From 0ef23d4501592a192ba020a2ac34abb1a3d8fc5e Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sat, 11 Mar 2023 12:51:58 +0300 Subject: 2023-03-11 --- darwinConfigurations/mairon/default.nix | 25 ++------- flake.lock | 98 +++++++++++++++------------------ flake.nix | 30 ---------- modules/common/beets.nix | 73 ------------------------ modules/common/common/nix/default.nix | 1 - modules/common/default.nix | 1 - modules/common/emacs/default.nix | 5 +- modules/common/git.nix | 2 + modules/common/openconnect.nix | 83 ---------------------------- modules/nixos/beets.nix | 73 ++++++++++++++++++++++++ modules/nixos/default.nix | 3 + modules/nixos/k3s.nix | 29 ++++++++++ modules/nixos/murmur.nix | 28 ++++++++++ modules/nixos/profiles/headful.nix | 22 ++++---- nixosConfigurations/eonwe/default.nix | 18 +++--- nixosConfigurations/manwe/default.nix | 31 +++++++++++ nixosConfigurations/varda/default.nix | 12 +--- readme.org | 28 +++------- 18 files changed, 251 insertions(+), 311 deletions(-) delete mode 100644 modules/common/beets.nix delete mode 100644 modules/common/openconnect.nix create mode 100644 modules/nixos/beets.nix create mode 100644 modules/nixos/k3s.nix create mode 100644 modules/nixos/murmur.nix diff --git a/darwinConfigurations/mairon/default.nix b/darwinConfigurations/mairon/default.nix index 2fc9b39..9687120 100644 --- a/darwinConfigurations/mairon/default.nix +++ b/darwinConfigurations/mairon/default.nix 
@@ -1,26 +1,13 @@ -{ - lib, - pkgs, - this, - ... -}: +{lib, ...}: with lib; { nixfiles.modules.vscode.enable = true; # TODO Make this per-directory/per-remote. - hm = { - home.packages = with pkgs; [ - ansible - ansible-lint - logcli - ]; - - programs.git = { - userName = mkForce "Firstname Lastname"; - userEmail = mkForce "username@work.com"; - signing.key = mkForce "@PGP_KEY@"; - extraConfig."url \"git@gitlab.services.work.com:\"".insteadOf = "work:"; - }; + hm.programs.git = { + userName = mkForce "Firstname Lastname"; + userEmail = mkForce "username@work.com"; + signing.key = mkForce "@PGP_KEY@"; + extraConfig."url \"git@gitlab.services.work.com:\"".insteadOf = "work:"; }; networking = { diff --git a/flake.lock b/flake.lock index b13d15f..3f35797 100644 --- a/flake.lock +++ b/flake.lock @@ -299,11 +299,11 @@ ] }, "locked": { - "lastModified": 1676599101, - "narHash": "sha256-CKS6UsOGhoNxGDBt9wyFiWHvtng/+BMAJ4G8ahhe1DE=", + "lastModified": 1677969766, + "narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=", "owner": "ryantm", "repo": "agenix", - "rev": "de657061b13cf329c57a1a9730a5049a971b40b3", + "rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e", "type": "github" }, "original": { @@ -332,17 +332,18 @@ "97.0": "97.0", "98.0": "98.0", "99.0": "99.0", + "flake-compat": "flake-compat", "master": "master", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1676708317, - "narHash": "sha256-QqJqtLcDPFGhOg1v9EJzs2H7G/g3IKtewnhRgNpKy5U=", + "lastModified": 1676881905, + "narHash": "sha256-Im/KQhk3fJouLmIjUQnEU88mJTwqo9QBx9x2KHARyHo=", "owner": "dwarfmaster", "repo": "arkenfox-nixos", - "rev": "fd696871bf40bb7c4c8b3994124d66a459850780", + "rev": "b44010831ee47f80327e4f17c3a21e86d3bea8fa", "type": "github" }, "original": { 
@@ -430,31 +431,23 @@ "type": "github" } }, - "emacs-overlay": { - "inputs": { - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, + "flake-compat": { + "flake": false, "locked": { - "lastModified": 1676830175, - "narHash": "sha256-y3Z7+FRPPln6Ok3Grhp0puC8vMMvE7JrKRsZKixw7o4=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "ea14c62958d96e0f7cfead9d09e097b1891bf7c4", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { - "owner": "nix-community", - "ref": "master", - "repo": "emacs-overlay", + "owner": "edolstra", + "repo": "flake-compat", "type": "github" } }, - "flake-compat": { + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, @@ -535,11 +528,11 @@ ] }, "locked": { - "lastModified": 1676367705, - "narHash": "sha256-un5UbRat9TwruyImtwUGcKF823rCEp4fQxnsaLFL7CM=", + "lastModified": 1678271387, + "narHash": "sha256-H2dv/i1LRlunRtrESirELzfPWdlG/6ElDB1ksO529H4=", "owner": "nix-community", "repo": "home-manager", - "rev": "da72e6fc6b7dc0c3f94edbd310aae7cd95c678b5", + "rev": "36999b8d19eb6eebb41983ef017d7e0095316af2", "type": "github" }, "original": { @@ -584,11 +577,11 @@ "master": { "flake": false, "locked": { - "lastModified": 1674781645, - "narHash": "sha256-NGp5BLOQmiXsUh9nrXP+PeVXyK1c8Ij5EnwtFXAkD9w=", + "lastModified": 1675728165, + "narHash": "sha256-ebSx6DaXoGKcCoK6UcDnWvdAW6J2X6pJRPD1Pw7UNOw=", "owner": "arkenfox", "repo": "user.js", - "rev": "b99dd27de828be13530ce2f48c9178d34f5f82ab", + "rev": "73884850632ffe284f76881786f7d5903b917f58", "type": "github" }, "original": { 
@@ -607,11 +600,11 @@ ] }, "locked": { - "lastModified": 1676598621, - "narHash": "sha256-635t9QFKNayo9QXamGBkvh3MbNPjkoRYrIYKz/mg720=", + "lastModified": 1678154054, + "narHash": "sha256-yFQwkmWZgQrcgHagP/7HP/Vg2/h6JfZuAs7AhbEsCMc=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "60301861c5ea5d33ab6d4d06fd4d013ddb245b0e", + "rev": "8118891606aa521d2c8f87da25d2a769c356eb4a", "type": "github" }, "original": { @@ -623,11 +616,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1675933606, - "narHash": "sha256-y427VhPQHOKkYvkc9MMsL/2R7M11rQxzsRdRLM3htx8=", + "lastModified": 1678095239, + "narHash": "sha256-4F6jovFJcwh6OkMsY94ZrHdrvVqZi1FX5pYv6V9LIQw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "44ae00e02e8036a66c08f4decdece7e3bbbefee2", + "rev": "f6610997b0fc5ea5f9e142c348fca27497efe1c7", "type": "github" }, "original": { @@ -639,11 +632,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1676549890, - "narHash": "sha256-sq/WcOEAl7gWrrfGkWdnyYazRyTf+enEim/o6LOQzI8=", + "lastModified": 1678237502, + "narHash": "sha256-J4cAbmC9RK+Jus3U88WaxkTsnNlZSroE2xZ9A0rSxL4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8c66bd1b68f4708c90dcc97c6f7052a5a7b33257", + "rev": "1eeea1f1922fb79a36008ba744310ccbf96130e2", "type": "github" }, "original": { @@ -655,11 +648,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1676662455, - "narHash": "sha256-paR22nF+MrW/iPqtf3EvSsQLkzNh+hftvclG9qif8gA=", + "lastModified": 1678280833, + "narHash": "sha256-0SPxdBYly0eL+CY/z4HjGqAjAfh9evtvTLsqKnS2prk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "505feabc489e0ddb074f444ac0b1fc792c8da4a8", + "rev": "e40b5250ab10f98a5343d78e2c6c83db6a6c4bec", "type": "github" }, "original": { 
@@ -671,11 +664,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1676656495, - "narHash": "sha256-ON7OvLv+U+hXPVfaQG4Ku1d1PWO+ffU7C8SvR8ByxYk=", + "lastModified": 1678266329, + "narHash": "sha256-rawge6yca5wvm+vcBB0pTp2q1Bf5Nc2Lk05dP7W+Q1E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a3f39ad8c03aa91f7de41ea5d854d0a985e0e9b", + "rev": "1e56d76f106e626764ee91785fe32b2342cc836e", "type": "github" }, "original": { @@ -721,11 +714,11 @@ }, "nur": { "locked": { - "lastModified": 1676658325, - "narHash": "sha256-s+SFI821NUXxuQqnVeBmHq1tEH5Mg1pYmrlDnxJ8PAo=", + "lastModified": 1678286808, + "narHash": "sha256-jC/AwS4HmeV255+tYRFOTkC0+sLGUSQFgNV98HjQYvE=", "owner": "nix-community", "repo": "NUR", - "rev": "10c6c5d9b3df8177472b5243ed8d9760f5316174", + "rev": "fc66688b4a56184061191482536f1d8de3aea462", "type": "github" }, "original": { @@ -777,11 +770,11 @@ ] }, "locked": { - "lastModified": 1676513100, - "narHash": "sha256-MK39nQV86L2ag4TmcK5/+r1ULpzRLPbbfvWbPvIoYJE=", + "lastModified": 1677832802, + "narHash": "sha256-XQf+k6mBYTiQUjWRf/0fozy5InAs03O1b30adCpWeXs=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "5f0cba88ac4d6dd8cad5c6f6f1540b3d6a21a798", + "rev": "382bee738397ca005206eefa36922cc10df8a21c", "type": "github" }, "original": { @@ -798,8 +791,7 @@ "azahi-cc": "azahi-cc", "darwin": "darwin", "dns-nix": "dns-nix", - "emacs-overlay": "emacs-overlay", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-registry": "flake-registry", "flake-utils": "flake-utils", "home-manager": "home-manager", diff --git a/flake.nix b/flake.nix index e5bd0b9..a9e0c30 100644 --- a/flake.nix +++ b/flake.nix 
@@ -77,36 +77,6 @@ ref = "master"; }; - emacs-overlay = { - type = "github"; - owner = "nix-community"; - repo = "emacs-overlay"; - ref = "master"; - inputs = { - flake-utils.follows = "flake-utils"; - nixpkgs.follows = "nixpkgs"; - }; - }; - - # Waiting for patches[1]. Currently, the new profile feature breaks - # everything and I don't want to spend 12 hours debugging this shit. - # - # [1]: https://github.com/nix-community/nix-doom-emacs/pull/316 - # nix-doom-emacs = { - # # type = "path"; - # # path = "/home/azahi/src/nix-doom-emacs"; - # type = "github"; - # owner = "nix-community"; - # repo = "nix-doom-emacs"; - # ref = "master"; - # inputs = { - # flake-compat.follows = "flake-compat"; - # emacs-overlay.follows = "emacs-overlay"; - # flake-utils.follows = "flake-utils"; - # nixpkgs.follows = "nixpkgs"; - # }; - # }; - arkenfox-nixos = { type = "github"; owner = "dwarfmaster"; diff --git a/modules/common/beets.nix b/modules/common/beets.nix deleted file mode 100644 index 83cbff1..0000000 --- a/modules/common/beets.nix +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; let - cfg = config.nixfiles.modules.beets; -in { - options.nixfiles.modules.beets.enable = - mkEnableOption "beets"; - - config = mkIf cfg.enable { - hm = let - beetsdir = "${config.dirs.data}/beets"; - in { - home.sessionVariables.BEETSDIR = beetsdir; - - programs = { - beets = { - enable = true; - - settings = { - library = "${beetsdir}/library.db"; - directory = config.userDirs.music; - plugins = "badfiles edit fetchart info mbsync scrub"; - original_date = true; - import = { - write = true; - copy = true; - move = false; - bell = true; - from_scratch = true; - }; - match = { - preferred = { - countries = [ - "JP" - "KR" - "TW" - "HK" - "CN" - "RU" - "NL" - "DE" - "AT" - "GB|UK" - "CA" - "AU" - "NZ" - "US" - ]; - original_year = true; - }; - }; - edit = { - albumfields = "album artist albumartist"; - itemfields = "track title album artist albumartist day month year genre"; - }; - fetchart = { - auto = true; - cautious = true; - cover_names = "cover Cover folder Folder art Art album Album front Front"; - sources = "filesystem coverart itunes amazon albumart wikipedia"; - }; - scrub.auto = true; - }; - }; - - bash.shellAliases.beet = "${config.hm.programs.beets.package}/bin/beet --config ${config.dirs.config}/beets/config.yaml"; - }; - }; - }; -} diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix index 378cd36..9f80838 100644 --- a/modules/common/common/nix/default.nix +++ b/modules/common/common/nix/default.nix @@ -130,7 +130,6 @@ with lib; { tor-browser = tor-browser-bundle-bin; })) agenix.overlays.default - emacs-overlay.overlay nur.overlay ]; diff --git a/modules/common/default.nix b/modules/common/default.nix index e6040cd..b722cae 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -3,7 +3,6 @@ _: { ./alacritty.nix ./aria2.nix ./bat.nix - ./beets.nix ./chromium.nix ./common ./curl.nix 
diff --git a/modules/common/emacs/default.nix b/modules/common/emacs/default.nix index 268d77d..2dbe53f 100644 --- a/modules/common/emacs/default.nix +++ b/modules/common/emacs/default.nix @@ -46,6 +46,7 @@ in { asmfmt # :editor format bash-language-server # :lang (sh +lsp) clang-tools # :lang (cc +lsp) :editor format + cmake # :term vterm cmake-format # :lang cc :editor format cmigemo # :lang japanese css-language-server # :lang (web +lsp) @@ -53,6 +54,7 @@ in { dockerfile-language-server # :tools (docker +lsp) editorconfig # :tools editorconfig fd # doom! + gcc # :tools magit :term vterm gnuplot # :lang (org +gnuplot) gnutls # doom! go-language-server # :lang (go +lsp) @@ -65,6 +67,7 @@ in { html-tidy # :lang web jre # :lang plantuml json-language-server # :lang (json +lsp) + libtool # :term vterm nix-language-server # :lang (nix +lsp) nixfmt # :lang nix :editor format nodePackages.eslint # :lang (json +lsp) @@ -73,6 +76,7 @@ in { nodePackages.stylelint # :lang web nodejs # :tools debugger pandoc # :lang org markdown latex + perl # term vterm pinentry-emacs # doom! pre-commit # :tools magit ripgrep # doom! @@ -175,7 +179,6 @@ in { programs.emacs = { enable = true; package = pkgs.emacs28; # Pin to avoid surprises. - extraPackages = p: with p; [vterm]; }; }; }; diff --git a/modules/common/git.nix b/modules/common/git.nix index c3ebafc..ce4e505 100644 --- a/modules/common/git.nix +++ b/modules/common/git.nix @@ -68,6 +68,8 @@ in { }; init.defaultBranch = "master"; status.submoduleSummary = true; + github.user = my.username; + gitlab.user = my.username; } // mapAttrs' (n: v: nameValuePair ''url "git@${v}:"'' {insteadOf = "${n}:";}) { diff --git a/modules/common/openconnect.nix b/modules/common/openconnect.nix deleted file mode 100644 index 936c9d1..0000000 --- a/modules/common/openconnect.nix +++ /dev/null 
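Review bot: The comment on the new `perl` line reads `# term vterm` while the three sibling additions (`cmake`, `gcc`, `libtool`) use the `# :term vterm` module-tag form; make it `perl # :term vterm` so the grep-able tag convention holds across the list. The same hunk drops `extraPackages = p: with p; [vterm];`, and the cmake/gcc/libtool additions suggest the vterm native module is now expected to be compiled by Emacs itself at first use rather than taken prebuilt from nixpkgs — if that is the intent, a one-line comment next to `cmake` saying so (and that the resulting shared object then lives in the home directory, outside the Nix store) would stop the next reader from re-adding the package. The enclosing `home.packages` list and the `programs.emacs` block both begin outside the hunk.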
@@ -1,83 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.nixfiles.modules.openconnect; -in { - options.nixfiles.modules.openconnect.enable = - mkEnableOption "OpenConnect VPN"; - - config = mkIf cfg.enable { - assertions = [ - { - assertion = config.networking.networkmanager.enable; - message = "NetworkManager is required"; - } - ]; - - # Spent three days trying to make this work but still getting "No SSO - # handler" even on the HEAD version that 100% has SSO support baked in. - # It's all so tiresome[1]... aaand KDE is not supported[2]. - # - # I fucking hate AnyConnect, truly an example of how shit is is non-free - # software. SAML also sucks balls. I also hate my company for using this - # shit, guess I have no other choice but to use the absolute dogshit laptop - # they gave me. - # - # [1]: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect - # [1]: https://gitlab.com/openconnect/openconnect/-/issues/424 - # [2]: https://groups.google.com/g/linux.debian.bugs.dist/c/lK8u-LMY7n4 - # [2]: https://bugs.kde.org/show_bug.cgi?id=448153 - - networking.networkmanager.plugins = with pkgs; [ - ((networkmanager-openconnect.override { - withGnome = false; - openconnect = openconnect.overrideAttrs (_: _: { - version = "unstable-2022-10-23"; - src = fetchFromGitLab { - owner = "openconnect"; - repo = "openconnect"; - rev = "acdfc753f7885b2a539f99036ac41ba1b78cc7ae"; - hash = "sha256-ub+Z4WFD77h5YMQTb+TLc7EyY2KjBWglF1QVTirCHJM="; - }; - }); - }) - .overrideAttrs (_: super: { - version = "unstable-2022-09-10"; - src = fetchFromGitLab { - domain = "gitlab.gnome.org"; - owner = "GNOME"; - repo = "NetworkManager-openconnect"; - rev = "3c1590786518e9acca33c250660ad21cae565acd"; - hash = "sha256-YTUN46QHsHkXPAhImPG/MMLMqjlSRknapVO8u43nnWk="; - }; - buildInputs = - super.buildInputs - ++ [ - (webkitgtk_4_1.override { - inherit (gnome) libsoup; - }) - ]; - nativeBuildInputs = - super.nativeBuildInputs - ++ [ - autoreconfHook - ]; - postPatch = '' - 
substituteInPlace configure.ac \ - --replace "PKG_CHECK_MODULES(LIBSECRET, libsecret-1 >= 0.18)" "" - ''; - preAutoreconf = '' - autoupdate - ''; - preConfigure = '' - NOCONFIGURE=x ./autogen.sh - touch gtk4/nm-openconnect-dialog.ui - ''; - })) - ]; - }; -} diff --git a/modules/nixos/beets.nix b/modules/nixos/beets.nix new file mode 100644 index 0000000..83cbff1 --- /dev/null +++ b/modules/nixos/beets.nix @@ -0,0 +1,73 @@ +{ + config, + lib, + ... +}: +with lib; let + cfg = config.nixfiles.modules.beets; +in { + options.nixfiles.modules.beets.enable = + mkEnableOption "beets"; + + config = mkIf cfg.enable { + hm = let + beetsdir = "${config.dirs.data}/beets"; + in { + home.sessionVariables.BEETSDIR = beetsdir; + + programs = { + beets = { + enable = true; + + settings = { + library = "${beetsdir}/library.db"; + directory = config.userDirs.music; + plugins = "badfiles edit fetchart info mbsync scrub"; + original_date = true; + import = { + write = true; + copy = true; + move = false; + bell = true; + from_scratch = true; + }; + match = { + preferred = { + countries = [ + "JP" + "KR" + "TW" + "HK" + "CN" + "RU" + "NL" + "DE" + "AT" + "GB|UK" + "CA" + "AU" + "NZ" + "US" + ]; + original_year = true; + }; + }; + edit = { + albumfields = "album artist albumartist"; + itemfields = "track title album artist albumartist day month year genre"; + }; + fetchart = { + auto = true; + cautious = true; + cover_names = "cover Cover folder Folder art Art album Album front Front"; + sources = "filesystem coverart itunes amazon albumart wikipedia"; + }; + scrub.auto = true; + }; + }; + + bash.shellAliases.beet = "${config.hm.programs.beets.package}/bin/beet --config ${config.dirs.config}/beets/config.yaml"; + }; + }; + }; +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 850d93e..8ac9a29 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix 
@@ -3,6 +3,7 @@ _: {
 ./acme.nix
 ./alertmanager.nix
 ./android.nix
+ ./beets.nix
 ./bluetooth.nix
 ./common
 ./discord.nix
@@ -21,6 +22,7 @@ _: {
 ./grafana.nix
 ./hydra.nix
 ./ipfs.nix
+ ./k3s.nix
 ./kde.nix
 ./libvirtd.nix
 ./lidarr.nix
@@ -29,6 +31,7 @@ _: {
 ./matrix
 ./monitoring
 ./mpd.nix
+ ./murmur.nix
 ./nextcloud.nix
 ./nginx.nix
 ./node-exporter.nix
diff --git a/modules/nixos/k3s.nix b/modules/nixos/k3s.nix
new file mode 100644
index 0000000..dcbd052
--- /dev/null
+++ b/modules/nixos/k3s.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.k3s;
+in {
+ options.nixfiles.modules.k3s = {
+ enable = mkEnableOption "K3s";
+ };
+
+ config = mkIf cfg.enable {
+ ark.directories = [
+ "/etc/rancher/k3s"
+ "/var/lib/rancher/k3s"
+ ];
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ };
+
+ systemd.services.k3s.environment = {
+ K3S_KUBECONFIG_OUTPUT = "/etc/rancher/k3s/k3s.yaml";
+ K3S_KUBECONFIG_MODE = "600";
+ };
+ };
+}
diff --git a/modules/nixos/murmur.nix b/modules/nixos/murmur.nix
new file mode 100644
index 0000000..cbd90d4
--- /dev/null
+++ b/modules/nixos/murmur.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.murmur;
+in {
+ options.nixfiles.modules.murmur.enable = mkEnableOption "Murmur";
+
+ config = mkIf cfg.enable {
+ secrets.murmur-environment = {
+ file = "${inputs.self}/secrets/murmur-environment";
+ owner = "murmur";
+ group = "murmur";
+ };
+
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ logDays = -1;
+ registerName = mkDefault my.domain.shire;
+ password = "$MURMUR_PASSWORD";
+ environmentFile = config.secrets."murmur-environment".path;
+ };
+ };
+}
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index d0ca777..67bec29 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
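Review bot: The new k3s module hard-codes `role = "server"` with no way to pass flags, so the `--disable traefik` that the old `services.k3s` block in nixosConfigurations/varda/default.nix carried (removed by this same commit) is silently lost — enabling `k3s.enable` on varda now also deploys Traefik and whatever listeners it brings. Add an option next to `enable`, `extraFlags = mkOption { type = types.str; default = ""; };`, forward it with `inherit (cfg) extraFlags;` inside `services.k3s`, and set `--disable traefik` from varda if it is still wanted. `K3S_KUBECONFIG_MODE = "600"` is the right choice for the admin kubeconfig; note that `/var/lib/rancher/k3s`, listed in `ark.directories`, is where k3s keeps the node join token and the cluster datastore, so wherever `ark` persists or copies those paths should be handled as cluster-admin material (assuming `ark` is a persistence/backup list — verify).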
@@ -22,6 +22,7 @@ in { home.packages = with pkgs; [ calibre imv + mumble neochat tdesktop tor-browser @@ -33,18 +34,15 @@ in { boot = { kernelPackages = mkDefault pkgs.linuxPackages_latest; - # There are (arguably) not a lot of reasons to keep mitigations enabled - # for on machine that is not web-facing. First of all, to completely - # mitigate any possible Spectre holes one would need to disable - # Hyperthreading altogether which will essentially put one's computer into - # the stone age by not being able to to effectively utilise multi-core its - # multicore capabilities. Secondly, by enabling mitigations, we introduce - # a plethora of performance overheads[1], which, albeit small, but still - # contribute to the overall speed of things. This is however still poses a - # security risk, which I am willing to take. - # - # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11 - kernelParams = ["mitigations=off"]; + kernelParams = [ + # https://wiki.archlinux.org/title/improving_performance#Watchdogs + "nowatchdog" + "kernel.nmi_watchdog=0" + # A security risk I'm willing to take for a reason[1]. + # + # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11 + "mitigations=off" + ]; loader = { efi.canTouchEfiVariables = true; diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix index a5a07ab..f66478d 100644 --- a/nixosConfigurations/eonwe/default.nix +++ b/nixosConfigurations/eonwe/default.nix 
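Review bot: `kernel.nmi_watchdog=0` in `kernelParams` looks like a sysctl key rather than a kernel command-line parameter, so the kernel most likely ignores it; `nowatchdog` on the line above already disables both lockup detectors, so the line is redundant either way. Either drop it or express it as a sysctl outside the parameter list, `boot.kernel.sysctl."kernel.nmi_watchdog" = 0;` (the plain command-line spelling would be `nmi_watchdog=0`). `mitigations=off` is unchanged in effect, but since this is the shared headful profile it disables CPU vulnerability mitigations on every host that imports it, which the shortened comment should say so a host-specific override is an obvious option. The enclosing `boot` set is opened inside the hunk and closed outside it.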
@@ -59,13 +59,17 @@ with lib; { # some patching and whatnot. kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - # Silence benign MCE errors: - # ``` - # mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 29: ffffffffffffffff - # mce: [Hardware Error]: TSC 0 MISC ff1fffffffffffff SYND ffffffffffffffff IPID ffffffffffffffff - # mce: [Hardware Error]: PROCESSOR 2:a60f12 TIME 1669988017 SOCKET 0 APIC 2 microcode a601201 - # ``` - kernelParams = ["mce=nobootlog"]; + kernelParams = [ + # Silence benign MCE errors: + # ``` + # mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 29: ffffffffffffffff + # mce: [Hardware Error]: TSC 0 MISC ff1fffffffffffff SYND ffffffffffffffff IPID ffffffffffffffff + # mce: [Hardware Error]: PROCESSOR 2:a60f12 TIME 1669988017 SOCKET 0 APIC 2 microcode a601201 + # ``` + "mce=nobootlog" + # Required for Hogwats Legacy. + "clearcpuid=514" + ]; # The boot drive is Samsung SSD 980 PRO 2TB. initrd.kernelModules = ["nvme"]; diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix index 12d929e..a47cd88 100644 --- a/nixosConfigurations/manwe/default.nix +++ b/nixosConfigurations/manwe/default.nix @@ -1,5 +1,6 @@ { config, + inputs, lib, ... }: @@ -34,6 +35,7 @@ with lib; { enable = true; domain = my.domain.azahi; }; + murmur.enable = true; radicale.enable = true; rss-bridge.enable = true; shadowsocks.enable = true; 
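Review bot: `clearcpuid=514` deserves a comment naming the feature: in the kernel's cpufeatures numbering 514 is word 16 bit 2, `X86_FEATURE_UMIP`, so this line switches off User-Mode Instruction Prevention machine-wide to make one game run, and those bit numbers are an internal kernel table rather than a stable interface — relevant here because `kernelPackages` tracks whatever ZFS reports as latest-compatible. Suggest `# Disable UMIP (X86_FEATURE_UMIP, cpufeatures word 16 bit 2) machine-wide; needed by Hogwarts Legacy. Re-check the bit number on kernel bumps.`, and on kernels new enough to accept feature names in `clearcpuid=`, prefer `clearcpuid=umip`, which removes the numbering risk. The comment also misspells the game as `Hogwats`.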
@@ -44,6 +46,35 @@ with lib; { vaultwarden.enable = true; }; + # To play old LAN games with the boys. + secrets."wireguard-private-key-70".file = "${inputs.self}/secrets/wireguard-private-key-70"; + networking = mkIf config.nixfiles.modules.wireguard.server.enable { + wireguard.interfaces.wg70 = { + ips = ["10.70.0.1/16"]; + listenPort = 7070; + privateKeyFile = config.secrets."wireguard-private-key-70".path; + peers = [ + { + publicKey = "@PUBLIC_KEY@"; + allowedIPs = ["10.70.1.1/32"]; + } + { + publicKey = "@PUBLIC_KEY@"; + allowedIPs = ["10.70.1.2/32"]; + } + { + publicKey = "@PUBLIC_KEY@"; + allowedIPs = ["10.70.1.3/32"]; + } + { + publicKey = "@PUBLIC_KEY@"; + allowedIPs = ["10.70.1.4/32"]; + } + ]; + }; + firewall.allowedUDPPorts = [7070]; + }; + boot = { loader.grub = { enable = true; diff --git a/nixosConfigurations/varda/default.nix b/nixosConfigurations/varda/default.nix index ea1dc3c..340ea8b 100644 --- a/nixosConfigurations/varda/default.nix +++ b/nixosConfigurations/varda/default.nix @@ -5,10 +5,7 @@ with lib; { acme.enable = true; - games.minecraft.server = { - enable = false; # Disabled because no one is playing now. - memory = "6G"; - }; + k3s.enable = true; }; boot = { @@ -47,13 +44,6 @@ with lib; { } ]; - # TODO - services.k3s = { - enable = false; - role = "server"; - extraFlags = "--disable traefik"; - }; - zramSwap = { enable = true; memoryPercent = 25; diff --git a/readme.org b/readme.org index 01cd869..82127a6 100644 --- a/readme.org +++ b/readme.org 
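Review bot: For the four peers in 10.70.1.1–4 to reach each other through `wg70` (the stated LAN-games purpose), the host has to forward between them, and nothing in this hunk enables forwarding or a forward rule — unless `nixfiles.modules.wireguard.server`, whose `enable` gates the whole `networking` block, already does so, which cannot be told from here. If forwarding has to be added, scope it to the tunnel instead of turning on `net.ipv4.ip_forward` host-wide with no filter, e.g. a `networking.firewall.extraCommands` rule that accepts only `-i wg70 -o wg70`. The per-peer `allowedIPs` /32 entries are the right shape; a short comment on `ips = ["10.70.0.1/16"]` explaining why the server claims the whole /16 while peers sit in 10.70.1.0/24 would help. The `networking` set opens and closes within the hunk; the surrounding module function begins outside it.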
@@ -1,34 +1,22 @@ -#+options: ':t *:t -:t ::t <:t H:3 \n:nil ^:t arch:headline author:t -#+options: broken-links:nil c:nil creator:nil d:(not "LOGBOOK") date:t e:t -#+options: email:nil f:t inline:t num:nil p:nil pri:nil prop:nil stat:t tags:t -#+options: tasks:t tex:t timestamp:t title:t toc:t todo:t |:t #+title: nixfiles -#+date: <2022-03-08 Tue> #+author: Azat Bahawi #+email: azat@bahawi.net #+language: en -#+select_tags: export -#+exclude_tags: noexport -#+creator: Emacs 27.2 (Org mode 9.5) -An [[https://en.wikipedia.org/wiki/Infrastructure_as_code][IaC]] recipe for my digital infrastructure. An evolution of the [[https://github.com/azahi/dotfiles][dotfiles]] thingy +An [[https://en.wikipedia.org/wiki/Infrastructure_as_code][IaC]] recipe for my digital infrastructure. An evolution of the [[https://git.azahi.cc/dotfiles][dotfiles]] thingy I had going for several years. -If you stumbled across this repository on GitHub, GitLab and such, the version -you are currently looking at is a /stripped/ down rendition of the actual -*nixfiles* where IP addresses, domain names, secrets and other sensitive -information was removed or replaced with gibberish. This is done so that you can -get a general understanding of how stuff is made without me spilling the beans -too much... pls no pwn. +If you stumbled across this repository online, the version you are currently +looking at is a /stripped/ down rendition of the /actual/ *nixfiles* where IP +addresses, domain names, secrets and other sensitive information was removed or +replaced with gibberish. This is done so that you can get a general +understanding of how stuff is defined without me spilling the beans too much... +pls no pwn. If you are looking to get into declarative configuration management with [[https://nixos.org][NixOS]], I /highly/ suggest to take this repository /only/ as a reference and not just mindlessly copy-paste everything. 
-For help, reach out directly to [[https://azahi.cc][me]], or come by /#nixos/ over at [[https://libera.chat][Libera.Chat]] or -join the official NixOS Matrix [[https://matrix.to/#/#community:nixos.org][server]]. Для русскоязычной поддержки есть -неофициальный Telegram [[https://t.me/ru_nixos][канал]]. - * Inspiration and Credits Big thanks to everyone involved with [[https://github.com/NixOS][Nix/NixOS/Nixpkgs]] and everything around @@ -42,4 +30,4 @@ project: - [[https://github.com/grahamc/nixos-config][grahamc]] - [[https://github.com/gytis-ivaskevicius/nixfiles][gytis-ivaskevicius]] - [[https://github.com/hlissner/dotfiles][hlissner]] -- [[https://github.com/ncfavier/config][ncfavier]] (Also big thanks for shilling and helping out) +- [[https://github.com/ncfavier/config][ncfavier]] -- cgit v1.2.3