [ + cfg.domain + "local" + ]; + private-address = with config.nixfiles.modules.wireguard-ng; [ + ipv4.subnet + ipv6.subnet + ]; + + access-control = with config.nixfiles.modules.wireguard-ng; [ + "0.0.0.0/0 refuse" + "::/0 refuse" + "127.0.0.0/8 allow" + "::1/128 allow" + "${ipv4.subnet} allow" + "${ipv6.subnet} allow" + ]; + + cache-min-ttl = 0; + + serve-expired = true; + serve-expired-reply-ttl = 0; + + prefetch = true; + prefetch-key = true; + + hide-identity = true; + hide-version = true; + + extended-statistics = true; + + log-replies = false; + log-tag-queryreply = false; + log-local-actions = false; + + verbosity = 0; + }; + + forward-zone = [ + { + name = "."; + forward-tls-upstream = true; + forward-addr = dns.mkDoT dns.const.quad9.ecs; + } + ]; + + cachedb = with config.services.redis.servers.default; { + backend = "redis"; + redis-server-host = bind; + redis-server-port = port; + }; + + rpz = { + name = "hagezi.pro"; + zonefile = "hagezi.pro"; + url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; + }; + }; + + enableRootTrustAnchor = true; + + localControlSocketPath = "/run/unbound/unbound.socket"; + }; + + prometheus.exporters.unbound = { + enable = true; + listenAddress = mkDefault this.wireguard-ng.ipv4.address; + port = 9167; + inherit (config.services.unbound) group user; + unbound.host = "unix://${config.services.unbound.localControlSocketPath}"; 
+ }; + }; + + boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3; + + topology = with cfg; { + nodes.${this.hostname}.services.unbound = { + name = "Unbound"; + icon = "${inputs.homelab-svg-assets}/assets/unbound.svg"; + details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") ( + filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface + ); + }; + }; + }; +} diff --git a/modules/unbound.nix b/modules/unbound.nix index e837f89..b8de321 100644 --- a/modules/unbound.nix +++ b/modules/unbound.nix @@ -65,10 +65,12 @@ in "\"${domain}. A ${ipv4.address}\"" "\"${domain}. AAAA ${ipv6.address}\"" ] - ++ concatMap (domain: [ - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ]) attr.domains + ++ (optionals (hasAttr "domains" attr) ( + concatMap (domain: [ + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ]) attr.domains + )) )) ) my.configurations ); @@ -85,10 +87,12 @@ in "\"${ipv4.address} ${domain}\"" "\"${ipv6.address} ${domain}\"" ] - ++ concatMap (domain: [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ]) attr.domains + ++ (optionals (hasAttr "domains" attr) ( + concatMap (domain: [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ]) attr.domains + )) )) ) my.configurations ); diff --git a/modules/wireguard-ng.nix b/modules/wireguard-ng.nix new file mode 100644 index 0000000..5374a71 --- /dev/null +++ b/modules/wireguard-ng.nix 
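Review bot: `forward-tls-upstream = true` only authenticates the Quad9 upstream if the server section also carries a certificate bundle (`tls-cert-bundle` or `tls-system-cert`); none is set in this file, so unless the NixOS module defaults one (I believe it does, but it is worth confirming), the DoT connection is encrypted yet the upstream certificate is not verified, and the `validator` module above it offers no protection against an on-path substitute resolver — a comment on the `forward-zone` entry recording where the bundle comes from would make the dependency explicit. The Redis `cachedb` backend makes the `default` Redis server part of the DNS trust path: anything that can write to it can plant cache entries, so confirm it is bound to loopback or the WireGuard address only and is not shared with other services. `access-control` and `interface` correctly restrict the resolver to loopback and the WireGuard subnets, which is the right default for a recursive resolver. The `prometheus.exporters.unbound` block relies on the WireGuard interface being trusted by the firewall rather than on an explicit listener check; a short comment to that effect would help the next reader.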
@@ -0,0 +1,255 @@ +{ + config, + inputs, + lib, + pkgs, + this, + ... +}: +with lib; +let + cfg = config.nixfiles.modules.wireguard-ng; + + DNSSetup = optionalString config.services.resolved.enable ( + let + resolvectl = "${config.systemd.package}/bin/resolvectl"; + in + '' + ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address} + ${resolvectl} domain ${cfg.interface} local ${my.domain.shire} + ${resolvectl} dnssec ${cfg.interface} no + ${resolvectl} dnsovertls ${cfg.interface} no + '' + ); +in +{ + options.nixfiles.modules.wireguard-ng = { + client = { + enable = mkEnableOption "WireGuard client"; + + enableTrafficRouting = mkOption { + description = "Whether to enable traffic routing through the sever."; + type = with types; bool; + # default = !this.isHeadless; + default = false; + }; + }; + + server = { + enable = mkEnableOption "WireGuard server"; + + ipv4.address = mkOption { + description = "IPv4 address to bind to."; + type = with types; str; + default = my.configurations.tulkas.wireguard-ng.ipv4.address; + }; + + ipv6.address = mkOption { + description = "IPv4 address to bind to."; + type = with types; str; + default = my.configurations.tulkas.wireguard-ng.ipv6.address; + }; + + address = mkOption { + description = "Endpoint address to use"; + type = with types; str; + default = my.configurations.tulkas.ipv4.address; + }; + + port = mkOption { + description = "Endpoint port to use."; + type = with types; int; + default = 7070; + }; + + publicKey = mkOption { + description = "Server's public key."; + type = with types; str; + default = my.configurations.tulkas.wireguard.publicKey; + }; + + peers = mkOption { + description = "List of peers."; + type = with types; listOf attrs; + default = + mapAttrsToList + ( + _: attr: with attr; { + inherit (wireguard-ng) publicKey; + allowedIPs = with wireguard-ng; [ + "${ipv6.address}/128" + "${ipv4.address}/32" + ]; + } + ) + ( + filterAttrs ( + _: attr: attr.hostname != this.hostname 
&& hasAttr "wireguard-ng" attr + ) my.configurations + ); + }; + }; + + interface = mkOption { + description = "Name of the interface to use WireGuard with."; + type = with types; str; + default = "wg70"; + }; + + ipv4.subnet = mkOption { + description = "CIDR notation for the IPv4 subnet to use over WireGuard."; + type = with types; str; + default = "10.70.0.0/16"; + }; + + ipv6.subnet = mkOption { + description = "CIDR notation for the IPv6 subnet to use over WireGuard."; + type = with types; str; + default = "fd70::/16"; + }; + }; + + config = + { + assertions = [ + { + assertion = config.security.sudo.enable; + message = "Sudo is not enabled."; + } + { + assertion = any (x: x == "wheel") config.my.extraGroups; + message = ''User is not in the "wheel" group.''; + } + ]; + } + // mkMerge [ + (mkIf (cfg.client.enable || cfg.server.enable) { + secrets."wireguard-private-key-${this.hostname}".file = + "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; + + networking.firewall.trustedInterfaces = [ cfg.interface ]; + + topology = with cfg; { + nodes.${this.hostname}.interfaces.${interface} = { + network = interface; + icon = "interfaces.wireguard"; + }; + }; + }) + (mkIf cfg.client.enable { + networking.wg-quick.interfaces.${cfg.interface} = mkMerge [ + (with this.wireguard-ng; { + privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; + address = [ + "${ipv4.address}/16" + "${ipv6.address}/16" + ]; + }) + (with cfg.server; { + peers = [ + { + inherit publicKey; + endpoint = "${address}:${toString port}"; + allowedIPs = + if cfg.client.enableTrafficRouting then + [ + "::/0" + "0.0.0.0/0" + ] + else + [ + cfg.ipv6.subnet + cfg.ipv4.subnet + ]; + } + ]; + dns = [ + ipv6.address + ipv4.address + ]; + postUp = DNSSetup; + }) + ]; + + environment.systemPackages = with pkgs; [ + (writeShellApplication { + name = "wg-toggle-ng"; + runtimeInputs = [ + iproute2 + jq + ]; + text = '' + ip46() { + sudo ip -4 "$@" + sudo ip -6 "$@" + } + + 
fwmark=$(sudo awg show ${cfg.interface} fwmark) || exit + if ip -j rule list lookup "$fwmark" | jq -e 'length > 0' >/dev/null; then + ip46 rule del lookup main suppress_prefixlength 0 + ip46 rule del lookup "$fwmark" + else + ip46 rule add not fwmark "$fwmark" lookup "$fwmark" + ip46 rule add lookup main suppress_prefixlength 0 + fi + ''; + }) + ]; + }) + (mkIf cfg.server.enable { + networking = { + wireguard = { + enable = true; + interfaces.${cfg.interface} = with cfg.server; { + privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; + ips = [ + "${ipv6.address}/16" + "${ipv4.address}/16" + ]; + listenPort = port; + inherit peers; + postSetup = DNSSetup; + allowedIPsAsRoutes = false; + }; + }; + + nat = { + enable = true; + enableIPv6 = true; + + externalInterface = mkDefault "eth0"; + + internalInterfaces = [ cfg.interface ]; + internalIPs = [ cfg.ipv4.subnet ]; + internalIPv6s = [ cfg.ipv6.subnet ]; + }; + + firewall.allowedUDPPorts = [ cfg.server.port ]; + }; + + services.prometheus.exporters.wireguard = { + enable = true; + listenAddress = mkDefault this.wireguard-ng.ipv4.address; + withRemoteIp = true; + port = 9586; + }; + + topology = with cfg; { + networks = { + ${interface} = { + name = interface; + cidrv4 = ipv4.subnet; + cidrv6 = ipv6.subnet; + icon = "interfaces.wireguard"; + }; + }; + + nodes.${this.hostname}.interfaces.${interface}.physicalConnections = + mapAttrsToList (name: _: config.lib.topology.mkConnection name interface) + ( + filterAttrs (n: v: !v.isOther && n != this.hostname && hasAttr "wireguard-ng" v) my.configurations + ); + }; + }) + ]; +} diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 5138946..633ec5b 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -10,7 +10,7 @@ with lib; let cfg = config.nixfiles.modules.wireguard; - DNSSetup = + DNSSetup = optionalString config.services.resolved.enable ( let resolvectl = "${config.systemd.package}/bin/resolvectl"; in 
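Review bot: The `assertions` list is silently lost: `{ assertions = [ … ]; } // mkMerge [ … ]` yields an attrset that carries mkMerge's `_type = "merge"` marker, and the module system discharges such a value through its `contents` alone, so the sudo and wheel checks never run (the same pattern is visible as context in the wireguard.nix hunk below). Put them inside the merge instead: `config = mkMerge [ { assertions = [ … ]; } (mkIf (cfg.client.enable || cfg.server.enable) { … }) … ];`. Separately, `wg-toggle-ng` runs `sudo awg show ${cfg.interface} fwmark` although the client interface is managed by `networking.wg-quick` and `runtimeInputs` lists only `iproute2` and `jq`, so it depends on an AmneziaWG tool that is neither on PATH nor managing this interface — `wg show`, with `wireguard-tools` added to `runtimeInputs`, is presumably what is meant. The `server.publicKey` default reads `my.configurations.tulkas.wireguard.publicKey` while every other default and the `peers` list read `wireguard-ng`; if tulkas has a distinct -ng key, clients pin the wrong one and never complete a handshake. Also the `ipv6.address` option description says "IPv4 address to bind to." and `enableTrafficRouting` has "sever" for "server".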
@@ -19,14 +19,19 @@ let ${resolvectl} domain ${cfg.interface} local ${my.domain.shire} ${resolvectl} dnssec ${cfg.interface} no ${resolvectl} dnsovertls ${cfg.interface} no - ''; + '' + ); extraOptions = { - jc = 228; - jmin = 42; - jmax = 420; - s1 = 69; - s2 = 96; + jc = 23; + jmin = 58; + jmax = 1021; + s1 = 49; + s2 = 87; + h1 = 1264154357; + h2 = 462401493; + h3 = 737329836; + h4 = 1039929807; }; in { @@ -137,7 +142,8 @@ in } // mkMerge [ (mkIf (cfg.client.enable || cfg.server.enable) { - secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; + secrets."wireguard-private-key-${this.hostname}".file = + "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; networking.firewall.trustedInterfaces = [ cfg.interface ]; diff --git a/overlays.nix b/overlays.nix index da6161a..71735cc 100644 --- a/overlays.nix +++ b/overlays.nix @@ -1,5 +1,4 @@ { - inputs, lib, ... }: @@ -102,42 +101,5 @@ ''; }; }; - - # TODO Can this be infused? - linuxPackages_latest = - _: - prev.linuxPackages_latest.extend ( - self: _: { - amneziawg = - inputs.nixpkgs-amneziawg.legacyPackages.${final.system}.linuxPackages_latest.amneziawg.override - { - inherit (self) kernel; - }; - } - ); - linuxPackages_hardened = - _: - prev.linuxPackages_hardened.extend ( - self: _: { - amneziawg = - inputs.nixpkgs-amneziawg.legacyPackages.${final.system}.linuxPackages_hardened.amneziawg.override - { - inherit (self) kernel; - }; - } - ); - linuxPackages_xanmod_latest = - _: - prev.linuxPackages_xanmod_latest.extend ( - self: _: { - amneziawg = - inputs.nixpkgs-amneziawg.legacyPackages.${final.system}.linuxPackages_xanmod_latest.amneziawg.override - { - inherit (self) kernel; - }; - } - ); - amneziawg-go = _: inputs.nixpkgs-amneziawg.legacyPackages.${final.system}.amneziawg-go; - amneziawg-tools = _: inputs.nixpkgs-amneziawg.legacyPackages.${final.system}.amneziawg-tools; }; } |
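Review bot: The `jc`/`jmin`/`jmax`/`s1`/`s2` values and the new `h1`–`h4` are AmneziaWG junk-packet and header-magic parameters, and every peer must use the identical set or handshakes fail silently; this file feeds both client and server so they stay in sync here, but a comment above `extraOptions` recording that requirement and the constraints (as I recall from the AmneziaWG documentation: `h1`–`h4` pairwise distinct, `jmin` < `jmax` ≤ 1280, `s1 + 56 ≠ s2`) would stop a future edit from breaking the tunnel. Since these values are what lets the tunnel avoid protocol fingerprinting, keeping them in clear in the repository hands anyone with read access the means to recognise it; sourcing them from the `secrets` mechanism this module already uses for the private key would be more consistent with that goal. The `let` block enclosing `extraOptions` starts before the hunk.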