From f746ce6790615c38dc6873f884ec009701cb22b1 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Mon, 29 Jul 2024 00:37:54 +0300 Subject: 2024-07-29 --- configurations/default.nix | 1 + configurations/eonwe/default.nix | 1 - flake.lock | 72 ++++---- modules/common/nix.nix | 31 +--- modules/profiles/dev/default.nix | 6 + modules/profiles/headful.nix | 6 + modules/unbound.nix | 350 +++++++++++++++++---------------------- modules/vim.nix | 2 + overlays.nix | 1 - packages/nixfiles.nix | 2 +- 10 files changed, 214 insertions(+), 258 deletions(-) diff --git a/configurations/default.nix b/configurations/default.nix index b45a184..cc160e9 100644 --- a/configurations/default.nix +++ b/configurations/default.nix @@ -68,6 +68,7 @@ mapAttrs' mkConfiguration ( ilmare.modules = with inputs; [ disko.nixosModules.disko + nixos-hardware.nixosModules.common-hidpi nixos-hardware.nixosModules.lenovo-thinkpad-x1-nano nixpkgs.nixosModules.notDetected srvos.nixosModules.desktop diff --git a/configurations/eonwe/default.nix b/configurations/eonwe/default.nix index 6248ff3..74e12af 100644 --- a/configurations/eonwe/default.nix +++ b/configurations/eonwe/default.nix @@ -31,7 +31,6 @@ with lib; anki calibre gimp - iaito kdenlive krita obs-studio diff --git a/flake.lock b/flake.lock index ad38a68..b9ad685 100644 --- a/flake.lock +++ b/flake.lock @@ -67,11 +67,11 @@ ] }, "locked": { - "lastModified": 1718613978, - "narHash": "sha256-iXzxAcovEZHHYUYIWtIJYMpQf96MwasMirMxMKJL5Aw=", + "lastModified": 1721720317, + "narHash": "sha256-KH0ILX8EGa/A4Bgc6DtsbviG8qaLrzDDV1m1bIXJ+pw=", "owner": "dwarfmaster", "repo": "arkenfox-nixos", - "rev": "35e803fa44abfd438c65b64ff2691f3f608cd2d3", + "rev": "92c9a287b7b98198c3ba5cdfc90218402e49c4b3", "type": "github" }, "original": { 
@@ -278,11 +278,11 @@ ] }, "locked": { - "lastModified": 1721417620, - "narHash": "sha256-6q9b1h8fI3hXg2DG6/vrKWCeG8c5Wj2Kvv22RCgedzg=", + "lastModified": 1722028105, + "narHash": "sha256-0ButnGQ1bCMIDblzC6NBSL71Wi6JmHGweI3scoV8CgM=", "owner": "nix-community", "repo": "disko", - "rev": "bec6e3cde912b8acb915fecdc509eda7c973fb42", + "rev": "5b01cea8b5753de9c2febd27203c530be14745ff", "type": "github" }, "original": { @@ -453,11 +453,11 @@ ] }, "locked": { - "lastModified": 1721534365, - "narHash": "sha256-XpZOkaSJKdOsz1wU6JfO59Rx2fqtcarQ0y6ndIOKNpI=", + "lastModified": 1722119539, + "narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=", "owner": "nix-community", "repo": "home-manager", - "rev": "635563f245309ef5320f80c7ebcb89b2398d2949", + "rev": "d0240a064db3987eb4d5204cf2400bc4452d9922", "type": "github" }, "original": { @@ -535,11 +535,11 @@ ] }, "locked": { - "lastModified": 1721525992, - "narHash": "sha256-u1PjXUmaNvDep7KybHfUDBjv/6o6I4gPnAg08wfDE3M=", + "lastModified": 1722130825, + "narHash": "sha256-wT3ujK3g3Ybqj2F7fNIBrEHY4SbEtoiI/mrUUPr//Fs=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "99f81e27c85f67177d89d129cb07529185281fbb", + "rev": "c04c517fc3d5f0d3e577b09b8bc527a18a95b79b", "type": "github" }, "original": { @@ -555,11 +555,11 @@ ] }, "locked": { - "lastModified": 1721531260, - "narHash": "sha256-O72uxk4gYFQDwNkoBioyrR3GK9EReZmexCStBaORMW8=", + "lastModified": 1722136042, + "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "b6db9fd8dc59bb2ccb403f76d16ba8bbc1d5263d", + "rev": "c0ca47e8523b578464014961059999d8eddd4aae", "type": "github" }, "original": { 
@@ -597,11 +597,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1721413321, - "narHash": "sha256-0GdiQScDceUrVGbxYpV819LHesK3szHOhJ09e6sgES4=", + "lastModified": 1722114937, + "narHash": "sha256-MOZ9woPwdpFJcHx3wic2Mlw9aztdKjMnFT3FaeLzJkM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ab165a8a6cd12781d76fe9cbccb9e975d0fb634f", + "rev": "e67b60fb1b2c3aad2202d95b91d4c218cf2a4fdd", "type": "github" }, "original": { @@ -612,11 +612,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1721497942, - "narHash": "sha256-EDPL9qJfklXoowl3nEBmjDIqcvXKUZInt5n6CCc1Hn4=", + "lastModified": 1722141560, + "narHash": "sha256-Ul3rIdesWaiW56PS/Ak3UlJdkwBrD4UcagCmXZR9Z7Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d43f0636fc9492e83be8bbb41f9595d7a87106b8", + "rev": "038fb464fcfa79b4f08131b07f2d8c9a6bcc4160", "type": "github" }, "original": { @@ -643,11 +643,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1721571131, - "narHash": "sha256-zqNz0lmvMFCWmGWAeuId1sR1eAWbb7dvmKtIBowCFw0=", + "lastModified": 1722177403, + "narHash": "sha256-X1wtgrkgLNHLOvOe8deNlQyuFIJKsiBdphTG36DZde4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d3f9997f6c33dd53f492a69e72298782e22e333", + "rev": "480aa424113bfef080198fcdbc0ca3cdd38a6168", "type": "github" }, "original": { @@ -659,11 +659,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1721560568, - "narHash": "sha256-L61BXz7n/yNzOeZ3FqlnUmxj4145JOVeq9fvQTQzbNM=", + "lastModified": 1722176734, + "narHash": "sha256-sB+glJWgjypDGUXWO88FSpd6UEuROlQ5y5I63BH1rfE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "be3ca229c85e978880babdeda9748b14e6aa008f", + "rev": "ed739215d981ac5071ba6d7d568865c43aa2c29f", "type": "github" }, "original": { 
@@ -741,11 +741,11 @@ ] }, "locked": { - "lastModified": 1721263500, - "narHash": "sha256-6l0+MciXkktANuZ+Rwc6BZJxtMi7jHZRiSnzG+xpwyk=", + "lastModified": 1721888498, + "narHash": "sha256-O5/s8e6CL99AQoKEn8k6F99UoJdAzQ8z9LZ7SxFJ3c4=", "owner": "nix-community", "repo": "srvos", - "rev": "ef4f2248e1bbd84a0dd269ab31b9927d9c0bf2e6", + "rev": "27b3a9b23847cb2e716334ee6ad58b82ddc3f7a7", "type": "github" }, "original": { @@ -775,11 +775,11 @@ ] }, "locked": { - "lastModified": 1721478802, - "narHash": "sha256-+WMQs0fMAmpWPsKNgIFQoKLtvS4qtTj+mC++cD1May4=", + "lastModified": 1721989207, + "narHash": "sha256-APKQeMMdh1O1W3OnxEvNfHNBiE4eRvEN6rosFr2dLHE=", "owner": "danth", "repo": "stylix", - "rev": "6f36b27afd7b7ac8664bb62b7b27728540972c82", + "rev": "b9de20c76e8d5c13cf2304d23cf589803c311670", "type": "github" }, "original": { @@ -846,11 +846,11 @@ ] }, "locked": { - "lastModified": 1721525797, - "narHash": "sha256-3XfLw1qXUZVp0WzOfZpUC9kuQDC4pO/FQe+XyBMmA6w=", + "lastModified": 1722130475, + "narHash": "sha256-VT2GvIRL8+nNSQ/XS9N6m42VDBiNDy7Luz3wMHoPLBk=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "7a52354aeb98424039a5a7f1b69b3a93320e7c0d", + "rev": "25a36236f5051034e2085fb3414493c921bb1994", "type": "github" }, "original": { diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 233edda..01b3f01 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix 
@@ -61,14 +61,15 @@ in notSelfInputs = filterAttrs (n: _: n != "self") inputs; in { - daemonCPUSchedPolicy = "idle"; - daemonIOSchedClass = "idle"; - daemonIOSchedPriority = 7; + nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [ + "nixfiles=${config.my.home}/src/nixfiles" + ]; - settings = { - keep-derivations = if this.isHeadful then "true" else "false"; - keep-outputs = if this.isHeadful then "true" else "false"; + registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // { + nixfiles.flake = inputs.self; + }; + settings = { warn-dirty = false; keep-going = true; @@ -86,28 +87,12 @@ in my.username ]; }; - - nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [ - "nixfiles=${config.my.home}/src/nixfiles" - ]; - - registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // { - nixfiles.flake = inputs.self; - }; }; nixpkgs = { config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages; - overlays = with inputs; [ - self.overlays.default - # (_: _prev: with packages; { - # # Global PR package overrides go here. Example: - # # ``` - # # inherit (package.formPR 309018 "sha256-x3ATxjrTVdaX5eo9P6pz+8/W6D2TNYzvjZpOBa3ZRI8=") endlessh-go; - # # ``` - # }) - ]; + overlays = [ inputs.self.overlays.default ]; }; environment = { diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix index 3ee2ff5..61de848 100644 --- a/modules/profiles/dev/default.nix +++ b/modules/profiles/dev/default.nix @@ -62,6 +62,7 @@ in htmlq httpie hydra-check + iaito jq logcli nix-update @@ -89,6 +90,11 @@ in package = pkgs.wireshark; }; + nix.settings = { + keep-derivations = true; + keep-outputs = true; + }; + my.extraGroups = [ "kvm" "wireshark" diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix index 7d6d00f..39f4e98 100644 --- a/modules/profiles/headful.nix +++ b/modules/profiles/headful.nix 
@@ -98,6 +98,12 @@ in hardware.graphics.enable = true; + nix = { + daemonCPUSchedPolicy = "idle"; + daemonIOSchedClass = "idle"; + daemonIOSchedPriority = 7; + }; + programs = { dconf.enable = true; iftop.enable = true; diff --git a/modules/unbound.nix b/modules/unbound.nix index d10096d..dae47f8 100644 --- a/modules/unbound.nix +++ b/modules/unbound.nix 
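Review bot: `daemonIOSchedPriority = 7;` in the new `nix` block has no effect beside `daemonIOSchedClass = "idle";`: the idle I/O class has no priority levels (if I recall the NixOS option description correctly, it states that priorities are ignored with idle and only used with best-effort), so the line is dead configuration that invites a later reader to think it tunes something. Either drop it or keep it with a comment such as `# ignored with the idle class; only meaningful for best-effort`. The three settings are moved here verbatim from modules/common/nix.nix, so this is a pre-existing nit rather than a regression introduced by the move.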
@@ -21,216 +21,174 @@ in }; }; - config = - let - adblock-conf = "${config.services.unbound.stateDir}/adblock.conf"; - in - mkIf cfg.enable { - ark.directories = [ config.services.unbound.stateDir ]; - - nixfiles.modules.redis.enable = true; - - services = { - unbound = { - enable = true; - - package = pkgs.unbound-with-systemd.override { - withRedis = true; - withTFO = true; - }; + config = mkIf cfg.enable { + ark.directories = [ config.services.unbound.stateDir ]; + + nixfiles.modules.redis.enable = true; - checkconf = false; - settings = { - server = { - interface = with this.wireguard; [ - "127.0.0.1" - "::1" - ipv4.address - ipv6.address - ]; - - local-zone = concatLists ( - mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations - ); - local-data = concatLists ( - mapAttrsToList ( - hostname: - let - domain = "${hostname}.${cfg.domain}"; - in - attr: - (optionals (hasAttr "wireguard" attr) ( - with attr.wireguard; - [ - "\"${domain} 604800 IN A ${ipv4.address}\"" - "\"${domain} 604800 IN AAAA ${ipv6.address}\"" - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ] - ++ concatMap (domain: [ - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. 
AAAA ${ipv6.address}\"" - ]) attr.domains - )) - ) my.configurations - ); - local-data-ptr = concatLists ( - mapAttrsToList ( - hostname: - let - domain = "${hostname}.${cfg.domain}"; - in - attr: - (optionals (hasAttr "wireguard" attr) ( - with attr.wireguard; - [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ] - ++ concatMap (domain: [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ]) attr.domains - )) - ) my.configurations - ); - - private-domain = map (domain: "${domain}.") [ - cfg.domain - "local" - ]; - private-address = with config.nixfiles.modules.wireguard; [ - ipv4.subnet - ipv6.subnet - ]; - - access-control = with config.nixfiles.modules.wireguard; [ - "0.0.0.0/0 refuse" - "::/0 refuse" - "127.0.0.0/8 allow" - "::1/128 allow" - "${ipv4.subnet} allow" - "${ipv6.subnet} allow" - ]; - - cache-min-ttl = 0; - - serve-expired = true; - serve-expired-reply-ttl = 0; - - prefetch = true; - prefetch-key = true; - - hide-identity = true; - hide-version = true; - - extended-statistics = true; - - log-replies = false; - log-tag-queryreply = false; - log-local-actions = false; - - verbosity = 0; - - include = ''"${adblock-conf}"''; - }; - - forward-zone = [ - { - name = "."; - forward-tls-upstream = true; - forward-addr = - let - mkDnsOverTls = - ips: auth: - map ( - ip: - concatStrings [ - ip - "@" - auth - ] - ) ips; - in - mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net"; - } + services = { + unbound = { + enable = true; + + package = pkgs.unbound-with-systemd.override { + withRedis = true; + withTFO = true; + }; + + checkconf = true; + settings = { + server = { + module-config = ''"respip validator iterator"''; + + interface = with this.wireguard; [ + "127.0.0.1" + "::1" + ipv4.address + ipv6.address ]; - cachedb = with config.services.redis.servers.default; { - backend = "redis"; - redis-server-host = bind; - redis-server-port = port; - }; - }; + local-zone = concatLists ( + mapAttrsToList (h: _: [ 
"\"${h}.${cfg.domain}\" redirect" ]) my.configurations + ); + local-data = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${domain} 604800 IN A ${ipv4.address}\"" + "\"${domain} 604800 IN AAAA ${ipv6.address}\"" + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ] + ++ concatMap (domain: [ + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ]) attr.domains + )) + ) my.configurations + ); + local-data-ptr = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ] + ++ concatMap (domain: [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ]) attr.domains + )) + ) my.configurations + ); + + private-domain = map (domain: "${domain}.") [ + cfg.domain + "local" + ]; + private-address = with config.nixfiles.modules.wireguard; [ + ipv4.subnet + ipv6.subnet + ]; - enableRootTrustAnchor = true; + access-control = with config.nixfiles.modules.wireguard; [ + "0.0.0.0/0 refuse" + "::/0 refuse" + "127.0.0.0/8 allow" + "::1/128 allow" + "${ipv4.subnet} allow" + "${ipv6.subnet} allow" + ]; - localControlSocketPath = "/run/unbound/unbound.socket"; - }; + cache-min-ttl = 0; - prometheus.exporters.unbound = { - enable = true; - listenAddress = mkDefault this.wireguard.ipv4.address; - port = 9167; - inherit (config.services.unbound) group user; - unbound.host = "unix://${config.services.unbound.localControlSocketPath}"; - }; - }; + serve-expired = true; + serve-expired-reply-ttl = 0; + + prefetch = true; + prefetch-key = true; - systemd = { - services = { - unbound.after = [ "unbound-adblock-update.service" ]; - - unbound-adblock-update = { - serviceConfig = with config.services.unbound; { - Type = 
"oneshot"; - User = user; - Group = group; - ExecStart = getExe ( - pkgs.writeShellApplication { - name = "unbound-adblock-update"; - runtimeInputs = [ - pkgs.curl - package - ]; - text = '' - curl \ - -s \ - -o ${adblock-conf} \ - "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf" - - if [[ -f "${localControlSocketPath}" ]]; then - unbound-control reload - fi - ''; - } - ); - }; + hide-identity = true; + hide-version = true; + + extended-statistics = true; + + log-replies = false; + log-tag-queryreply = false; + log-local-actions = false; + + verbosity = 0; }; - }; - timers.unbound-adblock-update = { - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; - Unit = "unbound-adblock-update.service"; + forward-zone = [ + { + name = "."; + forward-tls-upstream = true; + forward-addr = + let + mkDnsOverTls = + ips: auth: + map ( + ip: + concatStrings [ + ip + "@" + auth + ] + ) ips; + in + mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net"; + } + ]; + + cachedb = with config.services.redis.servers.default; { + backend = "redis"; + redis-server-host = bind; + redis-server-port = port; + }; + + rpz = { + name = "hagezi.pro"; + zonefile = "hagezi.pro"; + url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; }; - wantedBy = [ "timers.target" ]; }; + + enableRootTrustAnchor = true; + + localControlSocketPath = "/run/unbound/unbound.socket"; + }; + + prometheus.exporters.unbound = { + enable = true; + listenAddress = mkDefault this.wireguard.ipv4.address; + port = 9167; + inherit (config.services.unbound) group user; + unbound.host = "unix://${config.services.unbound.localControlSocketPath}"; }; + }; - boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3; + boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3; - topology = with cfg; { - nodes.${this.hostname}.services.unbound = { - name = "Unbound"; - 
icon = "${inputs.homelab-svg-assets}/assets/unbound.svg"; - details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") ( - filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface - ); - }; + topology = with cfg; { + nodes.${this.hostname}.services.unbound = { + name = "Unbound"; + icon = "${inputs.homelab-svg-assets}/assets/unbound.svg"; + details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") ( + filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface + ); }; }; + }; } diff --git a/modules/vim.nix b/modules/vim.nix index ecd1336..f1dba85 100644 --- a/modules/vim.nix +++ b/modules/vim.nix @@ -35,6 +35,8 @@ in set clipboard^=unnamed endif + set viminfo= + set diffopt+=iwhite set hidden set lazyredraw diff --git a/overlays.nix b/overlays.nix index 9e12522..e0cbf24 100644 --- a/overlays.nix +++ b/overlays.nix @@ -94,6 +94,5 @@ with packages; }; inherit (fromPR 328633 "sha256-TL0DkMGm0SXdkSRNa9LtpCFLgX3RLAqujTIJkW0nb+E=") soju; - inherit (fromPR 326898 "sha256-BLHeK1MNWQQXOwL2UkBj4OitBeg6D693lIKQbS+4hPk=") packcc; }; } diff --git a/packages/nixfiles.nix b/packages/nixfiles.nix index e1dc0e4..7a4c3db 100644 --- a/packages/nixfiles.nix +++ b/packages/nixfiles.nix @@ -153,7 +153,7 @@ let __complete_nix_cmd "$cword" nix flake lock "$nixfiles" --update-input ;; repl|eval|nix-build) - compreply -W '-w --wip' + __compreply -W '-w --wip' ;;& repl) __complete_nix_cmd 2 nix repl ~/.nix-defexpr -- cgit 1.4.1
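Review bot: `module-config = ''"respip validator iterator"'';` in the new `server` block does not list `cachedb`, so the `cachedb` section further down (Redis backend taken from `config.services.redis.servers.default`), the `withRedis = true` package override and `nixfiles.modules.redis.enable = true` all describe a module that Unbound never loads — unless `module-config` is merged in from another module, the shared cache is inert. If the Redis cache is intended, the line should read `module-config = ''"respip validator cachedb iterator"'';`. The RPZ policy is now pulled from `https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt`, a floating `@latest` ref whose content becomes resolver policy for every client on the WireGuard subnets, and Unbound's https zone download is authenticated only through `tls-cert-bundle`, so confirm that option is set in this deployment (the NixOS module appears to default it to the system CA bundle). With `verbosity = 0` and `log-local-actions = false` every RPZ rewrite is silent; adding `rpz-log = true;` and `rpz-log-name = "hagezi.pro";` next to `url` would leave a journal record of what the zone blocked or redirected. The `config = mkIf cfg.enable {` block is fully inside the hunk, but the enclosing module (its `options` and `let` header) starts above it.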
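Review bot: `set viminfo=` carries no comment explaining the intent, and an empty viminfo silently changes user-visible behaviour (no persisted registers, command or search history, or marks across sessions), which a later reader of the vimrc may take for an incomplete line. A one-line comment above it, `" empty viminfo: keep registers and history off disk`, records the privacy choice. The neighbouring `set diffopt+=iwhite` is self-explanatory and needs none.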