chn/nixos
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixos.git synced 2026-01-12 04:59:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: chn:nginx
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire
...
compare: chn:1a463ee71663a1f291702013b3b9c0f5c561b4bf
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire

235 Commits
nginx ... 1a463ee716

Author SHA1 Message Date
chn
1a463ee716 add znver4 support 2024-01-06 14:10:12 +08:00
chn
78a0a55bed localPackages: update misskey 2024-01-06 13:06:36 +08:00
chn
2a465b55ec modules.system: fstrim set to weekly (default) 2024-01-05 12:41:58 +08:00
chn
ea3f4bb00c modules.system: remove versionSuffix 2024-01-05 12:26:40 +08:00
chn
bbf601f5a8 modules.packages.desktop-fat.steam: replace chinese comment 2024-01-04 22:32:54 +08:00
chn
8543130661 packages.desktop: add firefoxpwa 2024-01-03 23:01:04 +08:00
chn
aa93dd53b6 packages.server.ssh: prefer askPassword 2024-01-03 22:43:28 +08:00
chn
0031080837 system.kernel: enable preempt as default 2024-01-02 22:21:05 +08:00
chn
d3f38c3b55 packages.server: enable gpg 2023-12-31 10:46:57 +08:00
chn
0c49c71899 services.nginx.applications.main: fix 2023-12-29 20:22:21 +08:00
chn
b0e543d324 packages.server.ssh: enable ssh agent forward 2023-12-29 20:22:02 +08:00
chn
51c8a516ff packages.server: remove gnupg agent 2023-12-29 15:33:06 +08:00
chn
f3c8017959 Revert "try to enable codex" 
This reverts commit 3867469fc5.
 2023-12-28 21:04:45 +08:00
chn
3867469fc5 try to enable codex 2023-12-28 21:03:38 +08:00
chn
f23f7101e4 update zsh-lsd 2023-12-28 12:55:18 +08:00
chn
8eea6ffdc3 packages.server.zsh: remove zsh-nix-shell 2023-12-28 12:29:35 +08:00
chn
729df7ab63 update misskey 2023-12-28 11:05:52 +08:00
chn
c1737fcb08 packages.server.ssh: set askPassword to systemd-ask-password 2023-12-27 17:42:53 +08:00
chn
50862f0e33 users.chn: add forwardAgent 2023-12-27 17:18:04 +08:00
chn
5b30aebfae services.frpClient: stcp allow all users 2023-12-27 15:11:15 +08:00
chn
f5e82ee889 localPackages.misskey: use nodejs 21 2023-12-25 20:50:42 +08:00
chn
a6241a201a try to fix pc power bug 2023-12-25 20:50:15 +08:00
chn
db3571b8e5 revert nodejs update 2023-12-25 20:46:27 +08:00
chn
bd6a867ab3 localPackages.misskey: use nodejs 20 2023-12-24 22:46:33 +08:00
chn
045de2b18e update nodejs 2023-12-24 22:45:26 +08:00
chn
501df43b0c services.misskey: increase statement_timeout 2023-12-24 14:58:20 +08:00
chn
fee1f32a0a localPackages.misskey: remove re2 2023-12-24 14:40:27 +08:00
chn
71c4426e53 Merge branch 'misskey' 2023-12-24 09:22:30 +08:00
chn
7cd03dd163 packages.server: add hexo-cli 2023-12-23 22:43:39 +08:00
chn
4941582aec update misskey 2023-12-23 22:42:04 +08:00
chn
29fef229d8 Revert "system: try to fix ipv6" 
This reverts commit 303d67ca06.
 2023-12-23 15:31:44 +08:00
chn
303d67ca06 system: try to fix ipv6 2023-12-23 10:03:09 +08:00
chn
3732d19de0 packages.server.ssh: auto cd in jykang 2023-12-22 11:39:10 +08:00
chn
26eec4d375 packages.server: split zsh 2023-12-22 11:38:56 +08:00
chn
ac362289de services.synapse: fix 2023-12-20 16:20:23 +08:00
chn
3bb5e840e7 services.synapse: fix 2023-12-20 15:26:35 +08:00
chn
8b3ef05d3b services.nginx.applications.main: fix alias 2023-12-20 15:14:51 +08:00
chn
0fd63c01f7 services.synapse: fix 2023-12-20 14:39:23 +08:00
chn
61c644a4b1 services.synapse: enable sliding sync 2023-12-20 14:33:14 +08:00
chn
788709aac9 services.synapse: fix 2023-12-20 12:33:17 +08:00
chn
f5053ae284 services.postgresql: add initializeFlags 2023-12-20 12:23:05 +08:00
chn
6a6625d585 system.kernel: port some change from xddxdd/nur-packages 2023-12-20 11:31:12 +08:00
chn
69c528a03d switch back to xanmod 2023-12-20 11:04:40 +08:00
chn
6c496b7b8e services.postgresql: fix locale setting 2023-12-19 22:09:35 +08:00
chn
13652e7c0e services.synapse: correct locale 2023-12-19 22:07:27 +08:00
chn
2160e453eb services.postgresql: allow set locale 2023-12-19 22:06:41 +08:00
chn
71acf32da3 vps7: enable second synapse instance 2023-12-19 21:43:48 +08:00
chn
aac7bad20a packages.workstation: add nheko 2023-12-19 21:19:27 +08:00
chn
1d9a3ad2c0 enable laptop-mode 2023-12-19 18:56:08 +08:00
chn
f55576883c system.kernel: switch to zen 2023-12-19 18:36:45 +08:00
chn
e71a08586d Revert "Revert "drop acpi workaround"" 
This reverts commit 8c2b6530a6.
 2023-12-19 13:43:28 +08:00
chn
8c2b6530a6 Revert "drop acpi workaround" 
This reverts commit 72e1e0140a.
 2023-12-19 13:29:17 +08:00
chn
38d3d8c7df update kernel 2023-12-19 12:56:24 +08:00
chn
72e1e0140a drop acpi workaround 2023-12-19 12:51:43 +08:00
chn
59dbfaa70f add acpi workaround 2023-12-18 21:04:42 +08:00
chn
75e2b84c4c Revert "nvidia: do not add modules to initrd" 
This reverts commit 45ec3e74b7.
 2023-12-18 20:25:35 +08:00
chn
9cfd30db6a Revert "hardware: gpu drivers should not be in initrd" 
This reverts commit 02a2d399d6.
 2023-12-18 20:24:40 +08:00
chn
02a2d399d6 hardware: gpu drivers should not be in initrd 2023-12-18 20:08:24 +08:00
chn
eb25e31c70 always apply embree patch 2023-12-18 14:04:39 +08:00
chn
6265e41ca7 revert some nvidia config 2023-12-17 22:46:58 +08:00
chn
6f36cfe007 services.akkoma: init 2023-12-17 22:43:54 +08:00
chn
b8abc4a326 services.nginx.https: allow custom TLS certificate 2023-12-17 21:42:57 +08:00
chn
59b053886b services.synapse: enable redis 2023-12-17 19:52:12 +08:00
chn
1769069057 synapse 支持多实例 2023-12-17 19:44:40 +08:00
chn
9801e53230 services.gitea: fix ssh 2023-12-17 14:41:00 +08:00
chn
9ea81dfe9e services.gitea: fix ssh 2023-12-17 14:10:16 +08:00
chn
c6c9bbafae services.gitea: fix 2023-12-17 13:46:29 +08:00
chn
f906e9d556 services.gitea: init 2023-12-17 13:37:15 +08:00
chn
4ffd5aebd5 move wireguard peer config to top level 2023-12-17 12:10:45 +08:00
chn
8724c23fde fix watchfiles 2023-12-17 11:50:40 +08:00
chn
808058596f xmupc1: do not build firefox 2023-12-17 11:44:32 +08:00
chn
36b37daf2e packages.desktop.vscode: remove copilot-labs 2023-12-17 10:50:42 +08:00
chn
45ec3e74b7 nvidia: do not add modules to initrd 2023-12-17 10:49:22 +08:00
chn
f5724e10a4 pc: fix power down on load graphic driver 2023-12-17 01:10:00 +08:00
chn
183d805a8f services.gitlab: currently disable ssh 2023-12-16 22:29:02 +08:00
chn
ca7668cbd5 services.gitlab: change hostname, enable ssh and lfs 2023-12-16 21:16:56 +08:00
chn
2462e85b70 pc: disable XHCI wakeup 2023-12-16 20:34:30 +08:00
chn
a6b4077114 packages.desktop-fat: add fluffychat 2023-12-16 13:42:19 +08:00
chn
e5b13ace75 add chn.moe 2023-12-15 21:01:29 +08:00
chn
b861d7bfb9 fix tmpfiles permission 2023-12-15 20:26:04 +08:00
chn
2d8c36d108 fix wireguard port 2023-12-15 12:40:28 +08:00
chn
9ec9597421 services.fz-new-order: fix permission 2023-12-15 12:38:39 +08:00
chn
469919c75a services.wireguard: auto deduce port 2023-12-14 23:34:03 +08:00
chn
9e14036e57 system.gui: default coincide with packages._packageSets 2023-12-14 23:28:30 +08:00
chn
839e56e52c init xmupc1 2023-12-14 23:24:20 +08:00
chn
087b4f0a7f yoga: try to fix touch keyboard in initrd 2023-12-13 22:20:29 +08:00
chn
99b891a4cb packages.server.ssh: remove internal hostnames 2023-12-13 12:33:56 +08:00
chn
73d6b46a4b vps7: fix wireguard private key 2023-12-13 12:01:16 +08:00
chn
d15794e7b1 yoga: prefer gui 2023-12-12 23:40:10 +08:00
chn
417e924b04 add yogabook module to initrd 2023-12-12 23:30:43 +08:00
chn
f4d12652c2 fix 2023-12-12 00:18:03 +08:00
chn
219d3fbb20 整理 flake.nix 2023-12-11 19:19:36 +08:00
chn
d44a9c4ddb add ventoy-full 2023-12-11 17:29:51 +08:00
chn
266692c74a remove pe 2023-12-11 17:27:26 +08:00
chn
c1a8043322 install pe 2023-12-11 17:05:29 +08:00
chn
d330f60909 add exfatprogs 2023-12-11 13:48:47 +08:00
chn
2b16dde96d move some packages to workstation 2023-12-10 15:20:04 +08:00
chn
6369cf7842 use fixed uid 2023-12-09 20:01:50 +08:00
chn
0dff3a17c0 fix libreoffice 2023-12-09 10:53:51 +08:00
chn
05dddf63b1 system.security.sudo: enable pwfeedback 2023-12-08 21:41:53 +08:00
chn
73c29c5f82 Merge branch 'main' into native 2023-12-08 20:46:14 +08:00
chn
d6b6f449b8 vps7: disable nebula, enable wireguard 2023-12-08 20:25:39 +08:00
chn
1b0d9e9a2d fix zip 2023-12-08 16:43:23 +08:00
chn
625bcaf448 分离vscode的配置 2023-12-08 13:09:17 +08:00
chn
7bfbc43a50 packages.desktop.vscode: add markdown-preview-enhanced 2023-12-08 13:04:50 +08:00
chn
2463a8c1af fix 2023-12-08 12:12:53 +08:00
chn
b9fa645334 plasmamanager: init 2023-12-08 00:46:29 +08:00
chn
78b132cc58 fix pe build 2023-12-07 22:03:20 +08:00
chn
608774790b pe: init 2023-12-07 21:20:25 +08:00
chn
9ccb3d3316 build everything from source 2023-12-07 21:12:01 +08:00
chn
a0f7af141a services.nginx.transparentProxy: default listen on all interfaces 2023-12-07 20:00:22 +08:00
chn
f65433eb1e services.wireguard: fix firewall 2023-12-07 19:48:03 +08:00
chn
a9d0f4d8f9 整理ssh 2023-12-07 18:15:06 +08:00
chn
651604da94 disable nebula for pc and nas 2023-12-07 17:53:35 +08:00
chn
bb3d4db6f5 nas: enable wireguard 2023-12-07 17:46:59 +08:00
chn
7dfcd83071 services.wireguard: fix collision with xray 2023-12-07 17:44:14 +08:00
chn
b1d885f62c services.wireguard: init 2023-12-07 17:30:12 +08:00
chn
cb849daf0a move default secrets to subdirs 2023-12-07 16:28:19 +08:00
chn
66ba4864a7 packages.server: add wireguard-tools 2023-12-07 16:19:24 +08:00
chn
9a4aaedb9a add pix2tex 2023-12-07 12:58:07 +08:00
chn
902fd30be8 auto optimize store as default 2023-12-07 00:01:13 +08:00
chn
e12d3a7349 fix 2023-12-06 22:28:12 +08:00
chn
b767b11e8a pc: do not replace tensorflow 2023-12-06 22:24:32 +08:00
chn
b5eeef1147 enhance cuda support 2023-12-06 22:23:31 +08:00
chn
e07abc0ad5 packages.server: enable yazi 2023-12-06 14:52:01 +08:00
chn
07050cd9cd packages.server: enable mosh 2023-12-06 14:44:27 +08:00
chn
9097917855 fix mirism 2023-12-06 11:45:57 +08:00
chn
18e9922846 fix xdg-desktop-portal 2023-12-06 09:39:35 +08:00
chn
11058dc731 update rsshub 2023-12-05 23:25:01 +08:00
chn
8872c18810 use optimized fastfetch 2023-12-05 23:19:50 +08:00
chn
8c3d74abaf fix xdg-desktop-portal 2023-12-05 23:16:14 +08:00
chn
d83062faf0 fix fwupd 2023-12-05 19:10:02 +08:00
chn
87eb5cb8fc 分割配置文件 2023-12-05 16:40:40 +08:00
chn
1faa6103ca packages.chromium: 增加沉浸式翻译插件 2023-12-05 16:04:38 +08:00
chn
38c419f291 system.gui.fcitx5: add more themes 2023-12-05 15:52:04 +08:00
chn
a5ddab766b 铜锣湾实验室直接从本地访问 2023-12-05 14:45:56 +08:00
chn
a0c9b62c0e Revert "services.xray: nebula do not bypass" 
This reverts commit 5a30ebe7b6.
 2023-12-05 14:41:05 +08:00
chn
5a30ebe7b6 services.xray: nebula do not bypass 2023-12-05 12:24:18 +08:00
chn
6fd53808e6 remove trace 2023-12-05 11:43:08 +08:00
chn
e372278343 fix gdal 2023-12-05 10:55:37 +08:00
chn
d13364fa42 fix latex 2023-12-05 10:53:11 +08:00
chn
666990c1a9 替换更多包 2023-12-05 10:27:12 +08:00
chn
13363f42a1 缩减行数 2023-12-04 21:41:23 +08:00
chn
f642e11739 update flake.lock 2023-12-04 21:39:19 +08:00
chn
ed6b68eb89 vim use optimized version 2023-12-04 21:38:27 +08:00
chn
396ee9fc73 use localPackages.esbonio instead of esbonio 2023-12-04 21:38:08 +08:00
chn
44ae89efee nixpkgs: allow to replace tensorflow 2023-12-04 21:20:32 +08:00
chn
36e1faee0c fix eval 2023-12-04 18:26:27 +08:00
chn
1080a2dacf 整理 nixpkgs 2023-12-04 17:27:47 +08:00
chn
f9e35b8837 do not build with ccache 2023-12-04 11:41:29 +08:00
chn
dfad8c1df7 add logseq 2023-12-03 14:43:19 +08:00
chn
6444e76b49 fix pygls 2023-12-02 22:20:58 +08:00
chn
c2864ad7a0 fix pygls 2023-12-02 21:55:14 +08:00
chn
136d02b0eb packages: add autograd 2023-12-02 17:04:47 +08:00
chn
97158555e4 packages.vscode: add restrucuredtext 2023-12-02 15:34:50 +08:00
chn
3deeb55dbd fix nextcloud 
update everything
 2023-12-02 10:52:42 +08:00
chn
2184dfa34f disable ccache for tensorflow 2023-11-30 23:18:11 +08:00
chn
94d74eac46 enable ccache for multiple packages 2023-11-30 22:44:06 +08:00
chn
2bf0d49e52 ccache: move cache to /var/lib/ccache 2023-11-30 20:21:06 +08:00
chn
73ddbd00a9 fix chromium build with ccache 2023-11-30 20:14:49 +08:00
chn
1deffccf00 enable ccache for chromium 2023-11-30 14:47:38 +08:00
chn
bac20eae3e upate everything 2023-11-30 14:15:26 +08:00
chn
6057c5079f remove touchix 2023-11-29 02:19:41 +08:00
chn
2ab7119ea9 fix nextcloud twofactor_webauthn url 2023-11-29 01:30:41 +08:00
chn
56a34a9f73 update everything 2023-11-29 01:07:20 +08:00
chn
693967cf49 system.kernel: remove preempt patch 2023-11-27 02:22:08 +08:00
chn
d273fd6046 update rsshub 2023-11-26 01:07:32 +08:00
chn
73a509b1ba remove unused packages 2023-11-26 01:07:18 +08:00
chn
df7ff0516c Merge branch 'main' into next 2023-11-25 23:05:24 +08:00
chn
2b3c0e61c5 add emacs 2023-11-25 22:33:21 +08:00
chn
47406cd0a5 update 2023-11-24 11:12:05 +08:00
chn
36a702a9a2 Merge branch 'main' into next 2023-11-24 11:08:10 +08:00
chn
b42024378b add aircrack-ng 2023-11-23 23:53:13 +08:00
chn
7f68855c7d users: fix 2023-11-23 02:04:47 +08:00
chn
38c7491640 services.mastodon: fix 2023-11-22 22:00:58 +08:00
chn
18ca4d7a00 services.nextcloud: update apps 2023-11-22 21:48:23 +08:00
chn
d52d0e3139 services.mastodon: fix 2023-11-22 21:35:47 +08:00
chn
fecf4816dc packages: move some packages from desktop to desktop-fat 2023-11-22 20:54:03 +08:00
chn
3d92e9e593 localPackages.mirism: fix 2023-11-22 20:48:12 +08:00
chn
d54d37b8f2 minor fixes 2023-11-22 20:12:41 +08:00
chn
44e843ae5f exa -> eza 2023-11-22 16:42:31 +08:00
chn
ec07725983 fix pnpm2nix 2023-11-22 16:40:38 +08:00
chn
bc40195d0f yoga: add to default 2023-11-22 13:49:45 +08:00
chn
7561442593 done some todo 2023-11-22 11:58:58 +08:00
chn
b240f8d04c update meilisearch 2023-11-22 11:48:39 +08:00
chn
10691aa076 remove unnecessary unstablePackages 2023-11-22 11:41:36 +08:00
chn
8599296ff5 update inputs 2023-11-22 11:39:30 +08:00
chn
86e89c7310 use archived branch 2023-11-22 10:57:38 +08:00
chn
367c78abd7 move some packages 2023-11-22 10:48:00 +08:00
chn
50025a78a1 hardware.cpu: add some intel modules 2023-11-22 01:48:09 +08:00
chn
7c08aa5b05 system.impermanence: fix /srv mount 2023-11-21 22:03:47 +08:00
chn
24727ea5f0 services.fail2ban: add ignoreIP 2023-11-21 20:52:46 +08:00
chn
04d411d16f services.fail2ban: init 2023-11-21 20:44:31 +08:00
chn
84a2bc2eac system.impermanence: write journal to nodatacow 2023-11-21 20:06:48 +08:00
chn
616a366221 services.grafana: init 2023-11-21 00:05:26 +08:00
chn
757f0f63bf services.gitlab: add email_from option 2023-11-20 22:25:47 +08:00
chn
083cf9524c services.gitlab: fix port number 2023-11-20 22:23:45 +08:00
chn
19729fb334 services.gitlab: fix smtp 2023-11-20 22:09:41 +08:00
chn
da4a7e33ff typo 2023-11-20 20:53:34 +08:00
chn
ff5780ca42 services.gitlab: fix nginx 2023-11-20 20:51:57 +08:00
chn
9bdb9c8293 services.nextcloud: run nextcloud-setup after postgresql 2023-11-20 20:46:29 +08:00
chn
f51f9c9992 services.gitlab: init 2023-11-20 20:15:53 +08:00
chn
f5777bc89d services.gitlab: prepare 2023-11-20 15:03:02 +08:00
chn
54f2458f69 services.mastodon: add package to system 2023-11-19 22:52:06 +08:00
chn
d0ff526f82 fix mastodon 2023-11-19 22:44:06 +08:00
chn
e7708c5647 services.gitlab: preprare 2023-11-19 22:01:36 +08:00
chn
c38d84a1b1 services.mastodon: init 2023-11-19 20:47:52 +08:00
chn
4e44953e75 typo 2023-11-19 17:44:07 +08:00
chn
be8cf779c9 change some default settings 2023-11-19 17:33:38 +08:00
chn
3209e0aa60 users: 分离各个用户的配置 2023-11-19 17:15:44 +08:00
chn
7bba7613a2 add plasma-manager 2023-11-19 16:38:21 +08:00
chn
e78c263248 system.fileSystems: set delay to 2 day 2023-11-19 08:29:15 +08:00
chn
3ab09c31bb mastodon: prepare 2023-11-19 06:38:05 +08:00
chn
ae468cb654 fix 2023-11-19 02:35:06 +08:00
chn
2615d82fea nginx.applications.webdav: allow multiple instances 2023-11-19 02:32:07 +08:00
chn
3d2ad2e800 update misskey 2023-11-17 22:35:15 +08:00
chn
15e9cf917e nas: add webdav 2023-11-17 22:11:36 +08:00
chn
b0619ec108 fix xray error 2023-11-16 16:10:46 +08:00
chn
3c29b08a08 add blog catalog 2023-11-16 16:06:52 +08:00
chn
ed794ac95f 缩减行数 2023-11-16 15:51:47 +08:00
chn
17a462ad04 fix mirism path 2023-11-16 14:45:53 +08:00
chn
994360d473 dnsmasq: fix dns 2023-11-16 14:43:16 +08:00
chn
c32cff7349 nginx: fix path 2023-11-16 14:09:23 +08:00
chn
97468b121b add mirism 2023-11-16 13:58:59 +08:00
chn
8cbad5dc58 add httpapi 2023-11-16 13:18:21 +08:00
chn
790aa5fa2e add crunch hashcat 2023-11-16 12:09:11 +08:00
chn
3cfedc26c9 add john 2023-11-16 12:06:53 +08:00
chn
d2479b229e nginx.webdav: restrict write path 2023-11-16 11:57:02 +08:00
chn
87684a981d packages.ssh: add some hostname 2023-11-16 11:35:03 +08:00
chn
3386b3bd2b nginx: fix permission 2023-11-15 22:09:44 +08:00
chn
86cb0a4d85 add webdav 2023-11-15 21:37:20 +08:00
chn
7c96745618 nginx: add charset 2023-11-15 20:59:27 +08:00
chn
2a515f2a9b add kkmeeting 2023-11-15 20:42:42 +08:00
chn
5f4fea3df6 Merge branch 'nginx' 2023-11-15 19:48:38 +08:00
chn
d9c956bca1 init fz-new-order 2023-11-15 14:20:56 +08:00
128 changed files with 5059 additions and 2237 deletions
Expand all files Collapse all files

22
.sops.yaml
View File

@@ -4,44 +4,40 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6 - &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
- &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902 - &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
- &yoga age1qrea4twxdhd7fnvlq5v45528c90qy6hp2wa55kghsxzgut6n6fxs7w6u42 - &yoga age1qrea4twxdhd7fnvlq5v45528c90qy6hp2wa55kghsxzgut6n6fxs7w6u42
- &pe age1cahahn9hp265dkhduaec65vugk8fct2vt9ur6y54m4mgmyx4v4fq0etjhv
- &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3 - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
- &xmupc1 age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
creation_rules: creation_rules:
- path_regex: secrets/pc\.yaml$ - path_regex: secrets/pc/.*$
key_groups: key_groups:
- age: - age:
- *chn - *chn
- *pc - *pc
- path_regex: secrets/vps6\.yaml$ - path_regex: secrets/vps6/.*$
key_groups: key_groups:
- age: - age:
- *chn - *chn
- *vps6 - *vps6
- path_regex: secrets/vps4\.yaml$ - path_regex: secrets/vps7/.*$
key_groups:
- age:
- *chn
- path_regex: secrets/vps7\.yaml$
key_groups: key_groups:
- age: - age:
- *chn - *chn
- *vps7 - *vps7
- path_regex: secrets/nas\.yaml$ - path_regex: secrets/nas/.*$
key_groups: key_groups:
- age: - age:
- *chn - *chn
- *nas - *nas
- path_regex: secrets/xmupc1\.yaml$ - path_regex: secrets/xmupc1/.*$
key_groups: key_groups:
- age: - age:
- *chn - *chn
- path_regex: secrets/yoga\.yaml$ - path_regex: secrets/yoga/.*$
key_groups: key_groups:
- age: - age:
- *chn - *chn
- *yoga - *yoga
- path_regex: secrets/pe\.yaml$ - path_regex: secrets/xmupc1/.*$
key_groups: key_groups:
- age: - age:
- *chn - *chn
- *pe - *xmupc1

726
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

392
flake.nix
View File

@@ -3,26 +3,26 @@
inputs = inputs =
{ {
nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.05"; nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
home-manager = { url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; nixpkgs-2305.url = "github:CHN-beta/nixpkgs/nixos-23.05";
home-manager = { url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; };
sops-nix = sops-nix =
{ {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; }; inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
}; };
touchix = { url = "github:CHN-beta/touchix"; inputs.nixpkgs.follows = "nixpkgs"; };
aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
nur.url = "github:nix-community/NUR"; nur.url = "github:nix-community/NUR";
nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; }; nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; };
nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; }; nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-vscode-extensions = nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-alien =
{ {
url = "github:nix-community/nix-vscode-extensions?rev=50c4bce16b93e7ca8565d51fafabc05e9f0515da"; url = "github:thiagokokada/nix-alien";
inputs.nixpkgs.follows = "nixpkgs"; inputs = { nixpkgs.follows = "nixpkgs"; nix-index-database.follows = "nix-index-database"; };
}; };
nix-alien = { url = "github:thiagokokada/nix-alien"; inputs.nix-index-database.follows = "nix-index-database"; };
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
qchem = { url = "github:Nix-QChem/NixOS-QChem"; inputs.nixpkgs.follows = "nixpkgs"; }; qchem = { url = "github:Nix-QChem/NixOS-QChem"; inputs.nixpkgs.follows = "nixpkgs"; };
nixd = { url = "github:nix-community/nixd"; inputs.nixpkgs.follows = "nixpkgs"; }; nixd = { url = "github:nix-community/nixd"; inputs.nixpkgs.follows = "nixpkgs"; };
@@ -32,6 +32,12 @@
pnpm2nix-nzbr = { url = "github:CHN-beta/pnpm2nix-nzbr"; inputs.nixpkgs.follows = "nixpkgs"; }; pnpm2nix-nzbr = { url = "github:CHN-beta/pnpm2nix-nzbr"; inputs.nixpkgs.follows = "nixpkgs"; };
lmix = { url = "github:CHN-beta/lmix"; inputs.nixpkgs.follows = "nixpkgs"; }; lmix = { url = "github:CHN-beta/lmix"; inputs.nixpkgs.follows = "nixpkgs"; };
dguibert-nur-packages = { url = "github:CHN-beta/dguibert-nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; }; dguibert-nur-packages = { url = "github:CHN-beta/dguibert-nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
plasma-manager =
{
url = "github:pjones/plasma-manager";
inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
};
nix-doom-emacs = { url = "github:nix-community/nix-doom-emacs"; inputs.nixpkgs.follows = "nixpkgs"; };
}; };
outputs = inputs: outputs = inputs:
@@ -44,7 +50,7 @@
default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems" default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
(builtins.concatStringsSep "\n" (builtins.map (builtins.concatStringsSep "\n" (builtins.map
(system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel) (system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
[ "pc" "vps6" "vps7" "nas" ])); [ "pc" "vps6" "vps7" "nas" "yoga" ]));
} }
// ( // (
builtins.listToAttrs (builtins.map builtins.listToAttrs (builtins.map
@@ -53,32 +59,16 @@
name = system; name = system;
value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel; value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
}) })
[ "pc" "vps6" "vps7" "nas" "yoga" ]) [ "pc" "vps6" "vps7" "nas" "yoga" "xmupc1" ])
); );
nixosConfigurations = builtins.listToAttrs (builtins.map # ssh-keygen -t rsa -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_rsa_key
(system: # ssh-keygen -t ed25519 -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_ed25519_key
{ # systemd-machine-id-setup --root=/mnt/nix/persistent
name = system.name; nixosConfigurations =
value = inputs.nixpkgs.lib.nixosSystem let
system =
{ {
system = "x86_64-linux"; pc =
specialArgs = { topInputs = inputs; inherit localLib; };
modules = localLib.mkModules
(
[
(inputs: { config.nixpkgs.overlays = [(final: prev:
{ localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); })]; })
./modules
]
++ system.value
);
};
})
(localLib.attrsToList
{
"pc" =
[
(inputs: { config.nixos =
{ {
system = system =
{ {
@@ -121,16 +111,16 @@
"znver2" "znver3" "znver2" "znver3"
# CX16 SAHF FXSR HLE RDSEED # CX16 SAHF FXSR HLE RDSEED
"broadwell" "broadwell"
"znver4"
]; ];
keepOutputs = true; keepOutputs = true;
}; };
nixpkgs = { march = "alderlake"; cudaSupport = true; }; nixpkgs =
gui = { enable = true; preferred = true; }; { march = "alderlake"; cuda = { enable = true; capabilities = [ "8.6" ]; forwardCompat = false; }; };
kernel.patches = [ "cjktty" "preempt" ]; kernel.patches = [ "cjktty" "lantian" ];
impermanence.enable = true; impermanence.enable = true;
networking = networking.hostname = "pc";
{ hostname = "pc"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; }; sysctl.laptop-mode = 5;
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
}; };
hardware = hardware =
{ {
@@ -140,17 +130,10 @@
joystick.enable = true; joystick.enable = true;
printer.enable = true; printer.enable = true;
sound.enable = true; sound.enable = true;
prime = prime = { enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; }; };
{ enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
gamemode.drmDevice = 1; gamemode.drmDevice = 1;
}; };
packages = packages.packageSet = "workstation";
{
packageSet = "workstation";
extraPrebuildPackages = with inputs.pkgs; [ llvmPackages_git.stdenv ];
extraPythonPackages = [(pythonPackages:
[ inputs.pkgs.localPackages.upho inputs.pkgs.localPackages.spectral ])];
};
virtualization = virtualization =
{ {
waydroid.enable = true; waydroid.enable = true;
@@ -161,7 +144,7 @@
}; };
services = services =
{ {
snapper = { enable = true; configs.persistent = "/nix/persistent"; }; snapper.enable = true;
fontconfig.enable = true; fontconfig.enable = true;
samba = samba =
{ {
@@ -187,9 +170,9 @@
extraInterfaces = [ "docker0" ]; extraInterfaces = [ "docker0" ];
hosts = hosts =
{ {
"mirism.one" = "216.24.188.24"; "mirism.one" = "74.211.99.69";
"beta.mirism.one" = "216.24.188.24"; "beta.mirism.one" = "74.211.99.69";
"ng01.mirism.one" = "216.24.188.24"; "ng01.mirism.one" = "74.211.99.69";
"debug.mirism.one" = "127.0.0.1"; "debug.mirism.one" = "127.0.0.1";
"initrd.vps6.chn.moe" = "74.211.99.69"; "initrd.vps6.chn.moe" = "74.211.99.69";
"nix-store.chn.moe" = "127.0.0.1"; "nix-store.chn.moe" = "127.0.0.1";
@@ -208,20 +191,23 @@
}; };
nix-serve = { enable = true; hostname = "nix-store.chn.moe"; }; nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
smartd.enable = true; smartd.enable = true;
nginx.transparentProxy.externalIp = [ "192.168.82.3" ];
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe"; misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; }; beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
wireguardIp = "192.168.83.3";
};
}; };
bugs = bugs =
[ [
"intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
"suspend-hibernate-waydroid" "embree" "suspend-hibernate-waydroid" "power"
]; ];
};}) };
]; vps6 =
"vps6" =
[
(inputs: { config.nixos =
{ {
system = system =
{ {
@@ -246,66 +232,60 @@
}; };
grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0"; grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
nixpkgs.march = "sandybridge"; nixpkgs.march = "sandybridge";
nix = nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
{ initrd.sshd.enable = true;
substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
autoOptimiseStore = true;
};
initrd =
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
kernel.patches = [ "preempt" ];
impermanence.enable = true; impermanence.enable = true;
networking = { hostname = "vps6"; nebula.enable = true; }; networking.hostname = "vps6";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
}; };
packages.packageSet = "server"; packages.packageSet = "server";
services = services =
{ {
snapper = { enable = true; configs.persistent = "/nix/persistent"; }; snapper.enable = true;
sshd.enable = true; sshd.enable = true;
xrayServer = { enable = true; serverName = "vps6.xserver.chn.moe"; }; xrayServer = { enable = true; serverName = "vps6.xserver.chn.moe"; };
frpServer = { enable = true; serverName = "frp.chn.moe"; }; frpServer = { enable = true; serverName = "frp.chn.moe"; };
nginx = nginx =
{ {
transparentProxy =
{
externalIp = [ "74.211.99.69" "192.168.82.1" ];
map =
{
"ng01.mirism.one" = 7411;
"beta.mirism.one" = 9114;
};
};
streamProxy.map = streamProxy.map =
{ {
"anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; }; "anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; }; "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; }; "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
"nix-store.chn.moe".upstream.address = "internal.pc.chn.moe"; }
"xn--qbtm095lrg0bfka60z.chn.moe".upstream.address = "internal.pc.chn.moe"; // (builtins.listToAttrs (builtins.map
"xn--s8w913fdga.chn.moe".upstream.address = "internal.vps7.chn.moe"; (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.pc.chn.moe"; })
"misskey.chn.moe".upstream.address = "internal.vps7.chn.moe"; [ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
"synapse.chn.moe".upstream.address = "internal.vps7.chn.moe"; // (builtins.listToAttrs (builtins.map
"send.chn.moe".upstream.address = "internal.vps7.chn.moe"; (site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
}; [
"xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
"send" "kkmeeting" "api" "git" "grafana"
]));
applications = applications =
{ {
element.instances."element.chn.moe" = {}; element.instances."element.chn.moe" = {};
synapse-admin.instances."synapse-admin.chn.moe" = {}; synapse-admin.instances."synapse-admin.chn.moe" = {};
catalog.enable = true;
blog.enable = true;
main.enable = true;
}; };
}; };
coturn.enable = true; coturn.enable = true;
httpua.enable = true; httpua.enable = true;
fcgiwrap.enable = true; mirism.enable = true;
fail2ban.enable = true;
wireguard =
{
enable = true;
peers = [ "pc" "nas" "vps7" ];
publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
wireguardIp = "192.168.83.1";
externalIp = "74.211.99.69";
lighthouse = true;
};
}; };
};}) };
]; vps7 =
"vps7" =
[
(inputs: { config.nixos =
{ {
system = system =
{ {
@@ -331,35 +311,29 @@
grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0"; grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
nixpkgs.march = "broadwell"; nixpkgs.march = "broadwell";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
initrd = initrd.sshd.enable = true;
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
kernel.patches = [ "preempt" ];
impermanence.enable = true; impermanence.enable = true;
networking = { hostname = "vps7"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; }; }; networking.hostname = "vps7";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; }; gui.preferred = false;
gui.enable = true;
};
packages =
{
packageSet = "desktop";
}; };
packages.packageSet = "desktop";
services = services =
{ {
snapper = { enable = true; configs.persistent = "/nix/persistent"; }; snapper.enable = true;
fontconfig.enable = true; fontconfig.enable = true;
sshd.enable = true; sshd.enable = true;
rsshub.enable = true; rsshub.enable = true;
nginx.transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
wallabag.enable = true; wallabag.enable = true;
misskey.instances = misskey.instances =
{ {
misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey.hostname = "xn--s8w913fdga.chn.moe";
misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; }; misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
}; };
synapse.enable = true; synapse.instances =
{
synapse.matrixHostname = "synapse.chn.moe";
matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
};
xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; }; xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
vaultwarden.enable = true; vaultwarden.enable = true;
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; }; beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
@@ -368,12 +342,24 @@
freshrss.enable = true; freshrss.enable = true;
send.enable = true; send.enable = true;
huginn.enable = true; huginn.enable = true;
fz-new-order.enable = true;
nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
httpapi.enable = true;
mastodon.enable = true;
gitea.enable = true;
grafana.enable = true;
fail2ban.enable = true;
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
wireguardIp = "192.168.83.2";
externalIp = "95.111.228.40";
};
}; };
};}) };
]; nas =
"nas" =
[
(inputs: { config.nixos =
{ {
system = system =
{ {
@@ -410,40 +396,26 @@
swap = [ "/nix/swap/swap" ]; swap = [ "/nix/swap/swap" ];
rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; }; rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; };
}; };
initrd = initrd.sshd.enable = true;
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
grub.installDevice = "efi"; grub.installDevice = "efi";
nixpkgs.march = "silvermont"; nixpkgs.march = "silvermont";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
kernel.patches = [ "cjktty" "preempt" ]; kernel.patches = [ "cjktty" ];
impermanence.enable = true; impermanence.enable = true;
networking = networking.hostname = "nas";
{ hostname = "nas"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; }; gui.preferred = false;
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
gui.enable = true;
};
hardware =
{
cpus = [ "intel" ];
gpus = [ "intel" ];
}; };
hardware = { cpus = [ "intel" ]; gpus = [ "intel" ]; };
packages.packageSet = "desktop"; packages.packageSet = "desktop";
services = services =
{ {
snapper = { enable = true; configs.persistent = "/nix/persistent"; }; snapper.enable = true;
fontconfig.enable = true; fontconfig.enable = true;
samba = samba =
{ {
enable = true; enable = true;
hostsAllowed = "192.168. 127."; hostsAllowed = "192.168. 127.";
shares = shares = { home.path = "/home"; root.path = "/"; };
{
home.path = "/home";
root.path = "/";
};
}; };
sshd = { enable = true; passwordAuthentication = true; }; sshd = { enable = true; passwordAuthentication = true; };
xrayClient = xrayClient =
@@ -472,13 +444,18 @@
user = "nas"; user = "nas";
stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; }; stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
}; };
nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
wireguardIp = "192.168.83.4";
};
}; };
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ]; users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
};}) };
]; yoga =
"yoga" =
[
(inputs: { config.nixos =
{ {
system = system =
{ {
@@ -499,13 +476,11 @@
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; }; rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
}; };
nixpkgs.march = "silvermont"; nixpkgs.march = "silvermont";
gui.enable = true;
grub.installDevice = "efi"; grub.installDevice = "efi";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
kernel.patches = [ "cjktty" "preempt" ]; kernel.patches = [ "cjktty" ];
impermanence.enable = true; impermanence.enable = true;
networking.hostname = "yoga"; networking.hostname = "yoga";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
}; };
hardware = hardware =
{ {
@@ -517,11 +492,11 @@
sound.enable = true; sound.enable = true;
halo-keyboard.enable = true; halo-keyboard.enable = true;
}; };
packages.packageSet = "desktop"; packages.packageSet = "desktop-fat";
virtualization.docker.enable = true; virtualization.docker.enable = true;
services = services =
{ {
snapper = { enable = true; configs.persistent = "/nix/persistent"; }; snapper.enable = true;
fontconfig.enable = true; fontconfig.enable = true;
sshd.enable = true; sshd.enable = true;
xrayClient = xrayClient =
@@ -533,10 +508,121 @@
}; };
firewall.trustedInterfaces = [ "virbr0" ]; firewall.trustedInterfaces = [ "virbr0" ];
}; };
bugs = [ "xmunet" "firmware-unstable" ]; bugs = [ "xmunet" ];
};}) };
]; xmupc1 =
})); {
system =
{
fileSystems =
{
mount =
{
vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
btrfs =
{
"/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
};
};
swap = [ "/dev/mapper/swap" ];
resume = "/dev/mapper/swap";
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
grub.installDevice = "efi";
nixpkgs =
{
march = "znver3";
cuda =
{
enable = true;
capabilities =
[
# 2080 Ti
"7.5"
# 3090
"8.6"
# 4090
"8.9"
];
forwardCompat = false;
};
};
gui.preferred = false;
kernel.patches = [ "cjktty" ];
impermanence.enable = true;
networking.hostname = "xmupc1";
};
hardware =
{
cpus = [ "amd" ];
gpus = [ "nvidia" ];
bluetooth.enable = true;
joystick.enable = true;
printer.enable = true;
sound.enable = true;
gamemode.drmDevice = 1;
};
packages.packageSet = "workstation";
virtualization = { docker.enable = true; kvmHost = { enable = true; gui = true; }; };
services =
{
snapper.enable = true;
fontconfig.enable = true;
samba =
{
enable = true;
private = true;
hostsAllowed = "192.168. 127.";
shares =
{
media.path = "/run/media/chn";
home.path = "/home/chn";
mnt.path = "/mnt";
share.path = "/home/chn/share";
};
};
sshd.enable = true;
xrayClient =
{
enable = true;
serverAddress = "74.211.99.69";
serverName = "vps6.xserver.chn.moe";
dns.extraInterfaces = [ "docker0" ];
};
firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
acme = { enable = true; cert."debug.mirism.one" = {}; };
smartd.enable = true;
beesd = { enable = true; instances.root = { device = "/nix/persistent"; hashTableSizeMB = 2048; }; };
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
wireguardIp = "192.168.83.5";
};
};
bugs = [ "xmunet" "firefox" ];
};
};
in builtins.listToAttrs (builtins.map
(system:
{
name = system.name;
value = inputs.nixpkgs.lib.nixosSystem
{
system = "x86_64-linux";
specialArgs = { topInputs = inputs; inherit localLib; };
modules = localLib.mkModules
[
(inputs: { config.nixpkgs.overlays = [(final: prev:
{ localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); })]; })
./modules
{ config.nixos = system.value; }
];
};
})
(localLib.attrsToList system));
# sudo HTTPS_PROXY=socks5://127.0.0.1:10884 nixos-install --flake .#bootstrap --option substituters http://127.0.0.1:5000 --option require-sigs false --option system-features gccarch-silvermont # sudo HTTPS_PROXY=socks5://127.0.0.1:10884 nixos-install --flake .#bootstrap --option substituters http://127.0.0.1:5000 --option require-sigs false --option system-features gccarch-silvermont
# nix-serve -p 5000 # nix-serve -p 5000
# nix copy --substitute-on-destination --to ssh://server /run/current-system # nix copy --substitute-on-destination --to ssh://server /run/current-system
@@ -569,7 +655,7 @@
{ {
hostname = node; hostname = node;
profiles.system.path = inputs.self.nixosConfigurations.${node}.pkgs.deploy-rs.lib.activate.nixos profiles.system.path = inputs.self.nixosConfigurations.${node}.pkgs.deploy-rs.lib.activate.nixos
inputs.self.nixosConfigurations.${node}; inputs.self.nixosConfigurations.${node};
}; };
}) })
[ "vps6" "vps7" "nas" "yoga" ]); [ "vps6" "vps7" "nas" "yoga" ]);

5
local/lib/default.nix
View File

@@ -32,4 +32,9 @@ lib:
in in
# Split into lines. Strip leading tabs. Concat back to string. # Split into lines. Strip leading tabs. Concat back to string.
builtins.concatStringsSep "\n" (stripTabs (lib.strings.splitString "\n" text)); builtins.concatStringsSep "\n" (stripTabs (lib.strings.splitString "\n" text));
# find an element in a list, return the index
findIndex = e: list:
let findIndex_ = i: list: if (builtins.elemAt list i) == e then i else findIndex_ (i + 1) list;
in findIndex_ 0 list;
} }

29
local/pkgs/12to11/default.nix
View File

@@ -1,29 +0,0 @@
{
lib, stdenv, fetchsvn, xorg, libdrm
}:
stdenv.mkDerivation rec
{
pname = "12to11";
version = "193";
src = fetchsvn
{
url = "svn://svn.code.sf.net/p/twelveto11/code";
rev = version;
sha256 = "12csy55f2xxj03c5b60dvip68mz8cggic6751y3hvj22ar4ncaaj";
};
postPatch =
''
for i in *.c
do
sed -i -e "s|#include <drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
done
for i in tests/*.c
do
sed -i -e "s|#include <drm/drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
done
'';
nativeBuildInputs = [ ];
buildInputs = [ xorg.imake libdrm.dev ];
}

2
local/pkgs/latex-citation-style-language/default.nix → local/pkgs/citation-style-language/default.nix
View File

@@ -1,6 +1,6 @@
{ stdenvNoCC, texlive, fetchFromGitHub }: stdenvNoCC.mkDerivation (finalAttrs: rec { stdenvNoCC, texlive, fetchFromGitHub }: stdenvNoCC.mkDerivation (finalAttrs: rec
{ {
pname = "latex-citation-style-language"; pname = "citation-style-language";
version = "0.4.5"; version = "0.4.5";
passthru = { passthru = {
pkgs = [ finalAttrs.finalPackage ]; pkgs = [ finalAttrs.finalPackage ];

17
local/pkgs/default.nix
View File

@@ -1,15 +1,11 @@
{ lib, pkgs }: with pkgs; rec { lib, pkgs }: with pkgs; rec
{ {
typora = callPackage ./typora {}; typora = callPackage ./typora {};
upho = python3Packages.callPackage ./upho {};
spectral = python3Packages.callPackage ./spectral {};
vesta = callPackage ./vesta {}; vesta = callPackage ./vesta {};
oneapi = callPackage ./oneapi {}; oneapi = callPackage ./oneapi {};
send = callPackage ./send {};
rsshub = callPackage ./rsshub {}; rsshub = callPackage ./rsshub {};
misskey = callPackage ./misskey {}; misskey = callPackage ./misskey { nodejs = nodejs_21; };
mk-meili-mgn = callPackage ./mk-meili-mgn {}; mk-meili-mgn = callPackage ./mk-meili-mgn {};
phonon-unfolding = callPackage ./phonon-unfolding {};
# vasp = callPackage ./vasp # vasp = callPackage ./vasp
# { # {
# stdenv = pkgs.lmix-pkgs.intel21Stdenv; # stdenv = pkgs.lmix-pkgs.intel21Stdenv;
@@ -22,8 +18,6 @@
openmpi = pkgs.openmpi.override { cudaSupport = false; }; openmpi = pkgs.openmpi.override { cudaSupport = false; };
}; };
vaspkit = callPackage ./vaspkit { attrsToList = (import ../lib lib).attrsToList; }; vaspkit = callPackage ./vaspkit { attrsToList = (import ../lib lib).attrsToList; };
# "12to11" = callPackage ./12to11 {};
huginn = callPackage ./huginn {};
v_sim = callPackage ./v_sim {}; v_sim = callPackage ./v_sim {};
concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; }; concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; };
eigengdb = python3Packages.callPackage ./eigengdb {}; eigengdb = python3Packages.callPackage ./eigengdb {};
@@ -38,12 +32,17 @@
yoga-support = callPackage ./yoga-support {}; yoga-support = callPackage ./yoga-support {};
tgbot-cpp = callPackage ./tgbot-cpp {}; tgbot-cpp = callPackage ./tgbot-cpp {};
biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; }; biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; };
latex-citation-style-language = callPackage ./latex-citation-style-language {}; citation-style-language = callPackage ./citation-style-language {};
mirism = callPackage ./mirism mirism = callPackage ./mirism
{ {
inherit cppcoro nameof tgbot-cpp date; inherit cppcoro nameof tgbot-cpp date;
nghttp2 = nghttp2.override { enableAsioLib = true; }; nghttp2 = nghttp2-2305.override { enableAsioLib = true; };
}; };
cppcoro = callPackage ./cppcoro {}; cppcoro = callPackage ./cppcoro {};
date = callPackage ./date {}; date = callPackage ./date {};
esbonio = python3Packages.callPackage ./esbonio {};
pix2tex = python3Packages.callPackage ./pix2tex {};
pyreadline3 = python3Packages.callPackage ./pyreadline3 {};
torchdata = python3Packages.callPackage ./torchdata {};
torchtext = python3Packages.callPackage ./torchtext { inherit torchdata; };
} }

11
local/pkgs/esbonio/default.nix Normal file
View File

@@ -0,0 +1,11 @@
{ lib, fetchPypi, buildPythonPackage }: buildPythonPackage rec
{
pname = "esbonio";
version = "0.16.3";
src = fetchPypi
{
inherit pname version;
sha256 = "1ggxdzl95fy0zxpyd1pcylhif1x604wk4wy7sv9322hc84b708zx";
};
doCheck = false;
}

29
local/pkgs/huginn/default.nix
View File

@@ -1,29 +0,0 @@
{ lib, stdenv, bundlerEnv, fetchFromGitHub }:
let
pname = "huginn";
version = "20230723";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "huginn";
rev = "a02977ad420a01b6460634af19f714db4a8f8f36";
hash = "sha256-Ty2EDCIjbvcf3PzPupcV4s7ZfAFTuYEjSfy0m+Yt3j4=";
};
gems = bundlerEnv
{
name = "${pname}-${version}-gems";
gemdir = "${src}";
gemfile = "${src}/Gemfile";
lockfile = "${src}/Gemfile.lock";
gemset = "${src}/gemset.nix";
copyGemFiles = true;
};
in stdenv.mkDerivation
{
inherit pname version src;
buildInputs = [ gems gems.wrappedRuby ];
installPhase =
''
false
'';
}

2
local/pkgs/mirism/default.nix
View File

@@ -8,7 +8,7 @@
src = requireFile src = requireFile
{ {
inherit name; inherit name;
sha256 = "10r40j4d6nnj930c8rw925akpim8f8sixh1lqrwdyp561nw774s4"; sha256 = "1q3f4q4ln9dz68dfc35jybgv861f7acqiiykkm7jxviz8jdgn8c7";
hashMode = "recursive"; hashMode = "recursive";
message = "Source file not found."; message = "Source file not found.";
}; };

68
local/pkgs/misskey/default.nix
View File

@@ -1,95 +1,45 @@
{ {
lib, stdenv, mkPnpmPackage, fetchFromGitHub, fetchurl, nodejs_20, writeShellScript, buildFHSEnv, lib, stdenv, mkPnpmPackage, fetchFromGitHub, fetchurl, nodejs, writeShellScript, buildFHSEnv,
bash, cypress, vips, pkg-config bash, cypress, vips, pkg-config
}: }:
let let
pname = "misskey"; pname = "misskey";
version = "2023.11.0"; version = "2023.12.2";
src = fetchFromGitHub src = fetchFromGitHub
{ {
owner = "CHN-beta"; owner = "CHN-beta";
repo = "misskey"; repo = "misskey";
rev = "aa182cd92ea5dc446f4d1ae2bf942bf46c645811"; rev = "cd1d0ab06eb6b7e06afdfae9a12b2d2829564229";
sha256 = "hotUhy4Rhm4QWO7oYH3UENr7LewF+/dC8rsaKD0y2uc="; hash = "sha256-sKEZ1ZpyA/02CNwiOMIOS5f/csx6ELDwCVJYc+oMChM=";
fetchSubmodules = true; fetchSubmodules = true;
}; };
originalPnpmPackage = mkPnpmPackage originalPnpmPackage = mkPnpmPackage
{ {
inherit pname version src; inherit pname version src nodejs;
nodejs = nodejs_20;
copyPnpmStore = true; copyPnpmStore = true;
}; };
startScript = writeShellScript "misskey" startScript = writeShellScript "misskey"
'' ''
export PATH=${lib.makeBinPath [ bash nodejs_20 nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress ]}:$PATH export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress ]}:$PATH
export CYPRESS_RUN_BINARY="${cypress}/bin/Cypress" export CYPRESS_RUN_BINARY="${cypress}/bin/Cypress"
export NODE_ENV=production export NODE_ENV=production
pnpm run migrateandstart pnpm run migrateandstart
''; '';
re2 = stdenv.mkDerivation rec
{
pname = "re2";
version = "1.20.5";
srcs =
[
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-120.br";
sha256 = "07hwfgb7yw7pad2svkmx8qapc490xxxk0bbbx51h3kajckw98b9w";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-120.gz";
sha256 = "0c3z7bw4b1hgafv4n86pkg3z627zsmlzaghbzpyb81pilf1hzn8z";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-115.br";
sha256 = "17sbfx0dbfqc42qsxbqnn94a3vsih4mc06d8svbarvx5b5x0mg31";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-115.gz";
sha256 = "1lnmad2vqhjck0fjs55z74jm9psl1p81g84k2nn9gxbqnk2lxsjd";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-108.br";
sha256 = "1c605zipadwbd8z3mzvjzw4x9v89jdq19m4hmd6bqbrcz3qbgg4n";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-108.gz";
sha256 = "0sqsn3rdlg8abqcn7i9gyhpsd1znfj1x2bxm1nj222g0svp1mry3";
})
];
phases = [ "installPhase" ];
installPhase =
''
mkdir -p $out/${version}
for i in $srcs
do
cp $i $out/${version}/''${i#*-}
done
'';
};
in in
stdenv.mkDerivation rec stdenv.mkDerivation rec
{ {
inherit version src pname; inherit version src pname;
buildInputs = buildInputs =
[ [
bash nodejs_20 nodejs_20.pkgs.typescript nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress vips pkg-config bash nodejs nodejs.pkgs.typescript nodejs.pkgs.pnpm nodejs.pkgs.gulp cypress vips pkg-config
]; ];
nativeBuildInputs = buildInputs; nativeBuildInputs = buildInputs;
CYPRESS_RUN_BINARY = "${cypress}/bin/Cypress"; CYPRESS_RUN_BINARY = "${cypress}/bin/Cypress";
NODE_ENV = "production"; NODE_ENV = "production";
RE2_DOWNLOAD_MIRROR = "${re2}";
RE2_DOWNLOAD_SKIP_PATH = "true";
configurePhase = configurePhase =
'' ''
export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
export npm_config_nodedir=${nodejs_20} export npm_config_nodedir=${nodejs}
runHook preConfigure runHook preConfigure
@@ -121,6 +71,6 @@ in
''; '';
passthru = passthru =
{ {
inherit originalPnpmPackage startScript re2; inherit originalPnpmPackage startScript;
}; };
} }

28
local/pkgs/phonon-unfolding/default.nix
View File

@@ -1,28 +0,0 @@
{
stdenv, fetchFromGitHub, gfortran, blas
}:
stdenv.mkDerivation
{
pname = "phonon-unfolding";
version = "0";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "phonon_unfolding";
rev = "ec363ef2bad0ee18a0839a1681ea9915c0b72e1d";
hash = "sha256-zDTbtYk5OXf//6eS4gEF7IvrpWcRAz18ue48IDZnfSk=";
};
buildInputs = [ blas ];
nativeBuildInputs = [ gfortran ];
buildPhase =
''
gfortran PhononUnfoldingModule.f90 -o PhononUnfoldingModule.mod -c
gfortran PhononUnfolding.f90 -c -o PhononUnfolding.mod
gfortran PhononUnfolding.mod PhononUnfoldingModule.mod -o PhononUnfolding -lblas
'';
installPhase =
''
mkdir -p $out/bin
cp PhononUnfolding $out/bin
'';
}

32
local/pkgs/pix2tex/default.nix Normal file
View File

@@ -0,0 +1,32 @@
{
lib, fetchFromGitHub, buildPythonPackage,
# general dependencies:
tqdm, munch, torch, opencv, requests, einops, transformers, tokenizers, numpy, pillow, pyyaml, pandas, timm,
albumentations,
# gui
pyqt6, pyqt6-webengine, pyside6, pynput, screeninfo,
# api
streamlit, fastapi, uvicorn, python-multipart,
# training
# python-Levenshtein, torchtext, imagesize
# highlight
pygments
}: buildPythonPackage
{
name = "pix2tex";
src = fetchFromGitHub
{
owner = "lukas-blecher";
repo = "LaTeX-OCR";
rev = "1781514fb8c92ea9f94057295fdae0e683f4648e";
hash = "sha256-I3B8eH7zV2zIogDt9znkEzp4EeBjY6NfI4jsl+v/8aM=";
};
patches = [ ./remove-version-requires.patch ];
propagatedBuildInputs =
[
tqdm munch torch opencv requests einops transformers tokenizers numpy pillow pyyaml pandas timm albumentations
pyqt6 pyqt6-webengine pyside6 pynput screeninfo
streamlit fastapi uvicorn python-multipart
pygments
];
}

13
local/pkgs/pix2tex/remove-version-requires.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/setup.py b/setup.py
index 29b26cb..511012f 100644
--- a/setup.py
+++ b/setup.py
@@ -64,7 +64,7 @@ setuptools.setup(
'Pillow>=9.1.0',
'PyYAML>=5.4.1',
'pandas>=1.0.0',
- 'timm==0.5.4',
+ 'timm>=0.5.4',
'albumentations>=0.5.2',
'pyreadline3>=3.4.1; platform_system=="Windows"',
],

14
local/pkgs/pyreadline3/default.nix Normal file
View File

@@ -0,0 +1,14 @@
{
lib, fetchFromGitHub, buildPythonPackage
}: buildPythonPackage rec
{
pname = "pyreadline3";
version = "3.4.1";
src = fetchFromGitHub
{
owner = "pyreadline3";
repo = "pyreadline3";
rev = "v${version}";
hash = "sha256-02/gkx955NupVKXSu/xBQQtY4SEP4zxbNQYg1oQ/nGY=";
};
}

4
local/pkgs/rsshub/default.nix
View File

@@ -8,8 +8,8 @@ let
{ {
owner = "DIYgod"; owner = "DIYgod";
repo = "RSSHub"; repo = "RSSHub";
rev = "4356fad91a268c81b8dacd2e3d9d07dbdce231a0"; rev = "38a5b0c193bf77d71c4eea33db6e76bc8b565d0b";
sha256 = "rUfXHtePIkBGF1U/tqrXHEsYC5jah2A7hoJZfEAnCoQ="; hash = "sha256-gJsT9W2fFiy2IG89E5th49DpBHsPMfsdONyzAKDG48c=";
}; };
originalPnpmPackage = mkPnpmPackage { inherit name src nodejs; }; originalPnpmPackage = mkPnpmPackage { inherit name src nodejs; };
nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; }; nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; };

21
local/pkgs/send/default.nix
View File

@@ -1,21 +0,0 @@
{ buildNpmPackage, fetchFromGitHub, nodejs-16_x, nodePackages }:
buildNpmPackage.override { nodejs = nodejs-16_x; }
{
pname = "send";
version = "3.4.23";
src = fetchFromGitHub
{
owner = "timvisee";
repo = "send";
rev = "6ad2885a168148fb996d3983457bc39527c7c8e5";
sha256 = "AdwYNfTMfEItC4kBP+YozUQSBVnu/uzZvGta4wfwv0I=";
leaveDotGit = true;
};
npmDepsHash = "sha256-r1iaurKuhpP0sevB5pFdtv9j1ikM1fKL7Jgakh4FzTI=";
makeCacheWritable = true;
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD = "1";
NODE_OPTIONS = "--openssl-legacy-provider";
dontNpmInstall = true;
NODE_ENV = "production";
nativeBuildInputs = with nodePackages; [ rimraf webpack webpack-cli copy-webpack-plugin webpack-manifest-plugin ];
}

15
local/pkgs/spectral/default.nix
View File

@@ -1,15 +0,0 @@
{
lib, fetchPypi, buildPythonPackage,
numpy, pillow, wxPython_4_2, matplotlib, ipython, pyopengl
}: buildPythonPackage rec
{
pname = "spectral";
version = "0.23.1";
src = fetchPypi
{
inherit pname version;
sha256 = "sha256-4YIic1Je81g7J6lmIm1Vr+CefSmnI2z82LwN+x+Wj8I=";
};
doCheck = false;
propagatedBuildInputs = [ numpy pillow wxPython_4_2 matplotlib ipython pyopengl ];
}

20
local/pkgs/torchdata/default.nix Normal file
View File

@@ -0,0 +1,20 @@
{
lib, fetchFromGitHub, buildPythonPackage,
torch, urllib3, requests, cmake, pkg-config, ninja
}: buildPythonPackage rec
{
pname = "torchdata";
version = "0.7.1";
src = fetchFromGitHub
{
owner = "pytorch";
repo = "data";
rev = "v${version}";
hash = "sha256-SOeu+mI4p2tHX0YyctrDBcrz2/zYcwH9GGJ+6ytRmjQ=";
fetchSubmodules = true;
};
dontUseCmakeConfigure = true;
pyproject = true;
propagatedBuildInputs = [ torch urllib3 requests ];
nativeBuildInputs = [ cmake pkg-config ninja ];
}

20
local/pkgs/torchtext/default.nix Normal file
View File

@@ -0,0 +1,20 @@
{
lib, fetchFromGitHub, buildPythonPackage,
tqdm, requests, torch, numpy, torchdata, cmake
}: buildPythonPackage rec
{
pname = "torchtext";
version = "0.16.1";
src = fetchFromGitHub
{
owner = "pytorch";
repo = "text";
rev = "v${version}";
hash = "sha256-4a33AWdd1VZwRL5vTawo0yplpw+qcNMetbfE1h1kafE=";
fetchSubmodules = true;
};
dontUseCmakeConfigure = true;
pyproject = true;
propagatedBuildInputs = [ tqdm requests torch numpy torchdata ];
nativeBuildInputs = [ cmake ];
}

14
local/pkgs/upho/default.nix
View File

@@ -1,14 +0,0 @@
{ lib, fetchFromGitHub, buildPythonPackage, numpy, h5py, phonopy }: buildPythonPackage rec
{
pname = "upho";
version = "0.6.6";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "upho";
rev = "0f27ac6918e8972c70692816438e4ac37ec6b348";
sha256 = "sha256-NvoV+AUH9MmGT4ohrLAAvpLs8APP2DOKYlZVliHrVRM=";
};
doCheck = false;
propagatedBuildInputs = [ numpy h5py phonopy ];
}

11
modules/bugs/default.nix
View File

@@ -5,8 +5,6 @@ inputs:
inherit (inputs.lib) mkMerge mkIf mkOption types; inherit (inputs.lib) mkMerge mkIf mkOption types;
bugs = bugs =
{ {
# intel i915 hdmi
intel-hdmi.boot.kernelPatches = [{ name = "intel-hdmi"; patch = ./intel-hdmi.patch; }];
# suspend & hibernate do not use platform # suspend & hibernate do not use platform
suspend-hibernate-no-platform.systemd.sleep.extraConfig = suspend-hibernate-no-platform.systemd.sleep.extraConfig =
'' ''
@@ -47,6 +45,10 @@ inputs:
then then
echo LID0 > /proc/acpi/wakeup echo LID0 > /proc/acpi/wakeup
fi fi
if ${cat} /proc/acpi/wakeup | ${grep} XHCI | ${grep} -q enabled
then
echo XHCI > /proc/acpi/wakeup
fi
''; '';
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
@@ -76,10 +78,7 @@ inputs:
}; };
}; };
firefox.programs.firefox.enable = inputs.lib.mkForce false; firefox.programs.firefox.enable = inputs.lib.mkForce false;
embree.nixpkgs.overlays = power.boot.kernelParams = [ "cpufreq.default_governor=powersave" ];
[(final: prev: { embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; })];
firmware-unstable.nixpkgs.overlays =
[ (final: prev: { linux-firmware = final.unstablePackages.linux-firmware; }) ];
}; };
in in
{ {

14
modules/bugs/intel-hdmi.patch
View File

@@ -1,14 +0,0 @@
diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
index 55544d484318..d6f257f8fd14 100644
--- a/drivers/gpu/drm/i915/display/intel_bios.c
+++ b/drivers/gpu/drm/i915/display/intel_bios.c
@@ -2708,7 +2708,7 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata)
if (i915->display.vbt.ports[port]) {
drm_dbg_kms(&i915->drm,
"More than one child device for port %c in VBT, using the first.\n",
port_name(port));
- return;
+ // return;
}
sanitize_device_type(devdata, port);

48
modules/default.nix
View File

@@ -13,24 +13,38 @@ inputs:
topInputs.nur.nixosModules.nur topInputs.nur.nixosModules.nur
topInputs.nur-xddxdd.nixosModules.setupOverlay topInputs.nur-xddxdd.nixosModules.setupOverlay
topInputs.impermanence.nixosModules.impermanence topInputs.impermanence.nixosModules.impermanence
(inputs: { config.nixpkgs.overlays = (inputs:
[ {
topInputs.qchem.overlays.default config =
topInputs.nixd.overlays.default
topInputs.nix-alien.overlays.default
topInputs.napalm.overlays.default
topInputs.pnpm2nix-nzbr.overlays.default
topInputs.lmix.overlays.default
(final: prev: topInputs.aagl.overlays.default {} final.unstablePackages)
(import "${topInputs.dguibert-nur-packages}/overlays/nvhpc-overlay")
(final: prev:
{ {
touchix = topInputs.touchix.packages."${prev.system}"; nixpkgs.overlays =
nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}"; [
nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev; topInputs.qchem.overlays.default
deploy-rs = { inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; }; topInputs.nixd.overlays.default
}) topInputs.nix-alien.overlays.default
];}) topInputs.napalm.overlays.default
topInputs.pnpm2nix-nzbr.overlays.default
topInputs.lmix.overlays.default
topInputs.aagl.overlays.default
(import "${topInputs.dguibert-nur-packages}/overlays/nvhpc-overlay")
(final: prev:
{
nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
deploy-rs =
{ inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
# needed by mirism
nghttp2-2305 =
inputs.pkgs.callPackage "${inputs.topInputs.nixpkgs-2305}/pkgs/development/libraries/nghttp2" {};
})
];
home-manager.sharedModules =
[
topInputs.plasma-manager.homeManagerModules.plasma-manager
topInputs.nix-doom-emacs.hmModule
];
};
})
./hardware ./packages ./system ./virtualization ./services ./bugs ./users ./hardware ./packages ./system ./virtualization ./services ./bugs ./users
]; ];
} }

59
modules/hardware/default.nix
View File

@@ -7,7 +7,7 @@ inputs:
printer.enable = mkOption { type = types.bool; default = false; }; printer.enable = mkOption { type = types.bool; default = false; };
sound.enable = mkOption { type = types.bool; default = false; }; sound.enable = mkOption { type = types.bool; default = false; };
cpus = mkOption { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; }; cpus = mkOption { type = types.listOf (types.enum [ "intel" "amd" ]); default = []; };
gpus = mkOption { type = types.listOf (types.enum [ "intel" "nvidia" ]); default = []; }; gpus = mkOption { type = types.listOf (types.enum [ "intel" "nvidia" "amd" ]); default = []; };
prime = prime =
{ {
enable = mkOption { type = types.bool; default = false; }; enable = mkOption { type = types.bool; default = false; };
@@ -71,7 +71,10 @@ inputs:
let let
modules = modules =
{ {
intel = [ "intel_cstate" "aesni_intel" ]; intel =
[
"intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"
];
amd = []; amd = [];
}; };
in in
@@ -88,6 +91,7 @@ inputs:
{ {
intel = [ "i915" ]; intel = [ "i915" ];
nvidia = [ "nvidia" "nvidia_drm" "nvidia_modeset" "nvidia_uvm" ]; nvidia = [ "nvidia" "nvidia_drm" "nvidia_modeset" "nvidia_uvm" ];
amd = [ "amdgpu" ];
}; };
in in
concatLists (map (gpu: modules.${gpu}) hardware.gpus); concatLists (map (gpu: modules.${gpu}) hardware.gpus);
@@ -104,6 +108,7 @@ inputs:
{ {
intel = [ intel-compute-runtime intel-media-driver libvdpau-va-gl ]; # intel-vaapi-driver intel = [ intel-compute-runtime intel-media-driver libvdpau-va-gl ]; # intel-vaapi-driver
nvidia = [ vaapiVdpau ]; nvidia = [ vaapiVdpau ];
amd = [];
}; };
in in
concatLists (map (gpu: packages.${gpu}) hardware.gpus); concatLists (map (gpu: packages.${gpu}) hardware.gpus);
@@ -158,23 +163,13 @@ inputs:
{ {
Type = "simple"; Type = "simple";
WorkingDirectory = "/etc/touch_keyboard"; WorkingDirectory = "/etc/touch_keyboard";
# ExecStartPre = let sh = "${inputs.pkgs.bash}/bin/sh"; in
# [
# ''-${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/export"''
# ''${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/pwm0/enable"''
# ''${sh} -c "echo 1 > /sys/class/pwm/pwmchip1/pwm0/enable"''
# ];
ExecStart = "${keyboard}/bin/touch_keyboard_handler"; ExecStart = "${keyboard}/bin/touch_keyboard_handler";
}; };
yogabook-modes-handler = yogabook-modes-handler.serviceConfig =
{ {
wantedBy = [ "default.target" ]; Type = "simple";
serviceConfig = ExecStart = "${support}/bin/yogabook-modes-handler";
{ StandardOutput = "journal";
Type = "simple";
ExecStart = "${support}/bin/yogabook-modes-handler";
StandardOutput = "journal";
};
}; };
monitor-sensor = monitor-sensor =
{ {
@@ -187,6 +182,38 @@ inputs:
}; };
}; };
environment.etc."touch_keyboard".source = "${keyboard}/etc/touch_keyboard"; environment.etc."touch_keyboard".source = "${keyboard}/etc/touch_keyboard";
boot.initrd =
{
services.udev.packages = [ keyboard support ];
systemd =
{
extraBin =
{
touch_keyboard_handler = "${keyboard}/bin/touch_keyboard_handler";
yogabook-modes-handler = "${support}/bin/yogabook-modes-handler";
};
services =
{
touch-keyboard-handler =
{
serviceConfig =
{
Type = "simple";
WorkingDirectory = "/etc/touch_keyboard";
ExecStart = "${keyboard}/bin/touch_keyboard_handler";
};
};
yogabook-modes-handler.serviceConfig =
{
Type = "simple";
ExecStart = "${support}/bin/yogabook-modes-handler";
StandardOutput = "journal";
};
};
};
extraFiles."/etc/touch_keyboard".source = "${keyboard}/etc/touch_keyboard";
};
} }
)) ))
]; ];

649
modules/packages/default.nix
View File

@@ -1,611 +1,72 @@
inputs: inputs:
{ {
options.nixos.packages = let inherit (inputs.lib) mkOption types; in imports = inputs.localLib.mkModules
{ [
packageSet = mkOption ./server
{ ./desktop
type = types.enum ./desktop-fat
./workstation
];
options.nixos.packages =
let
inherit (inputs.lib) mkOption types;
packageSets =
[ [
# no gui, only used for specific purpose # no gui, only used for specific purpose
"server" "server"
# gui, for daily use, but not install large programs such as matlab # gui, for daily use, but not install large programs such as matlab
"desktop" "desktop"
"desktop-fat"
# nearly everything # nearly everything
"workstation" "workstation"
]; ];
default = "server"; in
{
packageSet = mkOption { type = types.enum packageSets; default = "server"; };
extraPackages = mkOption { type = types.listOf types.unspecified; default = []; };
excludePackages = mkOption { type = types.listOf types.unspecified; default = []; };
extraPythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
excludePythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
extraPrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
excludePrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
_packageSets = mkOption
{
type = types.listOf types.nonEmptyStr;
readOnly = true;
default = builtins.genList (i: builtins.elemAt packageSets i)
((inputs.localLib.findIndex inputs.config.nixos.packages.packageSet packageSets) + 1);
};
_packages = mkOption { type = types.listOf types.unspecified; default = []; };
_pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
_prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
}; };
extraPackages = mkOption { type = types.listOf types.unspecified; default = []; };
excludePackages = mkOption { type = types.listOf types.unspecified; default = []; };
extraPythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
excludePythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
extraPrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
excludePrebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
_packages = mkOption { type = types.listOf types.unspecified; default = []; };
_pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
_prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
};
config = config =
let let
inherit (inputs.lib) mkMerge mkIf; inherit (builtins) concatLists map;
inherit (builtins) concatLists map listToAttrs; in
inherit (inputs.localLib) attrsToList; {
in mkMerge environment.systemPackages = let inherit (inputs.lib.lists) subtractLists; in with inputs.config.nixos.packages;
[ (subtractLists excludePackages (_packages ++ extraPackages))
# >= server ++ [
{ (inputs.pkgs.python3.withPackages (pythonPackages:
nixos = subtractLists
{ (concatLists (map (packageFunction: packageFunction pythonPackages) excludePythonPackages))
packages = with inputs.pkgs; (concatLists (map (packageFunction: packageFunction pythonPackages)
(_pythonPackages ++ extraPythonPackages)))))
(inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
{ {
_packages = name = "prebuild-packages";
[ propagateBuildInputs = subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages);
# shell phases = [ "installPhase" ];
ksh installPhase =
# basic tools ''
beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch localPackages.pslist runHook preInstall
unstablePackages.fastfetch reptyr mkdir -p $out
# lsxx runHook postInstall
pciutils usbutils lshw util-linux lsof '';
# top }) {})
iotop iftop htop btop powertop s-tui ];
# editor };
nano bat
# downloader
wget aria2 curl
# file manager
tree exa trash-cli lsd broot file xdg-ninja mlocate
# compress
pigz rar upx unzip zip lzip p7zip
# file system management
sshfs e2fsprogs adb-sync duperemove compsize
# disk management
smartmontools hdparm
# encryption and authentication
apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
# networking
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils
# nix tools
nix-output-monitor nix-tree ssh-to-age
# office
todo-txt-cli
# development
gdb unstablePackages.try
] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
_pythonPackages = [(pythonPackages: with pythonPackages;
[
inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
certifi charset-normalizer idna orjson psycopg2 localPackages.eigengdb
])];
};
users.sharedModules = [(home-inputs:
{
config.programs =
{
zsh =
{
enable = true;
initExtraBeforeCompInit =
''
# p10k instant prompt
P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
HYPHEN_INSENSITIVE="true"
export PATH=~/bin:$PATH
function br
{
local cmd cmd_file code
cmd_file=$(mktemp)
if broot --outcmd "$cmd_file" "$@"; then
cmd=$(<"$cmd_file")
command rm -f "$cmd_file"
eval "$cmd"
else
code=$?
command rm -f "$cmd_file"
return "$code"
fi
}
alias todo="todo.sh"
'';
plugins =
[
{
file = "powerlevel10k.zsh-theme";
name = "powerlevel10k";
src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
}
{
file = "p10k.zsh";
name = "powerlevel10k-config";
src = ./p10k-config;
}
{
name = "zsh-lsd";
src = inputs.pkgs.fetchFromGitHub
{
owner = "z-shell";
repo = "zsh-lsd";
rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
};
}
];
history =
{
path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
extended = true;
save = 100000000;
size = 100000000;
};
};
direnv = { enable = true; nix-direnv.enable = true; };
git =
{
enable = true;
lfs.enable = true;
extraConfig =
{
core.editor = if inputs.config.nixos.system.gui.preferred then "code --wait" else "vim";
advice.detachedHead = false;
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
};
package = inputs.pkgs.gitFull;
delta =
{
enable = true;
options =
{
side-by-side = true;
navigate = true;
syntax-theme = "GitHub";
light = true;
zero-style = "syntax white";
line-numbers-zero-style = "#ffffff";
};
};
};
ssh =
{
enable = true;
controlMaster = "auto";
controlPersist = "1m";
compression = true;
};
vim =
{
enable = true;
defaultEditor = true;
packageConfigurable = inputs.config.programs.vim.package;
settings =
{
number = true;
expandtab = false;
shiftwidth = 2;
tabstop = 2;
};
extraConfig =
''
set clipboard=unnamedplus
colorscheme evening
'';
};
};
})];
};
programs =
{
nix-index-database.comma.enable = true;
nix-index.enable = true;
zsh =
{
enable = true;
syntaxHighlighting.enable = true;
autosuggestions.enable = true;
enableCompletion = true;
ohMyZsh =
{
enable = true;
plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
customPkgs = with inputs.pkgs; [ zsh-nix-shell ];
};
};
ccache.enable = true;
command-not-found.enable = false;
adb.enable = true;
gnupg.agent = { enable = true; enableSSHSupport = true; };
autojump.enable = true;
git =
{
enable = true;
package = inputs.pkgs.gitFull;
lfs.enable = true;
config =
{
init.defaultBranch = "main";
core = { quotepath = false; editor = "vim"; };
};
};
# yazi.enable = true;
};
services =
{
fwupd.enable = true;
udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
openssh.knownHosts =
let
servers = rec
{
vps6 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
hostnames = [ "vps6.chn.moe" "74.211.99.69" "192.168.82.1" ];
};
"initrd.vps6" =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
hostnames = [ "initrd.vps6.chn.moe" "74.211.99.69" ];
};
vps7 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
hostnames = [ "vps7.chn.moe" "95.111.228.40" "192.168.82.2" ];
};
"initrd.vps7" =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
hostnames = [ "initrd.vps7.chn.moe" "95.111.228.40" ];
};
nas =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
hostnames = [ "[office.chn.moe]:5440" "192.168.82.4" "192.168.1.185" ];
};
"initrd.nas" =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
hostnames = nas.hostnames;
};
pc =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
hostnames = [ "192.168.8.2.3" ];
};
hpc =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVpsQW3kZt5alHC6mZhay3ZEe2fRGziG4YJWCv2nn/O";
hostnames = [ "hpc.xmu.edu.cn" ];
};
github =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
hostnames = [ "github.com" ];
};
};
in listToAttrs (concatLists (map
(server:
(
if builtins.pathExists ./ssh/${server.name}_rsa.pub then
[{
name = "${server.name}-rsa";
value =
{
publicKey = builtins.readFile ./ssh/${server.name}_rsa.pub;
hostNames = server.value.hostnames;
};
}]
else []
)
++ (
if builtins.pathExists ./ssh/${server.name}_ecdsa.pub then
[{
name = "${server.name}-ecdsa";
value =
{
publicKey = builtins.readFile ./ssh/${server.name}_ecdsa.pub;
hostNames = server.value.hostnames;
};
}]
else []
)
++ (
if server.value ? ed25519 then
[{
name = "${server.name}-ed25519";
value =
{
publicKey = server.value.ed25519;
hostNames = server.value.hostnames;
};
}]
else []
))
(attrsToList servers)));
};
nix.settings.extra-sandbox-paths = [ inputs.config.programs.ccache.cacheDir ];
nixpkgs.config =
{
permittedInsecurePackages = with inputs.pkgs;
[
openssl_1_1.name electron_19.name nodejs-16_x.name python2.name electron_12.name electron_24.name
zotero.name
];
allowUnfree = true;
};
home-manager =
{
useGlobalPkgs = true;
useUserPackages = true;
};
}
# >= desktop
(
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "desktop-fat" "workstation" ] )
{
nixos =
{
packages = with inputs.pkgs;
{
_packages =
[
# system management
gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
wayland-utils clinfo glxinfo vulkan-tools dracut
# networking
remmina putty mtr-gui
# password and key management
bitwarden yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui
# download
qbittorrent yt-dlp nur-xddxdd.baidupcs-go wgetpaste
# office
unstablePackages.crow-translate zotero pandoc ydict
# development
scrcpy
# media
spotify yesplaymusic mpv nomacs simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
# text editor
localPackages.typora
# themes
orchis-theme tela-circle-icon-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme
arc-kde-theme materia-theme
# news
fluent-reader rssguard
# davinci-resolve playonlinux
weston cage openbox krita
genymotion hdfview electrum jabref
(
vscode-with-extensions.override
{
vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
(with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
++ (with github; [ copilot copilot-chat copilot-labs github-vscode-theme ])
++ (with intellsmi; [ comment-translate deepl-translate ])
++ (with ms-python; [ isort python vscode-pylance ])
++ (with ms-toolsai;
[
jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
])
++ (with ms-vscode;
[
cmake-tools cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
test-adapter-converter
])
++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
++ [
donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
oderwat.indent-rainbow
twxs.cmake guyutongxue.cpp-reference znck.grammarly thfriedrich.lammps leetcode.vscode-leetcode
james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug
hbenl.vscode-test-explorer
jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
gruntfuggly.todo-tree
];
}
)
] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
};
users.sharedModules =
[{
config =
{
programs =
{
chromium =
{
enable = true;
extensions =
[
{ id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
{ id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
{ id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
{ id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
{ id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
{ id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
{ id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
{ id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
{ id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
{ id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
{ id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
{ id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
{ id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
{ id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
{ id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
{ id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
{ id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
{ id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
];
};
obs-studio =
{
enable = true;
plugins = with inputs.pkgs.obs-studio-plugins;
[ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
};
home.file.".config/baloofilerc".text =
''
[Basic Settings]
Indexing-Enabled=false
'';
};
}];
};
programs =
{
steam.enable = true;
kdeconnect.enable = true;
wireshark = { enable = true; package = inputs.pkgs.wireshark; };
firefox =
{
enable = true;
languagePacks = [ "zh-CN" "en-US" ];
};
vim.package = inputs.pkgs.genericPackages.vim-full;
};
nixpkgs.config.packageOverrides = pkgs:
{
telegram-desktop = pkgs.telegram-desktop.overrideAttrs (attrs:
{
patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./telegram.patch ];
});
};
services.pcscd.enable = true;
}
)
# >= desktop-fat
(
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop-fat" "workstation" ] )
{
nixos =
{
packages = with inputs.pkgs;
{
_packages =
[
# system management
etcher unstablePackages.btrfs-assistant
# nix tools
deploy-rs.deploy-rs nixpkgs-fmt
# instant messager
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
cinny-desktop # nur-xddxdd.wine-wechat thunder
# browser
google-chrome
];
};
};
}
)
# >= workstation
(
mkIf (inputs.config.nixos.packages.packageSet == "workstation")
{
nixos.packages = with inputs.pkgs;
{
_packages =
[
# nix tools
nix-template appimage-run nil nixd nix-alien nix-serve node2nix nix-prefetch-github prefetch-npm-deps
nix-prefetch-docker pnpm-lock-export bundix
# instant messager
zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack # jail
# office
libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain
(texlive.combine
{
inherit (texlive) scheme-full;
inherit (localPackages) latex-citation-style-language;
})
# development
jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify
# media
nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
# virtualization
wineWowPackages.stagingFull virt-viewer bottles # wine64
# text editor
appflowy notion-app-enhanced joplin-desktop standardnotes
# math, physics and chemistry
mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
localPackages.vasp localPackages.phonon-unfolding localPackages.vaspkit jmol localPackages.v_sim
# news
newsflash newsboat
microsoft-edge
];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
phonopy tensorflow keras openai scipy scikit-learn jupyterlab
])];
_prebuildPackages =
[
httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
unstablePackages.gcc13Stdenv
];
};
programs =
{
anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
nix-ld.enable = true;
gamemode =
{
enable = true;
settings =
{
general.renice = 10;
gpu =
{
apply_gpu_optimisations = "accept-responsibility";
nv_powermizer_mode = 1;
};
custom = let notify-send = "${inputs.pkgs.libnotify}/bin/notify-send"; in
{
start = "${notify-send} 'GameMode started'";
end = "${notify-send} 'GameMode ended'";
};
};
};
chromium =
{
enable = true;
extraOpts.PasswordManagerEnabled = false;
};
};
}
)
# apply package configs
{
environment.systemPackages = let inherit (inputs.lib.lists) subtractLists; in with inputs.config.nixos.packages;
(subtractLists excludePackages (_packages ++ extraPackages))
++ [
(inputs.pkgs.python3.withPackages (pythonPackages:
subtractLists
(builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
excludePythonPackages))
(builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages)
(_pythonPackages ++ extraPythonPackages)))))
(inputs.pkgs.callPackage ({ stdenv }: stdenv.mkDerivation
{
name = "prebuild-packages";
propagateBuildInputs = subtractLists excludePrebuildPackages (_prebuildPackages ++ extraPrebuildPackages);
phases = [ "installPhase" ];
installPhase =
''
runHook preInstall
mkdir -p $out
runHook postInstall
'';
}) {})
];
}
];
} }
# programs.firejail = # programs.firejail =

39
modules/packages/desktop-fat/chromium.nix Normal file
View File

@@ -0,0 +1,39 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "desktop-fat" inputs.config.nixos.packages._packageSets)
{
nixos.users.sharedModules =
[{
config.programs.chromium =
{
enable = true;
extensions =
[
{ id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
{ id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
{ id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
{ id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
{ id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
{ id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
{ id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
{ id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
{ id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
{ id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
{ id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
{ id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
{ id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
{ id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
{ id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
{ id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
{ id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
{ id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
{ id = "bpoadfkcbjbfhfodiogcnhhhpibjhbnh"; } # 沉浸式翻译
];
};
}];
};
}

48
modules/packages/desktop-fat/default.nix Normal file
View File

@@ -0,0 +1,48 @@
inputs:
{
imports = inputs.localLib.mkModules
[
./chromium.nix
./steam.nix
];
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "desktop-fat" inputs.config.nixos.packages._packageSets)
{
nixos =
{
packages = with inputs.pkgs;
{
_packages =
[
# system management
etcher btrfs-assistant snapper-gui libsForQt5.qtstyleplugin-kvantum
# password and key management
yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden
# download
qbittorrent nur-xddxdd.baidupcs-go wgetpaste
# development
scrcpy weston cage openbox krita
# media
spotify yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
# editor
localPackages.typora
# themes
orchis-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme arc-kde-theme materia-theme
# news
fluent-reader
# nix tools
deploy-rs.deploy-rs nixpkgs-fmt
# instant messager
element-desktop telegram-desktop discord fluffychat
# browser
google-chrome
# office
crow-translate zotero pandoc ydict
] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
};
};
programs.kdeconnect.enable = true;
};
}

23
modules/packages/desktop-fat/steam.nix Normal file
View File

@@ -0,0 +1,23 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "desktop-fat" inputs.config.nixos.packages._packageSets)
{
programs.steam =
{
enable = true;
package = inputs.pkgs.steam.override (prev:
{
steam = prev.steam.overrideAttrs (prev:
{
postInstall = prev.postInstall +
''
sed -i 's#Comment\[zh_CN\]=.*$#Comment\[zh_CN\]=®#' $out/share/applications/steam.desktop
'';
});
});
};
};
}

55
modules/packages/desktop/default.nix Normal file
View File

@@ -0,0 +1,55 @@
inputs:
{
imports = inputs.localLib.mkModules [ ./vscode.nix ];
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
{
nixos =
{
packages._packages = with inputs.pkgs;
[
# system management
gparted wl-clipboard-x11 kio-fuse
wayland-utils clinfo glxinfo vulkan-tools dracut
# networking
remmina putty mtr-gui
# media
mpv nomacs
# themes
tela-circle-icon-theme
firefoxpwa
];
users.sharedModules =
[{
config.home.file.".config/baloofilerc".text =
''
[Basic Settings]
Indexing-Enabled=false
'';
}];
};
programs =
{
adb.enable = true;
wireshark = { enable = true; package = inputs.pkgs.wireshark; };
firefox =
{
enable = true;
languagePacks = [ "zh-CN" "en-US" ];
nativeMessagingHosts.packages = [ inputs.pkgs.firefoxpwa ];
};
vim.package = inputs.pkgs.vim-full;
};
nixpkgs.config.packageOverrides = pkgs:
{
telegram-desktop = pkgs.telegram-desktop.overrideAttrs (attrs:
{
patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./telegram.patch ];
});
};
services.pcscd.enable = true;
};
}

0
modules/packages/telegram.patch → modules/packages/desktop/telegram.patch
View File

57
modules/packages/desktop/vscode.nix Normal file
View File

@@ -0,0 +1,57 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "desktop" inputs.config.nixos.packages._packageSets)
{
nixos.packages = with inputs.pkgs;
{
_packages =
[(
vscode-with-extensions.override
{
vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
(with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
++ (with github; [ copilot copilot-chat github-vscode-theme ])
++ (with intellsmi; [ comment-translate deepl-translate ])
++ (with ms-python; [ isort python vscode-pylance ])
++ (with ms-toolsai;
[
jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
])
++ (with ms-vscode;
[
cmake-tools cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
test-adapter-converter
])
++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
++ [
donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
oderwat.indent-rainbow
twxs.cmake guyutongxue.cpp-reference znck.grammarly thfriedrich.lammps leetcode.vscode-leetcode
james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug
hbenl.vscode-test-explorer
jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
gruntfuggly.todo-tree
# restrctured text
lextudio.restructuredtext trond-snekvik.simple-rst
# markdown
shd101wyy.markdown-preview-enhanced
];
}
)];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
# required by vscode extensions restrucuredtext
localPackages.esbonio
])];
};
};
}

134
modules/packages/server/default.nix Normal file
View File

@@ -0,0 +1,134 @@
inputs:
{
imports = inputs.localLib.mkModules
[
./ssh
./zsh
./gpg.nix
];
config =
let
inherit (inputs.lib) mkIf;
inherit (builtins) concatLists map listToAttrs;
inherit (inputs.localLib) attrsToList;
in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
{
nixos =
{
packages = with inputs.pkgs;
{
_packages =
[
# shell
ksh
# basic tools
beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch localPackages.pslist
fastfetch reptyr
# lsxx
pciutils usbutils lshw util-linux lsof
# top
iotop iftop htop btop powertop s-tui
# editor
nano bat
# downloader
wget aria2 curl yt-dlp
# file manager
tree eza trash-cli lsd broot file xdg-ninja mlocate
# compress
pigz rar upx unzip zip lzip p7zip
# file system management
sshfs e2fsprogs adb-sync duperemove compsize exfatprogs
# disk management
smartmontools hdparm
# encryption and authentication
apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
# networking
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
# nix tools
nix-output-monitor nix-tree ssh-to-age
# office
todo-txt-cli
# development
gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix hexo-cli
] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
};
users.sharedModules = [(home-inputs:
{
config.programs =
{
direnv = { enable = true; nix-direnv.enable = true; };
git =
{
enable = true;
lfs.enable = true;
extraConfig =
{
core.editor = if inputs.config.nixos.system.gui.preferred then "code --wait" else "vim";
advice.detachedHead = false;
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
};
package = inputs.pkgs.gitFull;
delta =
{
enable = true;
options =
{
side-by-side = true;
navigate = true;
syntax-theme = "GitHub";
light = true;
zero-style = "syntax white";
line-numbers-zero-style = "#ffffff";
};
};
};
vim =
{
enable = true;
defaultEditor = true;
packageConfigurable = inputs.config.programs.vim.package;
settings =
{
number = true;
expandtab = false;
shiftwidth = 2;
tabstop = 2;
};
extraConfig =
''
set clipboard=unnamedplus
colorscheme evening
'';
};
};
})];
};
programs =
{
nix-index-database.comma.enable = true;
nix-index.enable = true;
command-not-found.enable = false;
autojump.enable = true;
git =
{
enable = true;
package = inputs.pkgs.gitFull;
lfs.enable = true;
config =
{
init.defaultBranch = "main";
core = { quotepath = false; editor = "vim"; };
};
};
yazi.enable = true;
mosh.enable = true;
};
services =
{
fwupd.enable = true;
udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
};
home-manager = { useGlobalPkgs = true; useUserPackages = true; };
};
}

10
modules/packages/server/gpg.nix Normal file
View File

@@ -0,0 +1,10 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
{
programs.gnupg.agent = { enable = true; pinentryFlavor = "tty"; };
};
}

169
modules/packages/server/ssh/default.nix Normal file
View File

@@ -0,0 +1,169 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (builtins) concatLists map listToAttrs;
inherit (inputs.localLib) attrsToList;
in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
{
services.openssh.knownHosts =
let
servers =
{
vps6 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
hostnames = [ "vps6.chn.moe" "wireguard.vps6.chn.moe" "74.211.99.69" "192.168.83.1" ];
};
"initrd.vps6" =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4DKB/zzUYco5ap6k9+UxeO04LL12eGvkmQstnYxgnS";
hostnames = [ "initrd.vps6.chn.moe" "74.211.99.69" ];
};
vps7 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
hostnames = [ "vps7.chn.moe" "wireguard.vps7.chn.moe" "ssh.git.chn.moe" "95.111.228.40" "192.168.83.2" ];
};
"initrd.vps7" =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZyQpdQmEZw3nLERFmk2tS1gpSvXwW0Eish9UfhrRxC";
hostnames = [ "initrd.vps7.chn.moe" "95.111.228.40" ];
};
nas =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
hostnames = [ "wireguard.nas.chn.moe" "[office.chn.moe]:5440" "192.168.1.185" "192.168.83.4" ];
};
"initrd.nas" =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
hostnames = [ "initrd.nas.chn.moe" "[office.chn.moe]:5440" "192.168.1.185" ];
};
pc =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
hostnames = [ "wireguard.pc.chn.moe" "192.168.83.3" ];
};
hpc =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVpsQW3kZt5alHC6mZhay3ZEe2fRGziG4YJWCv2nn/O";
hostnames = [ "hpc.xmu.edu.cn" ];
};
github =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
hostnames = [ "github.com" ];
};
};
in listToAttrs (concatLists (map
(server:
(
if builtins.pathExists ./ssh/${server.name}_rsa.pub then
[{
name = "${server.name}-rsa";
value =
{
publicKey = builtins.readFile ./ssh/${server.name}_rsa.pub;
hostNames = server.value.hostnames;
};
}]
else []
)
++ (
if builtins.pathExists ./ssh/${server.name}_ecdsa.pub then
[{
name = "${server.name}-ecdsa";
value =
{
publicKey = builtins.readFile ./ssh/${server.name}_ecdsa.pub;
hostNames = server.value.hostnames;
};
}]
else []
)
++ (
if server.value ? ed25519 then
[{
name = "${server.name}-ed25519";
value =
{
publicKey = server.value.ed25519;
hostNames = server.value.hostnames;
};
}]
else []
))
(attrsToList servers)));
programs.ssh =
{
startAgent = true;
enableAskPassword = true;
askPassword = "${inputs.pkgs.systemd}/bin/systemd-ask-password";
extraConfig = "AddKeysToAgent yes";
};
environment.sessionVariables.SSH_ASKPASS_REQUIRE = "prefer";
nixos.users.sharedModules =
[(hmInputs: {
config.programs.ssh =
{
enable = true;
controlMaster = "auto";
controlPersist = "1m";
compression = true;
matchBlocks = builtins.listToAttrs
(
(builtins.map
(host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
[ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "wireguard.nas" ])
++ (builtins.map
(host:
{
name = host;
value =
{
host = host;
hostname = "hpc.xmu.edu.cn";
user = host;
extraOptions =
{
PubkeyAcceptedAlgorithms = "+ssh-rsa";
HostkeyAlgorithms = "+ssh-rsa";
SetEnv =
let
usernameMap =
{
chn = "linwei/chn";
};
cdString =
if host == "jykang" && (usernameMap ? ${hmInputs.config.home.username}) then
":chn_cd:${usernameMap.${hmInputs.config.home.username}}"
else "";
in "TERM=chn_unset_ls_colors${cdString}:xterm-256color";
# in .bash_profile:
# if [[ $TERM == chn_unset_ls_colors* ]]; then
# export TERM=${TERM#*:}
# export CHN_LS_USE_COLOR=1
# fi
# if [[ $TERM == chn_cd* ]]; then
# export TERM=${TERM#*:}
# cd ~/${TERM%%:*}
# export TERM=${TERM#*:}
# fi
# in .bashrc
# [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
};
};
})
[ "wlin" "jykang" "hwang" ])
)
// {
xmupc1 = { host = "xmupc1"; hostname = "office.chn.moe"; port = 6007; };
nas = { host = "nas"; hostname = "office.chn.moe"; port = 5440; };
gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
};
};
})];
};
}

0
modules/packages/ssh/github_ecdsa.pub → modules/packages/server/ssh/github_ecdsa.pub
View File

0
modules/packages/ssh/github_rsa.pub → modules/packages/server/ssh/github_rsa.pub
View File

0
modules/packages/ssh/hpc_ecdsa.pub → modules/packages/server/ssh/hpc_ecdsa.pub
View File

0
modules/packages/ssh/hpc_rsa.pub → modules/packages/server/ssh/hpc_rsa.pub
View File

0
modules/packages/ssh/nas_rsa.pub → modules/packages/server/ssh/nas_rsa.pub
View File

0
modules/packages/ssh/pc_rsa.pub → modules/packages/server/ssh/pc_rsa.pub
View File

0
modules/packages/ssh/vps6_rsa.pub → modules/packages/server/ssh/vps6_rsa.pub
View File

0
modules/packages/ssh/vps7_rsa.pub → modules/packages/server/ssh/vps7_rsa.pub
View File

78
modules/packages/server/zsh/default.nix Normal file
View File

@@ -0,0 +1,78 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
{
nixos.users.sharedModules = [(home-inputs: { config.programs.zsh =
{
enable = true;
initExtraBeforeCompInit =
''
# p10k instant prompt
P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
HYPHEN_INSENSITIVE="true"
export PATH=~/bin:$PATH
function br
{
local cmd cmd_file code
cmd_file=$(mktemp)
if broot --outcmd "$cmd_file" "$@"; then
cmd=$(<"$cmd_file")
command rm -f "$cmd_file"
eval "$cmd"
else
code=$?
command rm -f "$cmd_file"
return "$code"
fi
}
alias todo="todo.sh"
'';
plugins =
[
{
file = "powerlevel10k.zsh-theme";
name = "powerlevel10k";
src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
}
{
file = "p10k.zsh";
name = "powerlevel10k-config";
src = ./p10k-config;
}
{
name = "zsh-lsd";
src = inputs.pkgs.fetchFromGitHub
{
owner = "z-shell";
repo = "zsh-lsd";
rev = "65bb5ac49190beda263aae552a9369127961632d";
hash = "sha256-JSNsfpgiqWhtmGQkC3B0R1Y1QnDKp9n0Zaqzjhwt7Xk=";
};
}
];
history =
{
path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
extended = true;
save = 100000000;
size = 100000000;
};
};})];
programs.zsh =
{
enable = true;
syntaxHighlighting.enable = true;
autosuggestions.enable = true;
enableCompletion = true;
ohMyZsh =
{
enable = true;
plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
};
};
};
}

2
modules/packages/p10k-config/p10k.zsh → modules/packages/server/zsh/p10k-config/p10k.zsh
View File

@@ -855,7 +855,7 @@
# #
# These variables correspond to the last line of the output of `todo.sh -p ls`: # These variables correspond to the last line of the output of `todo.sh -p ls`:
# #
# TODO: 24 of 42 tasks shown # TO DO: 24 of 42 tasks shown
# #
# Here 24 is P9K_TODO_FILTERED_TASK_COUNT and 42 is P9K_TODO_TOTAL_TASK_COUNT. # Here 24 is P9K_TODO_FILTERED_TASK_COUNT and 42 is P9K_TODO_TOTAL_TASK_COUNT.
# #

104
modules/packages/workstation/default.nix Normal file
View File

@@ -0,0 +1,104 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "workstation" inputs.config.nixos.packages._packageSets)
{
nixos =
{
packages = with inputs.pkgs;
{
_packages =
[
# password and key management
electrum jabref
# system management
wl-mirror ventoy-full
# nix tools
nix-template appimage-run nil nixd nix-alien nix-serve node2nix nix-prefetch-github prefetch-npm-deps
nix-prefetch-docker pnpm-lock-export bundix
# instant messager
zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack inputs.config.nur.repos.linyinfeng.wemeet
cinny-desktop nheko
# office
libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain hdfview
(texlive.combine { inherit (texlive) scheme-full; inherit (localPackages) citation-style-language; })
# development
jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify aircrack-ng
# media
nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
# virtualization
wineWowPackages.stagingFull virt-viewer bottles # wine64
# text editor
appflowy notion-app-enhanced joplin-desktop standardnotes logseq
# math, physics and chemistry
mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
localPackages.vasp localPackages.vaspkit jmol localPackages.v_sim
# encryption and password management
john crunch hashcat
# container and vm
genymotion # davinci-resolve playonlinux
# browser
microsoft-edge
# news
rssguard newsflash newsboat
];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
phonopy tensorflow keras openai scipy scikit-learn jupyterlab autograd
# localPackages.pix2tex
inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
certifi charset-normalizer idna orjson psycopg2 localPackages.eigengdb
])];
_prebuildPackages =
[
httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
gcc13Stdenv
];
};
users.sharedModules =
[{
config.programs =
{
obs-studio =
{
enable = true;
plugins = with inputs.pkgs.obs-studio-plugins;
[ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
doom-emacs = { enable = true; doomPrivateDir = ./doom.d; };
};
}];
};
programs =
{
anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
nix-ld.enable = true;
gamemode =
{
enable = true;
settings =
{
general.renice = 10;
gpu =
{
apply_gpu_optimisations = "accept-responsibility";
nv_powermizer_mode = 1;
};
custom = let notify-send = "${inputs.pkgs.libnotify}/bin/notify-send"; in
{
start = "${notify-send} 'GameMode started'";
end = "${notify-send} 'GameMode ended'";
};
};
};
chromium =
{
enable = true;
extraOpts.PasswordManagerEnabled = false;
};
};
};
}

0
modules/packages/workstation/doom.d/config.el Normal file
View File

191
modules/packages/workstation/doom.d/init.el Normal file
View File

@@ -0,0 +1,191 @@
;;; init.el -*- lexical-binding: t; -*-
;; This file controls what Doom modules are enabled and what order they load
;; in. Remember to run 'doom sync' after modifying it!
;; NOTE Press 'SPC h d h' (or 'C-h d h' for non-vim users) to access Doom's
;; documentation. There you'll find a "Module Index" link where you'll find
;; a comprehensive list of Doom's modules and what flags they support.
;; NOTE Move your cursor over a module's name (or its flags) and press 'K' (or
;; 'C-c c k' for non-vim users) to view its documentation. This works on
;; flags as well (those symbols that start with a plus).
;;
;; Alternatively, press 'gd' (or 'C-c c d') on a module to browse its
;; directory (for easy access to its source code).
(doom! :input
;;chinese
;;japanese
;;layout ; auie,ctsrnm is the superior home row
:completion
company ; the ultimate code completion backend
;;helm ; the *other* search engine for love and life
;;ido ; the other *other* search engine...
;;ivy ; a search engine for love and life
vertico ; the search engine of the future
:ui
;;deft ; notational velocity for Emacs
doom ; what makes DOOM look the way it does
doom-dashboard ; a nifty splash screen for Emacs
doom-quit ; DOOM quit-message prompts when you quit Emacs
;;(emoji +unicode) ; 🙂
hl-todo ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
;;hydra
;;indent-guides ; highlighted indent columns
;;ligatures ; ligatures and symbols to make your code pretty again
;;minimap ; show a map of the code on the side
modeline ; snazzy, Atom-inspired modeline, plus API
;;nav-flash ; blink cursor line after big motions
;;neotree ; a project drawer, like NERDTree for vim
ophints ; highlight the region an operation acts on
(popup +defaults) ; tame sudden yet inevitable temporary windows
;;tabs ; a tab bar for Emacs
;;treemacs ; a project drawer, like neotree but cooler
;;unicode ; extended unicode support for various languages
vc-gutter ; vcs diff in the fringe
vi-tilde-fringe ; fringe tildes to mark beyond EOB
;;window-select ; visually switch windows
workspaces ; tab emulation, persistence & separate workspaces
;;zen ; distraction-free coding or writing
:editor
(evil +everywhere); come to the dark side, we have cookies
file-templates ; auto-snippets for empty files
fold ; (nigh) universal code folding
;;(format +onsave) ; automated prettiness
;;god ; run Emacs commands without modifier keys
;;lispy ; vim for lisp, for people who don't like vim
;;multiple-cursors ; editing in many places at once
;;objed ; text object editing for the innocent
;;parinfer ; turn lisp into python, sort of
;;rotate-text ; cycle region at point between text candidates
snippets ; my elves. They type so I don't have to
;;word-wrap ; soft wrapping with language-aware indent
:emacs
dired ; making dired pretty [functional]
electric ; smarter, keyword-based electric-indent
;;ibuffer ; interactive buffer management
undo ; persistent, smarter undo for your inevitable mistakes
vc ; version-control and Emacs, sitting in a tree
:term
;;eshell ; the elisp shell that works everywhere
;;shell ; simple shell REPL for Emacs
;;term ; basic terminal emulator for Emacs
;;vterm ; the best terminal emulation in Emacs
:checkers
syntax ; tasing you for every semicolon you forget
;;(spell +flyspell) ; tasing you for misspelling mispelling
;;grammar ; tasing grammar mistake every you make
:tools
;;ansible
;;biblio ; Writes a PhD for you (citation needed)
;;debugger ; FIXME stepping through code, to help you add bugs
;;direnv
;;docker
;;editorconfig ; let someone else argue about tabs vs spaces
;;ein ; tame Jupyter notebooks with emacs
(eval +overlay) ; run code, run (also, repls)
;;gist ; interacting with github gists
lookup ; navigate your code and its documentation
;;lsp ; M-x vscode
magit ; a git porcelain for Emacs
;;make ; run make tasks from Emacs
;;pass ; password manager for nerds
;;pdf ; pdf enhancements
;;prodigy ; FIXME managing external services & code builders
;;rgb ; creating color strings
;;taskrunner ; taskrunner for all your projects
;;terraform ; infrastructure as code
;;tmux ; an API for interacting with tmux
;;upload ; map local to remote projects via ssh/ftp
:os
(:if IS-MAC macos) ; improve compatibility with macOS
;;tty ; improve the terminal Emacs experience
:lang
;;agda ; types of types of types of types...
;;beancount ; mind the GAAP
;;cc ; C > C++ == 1
;;clojure ; java with a lisp
;;common-lisp ; if you've seen one lisp, you've seen them all
;;coq ; proofs-as-programs
;;crystal ; ruby at the speed of c
;;csharp ; unity, .NET, and mono shenanigans
;;data ; config/data formats
;;(dart +flutter) ; paint ui and not much else
;;dhall
;;elixir ; erlang done right
;;elm ; care for a cup of TEA?
emacs-lisp ; drown in parentheses
;;erlang ; an elegant language for a more civilized age
;;ess ; emacs speaks statistics
;;factor
;;faust ; dsp, but you get to keep your soul
;;fortran ; in FORTRAN, GOD is REAL (unless declared INTEGER)
;;fsharp ; ML stands for Microsoft's Language
;;fstar ; (dependent) types and (monadic) effects and Z3
;;gdscript ; the language you waited for
;;(go +lsp) ; the hipster dialect
;;(haskell +lsp) ; a language that's lazier than I am
;;hy ; readability of scheme w/ speed of python
;;idris ; a language you can depend on
;;json ; At least it ain't XML
;;(java +meghanada) ; the poster child for carpal tunnel syndrome
;;javascript ; all(hope(abandon(ye(who(enter(here))))))
;;julia ; a better, faster MATLAB
;;kotlin ; a better, slicker Java(Script)
;;latex ; writing papers in Emacs has never been so fun
;;lean ; for folks with too much to prove
;;ledger ; be audit you can be
;;lua ; one-based indices? one-based indices
markdown ; writing docs for people to ignore
;;nim ; python + lisp at the speed of c
;;nix ; I hereby declare "nix geht mehr!"
;;ocaml ; an objective camel
org ; organize your plain life in plain text
;;php ; perl's insecure younger brother
;;plantuml ; diagrams for confusing people more
;;purescript ; javascript, but functional
;;python ; beautiful is better than ugly
;;qt ; the 'cutest' gui framework ever
;;racket ; a DSL for DSLs
;;raku ; the artist formerly known as perl6
;;rest ; Emacs as a REST client
;;rst ; ReST in peace
;;(ruby +rails) ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
;;rust ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
;;scala ; java, but good
;;(scheme +guile) ; a fully conniving family of lisps
sh ; she sells {ba,z,fi}sh shells on the C xor
;;sml
;;solidity ; do you need a blockchain? No.
;;swift ; who asked for emoji variables?
;;terra ; Earth and Moon in alignment for performance.
;;web ; the tubes
;;yaml ; JSON, but readable
;;zig ; C, but simpler
:email
;;(mu4e +org +gmail)
;;notmuch
;;(wanderlust +gmail)
:app
;;calendar
;;emms
;;everywhere ; *leave* Emacs!? You must be joking
;;irc ; how neckbeards socialize
;;(rss +org) ; emacs as an RSS reader
;;twitter ; twitter client https://twitter.com/vnought
:config
;;literate
(default +bindings +smartparens))

0
modules/packages/workstation/doom.d/packages.el Normal file
View File

5
modules/services/acme.nix
View File

@@ -8,10 +8,7 @@ inputs:
type = types.attrsOf (types.submodule (submoduleInputs: { options = type = types.attrsOf (types.submodule (submoduleInputs: { options =
{ {
domains = mkOption domains = mkOption
{ { type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
type = types.nonEmptyListOf types.nonEmptyStr;
default = [ submoduleInputs.config._module.args.name ];
};
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; }; group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};})); };}));
default = {}; default = {};

51
modules/services/akkoma.nix Normal file
View File

@@ -0,0 +1,51 @@
inputs:
{
options.nixos.services.akkoma = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "akkoma.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) akkoma;
inherit (inputs.lib) mkIf;
in mkIf akkoma.enable
{
services.akkoma =
{
enable = true;
config.":pleroma" =
{
"Pleroma.Web.Endpoint".url.host = akkoma.hostname;
"Pleroma.Repo" =
{
adapter = (inputs.pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
hostname = "127.0.0.1";
username = "akkoma";
password._secret = inputs.config.sops.secrets."akkoma/db".path;
database = "akkoma";
};
":instance" =
{
name = "";
email = "grass@grass.squre";
description = "";
};
};
};
nixos.services =
{
nginx =
{
enable = true;
https."${akkoma.hostname}" =
{
global.tlsCert = "/var/lib/akkoma";
location."/".proxy = { upstream = "http://127.0.0.1:4000"; websocket = true; };
};
};
postgresql.instances.akkoma = {};
};
sops.secrets."akkoma/db" = { owner = "akkoma"; key = "postgresql/akkoma"; };
};
}

5
modules/services/beesd.nix
View File

@@ -9,10 +9,7 @@ inputs:
[ [
types.nonEmptyStr types.nonEmptyStr
(types.submodule { options = (types.submodule { options =
{ { device = mkOption { type = types.nonEmptyStr; }; hashTableSizeMB = mkOption { type = types.int; }; };})
device = mkOption { type = types.nonEmptyStr; };
hashTableSizeMB = mkOption { type = types.int; };
};})
]); ]);
default = {}; default = {};
}; };

23
modules/services/coturn.nix
View File

@@ -11,19 +11,16 @@ inputs:
inherit (inputs.lib) mkIf; inherit (inputs.lib) mkIf;
in mkIf coturn.enable in mkIf coturn.enable
{ {
services.coturn = services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
let {
keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; enable = true;
in use-auth-secret = true;
{ static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
enable = true; realm = coturn.hostname;
use-auth-secret = true; cert = "${keydir}/full.pem";
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path; pkey = "${keydir}/key.pem";
realm = coturn.hostname; no-cli = true;
cert = "${keydir}/full.pem"; };
pkey = "${keydir}/key.pem";
no-cli = true;
};
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User; sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
nixos.services.acme = nixos.services.acme =
{ {

11
modules/services/default.nix
View File

@@ -31,7 +31,15 @@ inputs:
./send.nix ./send.nix
./huginn.nix ./huginn.nix
./httpua ./httpua
./fcgiwrap.nix ./fz-new-order
./httpapi.nix
./mirism.nix
./mastodon.nix
./gitea.nix
./grafana.nix
./fail2ban.nix
./wireguard.nix
./akkoma.nix
]; ];
options.nixos.services = let inherit (inputs.lib) mkOption types; in options.nixos.services = let inherit (inputs.lib) mkOption types; in
{ {
@@ -105,7 +113,6 @@ inputs:
postgresql = { enable = true; instances.wallabag = {}; }; postgresql = { enable = true; instances.wallabag = {}; };
redis.instances.wallabag = { user = "root"; port = 8790; }; redis.instances.wallabag = { user = "root"; port = 8790; };
}; };
# TODO: root docker use config of rootless docker?
virtualization.docker.enable = true; virtualization.docker.enable = true;
}; };
} }

19
modules/services/fail2ban.nix Normal file
View File

@@ -0,0 +1,19 @@
inputs:
{
options.nixos.services.fail2ban = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services) fail2ban;
inherit (inputs.lib) mkIf;
in mkIf fail2ban.enable
{
services.fail2ban =
{
enable = true;
ignoreIP = [ "127.0.0.0/8" "192.168.0.0/16" "vps6.chn.moe" ];
};
};
}

21
modules/services/fcgiwrap.nix
View File

@@ -1,21 +0,0 @@
inputs:
{
options.nixos.services.fcgiwrap = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services) fcgiwrap;
inherit (inputs.lib) mkIf;
in mkIf fcgiwrap.enable
{
nixos.services.nginx.enable = true;
services.fcgiwrap =
{
enable = true;
user = inputs.config.users.users.nginx.name;
group = inputs.config.users.users.nginx.group;
};
};
}

2
modules/services/fontconfig.nix
View File

@@ -13,7 +13,7 @@ inputs:
fonts = fonts =
{ {
fontDir.enable = true; fontDir.enable = true;
fonts = with inputs.pkgs; packages = with inputs.pkgs;
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ]; [ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
fontconfig.defaultFonts = fontconfig.defaultFonts =
{ {

12
modules/services/freshrss.nix
View File

@@ -17,21 +17,13 @@ inputs:
baseUrl = "https://${freshrss.hostname}"; baseUrl = "https://${freshrss.hostname}";
defaultUser = "chn"; defaultUser = "chn";
passwordFile = inputs.config.sops.secrets."freshrss/chn".path; passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
database = database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
{
type = "mysql";
passFile = inputs.config.sops.secrets."freshrss/db".path;
};
virtualHost = null; virtualHost = null;
}; };
sops.secrets = sops.secrets =
{ {
"freshrss/chn".owner = inputs.config.users.users.freshrss.name; "freshrss/chn".owner = inputs.config.users.users.freshrss.name;
"freshrss/db" = "freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
{
owner = inputs.config.users.users.freshrss.name;
key = "mariadb/freshrss";
};
}; };
systemd.services.freshrss-config.after = [ "mysql.service" ]; systemd.services.freshrss-config.after = [ "mysql.service" ];
nixos.services = nixos.services =

17
modules/services/frp.nix
View File

@@ -1,5 +1,3 @@
# TODO: update to json config at 23.11
# TODO: switch to module in nixpkgs
inputs: inputs:
{ {
options.nixos.services = let inherit (inputs.lib) mkOption types; in options.nixos.services = let inherit (inputs.lib) mkOption types; in
@@ -115,6 +113,7 @@ inputs:
type = "stcp"; type = "stcp";
transport.useCompression = true; transport.useCompression = true;
secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}"; secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
allowUsers = [ "*" ];
inherit (stcp.value) localIp localPort; inherit (stcp.value) localIp localPort;
}) })
(attrsToList frpClient.stcp)); (attrsToList frpClient.stcp));
@@ -141,7 +140,11 @@ inputs:
(attrsToList (with frpClient; stcp // stcpVisitor))) (attrsToList (with frpClient; stcp // stcpVisitor)))
); );
}; };
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; }; users =
{
users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
groups.frp.gid = inputs.config.nixos.system.user.group.frp;
};
} }
) )
( (
@@ -187,12 +190,12 @@ inputs:
}; };
secrets."frp/token" = {}; secrets."frp/token" = {};
}; };
nixos.services.acme = nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
users =
{ {
enable = true; users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
cert.${frpServer.serverName}.group = "frp"; groups.frp.gid = inputs.config.nixos.system.user.group.frp;
}; };
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
networking.firewall.allowedTCPPorts = [ 7000 ]; networking.firewall.allowedTCPPorts = [ 7000 ];
} }
) )

115
modules/services/fz-new-order/default.nix Normal file
View File

@@ -0,0 +1,115 @@
inputs:
{
options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services) fz-new-order;
inherit (inputs.localLib) attrsToList;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs toString concatLists;
in mkIf fz-new-order.enable
{
users =
{
users.fz-new-order =
{
uid = inputs.config.nixos.system.user.user.fz-new-order;
group = "fz-new-order";
home = "/var/lib/fz-new-order";
createHome = true;
isSystemUser = true;
};
groups.fz-new-order.gid = inputs.config.nixos.system.user.group.fz-new-order;
};
systemd =
{
timers.fz-new-order =
{
wantedBy = [ "timers.target" ];
timerConfig =
{
OnBootSec = "10m";
OnUnitActiveSec = "10m";
Unit = "fz-new-order.service";
};
};
services.fz-new-order = rec
{
description = "fz-new-order";
after = [ "network.target" ];
requires = after;
serviceConfig =
{
User = inputs.config.users.users."fz-new-order".name;
Group = inputs.config.users.users."fz-new-order".group;
WorkingDirectory = "/var/lib/fz-new-order";
ExecStart =
let
src = inputs.pkgs.substituteAll
{
src = ./main.cpp;
config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
};
binary = inputs.pkgs.stdenv.mkDerivation
{
name = "fz-new-order";
inherit src;
buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
dontUnpack = true;
buildPhase =
''
runHook preBuild
g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
runHook postBuild
'';
installPhase =
''
runHook preInstall
mkdir -p $out/bin
cp fz-new-order $out/bin/fz-new-order
runHook postInstall
'';
};
in "${binary}/bin/fz-new-order";
};
};
tmpfiles.rules =
[
"d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
"Z /var/lib/fz-new-order - fz-new-order fz-new-order"
];
};
sops = let userNum = 6; configNum = 2; in
{
templates."fz-new-order/config.json" =
{
owner = inputs.config.users.users."fz-new-order".name;
group = inputs.config.users.users."fz-new-order".group;
content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
{
manager = placeholder."fz-new-order/manager";
token = placeholder."fz-new-order/token";
uids = map (j: placeholder."fz-new-order/uids/user${toString j}") (builtins.genList (n: n) userNum);
config = map
(i: listToAttrs (map
(attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
[ "username" "password" "comment" ]))
(builtins.genList (n: n) configNum);
};
};
secrets =
{ "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
// (listToAttrs (map
(i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
(builtins.genList (n: n) userNum)))
// (listToAttrs (concatLists (map
(i: map
(attrName: { name = "fz-new-order/config${toString i}/${attrName}"; value = {}; })
[ "username" "password" "comment" ])
(builtins.genList (n: n) configNum))));
};
};
}

254
modules/services/fz-new-order/main.cpp Normal file
View File

@@ -0,0 +1,254 @@
# include <iostream>
# include <set>
# include <sstream>
# include <filesystem>
# include <cereal/types/set.hpp>
# include <cereal/archives/json.hpp>
# include <fmt/format.h>
# include <fmt/ranges.h>
# include <httplib.h>
# include <json/json.h>
std::string urlencode(std::string s)
{
auto hexchar = [](unsigned char c, unsigned char &hex1, unsigned char &hex2)
{
hex1 = c / 16;
hex2 = c % 16;
hex1 += hex1 <= 9 ? '0' : 'a' - 10;
hex2 += hex2 <= 9 ? '0' : 'a' - 10;
};
const char *str = s.c_str();
std::vector<char> v(s.size());
v.clear();
for (std::size_t i = 0, l = s.size(); i < l; i++)
{
char c = str[i];
if
(
(c >= '0' && c <= '9')
|| (c >= 'a' && c <= 'z')
|| (c >= 'A' && c <= 'Z')
|| c == '-' || c == '_' || c == '.' || c == '!' || c == '~'
|| c == '*' || c == '\'' || c == '(' || c == ')'
)
v.push_back(c);
else
{
v.push_back('%');
unsigned char d1, d2;
hexchar(c, d1, d2);
v.push_back(d1);
v.push_back(d2);
}
}
return std::string(v.cbegin(), v.cend());
}
void oneshot
(
const std::string& username, const std::string& password, const std::string& comment,
const std::set<std::string>& wxuser, const std::set<std::string>& manager, const std::string& token
)
{
httplib::Client fzclient("http://scmv9.fengzhansy.com:8882");
httplib::Client wxclient("http://wxpusher.zjiecode.com");
auto& log = std::clog;
try
{
// get JSESSIONID
auto cookie_jsessionid = [&]() -> std::string
{
log << "get /scmv9/login.jsp\n";
auto result = fzclient.Get("/scmv9/login.jsp");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
auto it = result.value().headers.find("Set-Cookie");
if (it == result.value().headers.end() || it->first != "Set-Cookie")
throw std::runtime_error("find cookie failed");
log << fmt::format("set_cookie JSESSIONID {}\n", it->second.substr(0, it->second.find(';')));
return it->second.substr(0, it->second.find(';'));
}();
// login
auto cookie_pppp = [&]() -> std::string
{
auto body = fmt::format("method=dologinajax&rand=1234&userc={}&mdid=P&passw={}", username, password);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882" },
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/login.jsp" },
{ "Cookie", cookie_jsessionid }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("set_cookie pppp {}\n", fmt::format("pppp={}%40{}", username, password));
return fmt::format("pppp={}%40{}", username, password);
}();
// get order list
auto order_list = [&]() -> std::map<std::string, std::pair<std::string, std::string>>
{
auto body = fmt::format("method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=dd_qry&nv%5B%5D=bill&nv%5B%5D=&nv%5B%5D=storeid&nv%5B%5D=&nv%5B%5D=vendorid&nv%5B%5D={}&nv%5B%5D=qr_status&nv%5B%5D=&nv%5B%5D=ddprt&nv%5B%5D=%25&nv%5B%5D=fdate&nv%5B%5D=&nv%5B%5D=tdate&nv%5B%5D=&nv%5B%5D=shfdate&nv%5B%5D=&nv%5B%5D=shtdate&nv%5B%5D=&nv%5B%5D=fy_pno&nv%5B%5D=1&nv%5B%5D=fy_psize&nv%5B%5D=10", username);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882"
},
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
{ "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("get result {}\n", result.value().body);
std::stringstream result_body(result.value().body);
Json::Value root;
result_body >> root;
std::map<std::string, std::pair<std::string, std::string>> orders;
for (unsigned i = 0; i < root["dt"][1].size(); i++)
{
log << fmt::format
(
"insert order {} {} {}\n", root["dt"][1][i].asString(), root["dt"][2][i].asString(),
root["dt"][4][i].asString()
);
orders.insert({root["dt"][1][i].asString(), {root["dt"][2][i].asString(), root["dt"][4][i].asString()}});
}
return orders;
}();
// read order old
auto order_old = [&]() -> std::set<std::string>
{
if (!std::filesystem::exists("orders.json"))
return {};
else
{
std::ifstream ins("orders.json");
cereal::JSONInputArchive ina(ins);
std::set<std::string> data;
cereal::load(ina, data);
return data;
}
}();
// push new order info
for (const auto& order : order_list)
if (!order_old.contains(order.first))
{
for (const auto& user : manager)
{
auto path = fmt::format
(
"/api/send/message/?appToken={}&content={}&uid={}",
token, urlencode(fmt::format("push {}", order.first)), user
);
auto wxresult = wxclient.Get(path.c_str());
}
auto body = fmt::format
(
"method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=ddsp_qry&nv%5B%5D=bill&nv%5B%5D={}",
order.first
);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882" },
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
{ "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post
("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("get result {}\n", result.value().body);
std::stringstream result_body(result.value().body);
Json::Value root;
result_body >> root;
std::stringstream push_body;
double all_cost = 0;
push_body << fmt::format
(
"{} {} {}店\n", comment, order.second.second.substr(order.second.second.find('-') + 1),
order.second.first.substr(1, 2)
);
for (unsigned i = 0; i < root["dt"][6].size(); i++)
{
push_body << fmt::format
(
"{} {}{}\n", root["dt"][6][i].asString().substr(root["dt"][6][i].asString().length() - 4),
root["dt"][7][i].asString(), root["dt"][5][i].asString()
);
// 订货金额 maybe empty ???
if (root["dt"][10][i].asString() != "")
all_cost += std::stod(root["dt"][10][i].asString());
}
push_body << fmt::format("共{:.2f}元\n", all_cost);
log << fmt::format("push to wx {}\n", push_body.str());
auto encoded = urlencode(push_body.str());
for (const auto& wxu : wxuser)
{
auto path = fmt::format
("/api/send/message/?appToken={}&content={}&uid={}", token, encoded, wxu);
auto wxresult = wxclient.Get(path.c_str());
}
}
// save data
{
for (const auto& order : order_list)
if (!order_old.contains(order.first))
order_old.insert(order.first);
std::ofstream os("orders.json");
cereal::JSONOutputArchive oa(os);
cereal::save(oa, order_old);
}
}
catch (const std::exception& ex)
{
log << ex.what() << "\n" << std::flush;
std::terminate();
}
}
int main(int argc, char** argv)
{
Json::Value configs;
std::ifstream("@config_file@") >> configs;
auto config_uids = configs["uids"];
std::set<std::string> uids;
for (auto& uid : config_uids)
uids.insert(uid.asString());
for (auto& config : configs["config"])
oneshot
(
config["username"].asString(), config["password"].asString(), config["comment"].asString(),
uids, { configs["manager"].asString() }, configs["token"].asString()
);
}

54
modules/services/gitea.nix Normal file
View File

@@ -0,0 +1,54 @@
inputs:
{
options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "git.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) gitea;
inherit (inputs.lib) mkIf;
in mkIf gitea.enable
{
services.gitea =
{
enable = true;
lfs.enable = true;
mailerPasswordFile = inputs.config.sops.secrets."gitea/mail".path;
database =
{ createDatabase = false; type = "postgres"; passwordFile = inputs.config.sops.secrets."gitea/db".path; };
settings =
{
session.COOKIE_SECURE = true;
server =
{
ROOT_URL = "https://${gitea.hostname}";
DOMAIN = gitea.hostname;
HTTP_PORT = 3002;
SSH_DOMAIN = "ssh.${gitea.hostname}";
};
mailer =
{
ENABLED = true;
FROM = "bot@chn.moe";
PROTOCOL = "smtps";
SMTP_ADDR = "mail.chn.moe";
SMTP_PORT = 465;
USER = "bot@chn.moe";
};
};
};
nixos.services =
{
nginx = { enable = true; https."${gitea.hostname}".location."/".proxy.upstream = "http://127.0.0.1:3002"; };
postgresql.instances.gitea = {};
};
sops.secrets =
{
"gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
"gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
"mail/bot" = {};
};
};
}

67
modules/services/grafana.nix Normal file
View File

@@ -0,0 +1,67 @@
inputs:
{
options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) grafana;
inherit (inputs.lib) mkIf;
in mkIf grafana.enable
{
services.grafana =
{
enable = true;
declarativePlugins = with inputs.pkgs.grafanaPlugins; [];
settings =
{
users = { verify_email_enabled = true; default_language = "zh-CN"; allow_sign_up = true; };
smtp =
{
enabled = true;
host = "mail.chn.moe";
user = "bot@chn.moe";
password = "$__file{${inputs.config.sops.secrets."grafana/mail".path}}";
from_address = "bot@chn.moe";
ehlo_identity = grafana.hostname;
startTLS_policy = "MandatoryStartTLS";
};
server = { root_url = "https://${grafana.hostname}"; http_port = 3001; enable_gzip = true; };
security =
{
secret_key = "$__file{${inputs.config.sops.secrets."grafana/secret".path}}";
admin_user = "chn";
admin_password = "$__file{${inputs.config.sops.secrets."grafana/chn".path}}";
admin_email = "chn@chn.moe";
};
database =
{
type = "postgres";
host = "127.0.0.1:5432";
user = "grafana";
password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
};
};
};
nixos.services =
{
nginx =
{
enable = true;
https."${grafana.hostname}".location."/".proxy =
{ upstream = "http://127.0.0.1:3001"; websocket = true; };
};
postgresql.instances.grafana = {};
};
sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
{
"grafana/mail" = { owner = owner; key = "mail/bot"; };
"grafana/secret".owner = owner;
"grafana/chn".owner = owner;
"grafana/db" = { owner = owner; key = "postgresql/grafana"; };
"mail/bot" = {};
};
};
}

17
modules/services/groupshare.nix
View File

@@ -9,22 +9,25 @@ inputs:
config = config =
let let
inherit (inputs.lib) mkIf; inherit (inputs.lib) mkIf;
inherit (builtins) listToAttrs map concatLists; inherit (builtins) listToAttrs map concatLists concatStringsSep;
inherit (inputs.config.nixos.services) groupshare; inherit (inputs.config.nixos.services) groupshare;
users = inputs.config.users.groups.groupshare.members; users = inputs.config.users.groups.groupshare.members;
in mkIf groupshare.enable in mkIf groupshare.enable
{ {
users.groups.groupshare = {}; users.groups.groupshare.gid = inputs.config.nixos.system.user.group.groupshare;
systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ] systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
++ (concatLists (map ++ (concatLists (map
(user: (user:
[ [
"d /var/lib/groupshare/${user} 2750 ${user} groupshare" "d /var/lib/groupshare/${user} 2750 ${user} groupshare"
# TODO: auto set 'X' bit in 23.11 "Z /var/lib/groupshare/${user} - ${user} groupshare"
# systemd 253 does not support 'X' bit, it should be manually set ("A /var/lib/groupshare/${user} - - - - "
# sudo setfacl -m 'xxx' dir # d 指 default, 即目录下新创建的文件和目录的权限
# ("a /var/lib/groupshare/${user} - - - - " # 大写 X 指仅给目录执行权限
# + "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x") # m 指 mask, 即对于所有者以外的用户, 该用户的权限最大为 m 指定的权限
+ (concatStringsSep "," (concatLists (map
(perm: [ "d:${perm}" perm ])
[ "u:${user}:rwX" "g:groupshare:r-X" "o::---" "m::r-x" ]))))
]) ])
users)); users));
fileSystems = listToAttrs (map fileSystems = listToAttrs (map

45
modules/services/httpapi.nix Normal file
View File

@@ -0,0 +1,45 @@
inputs:
{
options.nixos.services.httpapi = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "api.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) httpapi;
inherit (inputs.lib) mkIf;
inherit (builtins) toString map;
in mkIf httpapi.enable
{
nixos.services =
{
phpfpm.instances.httpapi = {};
nginx.https.${httpapi.hostname}.location =
{
"/files".static.root = "/srv/api";
"/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
"/notify.php".php =
{
root = builtins.dirOf inputs.config.sops.templates."httpapi/notify.php".path;
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
};
};
};
sops =
{
templates."httpapi/notify.php" =
{
owner = inputs.config.users.users.httpapi.name;
group = inputs.config.users.users.httpapi.group;
content =
let
placeholder = inputs.config.sops.placeholder;
request = "https://api.telegram.org/${placeholder."httpapi/token"}/sendMessage?chat_id=861886506&text=";
in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
};
secrets."httpapi/token" = {};
};
systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
};
}

25
modules/services/httpapi/default.nix
View File

@@ -1,25 +0,0 @@
inputs:
{
options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) httpua;
inherit (inputs.lib) mkIf;
inherit (builtins) toString;
in mkIf httpua.enable
{
nixos.services =
{
phpfpm.instances.httpua = {};
nginx.http.${httpua.hostname}.php =
{
root = toString ./.;
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
};
};
};
}

1
modules/services/huginn.nix
View File

@@ -60,7 +60,6 @@ inputs:
}; };
mariadb.instances.huginn = {}; mariadb.instances.huginn = {};
}; };
# TODO: root docker use config of rootless docker?
virtualization.docker.enable = true; virtualization.docker.enable = true;
}; };
}; };

6
modules/services/mariadb.nix
View File

@@ -31,11 +31,7 @@ inputs:
settings.mysqld.skip_name_resolve = true; settings.mysqld.skip_name_resolve = true;
ensureDatabases = map (db: db.value.database) (attrsToList mariadb.instances); ensureDatabases = map (db: db.value.database) (attrsToList mariadb.instances);
ensureUsers = map ensureUsers = map
(db: (db: { name = db.value.user; ensurePermissions."${db.value.database}.*" = "ALL PRIVILEGES"; })
{
name = db.value.user;
ensurePermissions."${db.value.database}.*" = "ALL PRIVILEGES";
})
(attrsToList mariadb.instances); (attrsToList mariadb.instances);
}; };
mysqlBackup = mysqlBackup =

83
modules/services/mastodon.nix Normal file
View File

@@ -0,0 +1,83 @@
inputs:
{
options.nixos.services.mastodon = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "dudu.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) mastodon;
inherit (inputs.lib) mkIf;
inherit (builtins) toString;
in mkIf mastodon.enable
{
services.mastodon =
{
enable = true;
streamingProcesses = 1;
enableUnixSocket = false;
localDomain = mastodon.hostname;
database =
{
createLocally = false;
host = "127.0.0.1";
passwordFile = inputs.config.sops.secrets."mastodon/postgresql".path;
};
redis.createLocally = false;
smtp =
{
createLocally = false;
user = "bot@chn.moe";
port = 465;
passwordFile = inputs.config.sops.secrets."mastodon/mail".path;
host = "mail.chn.moe";
fromAddress = "bot@chn.moe";
authenticate = true;
};
extraEnvFiles = [ inputs.config.sops.templates."mastodon/env".path ];
};
nixos.services =
{
postgresql = { enable = true; instances.mastodon = {}; };
redis.instances.mastodon.port = inputs.config.services.mastodon.redis.port;
nginx =
{
enable = true;
https."${mastodon.hostname}".location =
{
"/system/".alias.path = "/var/lib/mastodon/public-system/";
"/".static =
{ root = "${inputs.config.services.mastodon.package}/public"; tryFiles = [ "$uri" "@proxy" ]; };
"@proxy".proxy =
{ upstream = "http://127.0.0.1:${toString inputs.config.services.mastodon.webPort}"; websocket = true; };
"/api/v1/streaming/".proxy =
{
upstream = "http://unix:/run/mastodon-streaming/streaming-1.socket";
websocket = true;
};
};
};
};
sops =
{
secrets =
{
"mastodon/mail" = { owner = "mastodon"; key = "mail/bot"; };
"mastodon/postgresql" = { owner = "mastodon"; key = "postgresql/mastodon"; };
};
templates."mastodon/env" =
{
owner = "mastodon";
content =
''
REDIS_PASSWORD=${inputs.config.sops.placeholder."redis/mastodon"}
SMTP_SSL=true
SMTP_AUTH_METHOD=plain
'';
};
};
environment.systemPackages = [ inputs.config.services.mastodon.package ];
# sudo -u mastodon mastodon-tootctl accounts modify chn --role Owner
};
}

11
modules/services/meilisearch.nix
View File

@@ -17,7 +17,7 @@ inputs:
let let
inherit (inputs.config.nixos.services) meilisearch; inherit (inputs.config.nixos.services) meilisearch;
inherit (inputs.localLib) stripeTabs attrsToList; inherit (inputs.localLib) stripeTabs attrsToList;
inherit (builtins) map listToAttrs; inherit (builtins) map listToAttrs concatLists;
in in
{ {
systemd = systemd =
@@ -38,7 +38,7 @@ inputs:
Group = inputs.config.users.users.${instance.value.user}.group; Group = inputs.config.users.users.${instance.value.user}.group;
ExecStart = ExecStart =
let let
meilisearch = inputs.pkgs.unstablePackages.meilisearch.overrideAttrs (prev: meilisearch = inputs.pkgs.meilisearch.overrideAttrs (prev:
{ {
RUSTFLAGS = prev.RUSTFLAGS or [] ++ [ "-Clto=true" "-Cpanic=abort" "-Cembed-bitcode=yes"] RUSTFLAGS = prev.RUSTFLAGS or [] ++ [ "-Clto=true" "-Cpanic=abort" "-Cembed-bitcode=yes"]
++ ( ++ (
@@ -73,14 +73,15 @@ inputs:
}; };
}) })
(attrsToList meilisearch.instances)); (attrsToList meilisearch.instances));
tmpfiles.rules = map tmpfiles.rules = concatLists (map
(instance: (instance:
let let
user = instance.value.user; user = instance.value.user;
group = inputs.config.users.users.${instance.value.user}.group; group = inputs.config.users.users.${instance.value.user}.group;
dir = "/var/lib/meilisearch/${instance.name}";
in in
"d /var/lib/meilisearch/${instance.name} 0700 ${user} ${group}") [ "d ${dir} 0700 ${user} ${group}" "Z ${dir} - ${user} ${group}" ])
(attrsToList meilisearch.instances); (attrsToList meilisearch.instances));
}; };
sops = sops =
{ {

73
modules/services/mirism.nix Normal file
View File

@@ -0,0 +1,73 @@
inputs:
{
options.nixos.services.mirism = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services) mirism;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs toString concatLists;
in mkIf mirism.enable
{
users =
{
users.mirism = { uid = inputs.config.nixos.system.user.user.mirism; group = "mirism"; isSystemUser = true; };
groups.mirism.gid = inputs.config.nixos.system.user.group.mirism;
};
systemd =
{
services = listToAttrs (map
(instance:
{
name = "mirism-${instance}";
value =
{
description = "mirism ${instance}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
User = inputs.config.users.users.mirism.name;
Group = inputs.config.users.users.mirism.group;
ExecStart = "${inputs.pkgs.localPackages.mirism}/bin/${instance}";
};
};
})
[ "ng01" "beta" ]);
tmpfiles.rules = concatLists (map
(dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
[ "" "entry." ]);
};
nixos.services =
{
nginx =
{
enable = true;
transparentProxy.map = { "ng01.mirism.one" = 7411; "beta.mirism.one" = 9114; };
https = listToAttrs (map
(instance:
{
name = "${instance}mirism.one";
value.location."/".static = { root = "/srv/${instance}mirism"; index = [ "index.html" ]; };
})
[ "entry." "" ]);
};
acme = { enable = true; cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; }; };
};
environment.etc = listToAttrs (concatLists (map
(instance:
[
{
name = "letsencrypt/live/${instance}.mirism.one/fullchain.pem";
value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/fullchain.pem";
}
{
name = "letsencrypt/live/${instance}.mirism.one/privkey.pem";
value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/key.pem";
}
])
[ "ng01" "beta" ]));
};
}

17
modules/services/misskey.nix
View File

@@ -48,8 +48,8 @@ inputs:
Restart = "always"; Restart = "always";
}; };
}; };
tmpfiles.rules = tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
[ "d /var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}" ]; [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
}) })
(attrsToList misskey.instances)); (attrsToList misskey.instances));
fileSystems = mkMerge (map fileSystems = mkMerge (map
@@ -89,7 +89,7 @@ inputs:
user: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name} user: misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}
pass: ${placeholder."postgresql/misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"} pass: ${placeholder."postgresql/misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"}
extra: extra:
statement_timeout: 60000 statement_timeout: 600000
dbReplications: false dbReplications: false
redis: redis:
host: 127.0.0.1 host: 127.0.0.1
@@ -125,22 +125,19 @@ inputs:
{ {
users."misskey-${instance.name}" = users."misskey-${instance.name}" =
{ {
isSystemUser = true; uid = inputs.config.nixos.system.user.user."misskey-${instance.name}";
group = "misskey-${instance.name}"; group = "misskey-${instance.name}";
home = "/var/lib/misskey/${instance.name}"; home = "/var/lib/misskey/${instance.name}";
createHome = true; createHome = true;
isSystemUser = true;
}; };
groups."misskey-${instance.name}" = {}; groups."misskey-${instance.name}".gid = inputs.config.nixos.system.user.group."misskey-${instance.name}";
}) })
(attrsToList misskey.instances)); (attrsToList misskey.instances));
nixos.services = nixos.services =
{ {
redis.instances = listToAttrs (map redis.instances = listToAttrs (map
(instance: (instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
{
name = "misskey-${instance.name}";
value.port = instance.value.redis.port;
})
(attrsToList misskey.instances)); (attrsToList misskey.instances));
postgresql = postgresql =
{ {

44
modules/services/nextcloud.nix
View File

@@ -45,33 +45,36 @@ inputs:
}; };
secretFile = inputs.config.sops.templates."nextcloud/secret".path; secretFile = inputs.config.sops.templates."nextcloud/secret".path;
extraApps = extraApps =
{ let
maps = inputs.pkgs.fetchNextcloudApp githubRelease = repo: file: "https://github.com/${repo}/releases/download/${file}";
in
{ {
url = "https://github.com/nextcloud/maps/releases/download/v1.1.1/maps-1.1.1.tar.gz"; # nix-prefetch-url --unpack
sha256 = "1rcmqnm5364h5gaq1yy6b6d7k17napgn0yc9ymrnn75bps9s71v9"; maps = inputs.pkgs.fetchNextcloudApp
}; {
phonetrack = inputs.pkgs.fetchNextcloudApp url = githubRelease "nextcloud/maps" "v1.1.1/maps-1.1.1.tar.gz";
{ sha256 = "1rcmqnm5364h5gaq1yy6b6d7k17napgn0yc9ymrnn75bps9s71v9";
url = "https://github.com/julien-nc/phonetrack/releases/download/v0.7.6/phonetrack-0.7.6.tar.gz"; license = "agpl3";
sha256 = "1p15vw7c5c1h08czyxi1r6svjd5hjmnc0i6is4vl3xq2kfjmcyyx"; };
}; phonetrack = inputs.pkgs.fetchNextcloudApp
twofactor_webauthn = inputs.pkgs.fetchNextcloudApp {
{ url = githubRelease "julien-nc/phonetrack" "v0.7.6/phonetrack-0.7.6.tar.gz";
url = "https://github.com/nextcloud-releases/twofactor_webauthn/releases/download/v1.2.0/twofactor_webauthn-v1.2.0.tar.gz"; sha256 = "1p15vw7c5c1h08czyxi1r6svjd5hjmnc0i6is4vl3xq2kfjmcyyx";
sha256 = "1lqcw74rsnl8c4sirw9208ra3c8zl8zp93scs7y8fv2n4n60l465"; license = "agpl3";
};
twofactor_webauthn = inputs.pkgs.fetchNextcloudApp
{
url = githubRelease "nextcloud-releases/twofactor_webauthn" "v1.3.0/twofactor_webauthn-v1.3.0.tar.gz";
sha256 = "0z6m2chq5kxc8f10g6n1lh51yi10svy2qp5gp0v8xs71apqcc2wx";
license = "agpl3";
};
}; };
}; };
};
nixos.services = nixos.services =
{ {
postgresql = { enable = true; instances.nextcloud = {}; }; postgresql = { enable = true; instances.nextcloud = {}; };
redis.instances.nextcloud.port = 3499; redis.instances.nextcloud.port = 3499;
nginx = nginx = { enable = true; https.${nextcloud.hostname}.global.configName = nextcloud.hostname; };
{
enable = true;
https.${nextcloud.hostname}.global.configName = nextcloud.hostname;
};
}; };
sops = sops =
{ {
@@ -90,5 +93,6 @@ inputs:
"nextcloud/admin".owner = inputs.config.users.users.nextcloud.name; "nextcloud/admin".owner = inputs.config.users.users.nextcloud.name;
}; };
}; };
systemd.services.nextcloud-setup = rec { requires = [ "postgresql.service" ]; after = requires; };
}; };
} }

17
modules/services/nginx/applications/blog.nix Normal file
View File

@@ -0,0 +1,17 @@
inputs:
{
options.nixos.services.nginx.applications.blog = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) blog;
inherit (inputs.lib) mkIf;
in mkIf blog.enable
{
nixos.services.nginx.https."blog.chn.moe".location."/".static =
{ root = "/srv/blog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" "Z /srv/blog - nginx nginx" ];
};
}

17
modules/services/nginx/applications/catalog.nix Normal file
View File

@@ -0,0 +1,17 @@
inputs:
{
options.nixos.services.nginx.applications.catalog = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) catalog;
inherit (inputs.lib) mkIf;
in mkIf catalog.enable
{
nixos.services.nginx.https."catalog.chn.moe".location."/".static =
{ root = "/srv/catalog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" "Z /srv/catalog - nginx nginx" ];
};
}

5
modules/services/nginx/applications/default.nix
View File

@@ -4,5 +4,10 @@ inputs:
[ [
./element.nix ./element.nix
./synapse-admin.nix ./synapse-admin.nix
./kkmeeting.nix
./webdav.nix
./blog.nix
./catalog.nix
./main.nix
]; ];
} }

23
modules/services/nginx/applications/element.nix
View File

@@ -5,7 +5,7 @@ inputs:
type = types.attrsOf (types.submodule (submoduleInputs: { options = type = types.attrsOf (types.submodule (submoduleInputs: { options =
{ {
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; }; hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
defaultServer = mkOption { type = types.nullOr types.nonEmptyStr; default = "element.chn.moe"; }; defaultServer = mkOption { type = types.nullOr types.nonEmptyStr; default = "matrix.chn.moe"; };
};})); };}));
default = {}; default = {};
}; };
@@ -20,17 +20,18 @@ inputs:
(instance: with instance.value; (instance: with instance.value;
{ {
name = hostname; name = hostname;
value.location."/".static.root = value.location."/".static =
if defaultServer == null then toString inputs.pkgs.element-web {
else toString (inputs.pkgs.element-web.override { conf = root =
{ if defaultServer == null then toString inputs.pkgs.element-web
default_server_config."m.homeserver" = else toString (inputs.pkgs.element-web.override { conf =
{ {
base_url = "https://${defaultServer}"; default_server_config."m.homeserver" =
server_name = defaultServer; { base_url = "https://${defaultServer}"; server_name = defaultServer; };
}; disable_guests = false;
disable_guests = false; };});
};}); index = [ "index.html" ];
};
}) })
(attrsToList instances)); (attrsToList instances));
}; };

18
modules/services/nginx/applications/kkmeeting.nix Normal file
View File

@@ -0,0 +1,18 @@
inputs:
{
options.nixos.services.nginx.applications.kkmeeting = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "kkmeeting.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) kkmeeting;
inherit (inputs.lib) mkIf;
in mkIf kkmeeting.enable
{
nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
{ root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" "Z /srv/kkmeeting - nginx nginx" ];
};
}

23
modules/services/nginx/applications/main.nix Normal file
View File

@@ -0,0 +1,23 @@
inputs:
{
options.nixos.services.nginx.applications.main = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) main;
inherit (inputs.lib) mkIf;
in mkIf main.enable
{
nixos.services.nginx.https."chn.moe".location =
{
"/".return.return = "302 https://xn--s8w913fdga.chn.moe/@chn";
"/.well-known/matrix/server".proxy =
{
setHeaders.Host = "matrix.chn.moe";
upstream = "https://matrix.chn.moe";
};
};
};
}

3
modules/services/nginx/applications/synapse-admin.nix
View File

@@ -18,7 +18,8 @@ inputs:
(site: with site.value; (site: with site.value;
{ {
name = hostname; name = hostname;
value.location."/".static.root = "${inputs.pkgs.synapse-admin}"; value.location."/".static =
{ root = "${inputs.pkgs.synapse-admin}"; index = [ "index.html" ]; };
}) })
(attrsToList instances)); (attrsToList instances));
}; };

36
modules/services/nginx/applications/webdav.nix Normal file
View File

@@ -0,0 +1,36 @@
inputs:
{
options.nixos.services.nginx.applications.webdav.instances = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
path = mkOption { type = types.nonEmptyStr; default = "/srv/webdav"; };
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = [ "chn" ]; };
};}));
default = {};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications.webdav) instances;
inherit (builtins) map listToAttrs attrValues;
inherit (inputs.lib) mkMerge;
in
{
nixos.services.nginx.https = listToAttrs (map
(site:
{
name = site.hostname;
value.location."/".static =
{ root = site.path; index = "auto"; charset = "utf-8"; webdav = true; detectAuth.users = site.users; };
})
(attrValues instances));
systemd = mkMerge (map
(site:
{
tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" "Z ${site.path} - nginx nginx" ];
services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
})
(attrValues instances));
};
}

131
modules/services/nginx/default.nix
View File

@@ -19,7 +19,7 @@ inputs:
{ {
httpsPort = 3065; httpsPort = 3065;
httpsPortShift = { http2 = 1; proxyProtocol = 2; }; httpsPortShift = { http2 = 1; proxyProtocol = 2; };
httpsLocationTypes = [ "proxy" "static" "php" "return" "cgi" ]; httpsLocationTypes = [ "proxy" "static" "php" "return" "cgi" "alias" ];
httpTypes = [ "rewriteHttps" "php" ]; httpTypes = [ "rewriteHttps" "php" ];
streamPort = 5575; streamPort = 5575;
streamPortShift = { proxyProtocol = 1; }; streamPortShift = { proxyProtocol = 1; };
@@ -29,7 +29,7 @@ inputs:
{ {
# only disable in some rare cases # only disable in some rare cases
enable = mkOption { type = types.bool; default = true; }; enable = mkOption { type = types.bool; default = true; };
externalIp = mkOption { type = types.listOf types.nonEmptyStr; }; externalIp = mkOption { type = types.listOf types.nonEmptyStr; default = [ "0.0.0.0" ]; };
# proxy to 127.0.0.1:${specified port} # proxy to 127.0.0.1:${specified port}
map = mkOption { type = types.attrsOf types.ints.unsigned; default = {}; }; map = mkOption { type = types.attrsOf types.ints.unsigned; default = {}; };
}; };
@@ -78,17 +78,23 @@ inputs:
default = "https:${siteSubmoduleInputs.config._module.args.name}"; default = "https:${siteSubmoduleInputs.config._module.args.name}";
}; };
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; }; root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
index = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; }; index = mkOption
{
type = types.nullOr (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
default = null;
};
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
detectAuth = mkOption detectAuth = mkOption
{ {
type = types.nullOr (types.submodule { options = type = types.nullOr (types.submodule { options =
{ {
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; }; text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
users = types.nonEmptyListOf types.nonEmptyStr; users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
};}); };});
default = null; default = null;
}; };
rewriteHttps = mkOption { type = types.bool; default = true; }; rewriteHttps = mkOption { type = types.bool; default = true; };
tlsCert = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
}; };
listen = mkOption listen = mkOption
{ {
@@ -110,13 +116,12 @@ inputs:
{ {
# should be set to non null value if global root is null # should be set to non null value if global root is null
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; }; root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
# htpasswd -n username
detectAuth = mkOption detectAuth = mkOption
{ {
type = types.nullOr (types.submodule { options = type = types.nullOr (types.submodule { options =
{ {
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; }; text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
users = types.nonEmptyListOf types.nonEmptyStr; users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
};}); };});
default = null; default = null;
}; };
@@ -146,26 +151,40 @@ inputs:
type = types.nullOr (types.submodule { options = type = types.nullOr (types.submodule { options =
{ {
inherit (genericOptions) detectAuth root; inherit (genericOptions) detectAuth root;
index = mkOption { type = types.listOf types.nonEmptyStr; default = [ "index.html" ]; }; index = mkOption
tryFiles = mkOption { type = types.listOf types.nonEmptyStr; default = []; }; {
type = types.nullOr
(types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
default = null;
};
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
tryFiles = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
webdav = mkOption { type = types.bool; default = false; };
};}); };});
default = null; default = null;
}; };
php = mkOption php = mkOption
{ {
type = types.nullOr (types.submodule { options = type = types.nullOr (types.submodule { options =
{ { inherit (genericOptions) detectAuth root; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
inherit (genericOptions) detectAuth root; default = null;
fastcgiPass = mkOption { type = types.nonEmptyStr; }; };
};}); return = mkOption
{
type = types.nullOr (types.submodule { options =
{ return = mkOption { type = types.nonEmptyStr; }; };});
default = null; default = null;
}; };
return.return = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
cgi = mkOption cgi = mkOption
{
type = types.nullOr (types.submodule { options = { inherit (genericOptions) detectAuth root; };});
default = null;
};
alias = mkOption
{ {
type = types.nullOr (types.submodule { options = type = types.nullOr (types.submodule { options =
{ {
inherit (genericOptions) detectAuth root; path = mkOption { type = types.nonEmptyStr; };
};}); };});
default = null; default = null;
}; };
@@ -190,10 +209,7 @@ inputs:
php = mkOption php = mkOption
{ {
type = types.nullOr (types.submodule { options = type = types.nullOr (types.submodule { options =
{ { root = mkOption { type = types.nonEmptyStr; }; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
root = mkOption { type = types.nonEmptyStr; };
fastcgiPass = mkOption { type = types.nonEmptyStr; };
};});
default = null; default = null;
}; };
};})); };}));
@@ -502,12 +518,20 @@ inputs:
inputs.config.sops.templates."nginx/templates/detectAuth/${escapeURL site.name}-global".path; inputs.config.sops.templates."nginx/templates/detectAuth/${escapeURL site.name}-global".path;
extraConfig = concatStringsSep "\n" extraConfig = concatStringsSep "\n"
( (
let inherit (site.value.global) index; in (
if (index != null) then [ "index ${concatStringsSep " " index};" ] else [] let inherit (site.value.global) index; in
) if (builtins.typeOf index == "list") then [ "index ${concatStringsSep " " index};" ]
++ ( else if (index == "auto") then [ "autoindex on;" ]
let inherit (site.value.global) detectAuth; in else []
if (detectAuth != null) then [ ''auth_basic "${detectAuth.text}"'' ] else [] )
++ (
let inherit (site.value.global) detectAuth; in
if (detectAuth != null) then [ ''auth_basic "${detectAuth.text}"'' ] else []
)
++ (
let inherit (site.value.global) charset; in
if (charset != null) then [ "charset ${charset};" ] else []
)
); );
listen = map listen = map
(listen: (listen:
@@ -517,17 +541,18 @@ inputs:
+ (if listen.http2 then httpsPortShift.http2 else 0) + (if listen.http2 then httpsPortShift.http2 else 0)
+ (if listen.proxyProtocol then httpsPortShift.proxyProtocol else 0); + (if listen.proxyProtocol then httpsPortShift.proxyProtocol else 0);
ssl = true; ssl = true;
# TODO: use proxy_protocol in 23.11 proxyProtocol = listen.proxyProtocol;
extraParameters = extraParameters = mkIf listen.http2 [ "http2" ];
(if listen.proxyProtocol then [ "proxy_protocol" ] else [])
++ (if listen.http2 then [ "http2" ] else []);
}) })
site.value.listens; site.value.listens;
# do not automatically add http2 listen # do not automatically add http2 listen
http2 = false; http2 = false;
onlySSL = true; onlySSL = true;
# TODO: disable well-known in 23.11 useACMEHost = mkIf (site.value.global.tlsCert == null) site.name;
useACMEHost = site.name; sslCertificate = mkIf (site.value.global.tlsCert != null)
"${site.value.global.tlsCert}/fullchain.pem";
sslCertificateKey = mkIf (site.value.global.tlsCert != null)
"${site.value.global.tlsCert}/privkey.pem";
locations = listToAttrs (map locations = listToAttrs (map
(location: (location:
{ {
@@ -565,8 +590,22 @@ inputs:
}; };
static = static =
{ {
index = mkIf (location.value.index != []) (concatStringsSep " " location.value.index); index = mkIf (builtins.typeOf location.value.index == "list")
tryFiles = mkIf (location.value.tryFiles != []) (concatStringsSep " " location.value.tryFiles); (concatStringsSep " " location.value.index);
tryFiles = mkIf (location.value.tryFiles != null)
(concatStringsSep " " location.value.tryFiles);
extraConfig = mkMerge
[
(mkIf (location.value.index == "auto") "autoindex on;")
(mkIf (location.value.charset != null) "charset ${location.value.charset};")
(mkIf location.value.webdav
''
dav_access user:rw group:rw;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
'')
];
}; };
php.extraConfig = php.extraConfig =
'' ''
@@ -582,24 +621,21 @@ inputs:
fastcgi_pass unix:${inputs.config.services.fcgiwrap.socketAddress}; fastcgi_pass unix:${inputs.config.services.fcgiwrap.socketAddress};
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
''; '';
alias.alias = location.value.path;
}.${location.value.type}; }.${location.value.type};
}) })
site.value.location); site.value.locations);
}; };
}) })
sites); sites);
fcgiwrap = mkIf fcgiwrap = mkIf
( (
filter (site: site != []) (map filter (site: site != []) (map
(site: filter (location: location.value.type == "cgi") (attrsToList site.value.locations)) (site: filter (location: location.value.type == "cgi") site.value.locations)
sites) sites)
!= [] != []
) )
{ (with inputs.config.users.users.nginx; { enable = true; user = name; inherit group; });
enable = true;
user = inputs.config.users.users.nginx.name;
group = inputs.config.users.users.nginx.group;
};
}; };
nixos.services = nixos.services =
{ {
@@ -609,9 +645,7 @@ inputs:
listens = filter listens = filter
(listen: listen.value.addToTransparentProxy) (listen: listen.value.addToTransparentProxy)
(concatLists (map (concatLists (map
(site: map (site: map (listen: { inherit (site) name; value = listen; }) site.value.listens)
(listen: { inherit (site) name; value = listen; })
site.value.listens)
sites)); sites));
in in
{ {
@@ -646,11 +680,6 @@ inputs:
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; }) (site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
sites); sites);
}; };
fcgiwrap.enable =
filter (site: site != []) (map
(site: filter (location: location.type == "cgi") site.value.locations)
sites)
!= [];
}; };
sops = sops =
let let
@@ -676,7 +705,7 @@ inputs:
name = "${escapeURL site.name}/${escapeURL location.name}"; name = "${escapeURL site.name}/${escapeURL location.name}";
value = location.value.addAuth; value = location.value.addAuth;
}) })
(filter (location: location.value.addAuth != null) site.value.locations) (filter (location: location.value.addAuth or null != null) site.value.locations)
) )
sites); sites);
in in
@@ -735,11 +764,7 @@ inputs:
(site: (site:
{ {
name = "http.${site.name}"; name = "http.${site.name}";
value = value = { serverName = site.name; listen = [ { addr = "0.0.0.0"; port = 80; } ]; }
{
serverName = site.name;
listen = [ { addr = "0.0.0.0"; port = 80; } ];
}
// (if site.value.rewriteHttps != null then // (if site.value.rewriteHttps != null then
{ locations."/".return = "301 https://${site.value.rewriteHttps.hostname}$request_uri"; } { locations."/".return = "301 https://${site.value.rewriteHttps.hostname}$request_uri"; }
else {}) else {})

5
modules/services/nix-serve.nix
View File

@@ -21,9 +21,6 @@ inputs:
}; };
sops.secrets."store/signingKey" = {}; sops.secrets."store/signingKey" = {};
nixos.services.nginx = nixos.services.nginx =
{ { enable = true; https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000"; };
enable = true;
https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000";
};
}; };
} }

5
modules/services/photoprism.nix
View File

@@ -49,10 +49,7 @@ inputs:
{ {
enable = true; enable = true;
https.${photoprism.hostname}.location."/".proxy = https.${photoprism.hostname}.location."/".proxy =
{ { upstream = "http://127.0.0.1:${toString photoprism.port}"; websocket = true; };
upstream = "http://127.0.0.1:${toString photoprism.port}";
websocket = true;
};
}; };
}; };
}; };

14
modules/services/phpfpm.nix
View File

@@ -50,10 +50,20 @@ inputs:
users = users =
{ {
users = listToAttrs (map users = listToAttrs (map
(pool: { inherit (pool) name; value = { isSystemUser = true; group = pool.name; extraGroups = [ "nginx" ]; }; }) (pool:
{
inherit (pool) name;
value =
{
uid = inputs.config.nixos.system.user.user.${pool.name};
group = pool.name;
extraGroups = [ "nginx" ];
isSystemUser = true;
};
})
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances))); (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
groups = listToAttrs (map groups = listToAttrs (map
(pool: { inherit (pool) name; value = {}; }) (pool: { inherit (pool) name; value.gid = inputs.config.nixos.system.user.group.${pool.name}; })
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances))); (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
}; };
}; };

32
modules/services/postgresql.nix
View File

@@ -10,6 +10,7 @@ inputs:
database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; }; database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; }; user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; }; passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
initializeFlags = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
};})); };}));
default = {}; default = {};
}; };
@@ -51,7 +52,6 @@ inputs:
# chattr +C /path/to/dir # chattr +C /path/to/dir
# cp -a --reflink=never /path/to/dir_old/. /path/to/dir # cp -a --reflink=never /path/to/dir_old/. /path/to/dir
# rm -rf /path/to/dir_old # rm -rf /path/to/dir_old
ensureDatabases = map (db: db.value.database) (attrsToList postgresql.instances);
ensureUsers = map (db: { name = db.value.user; }) (attrsToList postgresql.instances); ensureUsers = map (db: { name = db.value.user; }) (attrsToList postgresql.instances);
}; };
postgresqlBackup = postgresqlBackup =
@@ -68,16 +68,26 @@ inputs:
passwordFile = passwordFile =
if db.value.passwordFile or null != null then db.value.passwordFile if db.value.passwordFile or null != null then db.value.passwordFile
else inputs.config.sops.secrets."postgresql/${db.value.user}".path; else inputs.config.sops.secrets."postgresql/${db.value.user}".path;
in initializeFlag =
# set user password if db.value.initializeFlags != {} then
"$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\"" " WITH "
# TODO: still needed in 23.11? + (concatStringsSep " " (map
# set db owner (flag: ''${flag.name} = "${flag.value}"'')
+ "\n" (attrsToList db.value.initializeFlags)))
+ "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d" else "";
+ " WHERE d.datname = '${db.value.database}' ORDER BY 1\"" in
+ " | grep -E '^${db.value.user}$' -q" # create database if not exist
+ " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"") "$PSQL -tAc \"SELECT 1 FROM pg_database WHERE datname = '${db.value.database}'\" | grep -q 1"
+ " || $PSQL -tAc 'CREATE DATABASE \"${db.value.database}\"${initializeFlag}'"
# set user password
+ "\n"
+ "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
# set db owner
+ "\n"
+ "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
+ " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
+ " | grep -E '^${db.value.user}$' -q"
+ " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
(attrsToList postgresql.instances))); (attrsToList postgresql.instances)));
sops.secrets = listToAttrs (map sops.secrets = listToAttrs (map
(db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; }) (db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })

6
modules/services/rsshub.nix
View File

@@ -52,7 +52,11 @@ inputs:
"youtube-key" "youtube-client-id" "youtube-client-secret" "youtube-refresh-token" "youtube-key" "youtube-client-id" "youtube-client-secret" "youtube-refresh-token"
])); ]));
}; };
users = { users.rsshub = { isSystemUser = true; group = "rsshub"; }; groups.rsshub = {}; }; users =
{
users.rsshub = { uid = inputs.config.nixos.system.user.user.rsshub; group = "rsshub"; isSystemUser = true; };
groups.rsshub.gid = inputs.config.nixos.system.user.group.rsshub;
};
nixos.services = nixos.services =
{ {
redis.instances.rsshub.port = 7116; redis.instances.rsshub.port = 7116;

1
modules/services/send.nix
View File

@@ -49,7 +49,6 @@ inputs:
}; };
redis.instances.send = { user = "root"; port = 9184; }; redis.instances.send = { user = "root"; port = 9184; };
}; };
# TODO: root docker use config of rootless docker?
virtualization.docker.enable = true; virtualization.docker.enable = true;
}; };
}; };

2
modules/services/snapper.nix
View File

@@ -3,7 +3,7 @@ inputs:
options.nixos.services.snapper = let inherit (inputs.lib) mkOption types; in options.nixos.services.snapper = let inherit (inputs.lib) mkOption types; in
{ {
enable = mkOption { type = types.bool; default = false; }; enable = mkOption { type = types.bool; default = false; };
configs = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; }; configs = mkOption { type = types.attrsOf types.nonEmptyStr; default.persistent = "/nix/persistent"; };
}; };
config = config =
let let

377
modules/services/synapse.nix
View File

@@ -1,111 +1,316 @@
# port from nixpkgs#70dc536a
inputs: inputs:
{ {
options.nixos.services.synapse = let inherit (inputs.lib) mkOption types; in options.nixos.services.synapse.instances = let inherit (inputs.lib) mkOption types; in mkOption
{ {
enable = mkOption { type = types.bool; default = false; }; type = types.attrsOf (types.submodule (submoduleInputs: { options =
autoStart = mkOption { type = types.bool; default = true; }; {
port = mkOption { type = types.ints.unsigned; default = 8008; }; autoStart = mkOption { type = types.bool; default = true; };
hostname = mkOption { type = types.nonEmptyStr; default = "synapse.chn.moe"; }; port = mkOption { type = types.ints.unsigned; default = 8008; };
redisPort = mkOption { type = types.ints.unsigned; default = 6379; };
slidingSyncPort = mkOption { type = types.ints.unsigned; default = 9000; };
hostname = mkOption
{
type = types.nonEmptyStr;
default = "${submoduleInputs.config._module.args.name}.chn.moe";
};
matrixHostname = mkOption { type = types.nonEmptyStr; default = "chn.moe"; };
slidingSyncHostname = mkOption
{
type = types.nonEmptyStr;
default = "syncv3.${submoduleInputs.config.hostname}";
};
# , synapse_homeserver --config-path homeserver.yaml --generate-config --report-stats=yes --server-name xxx
};}));
default = {};
}; };
config = config =
let let
inherit (inputs.config.nixos.services) synapse; inherit (inputs.config.nixos.services) synapse;
inherit (inputs.lib) mkIf; inherit (inputs.lib) mkIf mkMerge;
inherit (builtins) map listToAttrs; inherit (builtins) map listToAttrs replaceStrings concatLists;
in mkIf synapse.enable inherit (inputs.localLib) attrsToList;
in
{ {
services.matrix-synapse = users = mkMerge (map
{ (instance:
enable = true;
settings =
{ {
server_name = synapse.hostname; users."synapse-${instance.name}" =
listeners =
[{
bind_addresses = [ "0.0.0.0" ];
port = 8008;
resources = [{ names = [ "client" "federation" ]; compress = false; }];
tls = false;
type = "http";
x_forwarded = true;
}];
database.name = "psycopg2";
admin_contact = "mailto:chn@chn.moe";
enable_registration = true;
registrations_require_3pid = [ "email" ];
turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
max_upload_size = "1024M";
web_client_location = "https://element.chn.moe/";
serve_server_wellknown = true;
report_stats = true;
trusted_key_servers = [{ server_name = "matrix.org"; }];
suppress_key_server_warning = true;
log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
{ {
version = 1; uid = inputs.config.nixos.system.user.user."synapse-${instance.name}";
formatters.precise.format = group = "synapse-${instance.name}";
"%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"; home = "/var/lib/synapse/${instance.name}";
handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; }; createHome = true;
root = { level = "INFO"; handlers = [ "console" ]; }; isSystemUser = true;
disable_existing_loggers = true; shell = "${inputs.pkgs.bash}/bin/bash";
}; };
}; groups."synapse-${instance.name}".gid = inputs.config.nixos.system.user.group."synapse-${instance.name}";
extraConfigFiles = [ inputs.config.sops.templates."synapse/password.yaml".path ]; })
}; (attrsToList synapse.instances));
sops = systemd = mkMerge (map
{ (instance: let workdir = "/var/lib/synapse/${instance.name}"; in
templates."synapse/password.yaml" =
{ {
owner = inputs.config.systemd.services.matrix-synapse.serviceConfig.User; services =
group = inputs.config.systemd.services.matrix-synapse.serviceConfig.Group;
content = builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "password.yaml"
{ {
database = "synapse-${instance.name}" =
{ let
name = "psycopg2"; package = inputs.pkgs.matrix-synapse.override
args = { extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
config = inputs.config.sops.templates."synapse/${instance.name}/config.yaml".path;
homeserver = "${package}/bin/synapse_homeserver";
in
{ {
user = "synapse"; description = "synapse-${instance.name}";
password = inputs.config.sops.placeholder."postgresql/synapse"; enable = instance.value.autoStart;
database = "synapse"; after = [ "network-online.target" "postgresql.service" ];
host = "127.0.0.1"; requires = [ "postgresql.service" ];
port = "5432"; wantedBy = [ "multi-user.target" ];
serviceConfig =
{
ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
Type = "notify";
User = "synapse-${instance.name}";
Group = "synapse-${instance.name}";
WorkingDirectory = workdir;
ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
UMask = "0077";
CapabilityBoundingSet = [ "" ];
# hardening
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workdir ];
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
};
}; };
allow_unsafe_locale = true; "synapse-sliding-sync-${instance.name}" =
};
turn_shared_secret = inputs.config.sops.placeholder."synapse/coturn";
registration_shared_secret = inputs.config.sops.placeholder."synapse/registration";
macaroon_secret_key = inputs.config.sops.placeholder."synapse/macaroon";
form_secret = inputs.config.sops.placeholder."synapse/form";
signing_key_path = inputs.config.sops.secrets."synapse/signing-key".path;
email =
{ {
smtp_host = "mail.chn.moe"; after = [ "synapse-${instance.name}.service" ];
smtp_port = 25; wants = [ "synapse-${instance.name}.service" ];
smtp_user = "bot@chn.moe"; wantedBy = [ "multi-user.target" ];
smtp_pass = inputs.config.sops.placeholder."mail/bot"; serviceConfig =
require_transport_security = true; {
notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>"; User = "synapse-${instance.name}";
app_name = "Haonan Chen's synapse"; Group = "synapse-${instance.name}";
EnvironmentFile = inputs.config.sops.templates."synapse/${instance.name}-sliding-sync/env".path;
ExecStart = inputs.lib.getExe inputs.pkgs.matrix-sliding-sync;
WorkingDirectory = workdir + "-sliding-sync";
Restart = "on-failure";
RestartSec = "1s";
};
}; };
}); };
}; tmpfiles.rules =
secrets = (listToAttrs (map [
(secret: { name = "synapse/${secret}"; value = {}; }) "d /var/lib/synapse 0755 root root"
[ "coturn" "registration" "macaroon" "form" ])) "d ${workdir} 0700 synapse-${instance.name} synapse-${instance.name}"
// { "synapse/signing-key".owner = inputs.config.systemd.services.matrix-synapse.serviceConfig.User; } "Z ${workdir} - synapse-${instance.name} synapse-${instance.name}"
// { "mail/bot" = {}; }; "d ${workdir}-sliding-sync 0700 synapse-${instance.name} synapse-${instance.name}"
}; "Z ${workdir}-sliding-sync - synapse-${instance.name} synapse-${instance.name}"
];
})
(attrsToList synapse.instances));
sops = mkMerge (map
(instance:
{
templates =
{
"synapse/${instance.name}/config.yaml" =
{
owner = "synapse-${instance.name}";
group = "synapse-${instance.name}";
content =
let
inherit (inputs.config.sops) placeholder;
in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
{
server_name = instance.value.matrixHostname;
public_baseurl = "https://${instance.value.hostname}/";
listeners =
[{
bind_addresses = [ "127.0.0.1" ];
inherit (instance.value) port;
resources = [{ names = [ "client" "federation" ]; compress = false; }];
tls = false;
type = "http";
x_forwarded = true;
}];
database =
{
name = "psycopg2";
args =
{
user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
host = "127.0.0.1";
port = "5432";
};
allow_unsafe_locale = true;
};
redis =
{
enabled = true;
port = instance.value.redisPort;
password = placeholder."redis/synapse-${instance.name}";
};
turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
registration_shared_secret = placeholder."synapse/${instance.name}/registration";
macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
form_secret = placeholder."synapse/${instance.name}/form";
signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
email =
{
smtp_host = "mail.chn.moe";
smtp_port = 25;
smtp_user = "bot@chn.moe";
smtp_pass = placeholder."mail/bot";
require_transport_security = true;
notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
app_name = "Haonan Chen's synapse";
};
admin_contact = "mailto:chn@chn.moe";
enable_registration = true;
registrations_require_3pid = [ "email" ];
turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
max_upload_size = "1024M";
web_client_location = "https://element.chn.moe/";
extra_well_known_client_content."org.matrix.msc3575.proxy".url =
"https://${instance.value.slidingSyncHostname}";
report_stats = true;
trusted_key_servers =
[{
server_name = "matrix.org";
verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
}];
suppress_key_server_warning = true;
log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
{
version = 1;
formatters.precise.format =
"%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
root = { level = "INFO"; handlers = [ "console" ]; };
disable_existing_loggers = true;
};
pid_file = "/run/synapse-${instance.name}.pid";
media_store_path = "/var/lib/synapse/${instance.name}/media_store";
presence.enabled = true;
url_preview_enabled = true;
url_preview_ip_range_blacklist =
[
"10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
"192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
"203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
];
max_image_pixels = "32M";
dynamic_thumbnails = false;
});
};
"synapse/${instance.name}-sliding-sync/env" =
{
owner = "synapse-${instance.name}";
group = "synapse-${instance.name}";
content =
let
inherit (inputs.config.sops) placeholder;
pgString = "postgresql://"
+ "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"
+ ":${placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"}"
+ "@127.0.0.1:5432"
+ "/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync"
+ "?sslmode=disable";
in
''
SYNCV3_SERVER=https://${instance.value.hostname}
SYNCV3_DB=${pgString}
SYNCV3_SECRET=${placeholder."synapse/${instance.name}/sliding-sync"}
SYNCV3_BINDADDR=127.0.0.1:${toString instance.value.slidingSyncPort}
'';
};
};
secrets = (listToAttrs (map
(secret: { name = "synapse/${instance.name}/${secret}"; value = {}; })
[ "coturn" "registration" "macaroon" "form" "sliding-sync" ]))
// { "synapse/${instance.name}/signing-key".owner = "synapse-${instance.name}"; }
// { "mail/bot" = {}; };
})
(attrsToList synapse.instances));
nixos.services = nixos.services =
{ {
postgresql = { enable = true; instances.synapse = {}; }; postgresql =
{
enable = mkIf (synapse.instances != {}) true;
instances = listToAttrs (concatLists (map
(instance:
[
{
name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
value.initializeFlags = { TEMPLATE = "template0"; LC_CTYPE = "C"; LC_COLLATE = "C"; };
}
{
name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync";
value.user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
}
])
(attrsToList synapse.instances)));
};
redis.instances = listToAttrs (map
(instance: { name = "synapse-${instance.name}"; value.port = instance.value.redisPort; })
(attrsToList synapse.instances));
nginx = nginx =
{ {
enable = true; enable = mkIf (synapse.instances != {}) true;
https.${synapse.hostname}.location."/".proxy = https = listToAttrs (concatLists (map
{ upstream = "http://127.0.0.1:${toString synapse.port}"; websocket = true; }; (instance: with instance.value;
[
{
name = hostname;
value.location =
{
"/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
"/.well-known/matrix/server".static =
{
root = builtins.toString (inputs.pkgs.writeTextFile
{
name = "server";
text = builtins.toJSON
{
"m.server" = "${hostname}:443";
};
destination = "/.well-known/matrix/server";
});
};
};
}
{
name = slidingSyncHostname;
value.location."/".proxy =
{ upstream = "http://127.0.0.1:${toString slidingSyncPort}"; websocket = true; };
}
])
(attrsToList synapse.instances)));
}; };
}; };
systemd.services.matrix-synapse.enable = synapse.autoStart;
}; };
} }

15
modules/services/vaultwarden.nix
View File

@@ -53,15 +53,9 @@ inputs:
SMTP_PASSWORD=${placeholder."mail/bot"} SMTP_PASSWORD=${placeholder."mail/bot"}
''; '';
}; };
secrets = listToAttrs (map secrets = listToAttrs (map (secret: { name = secret; value = {}; }) [ "vaultwarden/admin_token" "mail/bot" ]);
(secret: { name = secret; value = {}; })
[ "vaultwarden/admin_token" "mail/bot" ]);
};
systemd.services.vaultwarden =
{
enable = vaultwarden.autoStart;
after = [ "postgresql.service" ];
}; };
systemd.services.vaultwarden = { enable = vaultwarden.autoStart; after = [ "postgresql.service" ]; };
nixos.services = nixos.services =
{ {
postgresql = { enable = true; instances.vaultwarden = {}; }; postgresql = { enable = true; instances.vaultwarden = {}; };
@@ -88,10 +82,7 @@ inputs:
{ {
name = location; name = location;
value.proxy = value.proxy =
{ { upstream = "http://127.0.0.1:${toString vaultwarden.websocketPort}"; websocket = true; };
upstream = "http://127.0.0.1:${toString vaultwarden.websocketPort}";
websocket = true;
};
}) })
[ "/notifications/hub" ]) [ "/notifications/hub" ])
); );

47
modules/services/wireguard.nix Normal file
View File

@@ -0,0 +1,47 @@
inputs:
{
options.nixos.services.wireguard = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
peers = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = []; };
# wg genkey | wg pubkey
publicKey = mkOption { type = types.nonEmptyStr; };
wireguardIp = mkOption { type = types.nonEmptyStr; };
externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
lighthouse = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) wireguard;
inherit (builtins) map toString;
in mkIf wireguard.enable
{
networking =
let
# if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
port = 51820 + (if inputs.config.nixos.services.xrayClient.enable then 1 else 0);
in
{
firewall = { allowedUDPPorts = [ port ]; trustedInterfaces = [ "wireguard" ]; };
wireguard.interfaces.wireguard =
{
ips = [ "${wireguard.wireguardIp}/24" ];
listenPort = port;
privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
peers = map
(peer:
{
publicKey = peer.publicKey;
allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
persistentKeepalive = 3;
})
(map
(peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
wireguard.peers);
};
};
sops.secrets."wireguard/privateKey" = {};
};
}

191
modules/services/xray.nix
View File

@@ -24,7 +24,7 @@ inputs:
inherit (inputs.lib) mkMerge mkIf; inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList; inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos.services) xrayClient xrayServer; inherit (inputs.config.nixos.services) xrayClient xrayServer;
inherit (builtins) map listToAttrs toString genList length; inherit (builtins) map listToAttrs toString genList length concatStringsSep;
in mkMerge in mkMerge
[ [
( (
@@ -220,99 +220,90 @@ inputs:
{ {
Type = "simple"; Type = "simple";
RemainAfterExit = true; RemainAfterExit = true;
ExecStart = inputs.pkgs.writeShellScript "v2ray-forwarder.start" ExecStart = inputs.pkgs.writeShellScript "v2ray-forwarder.start" (concatStringsSep "\n"
'' (
${ipset} create lo_net hash:net [ "${ipset} create lo_net hash:net" ]
${ipset} add lo_net 0.0.0.0/8 ++ (map (host: "${ipset} add lo_net ${host}")
${ipset} add lo_net 10.0.0.0/8 [
${ipset} add lo_net 100.64.0.0/10 "0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12"
${ipset} add lo_net 127.0.0.0/8 "192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
${ipset} add lo_net 169.254.0.0/16 "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4" "255.255.255.255/32"
${ipset} add lo_net 172.16.0.0/12 ])
${ipset} add lo_net 192.0.0.0/24 ++ [
${ipset} add lo_net 192.88.99.0/24 "${ipset} create xmu_net hash:net"
${ipset} add lo_net 192.168.0.0/16 "${ipset} create noproxy_net hash:net"
${ipset} add lo_net 59.77.0.143 "${ipset} add noproxy_net 223.5.5.5"
${ipset} add lo_net 198.18.0.0/15 "${ipset} create noproxy_src_net hash:net"
${ipset} add lo_net 198.51.100.0/24 "${ipset} create proxy_net hash:net"
${ipset} add lo_net 203.0.113.0/24 "${ipset} add proxy_net 8.8.8.8"
${ipset} add lo_net 224.0.0.0/4 ]
${ipset} add lo_net 240.0.0.0/4 ++ [
${ipset} add lo_net 255.255.255.255/32 "${iptables} -t mangle -N v2ray -w"
"${iptables} -t mangle -A PREROUTING -j v2ray -w"
${ipset} create xmu_net hash:net ]
++ (map (action: "${iptables} -t mangle -A v2ray ${action} -w")
${ipset} create noproxy_net hash:net [
${ipset} add noproxy_net 223.5.5.5 "-m set --match-set noproxy_src_net src -j RETURN"
"-m set --match-set xmu_net dst -p tcp -j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1"
${ipset} create noproxy_src_net hash:net "-m set --match-set xmu_net dst -p udp -j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1"
"-m set --match-set noproxy_net dst -j RETURN"
${ipset} create proxy_net hash:net "-m set --match-set proxy_net dst -p tcp -j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1"
${ipset} add proxy_net 8.8.8.8 "-m set --match-set proxy_net dst -p udp -j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1"
"-m set --match-set lo_net dst -j RETURN"
${iptables} -t mangle -N v2ray -w "-p tcp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1"
${iptables} -t mangle -A PREROUTING -j v2ray -w "-p udp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1"
${iptables} -t mangle -A v2ray -m set --match-set noproxy_src_net src -j RETURN -w ])
${iptables} -t mangle -A v2ray -m set --match-set xmu_net dst -p tcp \ ++ [
-j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1 -w "${iptables} -t mangle -N v2ray_mark -w"
${iptables} -t mangle -A v2ray -m set --match-set xmu_net dst -p udp \ "${iptables} -t mangle -A OUTPUT -j v2ray_mark -w"
-j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1 -w ]
${iptables} -t mangle -A v2ray -m set --match-set noproxy_net dst -j RETURN -w ++ (map (action: "${iptables} -t mangle -A v2ray_mark ${action} -w")
${iptables} -t mangle -A v2ray -m set --match-set proxy_net dst -p tcp \ (
-j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1 -w (if inputs.config.nixos.system.networking.nebula.enable then
${iptables} -t mangle -A v2ray -m set --match-set proxy_net dst -p udp \ let user = inputs.config.systemd.services."nebula@nebula".serviceConfig.User;
-j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1 -w in [ "-m owner --uid-owner $(id -u ${user}) -j RETURN" ]
${iptables} -t mangle -A v2ray -m set --match-set lo_net dst -j RETURN -w else [])
${iptables} -t mangle -A v2ray -p tcp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1 -w ++ [
${iptables} -t mangle -A v2ray -p udp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1 -w "-m owner --uid-owner $(id -u v2ray) -j RETURN"
"-m set --match-set noproxy_src_net src -j RETURN"
${iptables} -t mangle -N v2ray_mark -w "-m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1"
${iptables} -t mangle -A OUTPUT -j v2ray_mark -w "-m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1"
${iptables} -t mangle -A v2ray_mark -m owner --uid-owner $(id -u v2ray) -j RETURN -w "-m set --match-set noproxy_net dst -j RETURN"
${ "-m set --match-set proxy_net dst -p tcp -j MARK --set-mark 1/1"
if inputs.config.nixos.system.networking.nebula.enable then "-m set --match-set proxy_net dst -p udp -j MARK --set-mark 1/1"
let user = inputs.config.systemd.services."nebula@nebula".serviceConfig.User; in "-m set --match-set lo_net dst -j RETURN"
"${iptables} -t mangle -A v2ray_mark -m owner --uid-owner $(id -u ${user}) -j RETURN -w" "-p tcp -j MARK --set-mark 1/1"
else "" "-p udp -j MARK --set-mark 1/1"
} ]
${iptables} -t mangle -A v2ray_mark -m set --match-set noproxy_src_net src -j RETURN -w ))
${iptables} -t mangle -A v2ray_mark -m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1 -w ++ [
${iptables} -t mangle -A v2ray_mark -m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1 -w "${ip} rule add fwmark 1/1 table 100"
${iptables} -t mangle -A v2ray_mark -m set --match-set noproxy_net dst -j RETURN -w "${ip} route add local 0.0.0.0/0 dev lo table 100"
${iptables} -t mangle -A v2ray_mark -m set --match-set proxy_net dst -p tcp \ ]
-j MARK --set-mark 1/1 -w ));
${iptables} -t mangle -A v2ray_mark -m set --match-set proxy_net dst -p udp \ ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop" (concatStringsSep "\n"
-j MARK --set-mark 1/1 -w (
${iptables} -t mangle -A v2ray_mark -m set --match-set lo_net dst -j RETURN -w [
${iptables} -t mangle -A v2ray_mark -p tcp -j MARK --set-mark 1/1 -w "${iptables} -t mangle -F v2ray -w"
${iptables} -t mangle -A v2ray_mark -p udp -j MARK --set-mark 1/1 -w "${iptables} -t mangle -D PREROUTING -j v2ray -w"
"${iptables} -t mangle -X v2ray -w"
${ip} rule add fwmark 1/1 table 100 "${iptables} -t mangle -F v2ray_mark -w"
${ip} route add local 0.0.0.0/0 dev lo table 100 "${iptables} -t mangle -D OUTPUT -j v2ray_mark -w"
''; "${iptables} -t mangle -X v2ray_mark -w"
ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop" "${ip} rule del fwmark 1/1 table 100"
'' "${ip} route del local 0.0.0.0/0 dev lo table 100"
${iptables} -t mangle -F v2ray -w ]
${iptables} -t mangle -D PREROUTING -j v2ray -w ++ (map (set: "${ipset} destroy ${set}")
${iptables} -t mangle -X v2ray -w [ "lo_net" "xmu_net" "noproxy_net" "noproxy_src_net" "proxy_net" ])
));
${iptables} -t mangle -F v2ray_mark -w
${iptables} -t mangle -D OUTPUT -j v2ray_mark -w
${iptables} -t mangle -X v2ray_mark -w
${ip} rule del fwmark 1/1 table 100
${ip} route del local 0.0.0.0/0 dev lo table 100
${ipset} destroy lo_net
${ipset} destroy xmu_net
${ipset} destroy noproxy_net
${ipset} destroy noproxy_src_net
${ipset} destroy proxy_net
'';
}; };
}; };
}; };
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; }; users =
{
users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
};
environment.etc."resolv.conf".text = "nameserver 127.0.0.1"; environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
} }
) )
@@ -374,11 +365,7 @@ inputs:
port = 4638; port = 4638;
listen = "127.0.0.1"; listen = "127.0.0.1";
protocol = "vless"; protocol = "vless";
settings = settings = { clients = [{ id = "be01f0a0-9976-42f5-b9ab-866eba6ed393"; }]; decryption = "none"; };
{
clients = [{ id = "be01f0a0-9976-42f5-b9ab-866eba6ed393"; }];
decryption = "none";
};
streamSettings.network = "tcp"; streamSettings.network = "tcp";
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; }; sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; };
tag = "in-localdns"; tag = "in-localdns";
@@ -437,11 +424,7 @@ inputs:
(name: (name:
{ {
name = "xray-server/telegram/${name}"; name = "xray-server/telegram/${name}";
value = value = (let user = inputs.config.users.users.v2ray; in { owner = user.name; inherit (user) group; });
{
owner = inputs.config.users.users.v2ray.name;
group = inputs.config.users.users.v2ray.group;
};
}) })
[ "token" "chat" ])) [ "token" "chat" ]))
// { "xray-server/private-key" = {}; }; // { "xray-server/private-key" = {}; };
@@ -503,7 +486,11 @@ inputs:
timerConfig = { OnCalendar = "*-*-* 0:00:00"; Unit = "xray-stat.service"; }; timerConfig = { OnCalendar = "*-*-* 0:00:00"; Unit = "xray-stat.service"; };
}; };
}; };
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; }; users =
{
users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
};
nixos.services = nixos.services =
{ {
acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; }; acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };

18
modules/services/xrdp.nix
View File

@@ -4,11 +4,7 @@ inputs:
{ {
enable = mkOption { type = types.bool; default = false; }; enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 3389; }; port = mkOption { type = types.ints.unsigned; default = 3389; };
hostname = mkOption hostname = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
{
type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr);
default = null;
};
}; };
config = config =
let let
@@ -18,12 +14,7 @@ inputs:
[ [
{ {
services.xrdp = services.xrdp =
{ { enable = true; port = xrdp.port; openFirewall = true; defaultWindowManager = "startplasma-x11"; };
enable = true;
port = xrdp.port;
openFirewall = true;
defaultWindowManager = "startplasma-x11";
};
} }
( (
mkIf (xrdp.hostname != null) mkIf (xrdp.hostname != null)
@@ -39,10 +30,7 @@ inputs:
{ {
enable = true; enable = true;
cert.${mainDomain} = cert.${mainDomain} =
{ { domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
domains = xrdp.hostname;
group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
};
}; };
} }
) )

26
modules/system/default.nix
View File

@@ -14,24 +14,15 @@ inputs:
./systemd.nix ./systemd.nix
./security.nix ./security.nix
./sops.nix ./sops.nix
./user.nix
./sysctl.nix
]; ];
config = config =
{ {
services = services = { dbus.implementation = "broker"; fstrim.enable = true; };
{
dbus.implementation = "broker";
fstrim = { enable = true; interval = "daily"; };
};
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
boot = boot =
{ {
kernel.sysctl =
{
"vm.oom_kill_allocating_task" = true;
"vm.oom_dump_tasks" = false;
"vm.overcommit_memory" = 1;
"kernel.sysrq" = 438;
};
supportedFilesystems = [ "ntfs" ]; supportedFilesystems = [ "ntfs" ];
consoleLogLevel = 7; consoleLogLevel = 7;
}; };
@@ -53,15 +44,18 @@ inputs:
_JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java"; _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
}; };
i18n = i18n =
{ { defaultLocale = "C.UTF-8"; supportedLocales = [ "zh_CN.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" "C.UTF-8/UTF-8" ]; };
defaultLocale = "C.UTF-8";
supportedLocales = [ "zh_CN.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" "C.UTF-8/UTF-8" ];
};
users.mutableUsers = false; users.mutableUsers = false;
# environment.pathsToLink = [ "/include" ]; # environment.pathsToLink = [ "/include" ];
# environment.variables.CPATH = "/run/current-system/sw/include"; # environment.variables.CPATH = "/run/current-system/sw/include";
# environment.variables.LIBRARY_PATH = "/run/current-system/sw/lib"; # environment.variables.LIBRARY_PATH = "/run/current-system/sw/lib";
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";
home-manager.sharedModules = [{ home.stateVersion = "22.11"; }]; home-manager.sharedModules = [{ home.stateVersion = "22.11"; }];
system =
{
stateVersion = "22.11";
configurationRevision = inputs.topInputs.self.rev or "dirty";
nixos.versionSuffix = inputs.lib.mkForce "";
};
}; };
} }

25
modules/system/fileSystems/default.nix
View File

@@ -40,10 +40,7 @@ inputs:
default = {}; default = {};
}; };
keyFile = mkOption keyFile = mkOption
{ { type = types.path; default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key"; };
type = types.path;
default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key";
};
delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; }; delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
}; };
}; };
@@ -56,20 +53,14 @@ inputs:
type = types.nullOr (types.str or (types.submodule type = types.nullOr (types.str or (types.submodule
{ {
options = options =
{ { device = mkOption { type = types.nonEmptyStr; }; offset = mkOption { type = types.ints.unsigned; }; };
device = mkOption { type = types.nonEmptyStr; };
offset = mkOption { type = types.ints.unsigned; };
};
})); }));
default = null; default = null;
}; };
rollingRootfs = mkOption rollingRootfs = mkOption
{ {
type = types.nullOr (types.submodule { options = type = types.nullOr (types.submodule { options =
{ { device = mkOption { type = types.nonEmptyStr; }; path = mkOption { type = types.nonEmptyStr; }; }; });
device = mkOption { type = types.nonEmptyStr; };
path = mkOption { type = types.nonEmptyStr; };
}; });
default = null; default = null;
}; };
}; };
@@ -87,13 +78,7 @@ inputs:
(device: (device:
{ {
name = device.value; name = device.value;
value = value = { device = device.name; fsType = "vfat"; neededForBoot = true; options = [ "noatime" ]; };
{
device = device.name;
fsType = "vfat";
neededForBoot = true;
options = [ "noatime" ];
};
}) })
(attrsToList fileSystems.mount.vfat)); (attrsToList fileSystems.mount.vfat));
} }
@@ -207,7 +192,7 @@ inputs:
}; };
}; };
fileSystems = listToAttrs (map fileSystems = listToAttrs (map
(mount: { name = mount; value.options = [ "x-systemd.device-timeout=15min" ]; }) (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
fileSystems.decrypt.manual.delayedMount); fileSystems.decrypt.manual.delayedMount);
} }
) )

14
modules/system/gui.nix
View File

@@ -2,12 +2,14 @@ inputs:
{ {
options.nixos.system.gui = let inherit (inputs.lib) mkOption types; in options.nixos.system.gui = let inherit (inputs.lib) mkOption types; in
{ {
enable = mkOption { type = types.bool; default = false; }; enable = mkOption
preferred = mkOption { type = types.bool; default = false; }; { type = types.bool; default = builtins.elem "desktop" inputs.config.nixos.packages._packageSets; };
preferred = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.enable; };
autoStart = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; }; autoStart = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
}; };
config = config =
let let
inherit (builtins) map;
inherit (inputs.lib) mkIf; inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.system) gui; inherit (inputs.config.nixos.system) gui;
in mkIf gui.enable in mkIf gui.enable
@@ -29,12 +31,8 @@ inputs:
i18n.inputMethod = i18n.inputMethod =
{ {
enabled = "fcitx5"; enabled = "fcitx5";
fcitx5.addons = with inputs.pkgs; [ fcitx5-rime fcitx5-chinese-addons fcitx5-mozc ]; fcitx5.addons = map (p: inputs.pkgs."fcitx5-${p}") [ "rime" "chinese-addons" "mozc" "nord" "material-color" ];
};
programs =
{
dconf.enable = true;
xwayland.enable = true;
}; };
programs = { dconf.enable = true; xwayland.enable = true; };
}; };
} }

11
modules/system/impermanence.nix
View File

@@ -20,7 +20,7 @@ inputs:
hideMounts = true; hideMounts = true;
directories = directories =
[ [
"/etc/NetworkManager/system-connections" { directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }
"/home" "/home"
"/root" "/root"
"/var/db" "/var/db"
@@ -29,6 +29,7 @@ inputs:
"/var/spool" "/var/spool"
"/var/backup" "/var/backup"
{ directory = "/var/lib/docker/volumes"; mode = "0710"; } { directory = "/var/lib/docker/volumes"; mode = "0710"; }
"/srv"
]; ];
files = files =
[ [
@@ -55,17 +56,15 @@ inputs:
{ {
users.chn = users.chn =
{ {
directories = directories = [ ".cache" ];
[
".cache"
];
}; };
} else {}); } else {});
"${impermanence.nodatacow}" = "${impermanence.nodatacow}" =
{ {
hideMounts = true; hideMounts = true;
directories = directories =
( [{ directory = "/var/log/journal"; user = "root"; group = "systemd-journal"; mode = "u=rwx,g=rx+s,o=rx"; }]
++ (
if inputs.config.nixos.services.postgresql.enable then let user = inputs.config.users.users.postgres; in if inputs.config.nixos.services.postgresql.enable then let user = inputs.config.users.users.postgres; in
[{ directory = "/var/lib/postgresql"; user = user.name; group = user.group; mode = "0750"; }] [{ directory = "/var/lib/postgresql"; user = user.name; group = user.group; mode = "0750"; }]
else [] else []

33
modules/system/initrd.nix
View File

@@ -2,27 +2,32 @@ inputs:
{ {
options.nixos.system.initrd = let inherit (inputs.lib) mkOption types; in options.nixos.system.initrd = let inherit (inputs.lib) mkOption types; in
{ {
network.enable = mkOption { type = types.bool; default = false; };
sshd = sshd =
{ {
enable = mkOption { type = types.bool; default = false; }; enable = mkOption { type = types.bool; default = false; };
hostKeys = mkOption { type = types.listOf types.nonEmptyStr; default = []; }; hostKeys = mkOption
{
type = types.listOf types.nonEmptyStr;
default = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ];
};
}; };
}; };
config = config =
let let
inherit (inputs.config.nixos.system) initrd; inherit (inputs.config.nixos.system) initrd;
in { boot = inherit (inputs.lib) mkIf mkMerge;
{ in mkMerge
initrd = [
{ { boot.initrd.systemd.enable = true; }
systemd.enable = true; (
network = mkIf (initrd.sshd.enable)
{ {
enable = initrd.network.enable; boot =
ssh = { enable = true; hostKeys = initrd.sshd.hostKeys; }; {
}; initrd.network = { enable = true; ssh = { enable = true; hostKeys = initrd.sshd.hostKeys; }; };
}; kernelParams = [ "ip=dhcp" ];
kernelParams = if initrd.network.enable then [ "ip=dhcp" ] else []; };
};}; }
)
];
} }

32
modules/system/kernel.nix
View File

@@ -2,8 +2,7 @@ inputs:
{ {
options.nixos.system.kernel = let inherit (inputs.lib) mkOption types; in options.nixos.system.kernel = let inherit (inputs.lib) mkOption types; in
{ {
useLts = mkOption { type = types.bool; default = false; }; patches = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
patches = mkOption { type = types.listOf (types.enum [ "cjktty" "preempt" ]); default = []; };
modules = modules =
{ {
install = mkOption { type = types.listOf types.str; default = []; }; install = mkOption { type = types.listOf types.str; default = []; };
@@ -28,11 +27,13 @@ inputs:
"virtio_net" "virtio_pci" "xhci_pci" "virtio_ring" "virtio_scsi" "cryptd" "crypto_simd" "libaes" "virtio_net" "virtio_pci" "xhci_pci" "virtio_ring" "virtio_scsi" "cryptd" "crypto_simd" "libaes"
# networking for nas # networking for nas
"igb" "igb"
] ++ kernel.modules.initrd ++ (if (!kernel.useLts) then [ "lenovo-yogabook" ] else []); # yoga
"lenovo_yogabook"
];
extraModulePackages = (with inputs.config.boot.kernelPackages; [ v4l2loopback ]) ++ kernel.modules.install; extraModulePackages = (with inputs.config.boot.kernelPackages; [ v4l2loopback ]) ++ kernel.modules.install;
extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig; extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
kernelParams = [ "delayacct" "acpi_osi=Linux" ]; kernelParams = [ "delayacct" "acpi_osi=Linux" ];
kernelPackages = inputs.pkgs."linuxPackages_xanmod${if kernel.useLts then "" else "_latest"}"; kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
kernelPatches = kernelPatches =
let let
patches = patches =
@@ -53,23 +54,30 @@ inputs:
hashes = hashes =
{ {
"6.1" = "11ddiammvjxx2m9v32p25l1ai759a1d6xhdpszgnihv7g2fzigf5"; "6.1" = "11ddiammvjxx2m9v32p25l1ai759a1d6xhdpszgnihv7g2fzigf5";
"6.5" = "0ckmbx53js04lrcvcsf8qk935v2pl9w0af2v1mqghfs0krakfgfh"; "6.6" = "19ib0syj3207ifr315gdrnpv6nhh435fmgl05c7k715nng40i827";
}; };
in hashes."${major}.${minor}"; in hashes."${major}.${minor}";
}; };
extraStructuredConfig = extraStructuredConfig =
{ FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; }; { FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
}; };
preempt = lantian =
{ {
patch = null; patch = null;
extraStructuredConfig = # pick from xddxdd/nur-packages dce93a
extraStructuredConfig = with inputs.lib.kernel;
{ {
PREEMPT_VOLUNTARY = inputs.lib.mkForce inputs.lib.kernel.no; ACPI_PCI_SLOT = yes;
PREEMPT = inputs.lib.mkForce inputs.lib.kernel.yes; ENERGY_MODEL = yes;
HZ_500 = inputs.lib.mkForce inputs.lib.kernel.no; PARAVIRT_TIME_ACCOUNTING = yes;
HZ_1000 = inputs.lib.mkForce inputs.lib.kernel.yes; PM_AUTOSLEEP = yes;
HZ = inputs.lib.mkForce (inputs.lib.kernel.freeform "1000"); WQ_POWER_EFFICIENT_DEFAULT = yes;
PREEMPT_VOLUNTARY = inputs.lib.mkForce no;
PREEMPT = inputs.lib.mkForce yes;
NO_HZ_FULL = yes;
HZ_1000 = inputs.lib.mkForce yes;
HZ_250 = inputs.lib.mkForce no;
HZ = inputs.lib.mkForce (freeform "1000");
}; };
}; };
}; };

Some files were not shown because too many files have changed in this diff Show More