From 81a348a442996b56c85143b01ad4720b7d3046f0 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Sun, 24 Sep 2023 18:15:29 -0600
Subject: [PATCH] renamed computers
---
server/.gitignore | 4 +
server/configuration.org | 1003 +++++++++++++++++
.../hardware-configuration.nix | 0
{workstation => server}/nginx.nix | 0
{workstation => server}/openldap.nix | 0
{workstation => server}/secrets.nix_wip | 0
{workstation => server}/servers.nix | 0
workstation/configuration.org | 619 ++++++----
workstation/fstab.nix | 91 ++
9 files changed, 1476 insertions(+), 241 deletions(-)
create mode 100644 server/.gitignore
create mode 100755 server/configuration.org
rename {workstation => server}/hardware-configuration.nix (100%)
rename {workstation => server}/nginx.nix (100%)
rename {workstation => server}/openldap.nix (100%)
rename {workstation => server}/secrets.nix_wip (100%)
rename {workstation => server}/servers.nix (100%)
mode change 100755 => 100644 workstation/configuration.org
create mode 100644 workstation/fstab.nix
diff --git a/server/.gitignore b/server/.gitignore
new file mode 100644
index 0000000..985d863
--- /dev/null
+++ b/server/.gitignore
@@ -0,0 +1,4 @@
+/dotfiles/*.Appimage
+/scripts/download/.direnv/
+/configuration.nix
+/scripts/PureRef-1.11.1_x64.Appimage
diff --git a/server/configuration.org b/server/configuration.org
new file mode 100755
index 0000000..56f1c95
--- /dev/null
+++ b/server/configuration.org
@@ -0,0 +1,1003 @@
+#+TITLE: JawZ NixOS server configuration
+#+AUTHOR: Danilo Reyes
+#+PROPERTY: header-args :tangle configuration.nix
+#+auto_tangle: t
+
+* TODO [0/6]
+- [ ] System configurations [0/8]
+ - [ ] fail2ban
+- [ ] Misc [0/3]
+ - [ ] Figure out how to get rid of xterm
+
+
+* DECLARATION
+Here I will declare the dependencies and variables that will be used multiple
+times through the config file, such as the current version of NixOS,
+repositories and even some scripts that will be reused on systemd
+configurations.
+
+- version: used by both NixOS and home-manager to dictate the state repository
+ from which to pull configurations, modules and packages.
+- myEmail myName: used by git and acme
+- cpuArchitecture: used by NixOS to optimize the compiled binaries to my current
+ CPU specifications.
+- home-manager: the channel containing the packages matching the NixOS state
+ version, with a commented out to the unstable master.
+- unstable: a sort of overlay that allows to prepend "unstable" to a package,
+ to pull from the unstable channel rather than precompiled binaries on a case
+ by case use.
+- jawz*: scripts that will be reused multiple times through the config, such as
+ on systemd, and as such this feels like a safe way to compile them only once.
+
+#+begin_src nix
+{ config, pkgs, lib, ... }:
+let
+ version = "23.05";
+ myEmail = "CaptainJawZ@outlook.com";
+ myName = "Danilo Reyes";
+ cpuArchitecture = "skylake";
+ home-manager = builtins.fetchTarball
+ # "https://github.com/nix-community/home-manager/archive/master.tar.gz";
+ "https://github.com/nix-community/home-manager/archive/release-${version}.tar.gz";
+ unstable = import
+ (builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
+ config = config.nixpkgs.config;
+ };
+ jawzManageLibrary = pkgs.writeScriptBin
+ "manage-library" (builtins.readFile ../scripts/manage-library.sh);
+ jawzTasks = pkgs.writeScriptBin
+ "tasks" (builtins.readFile ../scripts/tasks.sh);
+in
+{ # Remember to close this bracket at the end of the document
+#+end_src
+
+These are files and modules which get loaded onto the configuration file, in the
+future I may segment this file into different modules once it becomes too
+cluttered, for example, I may create a module for systemd units.
+
+- agenix: an encryption system which cleans up the nix-configuration files from
+passwords and other secrets.
+
+#+begin_src nix
+imports = [
+ ./hardware-configuration.nix
+ ./servers.nix
+ # ./openldap.nix
+ #
+ (import "${home-manager}/nixos")
+];
+#+end_src
+
+* SYSTEM CONFIGURATION
+** NETWORKING
+Sets sensible networking options, such as setting up a hostname, and creating a
+hosts file with the static IP and hostname of other devices on my network.
+
+Also open ports on the firewall for LAN connectivity, and well keeping commented
+what each port does, I declared the firwewall ports with variables, because I
+can not be bothered to figure out whether I need TCP or UDP so let's open both,
+and repetition is maddening.
+
+#+begin_src nix
+powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+networking = {
+ useDHCP = lib.mkDefault true;
+ enableIPv6 = false;
+ hostName = "server";
+ networkmanager.enable = true;
+ extraHosts = ''
+ 192.168.1.64 workstation
+ '';
+ firewall = let
+ open_firewall_ports = [
+ 6969 # HentaiAtHome
+ 51413 # torrent sedding
+ 9091 # qbittorrent
+ 2049 # nfs
+ ];
+ open_firewall_port_ranges = [ ];
+ in
+ {
+ enable = true;
+ allowedTCPPorts = open_firewall_ports;
+ allowedUDPPorts = open_firewall_ports;
+ allowedTCPPortRanges = open_firewall_port_ranges;
+ allowedUDPPortRanges = open_firewall_port_ranges;
+ };
+};
+#+end_src
+
+** TIMEZONE & LOCALE
+For some reason, useXkbConfig throws an error when building the system, either
+way it is an unnecessary setting as my keyboards are the default en_US, only
+locale set to Canadian out because I prefer how it displays the date.
+LC_MONETARY, it's also a personal preference.
+
+#+begin_src nix
+time.timeZone = "America/Mexico_City";
+i18n = {
+ defaultLocale = "en_CA.UTF-8";
+ extraLocaleSettings = {
+ LC_MONETARY = "es_MX.UTF-8";
+ };
+};
+console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ # useXkbConfig = true; # use xkbOptions in tty.
+};
+#+end_src
+
+** SYSTEM/NIX CONFIGURATIONS
+The first setting creates a copy the NixOS configuration file and link it from
+the resulting system (/run/current-system/configuration.nix). This is useful in
+case you accidentally delete configuration.nix.
+
+The version value determines the NixOS release from which the default settings for
+stateful data, like file locations and database versions on your system.
+It‘s perfectly fine and recommended to leave this value at the release version
+of the first install of this system.
+
+Lastly I configure in here cachix repositories, which is a website that keeps a
+cache of nixbuilds for easy quick deployments without having to compile
+everything from scratch.
+
+- gc: automatically garbage-collects.
+- auto-optimise-store: hard-links binaries whenever possible.
+- system-features: features present on compiling time.
+
+#+begin_src nix
+system = {
+ copySystemConfiguration = true;
+ stateVersion = "${version}";
+};
+nix = let featuresList = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ "gccarch-${cpuArchitecture}"
+ "gccarch-znver3"
+ ];
+ in {
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ };
+ # buildMachines = [ {
+ # hostName = "workstation";
+ # system = "x86_64-linux";
+ # sshUser = "nixremote";
+ # maxJobs = 4;
+ # speedFactor = 1;
+ # supportedFeatures = featuresList;
+ # } ];
+ distributedBuilds = true;
+ settings = {
+ cores = 6;
+ auto-optimise-store = true;
+ system-features = featuresList;
+ substituters = [
+ "https://nix-gaming.cachix.org"
+ "https://nixpkgs-python.cachix.org"
+ "https://devenv.cachix.org"
+ "https://cuda-maintainers.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+ "nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU="
+ "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+ "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+ ];
+ };
+};
+#+end_src
+
+* DISPLAY MANAGER
+Rather than having the server be completely headless, temporarily I'm enabling
+xfce as a minimal display manager.
+
+#+begin_src nix
+services = {
+ xserver = {
+ enable = true;
+ displayManager.defaultSession = "xfce";
+ videoDrivers = [ "nvidia" ];
+ desktopManager = {
+ xfce.enable = true;
+ xterm.enable = false;
+ };
+ layout = "us";
+ };
+};
+#+end_src
+
+* SOUND
+In order to avoid issues with PipeWire, the wiki recommends to disable
+pulseaudio. This is a basic PipeWire configuration that can support alsa/pulse
+backends.
+
+#+begin_src nix
+hardware.pulseaudio.enable = false;
+sound.enable = false;
+services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+};
+#+end_src
+
+* SECURITY
+Disabled password in sudo for commodity, but this is obviously not recommended,
+regarding rkit, that setting enables pipewire to run with real-time
+capabilities. And lastly, the acme settings are for signing certificates.
+
+The pam limits exists so NixOS can compile the entire system without running
+into "Too many files open" errors.
+
+#+begin_src nix
+security = {
+ rtkit.enable = true;
+ sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+ pam.loginLimits = [{
+ domain = "*";
+ type = "soft";
+ item = "nofile";
+ value = "8192";
+ }];
+};
+#+end_src
+
+* NIXPKGS SETTINGS
+Allow non-free, sadly is a requirement for some of my drivers, besides that,
+here is a good place to declare some package overrides as well as permit unsafe
+packages.
+
+localSystem allows me to compile the entire operating system optimized to my CPU
+architecture and other build flags.
+
+=note= if using gcc.arch flags, comment out hostPlatform and viceversa.
+
+#+begin_src nix
+nixpkgs = {
+ hostPlatform = lib.mkDefault "x86_64-linux";
+ config.allowUnfree = true;
+ # localSystem = {
+ # gcc.arch = cpuArchitecture;
+ # gcc.tune = cpuArchitecture;
+ # system = "x86_64-linux";
+ # };
+};
+#+end_src
+
+* NORMAL USERS
+Being part of the "wheel" group, means that the user has root privileges. The
+piracy.gid is so I have read/write access permissions on all the hard drives
+split among my multiple systems, the rest of the groups are self explanatory.
+
+- nixremote: is a low-privilege user set exclusively with the intention to be a
+ proxy to build the nix-store remotely.
+
+#+begin_src nix
+users = {
+ groups.nixremote = {
+ name = "nixremote";
+ gid = 555;
+ };
+ users.nixremote = {
+ isNormalUser = true;
+ createHome = true;
+ group = "nixremote";
+ home = "/var/nixremote/";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiyTwryzw8CblPldplDpVUkXD9C1fXVgO8LeXdE5cuR root@battlestation"
+ ];
+ };
+};
+users.users.jawz = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" "docker"
+ "scanner" "lp" "piracy" "kavita"
+ "render" "video"
+ ];
+ initialPassword = "password";
+ openssh = {
+ authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDXxfFRSgII4w/S1mrekPQdfXNifqRxwJa0wpQo72wB jawz@workstation";
+ ];
+ };
+#+end_src
+
+This section of the document categorizes and organizes all he packages that I
+want installed, attempting to group them as dependencies of others when
+necessary.
+
+* USER PACKAGES
+This section of the document categorizes and organizes all he packages that I
+want installed, attempting to group them as dependencies of others when
+necessary.
+
+Begin the block to install user packages.
+
+#+begin_src nix
+packages = (with pkgs; [
+#+end_src
+
+cli and tui packages, which on their own right are as or more powerful than the
+packages on the previous section.
+
+=note= exa is no longer maintained, and will soon be replaced by eza, a maintained
+fork.
+** COMMAND-LINE PACKAGES
+
+#+begin_src nix
+unstable.yt-dlp # downloads videos from most video websites
+unstable.gallery-dl # similar to yt-dlp but for most image gallery websites
+
+fd # modern find, faster searches
+fzf # fuzzy finder! super cool and useful
+gdu # disk-space utility, somewhat useful
+du-dust # rusty du
+trashy # oop! didn't meant to delete that
+unstable.eza # like ls but with colors
+rmlint # probably my favourite app, amazing dupe finder that integrates well with BTRFS
+#+end_src
+
+** MY SCRIPTS
+Here I compile my own scripts into binaries
+
+#+begin_src nix
+jawzManageLibrary
+jawzTasks
+(writeScriptBin "ffmpeg4discord" (builtins.readFile ../scripts/ffmpeg4discord.py))
+(writeScriptBin "ffmpreg" (builtins.readFile ../scripts/ffmpreg.sh))
+(writeScriptBin "chat-dl" (builtins.readFile ../scripts/chat-dl.sh))
+(writeScriptBin "split-dir" (builtins.readFile ../scripts/split-dir.sh))
+(writeScriptBin "pika-list" (builtins.readFile ../scripts/pika-list.sh))
+(writeScriptBin "run" (builtins.readFile ../scripts/run.sh))
+#+end_src
+
+** DEVELOPMENT PACKAGES
+Assorted development packages and libraries, categorized by languages.
+
+#+begin_src nix
+# required (optionally) by doom emacs, but still are rather useful
+tree-sitter # code parsing based on symbols and shit, I do not get it
+graphviz # graphs
+tetex
+# languagetool # proofreader for English
+# these two are for doom everywhere
+xorg.xwininfo
+xdotool
+xclip
+
+tldr # man for retards
+exercism # learn to code
+
+# SH
+bats # testing system, required by Exercism
+bashdb # autocomplete
+shellcheck # linting
+shfmt # a shell parser and formatter
+
+# NIX
+expect # keep color when nom'ing
+nix-output-monitor # autistic nix builds
+nixfmt # linting
+cachix # why spend time compiling?
+
+# PYTHON.
+python3 # base language
+pipenv # python development workflow for humans
+# poetry # dependency management made easy
+
+# C# & Rust
+# omnisharp-roslyn # c# linter and code formatter
+
+# HASKELL
+# cabal-install # haskell interface
+
+# JS
+nodejs # not as bad as I thought
+#+end_src
+
+** PYTHON
+
+#+begin_src nix
+]) ++ (with pkgs.python3Packages; [
+ flake8 # wraper for pyflakes, pycodestyle and mccabe
+ isort # sort Python imports
+ nose # testing and running python scripts
+ pyflakes # checks source code for errors
+ pytest # framework for writing tests
+ speedtest-cli # check internet speed from the comand line
+ editorconfig # follow rules of contributin
+ black # Python code formatter
+ pylint # bug and style checker for python
+ (buildPythonApplication rec {
+ pname = "download";
+ version = "1.5";
+ src = ../scripts/download/.;
+ doCheck = false;
+ buildInputs = [ setuptools ];
+ propagatedBuildInputs =
+ [ pyyaml types-pyyaml ];
+ })
+ (buildPythonApplication rec {
+ pname = "ffpb";
+ version = "0.4.1";
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk=";
+ };
+ doCheck = false;
+ buildInputs = [ setuptools ];
+ propagatedBuildInputs =
+ [ tqdm ];
+ })
+ # (buildPythonApplication rec {
+ # pname = "qbit_manage";
+ # version = "4.0.3";
+ # src = fetchPypi {
+ # inherit pname version;
+ # sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk=";
+ # };
+ # doCheck = true;
+ # buildInputs = [ setuptools ];
+ # propagatedBuildInputs =
+ # [ gitpython requests retrying ruamel-yaml schedule unstable.qbittorrent-api ];
+ # })
+#+end_src
+
+** NODEJS PACKAGES
+Mostly language servers and linters.
+
+#+begin_src nix
+]) ++ (with pkgs.nodePackages; [
+ # Language servers
+ dockerfile-language-server-nodejs
+ yaml-language-server
+ bash-language-server
+ vscode-json-languageserver
+ pyright
+
+ markdownlint-cli # Linter
+ prettier # Linter
+ pnpm # Package manager
+#+end_src
+
+** HUNSPELL
+These dictionaries work with Firefox, Doom Emacs and LibreOffice.
+
+#+begin_src nix
+hunspell
+hunspellDicts.it_IT
+hunspellDicts.es_MX
+hunspellDicts.en_CA
+#+end_src
+
+** CUSTOMIZATION PACKAGES
+Themes and other customization, making my DE look the way I want is one of the
+main draws of Linux for me.
+
+#+begin_src nix
+# Fonts
+(nerdfonts.override {
+ fonts = [ "Agave" "CascadiaCode" "SourceCodePro"
+ "Ubuntu" "FiraCode" "Iosevka" ];
+})
+symbola
+#+end_src
+
+** CLOSING USER PACKAGES
+
+#+begin_src nix
+]); }; # <--- end of package list
+#+end_src
+
+* HOME-MANAGER
+** HOME-MANAGER SETTINGS
+These make it so packages install to '/etc' rather than the user home directory,
+also allow for upgrades when rebuilding the system.
+
+#+begin_src nix
+home-manager = {
+ useUserPackages = true;
+ useGlobalPkgs = true;
+ users.jawz = { config, pkgs, ... }:{
+ home.stateVersion = "${version}";
+#+end_src
+
+** DOTFILES
+I opted out of using home-manager to declare my package environment, and instead
+I use it exclusively for setting up my dotfiles.
+
+*** BASH
+Declares my .bashrc file, and sets up some environment and functions.
+
+#+begin_src nix
+programs.bash = {
+ enable = true;
+ historyFile = "\${XDG_STATE_HOME}/bash/history";
+ historyControl = [ "erasedups" "ignorespace" ];
+ shellAliases = {
+ hh = "hstr";
+ ls = "eza --icons --group-directories-first";
+ edit = "emacsclient -t";
+ comic = "download -u jawz -i \"$(cat $LC | fzf --multi --exact -i)\"";
+ gallery = "download -u jawz -i \"$(cat $LW | fzf --multi --exact -i)\"";
+ cp = "cp -i";
+ mv = "mv -i";
+ mkcd = "mkdir -pv \"$1\" && cd \"$1\" || exit";
+ mkdir = "mkdir -p";
+ rm = "trash";
+ ".." = "cd ..";
+ "..." = "cd ../..";
+ ".3" = "cd ../../..";
+ ".4" = "cd ../../../..";
+ ".5" = "cd ../../../../..";
+ dl = "download -u jawz -i";
+ e = "edit";
+ c = "cat";
+ f = "fzf --multi --exact -i";
+ sc = "systemctl --user";
+ jc = "journalctl --user -xefu";
+ open-gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl && xdg-open $(fd . ./ Husbands -tdirectory -d 1 | fzf -i)\"";
+ unique-extensions = "fd -tf | rev | cut -d. -f1 | rev | tr '[:upper:]' '[:lower:]' | sort | uniq --count | sort -rn";
+ };
+ enableVteIntegration = true;
+ initExtra = ''
+ $HOME/.local/bin/pokemon-colorscripts -r --no-title
+ # Lists
+ list_root="${config.xdg.configHome}"/jawz/lists/jawz
+ export LW=$list_root/watch.txt
+ export LI=$list_root/instant.txt
+ export LC=$list_root/comic.txt
+ export command_timeout=30
+
+ if command -v fzf-share >/dev/null; then
+ source "$(fzf-share)/key-bindings.bash"
+ source "$(fzf-share)/completion.bash"
+ fi
+
+ nixos-reload () {
+ nixfmt /home/jawz/Development/NixOS/workstation/*.nix
+ sudo nixos-rebuild switch -I nixos-config=/home/jawz/Development/NixOS/workstation/configuration.nix
+ }
+ '';
+};
+#+end_src
+
+*** XDG
+Configurations for XDG directories, as well as installing dotfiles from the
+sub-directory on this repository.
+
+#+begin_src nix
+xdg = {
+ enable = true;
+ userDirs = {
+ enable = true;
+ createDirectories = false;
+ desktop = "${config.home.homeDirectory}";
+ documents = "${config.home.homeDirectory}/Documents";
+ download = "${config.home.homeDirectory}/Downloads";
+ music = "${config.home.homeDirectory}/Music";
+ pictures = "${config.home.homeDirectory}/Pictures";
+ templates = "${config.xdg.dataHome}/Templates";
+ videos = "${config.home.homeDirectory}/Videos";
+ };
+ configFile = {
+ "wgetrc".source = ../dotfiles/wget/wgetrc;
+ "configstore/update-notifier-npm-check.json".source = ../dotfiles/npm/update-notifier-npm-check.json;
+ "npm/npmrc".source = ../dotfiles/npm/npmrc;
+ "gallery-dl/config.json".source = ../dotfiles/gallery-dl/config.json;
+ "htop/htoprc".source = ../dotfiles/htop/htoprc;
+ };
+};
+#+end_src
+
+** HOME-MANAGER PROGRAMS
+Program declarations that are exclusive to home-manager, declaring packages this
+way allows for extra configuration and integration beyond installing the
+packages on the user environment, it's the only exception I make to installing
+packages through home-manager.
+
+#+begin_src nix
+programs = {
+ hstr.enable = true;
+ emacs.enable = true;
+ direnv = {
+ enable = true;
+ enableBashIntegration = true;
+ nix-direnv.enable = true;
+ };
+ bat = {
+ enable = true;
+ config = {
+ pager = "less -FR";
+ theme = "base16";
+ };
+ extraPackages = with pkgs.bat-extras; [
+ batman # man pages
+ batpipe # piping
+ batgrep # ripgrep
+ batdiff # this is getting crazy!
+ batwatch # probably my next best friend
+ prettybat # trans your sourcecode!
+ ];
+ };
+ git = {
+ enable = true;
+ userName = "${myName}";
+ userEmail = "${myEmail}";
+ };
+ htop = {
+ enable = true;
+ package = pkgs.htop-vim;
+ };
+};
+#+end_src
+
+** HOME-MANAGER USER-SERVICES
+Lorri helps optimize emacs compilations, and the declaring emacs as a service
+through home-manager fixes the bug where emacs loads so quickly that can not
+connect to a graphic environment unless restarting the systemd service.
+
+#+begin_src nix
+services = {
+ lorri.enable = true;
+ emacs = {
+ enable = true;
+ defaultEditor = true;
+ package = pkgs.emacs;
+ };
+};
+#+end_src
+
+** CLOSING HOME-MANAGER
+
+#+begin_src nix
+}; };
+#+end_src
+
+* ENVIRONMENT
+These are a MUST to ensure the optimal function of nix, without these, recovery
+may be challenging.
+
+The environment.etc block allows for bluetooth devices to control volume, pause,
+and other things through the headset controls.
+
+Declare environment variables whose function is mostly to clear-up the $HOME
+directory from as much bloat as possible, as well as some minor graphical tweaks
+some applications use.
+
+#+begin_src nix
+environment = {
+ systemPackages = with pkgs; [
+ wget
+ jellyfin-ffmpeg # coolest video converter!
+ dlib
+ ];
+ variables = rec {
+ # PATH
+ XDG_CACHE_HOME = "\${HOME}/.cache";
+ XDG_CONFIG_HOME = "\${HOME}/.config";
+ XDG_BIN_HOME = "\${HOME}/.local/bin";
+ XDG_DATA_HOME = "\${HOME}/.local/share";
+ XDG_STATE_HOME = "\${HOME}/.local/state";
+
+ # DEV PATH
+ CABAL_DIR = "${XDG_CACHE_HOME}/cabal";
+ CARGO_HOME = "${XDG_DATA_HOME}/cargo";
+ GEM_HOME = "${XDG_DATA_HOME}/ruby/gems";
+ GEM_PATH = "${XDG_DATA_HOME}/ruby/gems";
+ GEM_SPEC_CACHE = "${XDG_DATA_HOME}/ruby/specs";
+ GOPATH = "${XDG_DATA_HOME}/go";
+ NPM_CONFIG_USERCONFIG = "${XDG_CONFIG_HOME}/npm/npmrc";
+ PNPM_HOME = "${XDG_DATA_HOME}/pnpm";
+ PSQL_HISTORY="${XDG_DATA_HOME}/psql_history";
+ REDISCLI_HISTFILE="${XDG_DATA_HOME}/redis/rediscli_history";
+ WINEPREFIX="${XDG_DATA_HOME}/wine";
+
+ # OPTIONS
+ HISTFILE = "${XDG_STATE_HOME}/bash/history";
+ LESSHISTFILE = "-";
+ GHCUP_USE_XDG_DIRS = "true";
+ RIPGREP_CONFIG_PATH = "${XDG_CONFIG_HOME}/ripgrep/ripgreprc";
+ ELECTRUMDIR = "${XDG_DATA_HOME}/electrum";
+ VISUAL = "emacsclient -ca emacs";
+ WGETRC = "${XDG_CONFIG_HOME}/wgetrc";
+ XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose";
+ "_JAVA_OPTIONS" = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
+ DOCKER_CONFIG="${XDG_CONFIG_HOME}/docker";
+
+ # NVIDIA
+ CUDA_CACHE_PATH = "${XDG_CACHE_HOME}/nv";
+
+ # Themes
+ # WEBKIT_DISABLE_COMPOSITING_MODE = "1";
+ CALIBRE_USE_SYSTEM_THEME = "1";
+
+ PATH = [
+ "\${HOME}/.local/bin"
+ "\${XDG_CONFIG_HOME}/emacs/bin"
+ "\${XDG_DATA_HOME}/npm/bin"
+ "\${XDG_DATA_HOME}/pnpm"
+ ];
+ };
+};
+#+end_src
+
+* SNAPRAID
+It's a parity raid utility which creates a scheme similar to what UNRAID
+offered, except not in real time, I schedule it to run every night, so it keeps
+my files sync, while it is possible to use snapraid as a solution to keep a
+historic backup of your files, I am more concerned with the whole disk recovery
+in case of failure, as such a frequent sync fits my preferences.
+
+#+begin_src nix
+snapraid = {
+ enable = true;
+ touchBeforeSync = true;
+ sync.interval = "02:00";
+ scrub = {
+ plan = 10;
+ olderThan = 10;
+ interval = "4:00";
+ };
+ parityFiles = [
+ "/mnt/parity/snapraid.parity"
+ ];
+ extraConfig = ''
+ autosave 5000
+ '';
+ exclude = [
+ "/tmp/"
+ "/lost+found/"
+ "/multimedia/downloads/"
+ "/scrapping/nextcloud/"
+ "/backups/"
+ "/glue/Spankbank/____UNORGANIZED/Chaturbate/"
+ "/nextcloud/nextcloud.log"
+ ];
+ dataDisks = {
+ d1 = "/mnt/disk1/";
+ d2 = "/mnt/disk2/";
+ };
+ contentFiles = [
+ "/var/snapraid.content"
+ "/mnt/disk1/snapraid.content"
+ "/mnt/disk2/snapraid.content"
+ ];
+};
+#+end_src
+
+* PROGRAMS
+Some programs get enabled and installed through here, as well as the activation
+of some services.
+
+#+begin_src nix
+programs = {
+ starship.enable = true;
+ fzf.fuzzyCompletion = true;
+ neovim = {
+ enable = true;
+ vimAlias = true;
+ };
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ msmtp = {
+ enable = true;
+ accounts.default = {
+ auth = true;
+ host = "smtp.gmail.com";
+ port = 587;
+ tls = true;
+ from = "stunner6399@gmail.com";
+ user = "stunner6399@gmail.com";
+ password = "eqyctcgjdykqeuwt";
+ };
+ };
+};
+#+end_src
+
+* SERVICES
+Miscellaneous services, most of which are managed by systemd.
+
+- minidlna: allows me to watch my media on my tv.
+- avahi: allows to discover/connect to devices through their hostname on the
+ same network.
+- fstrim/btrfs: file-system services.
+- psd: profile-sync-daemon, loads the chrome/firefox profile to ram.
+
+#+begin_src nix
+services = {
+ minidlna = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ inotify = "yes";
+ media_dir = [
+ "/mnt/disk2/glue"
+ "/mnt/seedbox/glue"
+ "/mnt/disk1/multimedia/downloads"
+ ];
+ };
+ };
+ avahi = {
+ enable = true;
+ nssmdns = true;
+ };
+ fstrim.enable = true;
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [
+ "/"
+ "/mnt/disk1"
+ "/mnt/disk2"
+ ];
+ };
+ openssh = {
+ enable = true;
+ openFirewall = true;
+ startWhenNeeded = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+};
+#+end_src
+
+* SYSTEMD
+Home-manager, is not as flushed out when it comes to creating systemd units, so
+the best way to define them for now, is using nix.
+
+#+begin_src nix
+systemd = {
+ packages = [ pkgs.qbittorrent-nox ];
+ services = {
+ "qbittorrent-nox@jawz" = {
+ enable = true;
+ overrideStrategy = "asDropin";
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+ timers = { };
+ user = {
+ services = {
+ HentaiAtHome = {
+ enable = true;
+ restartIfChanged = true;
+ description = "Run hentai@home server";
+ wantedBy = [ "default.target" ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ WorkingDirectory="/mnt/hnbox";
+ ExecStart = "${pkgs.HentaiAtHome}/bin/HentaiAtHome";
+ };
+ };
+ unpackerr = {
+ enable = true;
+ restartIfChanged = true;
+ description = "Run unpackerr";
+ wantedBy = [ "default.target" ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ ExecStart = "${pkgs.unpackerr}/bin/unpackerr -c /home/jawz/.config/unpackerr.conf";
+ };
+ };
+ manage-library = {
+ enable = true;
+ restartIfChanged = true;
+ description = "Run the manage library bash script";
+ wantedBy = [ "default.target" ];
+ path = [
+ pkgs.bash
+ pkgs.nix
+ jawzManageLibrary
+ ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ ExecStart = "${jawzManageLibrary}/bin/manage-library";
+ };
+ };
+ tasks = {
+ restartIfChanged = true;
+ description = "Run a tasks script which keeps a lot of things organized";
+ wantedBy = [ "default.target" ];
+ path = [
+ pkgs.bash
+ pkgs.nix
+ jawzTasks
+ ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ ExecStart = "${jawzTasks}/bin/tasks";
+ };
+ };
+ qbit_manage = let qbit_dir = "/home/jawz/Development/Git/qbit_manage"; in {
+ restartIfChanged = true;
+ description = "Tidy up my torrents";
+ wantedBy = [ "default.target" ];
+ path = [
+ pkgs.python3
+ pkgs.pipenv
+ ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ ExecStart = "${qbit_dir}/.venv/bin/python3 ${qbit_dir}/qbit_manage.py -r -c ${qbit_dir}/config.yml";
+ };
+ };
+ };
+ timers = {
+ tasks = {
+ enable = true;
+ description = "Run a tasks script which keeps a lot of things organized";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "*:0/10";
+ };
+ };
+ qbit_manage = {
+ enable = true;
+ description = "Tidy up my torrents";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "*:0/10";
+ };
+ };
+ };
+ };
+};
+#+end_src
+
+* FONTCONFIG
+If enabled, a Fontconfig configuration file will point to a set of default
+fonts. If you don not care about running X11 applications or any other program
+that uses Fontconfig, you can turn this option off and prevent a dependency on
+all those fonts.
+=tip= once that Wayland is ready for deployment, I probably can remove this
+setting.
+
+#+begin_src nix
+fonts.fontconfig.enable = true;
+#+end_src
+
+* HARDWARE
+Computer-specific hardware settings. The power management settings are
+defaulted to "performance".
+
+- nvidia: GPU drivers.
+- cpu.intel: microcode patches.
+
+#+begin_src nix
+hardware = {
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = true;
+ };
+ cpu.intel.updateMicrocode = lib.mkDefault true;
+ opengl = {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+};
+#+end_src
+
+* CLOSE SYSTEM
+#+begin_src nix
+}
+#+end_src
diff --git a/workstation/hardware-configuration.nix b/server/hardware-configuration.nix similarity index 100% rename from workstation/hardware-configuration.nix rename to server/hardware-configuration.nix diff --git a/workstation/nginx.nix b/server/nginx.nix similarity index 100% rename from workstation/nginx.nix rename to server/nginx.nix diff --git a/workstation/openldap.nix b/server/openldap.nix similarity index 100% rename from workstation/openldap.nix rename to server/openldap.nix diff --git a/workstation/secrets.nix_wip b/server/secrets.nix_wip similarity index 100% rename from workstation/secrets.nix_wip rename to server/secrets.nix_wip diff --git a/workstation/servers.nix b/server/servers.nix similarity index 100% rename from workstation/servers.nix rename to server/servers.nix diff --git a/workstation/configuration.org b/workstation/configuration.org old mode 100755 new mode 100644 index 56f1c95..1f5e252 --- a/workstation/configuration.org +++ b/workstation/configuration.org @@ -1,15 +1,17 @@ -#+TITLE: JawZ NixOS server configuration +#+TITLE: JawZ NixOS workstation configuration #+AUTHOR: Danilo Reyes #+PROPERTY: header-args :tangle configuration.nix #+auto_tangle: t * TODO [0/6] - [ ] System configurations [0/8] - - [ ] fail2ban + - [ ] Bluetooth multiple devices + pass-through +- [ ] dotfiles [0/4] + - [ ] migrate config to home-manager + - [ ] migrate dconf to home-manager - [ ] Misc [0/3] - [ ] Figure out how to get rid of xterm - * DECLARATION Here I will declare the dependencies and variables that will be used multiple times through the config file, such as the current version of NixOS, 
@@ -26,25 +28,29 @@ configurations. - unstable: a sort of overlay that allows to prepend "unstable" to a package, to pull from the unstable channel rather than precompiled binaries on a case by case use. +- nixGaming: a channel containing some tweaks and optimized packages for gaming. - jawz*: scripts that will be reused multiple times through the config, such as on systemd, and as such this feels like a safe way to compile them only once. + #+begin_src nix -{ config, pkgs, lib, ... }: +{ config, lib, pkgs, ... }: let version = "23.05"; myEmail = "CaptainJawZ@outlook.com"; myName = "Danilo Reyes"; - cpuArchitecture = "skylake"; + cpuArchitecture = "znver3"; home-manager = builtins.fetchTarball # "https://github.com/nix-community/home-manager/archive/master.tar.gz"; "https://github.com/nix-community/home-manager/archive/release-${version}.tar.gz"; unstable = import - (builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") { + (builtins.fetchTarball + "https://github.com/nixos/nixpkgs/tarball/master") { config = config.nixpkgs.config; }; - jawzManageLibrary = pkgs.writeScriptBin - "manage-library" (builtins.readFile ../scripts/manage-library.sh); + nixGaming = import + (builtins.fetchTarball + "https://github.com/fufexan/nix-gaming/archive/master.tar.gz"); jawzTasks = pkgs.writeScriptBin "tasks" (builtins.readFile ../scripts/tasks.sh); in @@ -57,14 +63,15 @@ cluttered, for example, I may create a module for systemd units. - agenix: an encryption system which cleans up the nix-configuration files from passwords and other secrets. +- pipewireLowLatency: better sound for games, but also, music sounds a bit less + compressed, who knows, I'm half deaf. #+begin_src nix imports = [ - ./hardware-configuration.nix - ./servers.nix - # ./openldap.nix # + ./fstab.nix (import "${home-manager}/nixos") + nixGaming.nixosModules.pipewireLowLatency ]; #+end_src 
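Review bot: `nixGaming = import (builtins.fetchTarball "https://github.com/fufexan/nix-gaming/archive/master.tar.gz")` fetches an unpinned, unhashed third-party tree at evaluation time, and the `imports` hunk then loads `nixGaming.nixosModules.pipewireLowLatency` from it, so whatever that branch contains at the next rebuild is evaluated with full authority over the system configuration and the result is not reproducible. Pin it with the attribute-set form, `builtins.fetchTarball { url = "<tarball-of-a-specific-commit>"; sha256 = "<hash>"; }` (placeholders), and bump the pin deliberately; the `unstable` nixpkgs/master and `home-manager` fetches in this `let` block, and the same `unstable` fetch in the new server/configuration.org hunk, have the same weakness. The `let` block and the `imports` list each belong to larger blocks that start or end outside these hunks.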
@@ -79,30 +86,28 @@ can not be bothered to figure out whether I need TCP or UDP so let's open both, and repetition is maddening. #+begin_src nix -powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; networking = { useDHCP = lib.mkDefault true; - enableIPv6 = false; - hostName = "server"; + hostName = "workstation"; networkmanager.enable = true; extraHosts = '' - 192.168.1.64 workstation + 192.168.1.69 server ''; firewall = let - open_firewall_ports = [ - 6969 # HentaiAtHome - 51413 # torrent sedding - 9091 # qbittorrent - 2049 # nfs + openFirewallPorts = [ + 7860 # gpt + 6674 # ns-usbloader + ]; + openFirewallPortRanges = [ + { from = 1714; to = 1764; } # kdeconnect ]; - open_firewall_port_ranges = [ ]; in { enable = true; - allowedTCPPorts = open_firewall_ports; - allowedUDPPorts = open_firewall_ports; - allowedTCPPortRanges = open_firewall_port_ranges; - allowedUDPPortRanges = open_firewall_port_ranges; + allowedTCPPorts = openFirewallPorts; + allowedUDPPorts = openFirewallPorts; + allowedTCPPortRanges = openFirewallPortRanges; + allowedUDPPortRanges = openFirewallPortRanges; }; }; #+end_src @@ -157,24 +162,24 @@ nix = let featuresList = [ "big-parallel" "kvm" "gccarch-${cpuArchitecture}" - "gccarch-znver3" + "gccarch-skylake" ]; in { gc = { automatic = true; dates = "weekly"; }; - # buildMachines = [ { - # hostName = "workstation"; - # system = "x86_64-linux"; - # sshUser = "nixremote"; - # maxJobs = 4; - # speedFactor = 1; - # supportedFeatures = featuresList; - # } ]; + buildMachines = [ { + hostName = "server"; + system = "x86_64-linux"; + sshUser = "nixremote"; + maxJobs = 4; + speedFactor = 1; + supportedFeatures = featuresList; + } ]; distributedBuilds = true; settings = { - cores = 6; + cores = 12; auto-optimise-store = true; system-features = featuresList; substituters = [ 
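Review bot: Every entry in `openFirewallPorts` and `openFirewallPortRanges` is opened for both TCP and UDP, which doubles the exposed surface for services that speak only one protocol; of the new entries `7860 # gpt` looks like an HTTP web UI and `6674 # ns-usbloader` appears to be a TCP listener, so `allowedTCPPorts = openFirewallPorts; allowedUDPPorts = [ ];` would cover both, while the KDE Connect range genuinely needs both protocols. If 7860 is a Gradio-style UI, such UIs usually listen without any authentication, so opening it to the LAN hands the model endpoint to every host on that network—confirm that is intended rather than binding it to localhost. The `{ from = 1714; to = 1764; }` range is also redundant: `programs.kdeconnect.enable = true` (added in a later hunk) opens 1714–1764 on TCP and UDP by itself, so the hand-written range can go.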
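Review bot: The `buildMachines` entry for `server` has no `publicHostKey`, so the root-run remote build trusts whatever host key root's `known_hosts` happens to hold for a plain LAN name from `extraHosts`, and the derivation outputs it returns are copied into the local store as trusted; pinning the builder with `publicHostKey = "<base64 of the server's ssh host key>";` removes that trust-on-first-use gap. Separately, `supportedFeatures = featuresList` advertises `gccarch-znver3` (via `gccarch-${cpuArchitecture}`) for the builder, yet the pre-rename version of this file, which this commit carries over to `server/`, set `cpuArchitecture = "skylake"`, so derivations that require znver3 could be scheduled onto a CPU that cannot execute the resulting binaries if a build step runs them; give the builder its own list, e.g. `supportedFeatures = [ "big-parallel" "kvm" "gccarch-skylake" ];`. The `nix.settings` set continues past the end of this hunk.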
@@ -193,23 +198,58 @@ nix = let featuresList = [ }; #+end_src -* DISPLAY MANAGER -Rather than having the server be completely headless, temporarily I'm enabling -xfce as a minimal display manager. +* GNOME +At the time of writing this file, I require of X11, as the NVIDIA support for +Wayland is not perfect yet. At the time being, the ability to switch through +GDM from Wayland to XORG, it's pretty handy, but in the future these settings +will require an update. + +Sets up GNOME as the default desktop environment, while excluding some +undesirable packages from installing. + +Lastly, since there is not a dedicated customization module per-say I setup qt +options in here, for the sake of gnome consistency. + #+begin_src nix services = { xserver = { - enable = true; - displayManager.defaultSession = "xfce"; videoDrivers = [ "nvidia" ]; + enable = true; + displayManager.gdm.enable = true; desktopManager = { - xfce.enable = true; - xterm.enable = false; + gnome.enable = true; }; layout = "us"; + libinput.enable = true; }; }; + +environment.gnome.excludePackages = (with pkgs; [ + gnome-photos + gnome-tour + gnome-text-editor + gnome-connections + # gnome-shell-extensions + baobab +]) +++ (with pkgs.gnome; [ + # totem + gedit + gnome-music + epiphany + gnome-characters + yelp + gnome-font-viewer + cheese +]); + +# Sets up QT to use adwaita themes. +qt = { + enable = true; + # platformTheme = "gnome"; + style = "adwaita-dark"; +}; #+end_src * SOUND 
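Review bot: `qt.style = "adwaita-dark"` is set while `platformTheme` stays commented out; as far as I recall, the 23.05 `qt` module derives its style packages (adwaita-qt, qgnomeplatform) from the platformTheme/style pair and only wires the adwaita styles in for `platformTheme = "gnome"`, so with it unset this either fails to evaluate or merely exports `QT_STYLE_OVERRIDE` for a style that is not installed—worth confirming, and if so the fix is just uncommenting `platformTheme = "gnome";`. Minor style point: `desktopManager = { gnome.enable = true; };` wraps a single attribute and reads cleaner as `desktopManager.gnome.enable = true;`, matching `displayManager.gdm.enable` directly above it. The prose above the block has "per-say" where "per se" is meant.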
@@ -217,14 +257,31 @@ In order to avoid issues with PipeWire, the wiki recommends to disable pulseaudio. This is a basic PipeWire configuration that can support alsa/pulse backends. +lowLatency is a module of nix-gaming, and hardware bluetooth settings are there +to allegedly improve the quality of bluetooth in the system, to this day, +bluetooth and I remain enemies. + #+begin_src nix -hardware.pulseaudio.enable = false; sound.enable = false; services.pipewire = { enable = true; alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; + lowLatency = { + enable = true; + quantum = 64; + rate = 48000; + }; +}; +hardware = { + pulseaudio.enable = false; + bluetooth.enable = true; + bluetooth.settings = { + General = { + Enable = "Source,Sink,Media,Socket"; + }; + }; }; #+end_src 
@@ -279,43 +336,23 @@ Being part of the "wheel" group, means that the user has root privileges. The piracy.gid is so I have read/write access permissions on all the hard drives split among my multiple systems, the rest of the groups are self explanatory. -- nixremote: is a low-privilege user set exclusively with the intention to be a - proxy to build the nix-store remotely. - #+begin_src nix users = { - groups.nixremote = { - name = "nixremote"; - gid = 555; - }; - users.nixremote = { - isNormalUser = true; - createHome = true; - group = "nixremote"; - home = "/var/nixremote/"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiyTwryzw8CblPldplDpVUkXD9C1fXVgO8LeXdE5cuR root@battlestation" - ]; - }; -}; -users.users.jawz = { + groups = { piracy.gid = 985; }; + users.jawz = { isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" "docker" - "scanner" "lp" "piracy" "kavita" - "render" "video" + extraGroups = [ "wheel" "networkmanager" "scanner" + "lp" "piracy" "kavita" "video" "docker" ]; initialPassword = "password"; openssh = { - authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDXxfFRSgII4w/S1mrekPQdfXNifqRxwJa0wpQo72wB jawz@workstation"; + authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZ/TtwLIR/JNp1Sr3TLV/eQK52n2htF8sg/RYfz60z3 jawz@server" ]; }; #+end_src -This section of the document categorizes and organizes all he packages that I -want installed, attempting to group them as dependencies of others when -necessary. - * USER PACKAGES This section of the document categorizes and organizes all he packages that I want installed, attempting to group them as dependencies of others when 
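Review bot: The first re-added authorized key ends in `gpodeacero\cdreyes@100CDREYES` inside a Nix double-quoted string, where the lexer treats `\c` as an escape yielding a bare `c`, so the comment lands in `authorized_keys` as `gpodeacerocdreyes@...`; harmless for authentication but misleading when auditing who holds access—write `\\c` or drop the backslash. This user is in `wheel` and `docker` (both root-equivalent) and now also accepts a key labelled `jawz@server`, so the server's private key should be treated as root on this machine and kept only there. The unchanged `initialPassword = "password"` beside it still matters because `services.openssh` later in the file keeps `openFirewall = true` and NixOS 23.05 leaves password authentication enabled by default unless the file sets it off somewhere not shown; if that initial password was never changed, the host is one guess away over the LAN, so set `services.openssh.settings.PasswordAuthentication = false;` or replace it with a `hashedPassword` sourced from a secret.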
@@ -327,12 +364,145 @@ Begin the block to install user packages. packages = (with pkgs; [ #+end_src +** GUI PACKAGES +All of my GUI applications categorized to make it easier to identify what each +application does, and the justification for is existence on my system. + +*** ART AND DEVELOPMENT +Art and development applications are together, as a game-developer one of my +goals is to create a workflow between this ecosystem of applications. + +#+begin_src nix +godot_4 # game development +gdtoolkit # gdscript language server +blender # cgi animation and sculpting + +gimp # the coolest bestest art program to never exist +krita # art to your heart desire! +mypaint # not the best art program +mypaint-brushes # but it's got some +mypaint-brushes1 # nice damn brushes +# drawpile # arty party with friends!! + +pureref # create inspiration/reference boards +#+end_src + +*** GAMING +So far gaming has been a lot less painful than I could have originally +anticipated, most everything seems to run seamlessly. + +Most packages on this section are set to unstable so we compile the newest +possible binaries, which is handy mostly for frequently developed emulators. + +I never figured out why, but lutris will give me wine errors unless both wine64 +and wineWow are installed. + +=note= Steam is setup way later on the config file. +=note= Roblox uninstalled as there is ongoing drama regarding Linux users. + +#+begin_src nix +(lutris.override { + extraPkgs = pkgs: [ + winetricks + wine64Packages.stable + wineWowPackages.stable + ]; +}) +# nixGaming.packages.${pkgs.hostPlatform.system}.wine-tkg +# nixGaming.packages.${pkgs.hostPlatform.system}.wine-discord-ipc-bridge +# vulkan-tools # needed? 
stuff for vulkan drivers I suppose +unstable.heroic # install epic games +gamemode # optimizes linux to have better gaming performance +# grapejuice # roblox manager +# minecraft # minecraft official launcher +parsec-bin # remote gaming with friends +protonup-qt # update proton-ge +unstable.ns-usbloader # load games into my switch + +# emulators +unstable.rpcs3 # ps3 emulator +unstable.pcsx2 # ps2 emulator +unstable.cemu # wii u emulator +unstable.dolphin-emu # wii emulator +unstable.citra-nightly # 3Ds emulator +unstable.snes9x-gtk # snes emulator +#+end_src + +*** PRODUCTIVITY +An assorted list of productivity-oriented apps which I will never use. + +#+begin_src nix +libreoffice-fresh # office, but based +calibre # ugly af eBook library manager +foliate # gtk eBook reader +newsflash # feed reader, syncs with nextcloud +wike # gtk wikipedia wow! +denaro # manage your finances +furtherance # I made this one tehee track time utility +gnome.simple-scan # scanner +#+end_src + +*** MISC +Most of these apps, are part of the gnome circle, and I decide to install them +if just for a try and play a little. Most are kept commented out as an archive, +so I remember their names in case I want to check them out or recommend them to +someone. + +#+begin_src nix +blanket # background noise +pika-backup # backups +metadata-cleaner # remove any metadata and geolocation from files +# sequeler # friendly SQL client +# czkawka # duplicate finder +# celeste # sync tool for any cloud provider +#+end_src + +*** MULTIMEDIA +Overwhelmingly player applications, used for videos and music, while most of my +consumption has moved towards jellyfin, it's still worth the install of most +of these, for now. 
+ +#+begin_src nix +celluloid # video player +cozy # audiobooks player +komikku # manga & comic GUI downloader +gnome-podcasts # podcast player +handbrake # video converter, may be unnecessary +curtail # image compressor +pitivi # video editor +identity # compare images or videos +gnome-obfuscate # censor private information +mousai # poor man shazam +tagger # tag music files +obs-studio # screen recorder & streamer +shortwave # listen to world radio +nextcloud-client # self-hosted google-drive alternative +#+end_src + +*** WEB +Stuff that I use to interact with the web, web browsers, chats, download +managers, etc. + +#+begin_src nix +firefox # web browser that allows to disable spyware +tor-browser-bundle-bin # dark web, so dark! +chromium # web browser with spyware included +telegram-desktop # furry chat +nicotine-plus # remember Ares? +warp # never used, but supposedly cool for sharing files +(pkgs.discord.override { + # withOpenASAR = true; + withVencord = true; +}) +# hugo # website engine +#+end_src + +** COMMAND-LINE PACKAGES cli and tui packages, which on their own right are as or more powerful than the packages on the previous section. =note= exa is no longer maintained, and will soon be replaced by eza, a maintained fork. -** COMMAND-LINE PACKAGES #+begin_src nix unstable.yt-dlp # downloads videos from most video websites 
@@ -340,28 +510,32 @@ unstable.gallery-dl # similar to yt-dlp but for most image gallery websites fd # modern find, faster searches fzf # fuzzy finder! super cool and useful -gdu # disk-space utility, somewhat useful -du-dust # rusty du -trashy # oop! didn't meant to delete that +gdu # disk-space utility checker, somewhat useful +du-dust # rusty du similar to gdu +ripgrep # modern grep +trashy # oop! did not meant to delete that unstable.eza # like ls but with colors +gocryptfs # encrypted filesystem! shhh!!! rmlint # probably my favourite app, amazing dupe finder that integrates well with BTRFS + +ffmpeg # not ffmpreg, the coolest video conversion tool! +# torrenttools # create torrent files from the terminal! +# vcsi # video thumbnails for torrents, can I replace it with ^? #+end_src -** MY SCRIPTS -Here I compile my own scripts into binaries +*** MY SCRIPTS +Here I compile my own scripts into binaries. #+begin_src nix -jawzManageLibrary jawzTasks (writeScriptBin "ffmpeg4discord" (builtins.readFile ../scripts/ffmpeg4discord.py)) (writeScriptBin "ffmpreg" (builtins.readFile ../scripts/ffmpreg.sh)) -(writeScriptBin "chat-dl" (builtins.readFile ../scripts/chat-dl.sh)) (writeScriptBin "split-dir" (builtins.readFile ../scripts/split-dir.sh)) -(writeScriptBin "pika-list" (builtins.readFile ../scripts/pika-list.sh)) (writeScriptBin "run" (builtins.readFile ../scripts/run.sh)) +(writeScriptBin "pika-list" (builtins.readFile ../scripts/pika-list.sh)) #+end_src -** DEVELOPMENT PACKAGES +*** DEVELOPMENT PACKAGES Assorted development packages and libraries, categorized by languages. #+begin_src nix @@ -403,9 +577,10 @@ pipenv # python development workflow for humans # JS nodejs # not as bad as I thought +# jq # linting #+end_src -** PYTHON +*** PYTHON #+begin_src nix ]) ++ (with pkgs.python3Packages; [ 
@@ -439,21 +614,9 @@ nodejs # not as bad as I thought propagatedBuildInputs = [ tqdm ]; }) - # (buildPythonApplication rec { - # pname = "qbit_manage"; - # version = "4.0.3"; - # src = fetchPypi { - # inherit pname version; - # sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk="; - # }; - # doCheck = true; - # buildInputs = [ setuptools ]; - # propagatedBuildInputs = - # [ gitpython requests retrying ruamel-yaml schedule unstable.qbittorrent-api ]; - # }) #+end_src -** NODEJS PACKAGES +*** NODEJS PACKAGES Mostly language servers and linters. #+begin_src nix @@ -471,7 +634,7 @@ Mostly language servers and linters. #+end_src ** HUNSPELL -These dictionaries work with Firefox, Doom Emacs and LibreOffice. +These dictionaries are compatible with Firefox, Doom Emacs and LibreOffice. #+begin_src nix hunspell 
@@ -485,18 +648,47 @@ Themes and other customization, making my DE look the way I want is one of the main draws of Linux for me. #+begin_src nix +# Themes +adw-gtk3 +gnome.gnome-tweaks # tweaks for the gnome desktop environment +# gradience # theme customizer, allows you to modify adw-gtk3 themes + # Fonts (nerdfonts.override { fonts = [ "Agave" "CascadiaCode" "SourceCodePro" "Ubuntu" "FiraCode" "Iosevka" ]; }) symbola +(papirus-icon-theme.override { + color = "adwaita"; +}) #+end_src -** CLOSING USER PACKAGES +** GNOME EXTENSIONS +The last line can be commented to allow for the installation of gnome-extensions +from the unstable channel. #+begin_src nix -]); }; # <--- end of package list +# lm_sensors # for extension, displays cpu temp +libgda # for pano shell extension +]) ++ (with pkgs.gnomeExtensions; [ + appindicator # applets for open applications + panel-scroll # scroll well to change workspaces + reading-strip # like putting a finger on every line I read + tactile # window manager + pano # clipboard manager + # freon # hardware temperature monitor + # blur-my-shell # make the overview more visually appealing + # gamemode # I guess I'm a gamer now? + # burn-my-windows + # forge # window manager +# ]) ++ (with unstable.pkgs.gnomeExtensions; [ +#+end_src + +** CLOSE USER PACKAGES + +#+begin_src nix +]); }; };# <--- end of package list #+end_src * HOME-MANAGER 
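Review bot: The GNOME EXTENSIONS intro says "The last line can be commented to allow for the installation of gnome-extensions from the unstable channel", but that last line (`# ]) ++ (with unstable.pkgs.gnomeExtensions; [`) is already a comment, so the sentence should read "can be uncommented to install extensions from the unstable channel". In CLOSE USER PACKAGES the closer `]); }; };# <--- end of package list` lost its space before the comment and no longer says what the two extra braces close; `]); }; }; # <--- closes packages, users.jawz and users` would keep the next reader oriented.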
@@ -546,11 +738,15 @@ programs.bash = { f = "fzf --multi --exact -i"; sc = "systemctl --user"; jc = "journalctl --user -xefu"; - open-gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl && xdg-open $(fd . ./ Husbands -tdirectory -d 1 | fzf -i)\""; - unique-extensions = "fd -tf | rev | cut -d. -f1 | rev | tr '[:upper:]' '[:lower:]' | sort | uniq --count | sort -rn"; + open-gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl \ + && xdg-open \"$(fd . ./ Husbands -tdirectory -d 1 | fzf -i)\""; + unique-extensions = "fd -tf | rev | cut -d. -f1 | rev \ + | tr '[:upper:]' '[:lower:]' | sort \ + | uniq --count | sort -rn"; }; enableVteIntegration = true; initExtra = '' + ,#+begin_src bash $HOME/.local/bin/pokemon-colorscripts -r --no-title # Lists list_root="${config.xdg.configHome}"/jawz/lists/jawz @@ -565,8 +761,12 @@ programs.bash = { fi nixos-reload () { - nixfmt /home/jawz/Development/NixOS/workstation/*.nix - sudo nixos-rebuild switch -I nixos-config=/home/jawz/Development/NixOS/workstation/configuration.nix + NIXOSDIR=/home/jawz/Development/NixOS + nix-store --add-fixed sha256 $NIXOSDIR/scripts/PureRef-1.11.1_x64.Appimage + nixfmt $NIXOSDIR/battlestation/*.nix + sudo unbuffer nixos-rebuild switch -I \ + nixos-config=$NIXOSDIR/battlestation/configuration.nix \ + |& nom } ''; }; @@ -654,6 +854,7 @@ services = { enable = true; defaultEditor = true; package = pkgs.emacs; + startWithUserSession = "graphical"; }; }; #+end_src @@ -677,10 +878,19 @@ some applications use. #+begin_src nix environment = { + etc = { + "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = '' + bluez_monitor.properties = { + ["bluez5.enable-sbc-xq"] = true, + ["bluez5.enable-msbc"] = true, + ["bluez5.enable-hw-volume"] = true, + ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]" + } + ''; + }; systemPackages = with pkgs; [ wget - jellyfin-ffmpeg # coolest video converter! - dlib + gwe ]; variables = rec { # PATH 
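Review bot: The re-wrapped `open-gallery` and `unique-extensions` aliases end their first line with a backslash, but in a Nix double-quoted string a backslash only escapes the next character and does not join lines, so as far as I can tell the newline survives into the alias text and bash then sees `&&` (respectively `|`) at the start of a line, which is a syntax error whenever the alias is run. Join the pieces with Nix concatenation instead: `open-gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl" + " && xdg-open \"$(fd . ./ Husbands -tdirectory -d 1 | fzf -i)\"";` and likewise for `unique-extensions`. A quick check after a rebuild is `type open-gallery`, which should print the command on a single line.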
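Review bot: `nixos-reload` now formats and builds from `$NIXOSDIR/battlestation/`, but this commit renames the directories to `workstation/` and `server/` and creates no `battlestation/`, so unless that is a symlink outside the repo the function fails on `nixfmt` and then points `nixos-rebuild` at a configuration.nix that does not exist; it should read `nixfmt $NIXOSDIR/workstation/*.nix` and `nixos-config=$NIXOSDIR/workstation/configuration.nix`. The pipeline also depends on `unbuffer` (from expect) and `nom` (nix-output-monitor), neither of which appears in the package lists in this diff—if they are not installed elsewhere, `sudo unbuffer ...` fails before the rebuild starts. The `nix-store --add-fixed` line runs on every reload and errors when the AppImage is not present, after which the function carries on regardless; guarding it with `[ -f "$NIXOSDIR/scripts/PureRef-1.11.1_x64.Appimage" ] && nix-store --add-fixed sha256 ...` keeps the function usable on a fresh checkout.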
@@ -732,50 +942,6 @@ environment = { }; #+end_src -* SNAPRAID -It's a parity raid utility which creates a scheme similar to what UNRAID -offered, except not in real time, I schedule it to run every night, so it keeps -my files sync, while it is possible to use snapraid as a solution to keep a -historic backup of your files, I am more concerned with the whole disk recovery -in case of failure, as such a frequent sync fits my preferences. - -#+begin_src nix -snapraid = { - enable = true; - touchBeforeSync = true; - sync.interval = "02:00"; - scrub = { - plan = 10; - olderThan = 10; - interval = "4:00"; - }; - parityFiles = [ - "/mnt/parity/snapraid.parity" - ]; - extraConfig = '' - autosave 5000 - ''; - exclude = [ - "/tmp/" - "/lost+found/" - "/multimedia/downloads/" - "/scrapping/nextcloud/" - "/backups/" - "/glue/Spankbank/____UNORGANIZED/Chaturbate/" - "/nextcloud/nextcloud.log" - ]; - dataDisks = { - d1 = "/mnt/disk1/"; - d2 = "/mnt/disk2/"; - }; - contentFiles = [ - "/var/snapraid.content" - "/mnt/disk1/snapraid.content" - "/mnt/disk2/snapraid.content" - ]; -}; -#+end_src - * PROGRAMS Some programs get enabled and installed through here, as well as the activation of some services. @@ -792,17 +958,17 @@ programs = { enable = true; enableSSHSupport = true; }; - msmtp = { + geary = { enable = true; - accounts.default = { - auth = true; - host = "smtp.gmail.com"; - port = 587; - tls = true; - from = "stunner6399@gmail.com"; - user = "stunner6399@gmail.com"; - password = "eqyctcgjdykqeuwt"; - }; + }; + steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; + kdeconnect = { + enable = true; + package = pkgs.gnomeExtensions.gsconnect; }; }; #+end_src 
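Review bot: Deleting the `msmtp` block removes a Gmail address and an app password (`eqyctcgjdykqeuwt`) from the tangled config, but both remain in this repository's history and in every clone, so the removal is not a revocation—the app password should be revoked in the Google account and, if mail is still needed, reintroduced via `passwordeval` reading a file outside the Nix store (the file's prose mentions agenix for exactly this). Of the new `steam` options, `dedicatedServer.openFirewall = true` opens the Source dedicated-server port 27015 inbound on every interface, which a workstation that only plays games does not need; keep `remotePlay.openFirewall` if Remote Play is used and drop the dedicated-server line.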
@@ -810,39 +976,35 @@ programs = { * SERVICES Miscellaneous services, most of which are managed by systemd. -- minidlna: allows me to watch my media on my tv. - avahi: allows to discover/connect to devices through their hostname on the same network. - fstrim/btrfs: file-system services. +- hardware.openrgb: enables to tune hardware RGB. - psd: profile-sync-daemon, loads the chrome/firefox profile to ram. #+begin_src nix services = { - minidlna = { + printing = { enable = true; - openFirewall = true; - settings = { - inotify = "yes"; - media_dir = [ - "/mnt/disk2/glue" - "/mnt/seedbox/glue" - "/mnt/disk1/multimedia/downloads" - ]; - }; + drivers = [ pkgs.hplip pkgs.hplipWithPlugin ]; }; avahi = { enable = true; nssmdns = true; }; + psd.enable = true; fstrim.enable = true; btrfs.autoScrub = { enable = true; fileSystems = [ "/" - "/mnt/disk1" - "/mnt/disk2" ]; }; + hardware.openrgb = { + enable = true; + package = unstable.openrgb; + motherboard = "amd"; + }; openssh = { enable = true; openFirewall = true; 
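Review bot: `printing.drivers = [ pkgs.hplip pkgs.hplipWithPlugin ]` lists both variants although `hplipWithPlugin` is `hplip` built with the proprietary plugin and supersedes it; the same pair is repeated verbatim in `hardware.sane.extraBackends` in a later hunk, so defining it once in the top `let` block, e.g. `hpDrivers = [ pkgs.hplipWithPlugin ];`, and using `drivers = hpDrivers;` in both places removes the duplication and makes the unfree-plugin choice explicit in one spot. The `openssh` entry is unchanged context, but since it keeps `openFirewall = true` on a host whose primary user is created with a static `initialPassword`, this block is where `settings.PasswordAuthentication = false;` belongs. The `services` set continues past the end of this hunk.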
@@ -861,56 +1023,10 @@ the best way to define them for now, is using nix. #+begin_src nix systemd = { - packages = [ pkgs.qbittorrent-nox ]; - services = { - "qbittorrent-nox@jawz" = { - enable = true; - overrideStrategy = "asDropin"; - wantedBy = [ "multi-user.target" ]; - }; - }; + services = { }; timers = { }; user = { services = { - HentaiAtHome = { - enable = true; - restartIfChanged = true; - description = "Run hentai@home server"; - wantedBy = [ "default.target" ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - WorkingDirectory="/mnt/hnbox"; - ExecStart = "${pkgs.HentaiAtHome}/bin/HentaiAtHome"; - }; - }; - unpackerr = { - enable = true; - restartIfChanged = true; - description = "Run unpackerr"; - wantedBy = [ "default.target" ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${pkgs.unpackerr}/bin/unpackerr -c /home/jawz/.config/unpackerr.conf"; - }; - }; - manage-library = { - enable = true; - restartIfChanged = true; - description = "Run the manage library bash script"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.bash - pkgs.nix - jawzManageLibrary - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${jawzManageLibrary}/bin/manage-library"; - }; - }; tasks = { restartIfChanged = true; description = "Run a tasks script which keeps a lot of things organized"; @@ -926,20 +1042,6 @@ systemd = { ExecStart = "${jawzTasks}/bin/tasks"; }; }; - qbit_manage = let qbit_dir = "/home/jawz/Development/Git/qbit_manage"; in { - restartIfChanged = true; - description = "Tidy up my torrents"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.python3 - pkgs.pipenv - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${qbit_dir}/.venv/bin/python3 ${qbit_dir}/qbit_manage.py -r -c ${qbit_dir}/config.yml"; - }; - }; }; timers = { tasks = { 
@@ -950,14 +1052,6 @@ systemd = { OnCalendar = "*:0/10"; }; }; - qbit_manage = { - enable = true; - description = "Tidy up my torrents"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*:0/10"; - }; - }; }; }; }; @@ -980,24 +1074,67 @@ Computer-specific hardware settings. The power management settings are defaulted to "performance". - nvidia: GPU drivers. -- cpu.intel: microcode patches. +- sane: hp scanner drivers. +- cpu.amd: microcode patches. +- opentabletdriver: overrides the default generic nvidia drivers. +- opengl: required for gaming, as pug drivers as well as video acceleration. #+begin_src nix +powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; hardware = { + cpu.amd.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; nvidia = { modesetting.enable = true; powerManagement.enable = true; }; - cpu.intel.updateMicrocode = lib.mkDefault true; + sane = { + enable = true; + extraBackends = [ pkgs.hplip pkgs.hplipWithPlugin ]; + }; + opentabletdriver = { + enable = true; + package = unstable.opentabletdriver; + daemon.enable = false; + }; opengl = { enable = true; driSupport = true; driSupport32Bit = true; + extraPackages = with pkgs; [ + nvidia-vaapi-driver + vaapiVdpau + libvdpau-va-gl + ]; }; }; +### TEMPORARY PATCH, pinning up the linux kernel due to a bug with newer versions. +boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_1.override { + argsOverride = rec { + src = pkgs.fetchurl { + url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz"; + sha256 = "Vnc3mQ28kmWWageGOSghqfpVn9NGSU/R7/BQ2+s4OlI="; + }; + version = "6.1.52"; + modDirVersion = "6.1.52"; + }; + }); +#+end_src + +* DOCKER +Basic docker settings to be able to run some images, although most docker images +run on my server. + +#+begin_src nix +virtualisation.docker = { + enable = true; + storageDriver = "btrfs"; + enableNvidia = true; +}; #+end_src * CLOSE SYSTEM #+begin_src nix } #+end_src + 
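Review bot: The `boot.kernelPackages` override pins the kernel to exactly 6.1.52 with a fixed `sha256`; it is labelled a temporary patch but has no entry in the TODO list at the top of the file, so the pin will silently keep this machine on a kernel that stops receiving security fixes the moment 6.1.53 ships. If the bug being avoided lives in the newer default kernel series rather than in 6.1.x point releases, `boot.kernelPackages = pkgs.linuxPackages_6_1;` gives the maintained 6.1 LTS line from nixpkgs without hand-pinning a version or hash; otherwise at least add `- [ ] remove kernel pin (6.1.52)` to the TODO list. The explanatory bullets above the block are also mismatched: `opentabletdriver` is described as "overrides the default generic nvidia drivers" and `opengl` as needed "as pug drivers", where the former should say something like "userspace driver for graphics tablets (its daemon is disabled here)" and the latter "GPU drivers as well as video acceleration".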
diff --git a/workstation/fstab.nix b/workstation/fstab.nix
new file mode 100644
index 0000000..3d7a054
--- /dev/null
+++ b/workstation/fstab.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, modulesPath, ... }: {
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+ boot = {
+ #plymouth = { enable = true; };
+ loader = {
+ efi = {
+ canTouchEfiVariables = true;
+ efiSysMountPoint = "/boot/efi";
+ };
+ grub = {
+ enable = true;
+ device = "nodev";
+ efiSupport = true;
+ enableCryptodisk = true;
+ };
+ };
+ initrd.luks.devices = {
+ nvme = {
+
+ device = "/dev/disk/by-uuid/e9618e85-a631-4374-b2a4-22c376d6e41b";
+ preLVM = true;
+ };
+ };
+ kernelModules = [ "kvm-intel" ];
+ kernel.sysctl = { "vm.swappiness" = 80; };
+ extraModulePackages = [ ];
+ initrd = {
+ availableKernelModules =
+ [ "xhci_pci" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod" ];
+ kernelModules = [ ];
+ };
+ };
+
+ fileSystems = let
+ mount = disk: {
+ device = "workstation:/${disk}";
+ fsType = "nfs";
+ };
+ in {
+ "/mnt/disk1" = mount "disk1" // { };
+ "/mnt/disk2" = mount "disk2" // { };
+ "/mnt/jawz" = mount "jawz" // { };
+ "/mnt/seedbox" = mount "seedbox" // { };
+
+ "/" = {
+ device = "/dev/mapper/nvme";
+ fsType = "btrfs";
+ options = [
+ "subvol=nixos"
+ "ssd"
+ "compress=zstd:3"
+ "x-systemd.device-timeout=0"
+ "space_cache=v2"
+ "commit=120"
+ "datacow"
+ "noatime"
+ ];
+ };
+ "/home" = {
+ device = "/dev/mapper/nvme";
+ fsType = "btrfs";
+ options = [
+ "subvol=home"
+ "ssd"
+ "compress=zstd:3"
+ "x-systemd.device-timeout=0"
+ "space_cache=v2"
+ "commit=120"
+ "datacow"
+ ];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/ac6d349a-96b9-499e-9009-229efd7743a5";
+ fsType = "ext4";
+ };
+ "/boot/efi" = {
+ device = "/dev/disk/by-uuid/B05D-B5FB";
+ fsType = "vfat";
+ };
+
+ };
+ swapDevices = [{
+ device = "/dev/disk/by-partuuid/c1bd22d7-e62c-440a-88d1-6464be1aa1b0";
+ randomEncryption = {
+ enable = true;
+ cipher = "aes-xts-plain64";
+ keySize = 512;
+ sectorSize = 4096;
+ };
+ }];
+}
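Review bot: The NFS helper mounts `workstation:/${disk}`, but this configuration now sets `hostName = "workstation"` on the very machine doing the mounting, while `disk1` and `disk2` were local data disks in the pre-rename config that this commit moves to `server/` (see the removed snapraid `dataDisks`), and `server` is the name mapped in `extraHosts`; unless `workstation` is also a DNS alias for that box, all four mounts point at the wrong host and should use `server:/${disk}`. `kernelModules = [ "kvm-intel" ]` likewise looks carried over from the Intel machine: the rest of this commit switches the workstation to `znver3` and `cpu.amd.updateMicrocode`, so KVM needs `kvm-amd` here. The four network mounts also carry no options (the `// { }` suffix is an empty merge), so a server that is down or slow blocks boot; making them systemd automounts with `noauto` and a timeout keeps the workstation bootable offline and connects on first access instead.
```nix
    kernelModules = [ "kvm-amd" ];
    # … unchanged: kernel.sysctl, extraModulePackages, initrd …

  fileSystems = let
    # Shares exported by the server box; mounted lazily so an unreachable
    # server does not hold up boot.
    mount = disk: {
      device = "server:/${disk}";
      fsType = "nfs";
      options = [ "noauto" "x-systemd.automount" "x-systemd.idle-timeout=600" "x-systemd.mount-timeout=30" ];
    };
  in {
    "/mnt/disk1" = mount "disk1";
    "/mnt/disk2" = mount "disk2";
    "/mnt/jawz" = mount "jawz";
    "/mnt/seedbox" = mount "seedbox";
    # … unchanged: "/", "/home", "/boot", "/boot/efi" …
```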