jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: jawz:weekly-2025-10-11
Branches Tags
jawz:main jawz:clean jawz:modules
jawz:weekly-2025-10-29 jawz:weekly-2025-10-11 jawz:weekly-2025-10-06 jawz:weekly-2025-10-04 jawz:weekly-2025-09-30 jawz:weekly-2025-09-29
..
compare: jawz:667b4c7a4614ea70c1b020df41bcc25437f51ded
Branches Tags
jawz:main jawz:clean jawz:modules
jawz:weekly-2025-10-29 jawz:weekly-2025-10-11 jawz:weekly-2025-10-06 jawz:weekly-2025-10-04 jawz:weekly-2025-09-30 jawz:weekly-2025-09-29

25 Commits
weekly-202 ... 667b4c7a46

Author SHA1 Message Date
Danilo Reyes
667b4c7a46 Refactor WireGuard secret paths for Linode configuration 
- Updated secret paths in wireguard-linode.nix and configuration.nix to use 'linode' instead of 'wireguard' for clarity and consistency.
- Adjusted private key file references in wireguard.nix to align with the new secret path structure.
 2025-10-28 13:53:18 -06:00
Danilo Reyes
01284154f7 Update Linode configuration in jawz.nix and adjust SSH settings 
- Changed hostname reference from 'vps' to 'linode' in jawz.nix for improved clarity.
- Modified SSH service configuration in linode's configuration.nix to force start behavior.
 2025-10-28 13:45:11 -06:00
Danilo Reyes
f1d565225a Refactor Linode configuration and update WireGuard settings 
- Renamed SSH match block from 'vps' to 'linode' in jawz.nix for clarity.
- Updated IP addresses in toggles.nix and other configuration files to reflect the new Linode setup.
- Removed deprecated fail2ban configuration from linode's configuration.nix.
- Adjusted WireGuard interface settings to use the correct IP for linode.
- Cleaned up hardware configuration by removing unnecessary GRUB loader settings.
- Updated secrets management in wireguard.yaml to streamline key handling.
 2025-10-28 13:42:23 -06:00
Danilo Reyes
ac48e8c86b Update WireGuard configuration to disable secureHost and adjust private key handling 
- Changed secureHost setting from true to false in toggles.nix.
- Modified wireguard-linode.nix to use a default private key path when secureHost is false, enhancing flexibility in key management.
 2025-10-28 13:31:40 -06:00
Danilo Reyes
431e145992 Add Linode host configuration and WireGuard setup 
- Introduced new configuration files for Linode host, including hardware configuration, toggles, and WireGuard settings.
- Updated flake.nix to include the new images.nix file for Linode image generation.
- Adjusted SSH key paths and secrets management for WireGuard to ensure proper integration with the new host setup.
- Enhanced firewall rules and NAT configuration for WireGuard to improve security and connectivity.
 2025-10-28 13:30:35 -06:00
Danilo Reyes
fd2962c306 nextcloud headers fix
Some checks failed
Weekly NixOS Build & Cache / build-and-cache (push) Failing after 2m4s
Details
2025-10-26 10:08:37 -06:00
Danilo Reyes
87cca163b0 updated collabora docker 2025-10-26 09:59:24 -06:00
Danilo Reyes
cf64ff1616 heartbeat is a boolean 2025-10-25 00:59:37 -06:00
Danilo Reyes
2f6d65b239 atticd fix 2025-10-25 00:52:22 -06:00
Danilo Reyes
6dc429e56c insecure package ughhhh 2025-10-25 00:00:28 -06:00
Danilo Reyes
28ef0d8108 fixes qbittorrent, nextcloud python update, firewall logic
Some checks failed
Weekly NixOS Build & Cache / build-and-cache (push) Failing after 1m55s
Details
2025-10-18 10:12:09 -06:00
Danilo Reyes
0e5e06bcb6 flake update
Some checks failed
Weekly NixOS Build & Cache / build-and-cache (push) Failing after 18m55s
Details
2025-10-13 10:08:02 -06:00
Danilo Reyes
cf4db411e0 Update SSH key paths in core.nix to use relative paths for improved consistency and maintainability.
Some checks failed
Weekly NixOS Build & Cache / build-and-cache (push) Failing after 18m30s
Details
2025-10-12 23:00:45 -06:00
Danilo Reyes
be82c5c477 Refactor configuration files to include 'inputs' parameter for improved modularity and consistency across hosts. 2025-10-12 22:57:24 -06:00
Danilo Reyes
de5ad541b8 Refactor SSH key management to use centralized key retrieval function for nixremote users across configurations. 2025-10-12 20:28:39 -06:00
Danilo Reyes
0f7e28abd0 more migration stuff 2025-10-12 20:24:42 -06:00
Danilo Reyes
30cff89a50 cleaned up duplicated code 2025-10-12 20:03:24 -06:00
Danilo Reyes
e393a4481b reverted server factory 2025-10-12 19:59:46 -06:00
Danilo Reyes
8664061145 further figration 2025-10-12 14:12:19 -06:00
Danilo Reyes
c3d20aa28f part 3 of the flake-parts migration 2025-10-12 14:02:09 -06:00
Danilo Reyes
11fd8e0440 refractor shell configurations with flake-parts 2025-10-12 13:51:45 -06:00
Danilo Reyes
6f97b24115 flake parts, migrated modules 2025-10-12 13:41:48 -06:00
Danilo Reyes
6497dede6f migration to flake-parts 2025-10-12 13:23:38 -06:00
Danilo Reyes
1b743f9fcc moved some emulators to retroarch cores 2025-10-12 12:58:02 -06:00
Danilo Reyes
6216d19d0b gonna give pop-shell a go 2025-10-12 12:57:50 -06:00
83 changed files with 980 additions and 551 deletions
Expand all files Collapse all files

25
config/base.nix
View File

@@ -75,6 +75,7 @@
"dotnet-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
"mbedtls-2.28.10"
];
};
nix = {
@@ -124,29 +125,7 @@
sops
;
};
variables =
let
XDG_DATA_HOME = "\${HOME}/.local/share";
XDG_CONFIG_HOME = "\${HOME}/.config";
XDG_CACHE_HOME = "\${HOME}/.cache";
in
{
# PATH
inherit XDG_DATA_HOME XDG_CONFIG_HOME XDG_CACHE_HOME;
XDG_BIN_HOME = "\${HOME}/.local/bin";
XDG_STATE_HOME = "\${HOME}/.local/state";
# DEV PATH
PSQL_HISTORY = "${XDG_DATA_HOME}/psql_history";
REDISCLI_HISTFILE = "${XDG_DATA_HOME}/redis/rediscli_history";
WINEPREFIX = "${XDG_DATA_HOME}/wine";
# OPTIONS
ELECTRUMDIR = "${XDG_DATA_HOME}/electrum";
WGETRC = "${XDG_CONFIG_HOME}/wgetrc";
XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose";
"_JAVA_OPTIONS" = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
ORG_DEVICE = "workstation";
PATH = [ "\${HOME}/.local/bin" ];
};
variables = inputs.self.lib.xdgEnvironment;
};
programs = {
nh = {

17
config/home-manager.nix
View File

@@ -14,22 +14,7 @@ let
${pokemon-colorscripts}/bin/pokemon-colorscripts -r --no-title
export command_timeout=60
'';
commonAliases = {
cp = "cp -i";
mv = "mv -i";
mkdir = "mkdir -p";
mkcd = "(){ mkdir -p \"$1\" && cd \"$1\" }";
copy = "xclip -selection clipboard";
cdp = "pwd | copy";
cfp = "(){ readlink -f \"$1\" | copy }";
".." = "cd ..";
"..." = "cd ../..";
".3" = "cd ../../..";
".4" = "cd ../../../..";
".5" = "cd ../../../../..";
c = "cat";
sc = "systemctl --user";
jc = "journalctl --user -xefu";
commonAliases = inputs.self.lib.commonAliases // {
open-gallery = ''
cd /srv/pool/scrapping/JawZ/gallery-dl &&
xdg-open "$(${fd}/bin/fd . ./ Husbands wikifeet -tdirectory -d 1 | ${fzf}/bin/fzf -i)"'';

34
config/jawz.nix
View File

@@ -1,11 +1,12 @@
{ config, lib, ... }:
{
config,
lib,
inputs,
...
}:
let
inherit (config.networking) hostName;
nixosHosts =
lib.attrNames config.my.ips
|> lib.filter (
name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName
);
nixosHosts = inputs.self.lib.getNixosHosts config.my.ips hostName lib;
nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
in
{
@@ -30,9 +31,8 @@ in
programs.ssh = lib.mkIf config.my.secureHost {
enable = true;
matchBlocks = {
vps = {
hostname = config.my.ips.vps;
user = "fedora";
linode = {
hostname = config.my.ips.linode;
port = 3456;
identityFile = config.sops.secrets."private_keys/${hostName}".path;
};
@@ -67,14 +67,14 @@ in
"plugdev"
"bluetooth"
];
openssh.authorizedKeys.keyFiles = [
../secrets/ssh/ed25519_deacero.pub
../secrets/ssh/ed25519_workstation.pub
../secrets/ssh/ed25519_server.pub
../secrets/ssh/ed25519_miniserver.pub
../secrets/ssh/ed25519_galaxy.pub
../secrets/ssh/ed25519_phone.pub
../secrets/ssh/ed25519_vps.pub
openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [
"deacero"
"workstation"
"server"
"miniserver"
"galaxy"
"phone"
"linode"
];
};
}

1
environments/gnome.nix
View File

@@ -40,6 +40,7 @@
gamemode-shell-extension # I guess I'm a gamer now?
burn-my-windows # special effects for when closing windows
pano # clipboard manager
pop-shell
;
};
}

10
environments/hyprland.nix
View File

@@ -23,13 +23,11 @@ in
wl-clipboard-rs
wf-recorder
grimblast # screenshots
mako # notification daemon
libnotify # dependency of mako
swaylock-effects # screen locker
yazi # file manager
imv # images
playerctl # media player control
;
};
@@ -78,27 +76,22 @@ in
"${mod}, bracketright, changegroupactive, f"
"${mod}, S, exec, wofi --show drun icons"
"${mod}, P, pin, active"
"${mod}, left, movefocus, l"
"${mod}, right, movefocus, r"
"${mod}, up, movefocus, u"
"${mod}, down, movefocus, d"
"${mod}, h, movefocus, l"
"${mod}, l, movefocus, r"
"${mod}, k, movefocus, u"
"${mod}, j, movefocus, d"
"${mod} SHIFT, left, movewindow, l"
"${mod} SHIFT, right, movewindow, r"
"${mod} SHIFT, up, movewindow, u"
"${mod} SHIFT, down, movewindow, d"
"${mod} SHIFT, h, movewindow, l"
"${mod} SHIFT, l, movewindow, r"
"${mod} SHIFT, k, movewindow, u"
"${mod} SHIFT, j, movewindow, d"
"${mod}, 1, workspace, 1"
"${mod}, 2, workspace, 2"
"${mod}, 3, workspace, 3"
@@ -119,7 +112,6 @@ in
"${mod} SHIFT, 8, movetoworkspace, 8"
"${mod} SHIFT, 9, movetoworkspace, 9"
"${mod} SHIFT, 0, movetoworkspace, 10"
"${mod}, F3, exec, grimblast save area ~/Pictures/screenshots/$(date +'%Y-%m-%d_%H-%M-%S').png"
"${mod} SHIFT, F3, exec, grimblast save screen ~/Pictures/screenshots/$(date +'%Y-%m-%d_%H-%M-%S').png"
];
@@ -128,12 +120,10 @@ in
"${mod} SHIFT, l, moveactive, 20 0"
"${mod} SHIFT, k, moveactive, 0 -20"
"${mod} SHIFT, j, moveactive, 0 20"
"${mod} CTRL, l, resizeactive, 30 0"
"${mod} CTRL, h, resizeactive, -30 0"
"${mod} CTRL, k, resizeactive, 0 -10"
"${mod} CTRL, j, resizeactive, 0 10"
",XF86AudioRaiseVolume, exec, wpctl set-volume -l 1.4 @DEFAULT_AUDIO_SINK@ 5%+"
",XF86AudioLowerVolume, exec, wpctl set-volume -l 1.4 @DEFAULT_AUDIO_SINK@ 5%-"
];

2
environments/waybar-style.nix
View File

@@ -30,12 +30,10 @@ in
border: none;
min-width: 20px;
}
#workspaces button.active {
background: #${colors.base02};
color: #${colors.base05};
}
#workspaces button:hover {
background: #${colors.base01};
color: #${colors.base04};

137
flake.lock generated
View File

@@ -20,11 +20,11 @@
]
},
"locked": {
"lastModified": 1759499898,
"narHash": "sha256-UNzYHLWfkSzLHDep5Ckb5tXc0fdxwPIrT+MY4kpQttM=",
"lastModified": 1760101617,
"narHash": "sha256-8jf/3ZCi+B7zYpIyV04+3wm72BD7Z801IlOzsOACR7I=",
"owner": "hyprwm",
"repo": "aquamarine",
"rev": "655e067f96fd44b3f5685e17f566b0e4d535d798",
"rev": "1826a9923881320306231b1c2090379ebf9fa4f8",
"type": "github"
},
"original": {
@@ -54,16 +54,17 @@
"base16-fish": {
"flake": false,
"locked": {
"lastModified": 1622559957,
"narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
"lastModified": 1754405784,
"narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=",
"owner": "tomyun",
"repo": "base16-fish",
"rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
"rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
"type": "github"
},
"original": {
"owner": "tomyun",
"repo": "base16-fish",
"rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
"type": "github"
}
},
@@ -215,11 +216,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1759362264,
"narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
"lastModified": 1760948891,
"narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
"rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
"type": "github"
},
"original": {
@@ -232,6 +233,24 @@
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1760813311,
"narHash": "sha256-lbHQ7FXGzt6/IygWvJ1lCq+Txcut3xYYd6VIpF1ojkg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "4e627ac2e1b8f1de7f5090064242de9a259dbbc8",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_3"
},
"locked": {
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
@@ -245,7 +264,7 @@
"type": "indirect"
}
},
"flake-parts_3": {
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": [
"nur",
@@ -266,7 +285,7 @@
"type": "github"
}
},
"flake-parts_4": {
"flake-parts_5": {
"inputs": {
"nixpkgs-lib": [
"stylix",
@@ -442,11 +461,11 @@
]
},
"locked": {
"lastModified": 1759490292,
"narHash": "sha256-T6iWzDOXp8Wv0KQOCTHpBcmAOdHJ6zc/l9xaztW6Ivc=",
"lastModified": 1760445448,
"narHash": "sha256-fXGjL6dw31FPFRrmIemzGiNSlfvEJTJNsmadZi+qNhI=",
"owner": "hyprwm",
"repo": "hyprgraphics",
"rev": "9431db625cd9bb66ac55525479dce694101d6d7a",
"rev": "50fb9f069219f338a11cf0bcccb9e58357d67757",
"type": "github"
},
"original": {
@@ -473,11 +492,11 @@
"xdph": "xdph"
},
"locked": {
"lastModified": 1760143218,
"narHash": "sha256-OhJPROcRcwBkjOKkXr/f3/7wuSjhAIqr8WfmEUF9Uuo=",
"lastModified": 1761340761,
"narHash": "sha256-j12amQpLU23PbblMzw8Tt4whr2PxjP6XXYH99uYGFGc=",
"owner": "hyprwm",
"repo": "Hyprland",
"rev": "d599513d4a72d66ac62ffdedc41d6653fa81b39e",
"rev": "da04afa44e7545771b08f8e0defd2cd1810f1613",
"type": "github"
},
"original": {
@@ -498,11 +517,11 @@
]
},
"locked": {
"lastModified": 1749046714,
"narHash": "sha256-kymV5FMnddYGI+UjwIw8ceDjdeg7ToDVjbHCvUlhn14=",
"lastModified": 1759610243,
"narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=",
"owner": "hyprwm",
"repo": "hyprland-protocols",
"rev": "613878cb6f459c5e323aaafe1e6f388ac8a36330",
"rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622",
"type": "github"
},
"original": {
@@ -681,17 +700,17 @@
},
"nix-gaming": {
"inputs": {
"flake-parts": "flake-parts",
"flake-parts": "flake-parts_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1760146997,
"narHash": "sha256-x2sF8Q4tWz3DI166s+KFDXySrK+cN+/YEd3DfhnhBLQ=",
"lastModified": 1761356901,
"narHash": "sha256-YDySchURSJrS1P8zuzmFqypUS7shY6//0e0JiMZeLSI=",
"owner": "fufexan",
"repo": "nix-gaming",
"rev": "ad505387568d024654da88fef03d9c5319cba92f",
"rev": "a8635e459ff96acbd156a8de613b99d9d6b3676a",
"type": "github"
},
"original": {
@@ -768,6 +787,21 @@
}
},
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1754788789,
"narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-lib_3": {
"locked": {
"dir": "lib",
"lastModified": 1711703276,
@@ -787,11 +821,11 @@
},
"nixpkgs-small": {
"locked": {
"lastModified": 1760081104,
"narHash": "sha256-n9NgHBtZgLrT1FtJ2W9AvVKM7bXWBgqw/is739m72WQ=",
"lastModified": 1761294158,
"narHash": "sha256-woFH58dy/EDeL1Li4IarZE9+0p0zdPmCsxCvKA7oYu4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "872106a411643f96e2c9576d247cf96e7c8c1b97",
"rev": "e7b2e554a77018dec2f259b782d062500c133d49",
"type": "github"
},
"original": {
@@ -803,11 +837,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1760038930,
"narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=",
"lastModified": 1761114652,
"narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3",
"rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
"type": "github"
},
"original": {
@@ -819,11 +853,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1759994382,
"narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=",
"lastModified": 1761173472,
"narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7",
"rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb",
"type": "github"
},
"original": {
@@ -835,7 +869,7 @@
},
"nixtendo-switch": {
"inputs": {
"flake-parts": "flake-parts_2",
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
]
@@ -856,17 +890,17 @@
},
"nur": {
"inputs": {
"flake-parts": "flake-parts_3",
"flake-parts": "flake-parts_4",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1760150127,
"narHash": "sha256-McDmxx/bruodgHLD4sFIl0fKkEkNj5VE3DglImfslrk=",
"lastModified": 1761364085,
"narHash": "sha256-4BKMXhQ8SSYOo9NoK221fVYM86xMw5smoqHvwmLaDEo=",
"owner": "nix-community",
"repo": "nur",
"rev": "886a5646695563cbae3c1e10369c6070c7645e73",
"rev": "e9f1e9e9cb027dd87785534261d0feb0097dfcfa",
"type": "github"
},
"original": {
@@ -911,11 +945,11 @@
]
},
"locked": {
"lastModified": 1758108966,
"narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=",
"lastModified": 1760663237,
"narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b",
"rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
"type": "github"
},
"original": {
@@ -943,6 +977,7 @@
"root": {
"inputs": {
"doom-emacs": "doom-emacs",
"flake-parts": "flake-parts",
"fonts": "fonts",
"home-manager": "home-manager",
"hyprland": "hyprland",
@@ -968,11 +1003,11 @@
]
},
"locked": {
"lastModified": 1759635238,
"narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=",
"lastModified": 1760998189,
"narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "6e5a38e08a2c31ae687504196a230ae00ea95133",
"rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
"type": "github"
},
"original": {
@@ -988,7 +1023,7 @@
"base16-helix": "base16-helix",
"base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme",
"flake-parts": "flake-parts_4",
"flake-parts": "flake-parts_5",
"gnome-shell": "gnome-shell",
"nixpkgs": [
"nixpkgs"
@@ -1002,11 +1037,11 @@
"tinted-zed": "tinted-zed"
},
"locked": {
"lastModified": 1759596342,
"narHash": "sha256-1Eda1V8pjpviMdBTdDXrFp7jkaUokIgXgBYTZyzDODk=",
"lastModified": 1760478648,
"narHash": "sha256-Y4l+Y3zUvqIDbyLrtOrzNvp1o50Fp9TYK+iwtwweFU4=",
"owner": "danth",
"repo": "stylix",
"rev": "4d065856e936fc6a99ba55d39ac2df9ded6bedbe",
"rev": "1ec254101285777db13922303cc47ded06e10bb3",
"type": "github"
},
"original": {
@@ -1259,11 +1294,11 @@
]
},
"locked": {
"lastModified": 1755354946,
"narHash": "sha256-zdov5f/GcoLQc9qYIS1dUTqtJMeDqmBmo59PAxze6e4=",
"lastModified": 1760713634,
"narHash": "sha256-5HXelmz2x/uO26lvW7MudnadbAfoBnve4tRBiDVLtOM=",
"owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland",
"rev": "a10726d6a8d0ef1a0c645378f983b6278c42eaa0",
"rev": "753bbbdf6a052994da94062e5b753288cef28dfb",
"type": "github"
},
"original": {

79
flake.nix
View File

@@ -1,6 +1,7 @@
{
description = "JawZ NixOS flake setup";
inputs = {
flake-parts.url = "github:hercules-ci/flake-parts";
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.05";
nixpkgs-small.url = "github:nixos/nixpkgs?ref=nixos-25.05-small";
nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
@@ -59,76 +60,14 @@
};
};
outputs =
{ self, jawz-scripts, ... }@inputs:
let
inherit (self) outputs;
system = "x86_64-linux";
mkpkgs =
repo:
import repo {
inherit system;
config.allowUnfree = true;
};
langList = builtins.filter (name: name != "emacs") (
builtins.map (file: builtins.replaceStrings [ ".nix" ] [ "" ] (baseNameOf file)) (
builtins.attrNames (builtins.readDir ./modules/dev)
)
);
commonModules = name: [
{
nixpkgs.overlays = [
(import ./config/overlay.nix { inherit mkpkgs inputs; })
inputs.doom-emacs.overlays.default
inputs:
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
imports = [
./parts/core.nix
./parts/hosts.nix
./parts/packages.nix
./parts/devshells.nix
./parts/images.nix
];
}
{
nix.registry = {
jawz.flake = self;
unstable.flake = inputs.nixpkgs-unstable;
};
}
./hosts/${name}/configuration.nix
inputs.nur.modules.nixos.default
inputs.sops-nix.nixosModules.sops
inputs.stylix.nixosModules.stylix
inputs.nixtendo-switch.nixosModules.nixtendo-switch
];
createConfig =
name: local-nixpkgs:
let
lib = local-nixpkgs.lib // inputs.home-manager.lib;
in
lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs outputs;
};
modules = commonModules name;
};
in
{
nixosConfigurations = {
workstation = createConfig "workstation" inputs.nixpkgs;
miniserver = createConfig "miniserver" inputs.nixpkgs-small;
server = createConfig "server" inputs.nixpkgs-small;
galaxy = createConfig "galaxy" inputs.nixpkgs-small;
emacs = createConfig "emacs" inputs.nixpkgs;
};
packages.${system} = (jawz-scripts.packages.${system} or { }) // {
emacs-vm = inputs.nixos-generators.nixosGenerate {
inherit system;
specialArgs = {
inherit inputs outputs;
};
modules = commonModules "emacs";
format = "vm";
};
};
devShells.${system} = builtins.listToAttrs (
map (name: {
inherit name;
value = self.nixosConfigurations.emacs.config.devShells.${name};
}) langList
);
};
}

47
hosts/linode/configuration.nix Normal file
View File

@@ -0,0 +1,47 @@
{
lib,
pkgs,
config,
inputs,
...
}:
{
imports = [
./hardware-configuration.nix
./wireguard-linode.nix
../../config/base.nix
inputs.nixos-generators.nixosModules.linode
];
my = import ./toggles.nix { inherit config inputs; } // {
nix.cores = 2;
users.nixremote.enable = false;
network.firewall = {
enabledServicePorts = true;
additionalPorts = [ ];
};
};
networking.hostName = "linode";
services.openssh = {
enable = true;
openFirewall = true;
startWhenNeeded = lib.mkForce false;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
KbdInteractiveAuthentication = false;
};
};
environment.systemPackages = builtins.attrValues {
inherit (pkgs)
htop
iotop
tcpdump
wireguard-tools
;
};
system.autoUpgrade = {
enable = true;
dates = "weekly";
allowReboot = true;
};
}

43
hosts/linode/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,43 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
tmp.cleanOnBoot = true;
kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.tcp_syncookies" = 1;
};
kernelModules = [
"virtio_pci"
"virtio_blk"
"virtio_net"
];
initrd = {
availableKernelModules = [
"virtio_pci"
"virtio_scsi"
"virtio_blk"
"virtio_net"
"9p"
"9pnet_virtio"
];
kernelModules = [ ];
};
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/sda";
fsType = "ext4";
};
swapDevices = [ { device = "/dev/sdb"; } ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.enableRedistributableFirmware = true;
}

16
hosts/linode/toggles.nix Normal file
View File

@@ -0,0 +1,16 @@
_: {
timeZone = "America/Mexico_City";
services = {
network.enable = true;
wireguard.enable = true;
};
secureHost = false;
interfaces.linode = "eth0";
ips = {
linode = "51.222.141.104";
wg-linode = "10.77.0.1";
wg-server = "10.77.0.2";
wg-friend1 = "10.8.0.2";
wg-friends = "10.8.0.0";
};
}

76
hosts/linode/wireguard-linode.nix Normal file
View File

@@ -0,0 +1,76 @@
{
config,
lib,
pkgs,
...
}:
{
config = lib.mkIf config.my.services.wireguard.enable {
sops.secrets."linode/linode/private" = lib.mkIf config.my.secureHost {
sopsFile = ../../secrets/wireguard.yaml;
};
networking = {
nat = {
enable = true;
externalInterface = config.my.interfaces.${config.networking.hostName};
internalInterfaces = [ "wg0" ];
};
firewall = {
allowedUDPPorts = [ 51820 ];
extraCommands = ''
iptables -I FORWARD 1 -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT
iptables -I FORWARD 2 -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP
iptables -I FORWARD 4 -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP
iptables -A FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
'';
extraStopCommands = ''
iptables -D FORWARD -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP 2>/dev/null || true
iptables -D FORWARD -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
'';
};
wireguard.interfaces.wg0 = {
ips = [
"${config.my.ips.wg-linode}/24"
"${config.my.ips.wg-friends}/24"
];
listenPort = 51820;
privateKeyFile =
if config.my.secureHost then
config.sops.secrets."linode/linode/private".path
else
"/var/lib/wireguard/private.key";
postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j MASQUERADE";
postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j MASQUERADE 2>/dev/null || true";
peers = [
{
publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
allowedIPs = [ "${config.my.ips.wg-server}/32" ];
}
{
publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
allowedIPs = [ "${config.my.ips.wg-friend1}/32" ];
}
];
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
environment.systemPackages = [ pkgs.wireguard-tools ];
};
}

10
hosts/miniserver/configuration.nix
View File

@@ -1,17 +1,17 @@
{ config, ... }:
{ config, inputs, ... }:
{
imports = [
./hardware-configuration.nix
../../config/base.nix
../../config/stylix.nix
];
my = import ./toggles.nix // {
my = import ./toggles.nix { inherit inputs; } // {
nix.cores = 3;
nix.maxJobs = 8;
users.nixremote.enable = true;
users.nixremote.authorizedKeys = [
../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixserver.pub
users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixserver"
];
};
nix.buildMachines =

14
hosts/miniserver/toggles.nix
View File

@@ -1,16 +1,6 @@
{ inputs }:
let
mkEnabled = name: {
inherit name;
value.enable = true;
};
mkEnabledWithProxy = name: {
inherit name;
value = {
enable = true;
enableProxy = true;
};
};
enableList = func: list: list |> map func |> builtins.listToAttrs;
inherit (inputs.self.lib) mkEnabled mkEnabledWithProxy enableList;
in
{
emacs.enable = true;

19
hosts/server/configuration.nix
View File

@@ -2,6 +2,7 @@
pkgs,
config,
lib,
inputs,
...
}:
{
@@ -10,12 +11,12 @@
../../config/base.nix
../../config/stylix.nix
];
my = import ./toggles.nix { inherit config; } // {
my = import ./toggles.nix { inherit config inputs; } // {
nix.cores = 6;
users.nixremote.enable = true;
users.nixremote.authorizedKeys = [
../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixminiserver.pub
users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixminiserver"
];
network.firewall.enabledServicePorts = true;
network.firewall.additionalPorts = [
@@ -36,7 +37,7 @@
supportedFeatures = config.my.nix.features;
}
];
sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost {
sops.secrets."linode/server/private" = lib.mkIf config.my.secureHost {
sopsFile = ../../secrets/wireguard.yaml;
};
networking = {
@@ -47,14 +48,14 @@
};
wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
ips = [ "${config.my.ips.wg-server}/32" ];
privateKeyFile = config.sops.secrets."vps/home/private".path;
privateKeyFile = config.sops.secrets."linode/server/private".path;
peers = [
{
publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
endpoint = "${config.my.ips.vps}:51820";
endpoint = "${config.my.ips.linode}:51820";
allowedIPs = [
"${config.my.ips.wg-vps}/32"
"${config.my.ips.wg-friends}/24" # all friends
"${config.my.ips.wg-linode}/32"
"${config.my.ips.wg-friends}/24"
];
persistentKeepalive = 25;
}

16
hosts/server/toggles.nix
View File

@@ -1,17 +1,7 @@
{ config }:
{ config, inputs }:
let
mkEnabled = name: {
inherit name;
value.enable = true;
};
mkEnabledIp = name: {
inherit name;
value = {
enable = true;
ip = config.my.ips.wg-server;
};
};
enableList = func: list: list |> map func |> builtins.listToAttrs;
inherit (inputs.self.lib) mkEnabled enableList;
mkEnabledIp = inputs.self.lib.mkEnabledIp config.my.ips.wg-server;
in
{
mainServer = "server";

9
hosts/workstation/configuration.nix
View File

@@ -1,6 +1,7 @@
{
pkgs,
config,
inputs,
...
}:
let
@@ -22,13 +23,13 @@ in
../../config/stylix.nix
../../environments/gnome.nix
];
my = import ./toggles.nix // {
my = import ./toggles.nix { inherit inputs; } // {
nix.cores = 8;
nix.maxJobs = 8;
users.nixremote.enable = true;
users.nixremote.authorizedKeys = [
../../secrets/ssh/ed25519_nixserver.pub
../../secrets/ssh/ed25519_nixminiserver.pub
users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
"nixserver"
"nixminiserver"
];
};
home-manager.users.jawz = {

7
hosts/workstation/toggles.nix
View File

@@ -1,9 +1,6 @@
{ inputs }:
let
mkEnabled = name: {
inherit name;
value.enable = true;
};
enableList = func: list: list |> map func |> builtins.listToAttrs;
inherit (inputs.self.lib) mkEnabled enableList;
in
{
stylix.enable = true;

20
modules/apps/gaming.nix
View File

@@ -5,6 +5,21 @@
pkgs,
...
}:
let
retroarchWithCores = pkgs.retroarch.withCores (
cores:
builtins.attrValues {
inherit (cores)
mgba # gba
pcsx2 # ps2
dolphin # wii / gamecube
snes9x2010 # snes
desmume # nintendo ds
citra # 3ds
;
}
);
in
{
imports = [ inputs.nix-gaming.nixosModules.platformOptimizations ];
options.my.apps = {
@@ -36,6 +51,7 @@
# };
};
users.users.jawz.packages = builtins.attrValues {
inherit retroarchWithCores;
inherit (pkgs)
shipwright # zelda OoT port
mangohud # fps & stats overlay
@@ -47,12 +63,8 @@
ns-usbloader # load games into my switch
# emulators
rpcs3 # ps3
pcsx2 # ps2
cemu # wii u
dolphin-emu # wii
snes9x-gtk # snes
ryubing # switch
azahar # 3Ds
prismlauncher # minecraft launcher with jdk overlays
;
};

5
modules/dev/emacs.nix
View File

@@ -1,5 +1,6 @@
{
config,
inputs,
lib,
pkgs,
...
@@ -14,7 +15,9 @@
"doom/templates/programming.org".source = ../../dotfiles/doom/templates/programming.org;
};
services.lorri.enable = true;
programs.${config.my.shell.type}.shellAliases = {
programs.${config.my.shell.type}.shellAliases =
inputs.self.lib.mergeAliases inputs.self.lib.commonAliases
{
edit = "emacsclient -t";
e = "edit";
};

5
modules/dev/nix.nix
View File

@@ -1,5 +1,6 @@
{
config,
inputs,
lib,
pkgs,
...
@@ -33,7 +34,9 @@ in
};
config = lib.mkIf config.my.dev.nix.enable {
users.users.jawz = { inherit packages; };
home-manager.users.jawz.programs.${shellType}.shellAliases = {
home-manager.users.jawz.programs.${shellType}.shellAliases =
inputs.self.lib.mergeAliases inputs.self.lib.commonAliases
{
nixformat = ''
deadnix -e && \
nix run nixpkgs#nixfmt-tree && \

54
modules/factories/mkserver.nix
View File

@@ -53,58 +53,8 @@ let
default = null;
};
};
proxy = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
http2 = true;
};
proxyReverse =
cfg:
proxy {
"/" = {
proxyPass = "http://${cfg.ip}:${toString cfg.port}/";
proxyWebsockets = cfg.enableSocket;
};
};
proxyReverseFix =
cfg:
let
useLocalhost = cfg.hostName == config.networking.hostName;
localHeaders = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
in
proxyReverse cfg
// {
extraConfig = ''
${if useLocalhost then localHeaders else ""}
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_redirect off;
proxy_http_version 1.1;
'';
};
proxyReversePrivate =
cfg:
proxyReverse cfg
// {
extraConfig = ''
ssl_verify_client on;
ssl_client_certificate ${cfg.certPath};
error_page 403 /403.html;
'';
};
in
{
inherit
mkOptions
proxy
proxyReverse
proxyReverseFix
proxyReversePrivate
;
inherit mkOptions;
mkServerOptions = mkOptions;
}

73
modules/modules.nix
View File

@@ -1,23 +1,23 @@
{ lib, config, ... }:
{
lib,
config,
inputs,
...
}:
let
filterNames = file: file != "librewolf.nix";
autoImport =
dir:
builtins.readDir ./${dir}
|> builtins.attrNames
|> builtins.filter (file: builtins.match ".*\\.nix" file != null && filterNames file)
|> map (file: ./${dir}/${file});
in
{
imports =
autoImport "apps"
++ autoImport "dev"
++ autoImport "scripts"
++ autoImport "servers"
++ autoImport "services"
++ autoImport "shell"
++ autoImport "network"
inputs.self.lib.autoImport ./apps filterNames
++ inputs.self.lib.autoImport ./dev filterNames
++ inputs.self.lib.autoImport ./scripts filterNames
++ inputs.self.lib.autoImport ./servers filterNames
++ inputs.self.lib.autoImport ./services filterNames
++ inputs.self.lib.autoImport ./shell filterNames
++ inputs.self.lib.autoImport ./network filterNames
++ [
./factories/mkscript.nix
./nix/build.nix
./users/nixremote.nix
];
@@ -49,8 +49,8 @@ in
server = "192.168.100.15";
miniserver = "192.168.1.100";
workstation = "192.168.100.18";
vps = "51.222.141.104";
wg-vps = "10.77.0.1";
linode = "51.222.141.104";
wg-linode = "10.77.0.1";
wg-server = "10.77.0.2";
wg-friend1 = "10.8.0.2";
wg-friends = "10.8.0.0";
@@ -63,6 +63,7 @@ in
server = "enp0s31f6";
miniserver = "enp2s0";
workstation = "enp5s0";
linode = "eth0";
};
description = "Set of network interface names for all my computers.";
};
@@ -105,39 +106,45 @@ in
enableProxy = lib.mkEnableOption "nginx reverse proxy for services";
};
config = {
assertions = [
assertions =
# PostgreSQL dependency assertions
inputs.self.lib.mkPostgresDependencies config [
{
assertion = config.my.servers.nextcloud.enable -> config.my.servers.postgres.enable;
message = "Nextcloud requires PostgreSQL to be enabled";
service = "nextcloud";
name = "Nextcloud";
}
{
assertion = config.my.servers.vaultwarden.enable -> config.my.servers.postgres.enable;
message = "Vaultwarden requires PostgreSQL to be enabled";
service = "vaultwarden";
name = "Vaultwarden";
}
{
assertion = config.my.servers.firefly-iii.enable -> config.my.servers.postgres.enable;
message = "Firefly III requires PostgreSQL to be enabled";
service = "firefly-iii";
name = "Firefly III";
}
{
assertion = config.my.servers.mealie.enable -> config.my.servers.postgres.enable;
message = "Mealie requires PostgreSQL to be enabled";
service = "mealie";
name = "Mealie";
}
{
assertion = config.my.servers.shiori.enable -> config.my.servers.postgres.enable;
message = "Shiori requires PostgreSQL to be enabled";
service = "shiori";
name = "Shiori";
}
{
assertion = config.my.servers.ryot.enable -> config.my.servers.postgres.enable;
message = "Ryot requires PostgreSQL to be enabled";
service = "ryot";
name = "Ryot";
}
{
assertion = config.my.servers.synapse.enable -> config.my.servers.postgres.enable;
message = "Matrix Synapse requires PostgreSQL to be enabled";
service = "synapse";
name = "Matrix Synapse";
}
{
assertion = config.my.servers.gitea.enable -> config.my.servers.postgres.enable;
message = "Gitea requires PostgreSQL to be enabled";
service = "gitea";
name = "Gitea";
}
]
++
# Other assertions
[
{
assertion =
config.my.enableProxy

44
modules/network/firewall.nix
View File

@@ -1,18 +1,24 @@
{ lib, config, ... }:
{
lib,
config,
inputs,
...
}:
let
nativeServicesWithOpenFirewall = [
"adguardhome"
"plex"
"nix-serve"
"radarr"
"sonarr"
"jellyfin"
"prowlarr"
"bazarr"
"stash"
"ombi"
"flaresolverr"
firewallBlacklist = [
"sabnzbd"
"lidarr"
"maloja"
"tranga"
"flame"
"flameSecret"
"ryot"
"drpp"
"metube"
"multi-scrobbler"
"plex-discord-bot"
];
nativeServicesWithOpenFirewall = inputs.self.lib.getServicesWithNativeFirewall config firewallBlacklist;
servicesConfig = lib.listToAttrs (
map (serviceName: {
name = serviceName;
@@ -37,17 +43,7 @@ in
config = lib.mkIf config.my.network.firewall.enabledServicePorts {
services = servicesConfig;
networking.firewall.allowedTCPPorts =
config.my.network.firewall.staticPorts
++ config.my.network.firewall.additionalPorts
++ (
config.my.servers
|> lib.filterAttrs (
name: srv:
(srv.enable or false) && (srv ? port) && !(builtins.elem name nativeServicesWithOpenFirewall)
)
|> lib.attrValues
|> map (srv: srv.port)
)
inputs.self.lib.generateFirewallPorts config nativeServicesWithOpenFirewall lib
++ (lib.optionals config.services.nginx.enable [
config.services.nginx.defaultHTTPListenPort
config.services.nginx.defaultSSLListenPort

14
modules/network/nginx.nix
View File

@@ -1,6 +1,10 @@
{ lib, config, ... }:
{
lib,
config,
inputs,
...
}:
let
setup = import ../factories/mkserver.nix { inherit lib config; };
proxyReverseServices = [
"firefox-syncserver"
"readeck"
@@ -44,11 +48,11 @@ let
cfg = config.my.servers.${serviceName};
proxyFunc =
if serviceConfig.type == "proxyReverse" then
setup.proxyReverse
inputs.self.lib.proxyReverse
else if serviceConfig.type == "proxyReverseFix" then
setup.proxyReverseFix
inputs.self.lib.proxyReverseFix
else if serviceConfig.type == "proxyReversePrivate" then
setup.proxyReversePrivate
inputs.self.lib.proxyReversePrivate
else
throw "Unknown proxy type: ${serviceConfig.type}";
in

27
modules/scripts/download.nix
View File

@@ -6,7 +6,6 @@
...
}:
{
imports = [ ../factories/mkscript.nix ];
options.my.units = {
download.enable = lib.mkEnableOption "media download automation scripts";
downloadManga.enable = lib.mkEnableOption "manga download automation";
@@ -17,32 +16,26 @@
in
{
home-manager.users.jawz.programs.${config.my.shell.type} = {
shellAliases = {
shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
dl = "${download}/bin/download -u jawz -i";
comic = ''dl "$(cat "$LC" | fzf --multi --exact -i)"'';
gallery = ''dl "$(cat "$LW" | fzf --multi --exact -i)"'';
};
}
// (
if config.my.shell.type == "bash" then
{
initExtra = ''
//
inputs.self.lib.shellConditional config.my.shell.type
''
list_root=$XDG_CONFIG_HOME/jawz/lists/jawz
export LW=$list_root/watch.txt
export LI=$list_root/instant.txt
export LC=$list_root/comic.txt
''
''
list_root=$XDG_CONFIG_HOME/jawz/lists/jawz
export LW=$list_root/watch.txt
export LI=$list_root/instant.txt
export LC=$list_root/comic.txt
'';
}
else
{
initContent = ''
list_root=$XDG_CONFIG_HOME/jawz/lists/jawz
export LW=$list_root/watch.txt
export LI=$list_root/instant.txt
export LC=$list_root/comic.txt
'';
}
);
systemd.user = {
services =
let

1
modules/scripts/ffmpeg4discord.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.ffmpeg4discord = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/ffmpreg.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.ffmpreg = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/find-dup-episode.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.find-dup-episodes = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/library-report.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.library-report = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/manage-library.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.manage-library = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/pika-list.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.pika-list = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/run.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.run = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/split-dir.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.split-dir = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/stream-dl.nix
View File

@@ -6,7 +6,6 @@
...
}:
{
imports = [ ../factories/mkscript.nix ];
options.my.units.stream-dl.enable = lib.mkEnableOption "streaming media download service";
config =
let

1
modules/scripts/tasks.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.tasks = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/tuh-activity-logger.nix
View File

@@ -1,6 +1,5 @@
{ inputs, lib, ... }:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.tuh-activity-logger = {
enable = lib.mkDefault false;
install = true;

1
modules/scripts/update-dns.nix
View File

@@ -6,7 +6,6 @@
...
}:
{
imports = [ ../factories/mkscript.nix ];
config = lib.mkIf config.my.secureHost {
sops.secrets = {
cloudflare-api.sopsFile = ../../secrets/env.yaml;

1
modules/scripts/update-org-agenda-cache.nix
View File

@@ -5,7 +5,6 @@
...
}:
{
imports = [ ../factories/mkscript.nix ];
config.my.scripts.update-org-agenda-cache = {
enable = lib.mkDefault false;
install = config.my.emacs.enable;

16
modules/servers/atticd.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.atticd;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.atticd;
in
{
options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343;
@@ -13,6 +17,7 @@ in
settings = {
listen = "[::]:${toString cfg.port}";
jwt = { };
database.heartbeat = true; # 5 minutes
chunking = {
nar-size-threshold = 64 * 1024; # 64 KiB
min-size = 16 * 1024; # 16 KiB
@@ -29,5 +34,12 @@ in
};
};
};
systemd.services.atticd = {
serviceConfig = {
TimeoutStartSec = "15min";
TimeoutStopSec = "5min";
MemoryMax = "4G";
};
};
};
}

8
modules/servers/audiobookshelf.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.audiobookshelf;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.audiobookshelf;
in
{
options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687;

8
modules/servers/bazarr.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.bazarr;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.bazarr;
in
{
options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;

8
modules/servers/drpp.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.drpp;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.drpp;
in
{
options.my.servers.drpp = setup.mkOptions "drpp" "drpp" 0;

8
modules/servers/firefox-syncserver.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.firefox-syncserver;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.firefox-syncserver;
in
{
options.my.servers.firefox-syncserver = setup.mkOptions "firefox-syncserver" "sync" 4233;

6
modules/servers/flame.nix
View File

@@ -1,4 +1,8 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.flame;
cfgS = config.my.servers.flameSecret;

2
modules/servers/gitea.nix
View File

@@ -5,8 +5,8 @@
...
}:
let
cfg = config.my.servers.gitea;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.gitea;
in
{
imports = [

8
modules/servers/homepage.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.homepage;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.homepage;
in
{
options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;

2
modules/servers/jellyfin.nix
View File

@@ -8,6 +8,7 @@
let
cfg = config.my.servers.jellyfin;
inherit (inputs.jawz-scripts.packages.x86_64-linux) sub-sync;
setup = import ../factories/mkserver.nix { inherit lib config; };
sub-sync-path = [
pkgs.nix
pkgs.bash
@@ -19,7 +20,6 @@ let
pkgs.gum
sub-sync
];
setup = import ../factories/mkserver.nix { inherit lib config; };
in
{
options.my.servers.jellyfin = setup.mkOptions "jellyfin" "flix" 8096;

8
modules/servers/kavita.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.kavita;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.kavita;
in
{
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;

8
modules/servers/lidarr.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.lidarr;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.lidarr;
in
{
options.my.servers.lidarr = setup.mkOptions "lidarr" "music" 8686;

8
modules/servers/maloja.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.maloja;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.maloja;
in
{
options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;

8
modules/servers/mealie.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.mealie;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.mealie;
in
{
options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;

8
modules/servers/metube.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.metube;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.metube;
in
{
options.my.servers.metube = setup.mkOptions "metube" "bajameesta" 8881;

8
modules/servers/microbin.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.microbin;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.microbin;
in
{
options.my.servers.microbin = setup.mkOptions "microbin" "copy" 8086;

8
modules/servers/multi-scrobbler.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.multi-scrobbler;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.multi-scrobbler;
in
{
options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;

43
modules/servers/nextcloud.nix
View File

@@ -6,6 +6,7 @@
...
}:
let
setup = import ../factories/mkserver.nix { inherit lib config; };
commonProxyConfig = ''
proxy_set_header Host $host;
'';
@@ -28,10 +29,9 @@ let
};
}
);
pytensorflow = pkgs.python311.withPackages (ps: [ ps.tensorflow ]);
pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]);
cfg = config.my.servers.nextcloud;
cfgC = config.my.servers.collabora;
setup = import ../factories/mkserver.nix { inherit lib config; };
in
{
options.my.servers = {
@@ -175,6 +175,14 @@ in
];
#vps
serverAliases = [ "cloud.rotehaare.art" ];
extraConfig = ''
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
'';
locations = {
"/".proxyWebsockets = true;
"~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
@@ -187,6 +195,11 @@ in
http2 = true;
locations = {
# static files
"^~ /browser" = {
proxyPass = cfgC.local;
extraConfig = commonProxyConfig;
};
# Legacy static files (for compatibility)
"^~ /loleaflet" = {
proxyPass = cfgC.local;
extraConfig = commonProxyConfig;
@@ -202,11 +215,21 @@ in
extraConfig = commonProxyConfig;
};
# download, presentation, image upload and websocket
"~ ^/cool" = {
proxyPass = cfgC.local;
extraConfig = commonWebsocketConfig;
};
# Legacy websocket (for compatibility)
"~ ^/lool" = {
proxyPass = cfgC.local;
extraConfig = commonWebsocketConfig;
};
# Admin Console websocket
"^~ /cool/adminws" = {
proxyPass = cfgC.local;
extraConfig = commonWebsocketConfig;
};
# Legacy Admin Console websocket (for compatibility)
"^~ /lool/adminws" = {
proxyPass = cfgC.local;
extraConfig = commonWebsocketConfig;
@@ -231,23 +254,23 @@ in
};
collabora = lib.mkIf cfgC.enable {
autoStart = true;
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest = "sha256:aab41379baf5652832e9237fcc06a768096a5a7fccc66cf8bd4fdb06d2cbba7f";
sha256 = "sha256-M66lynhzaOEFnE15Sy1N6lBbGDxwNw6ap+IUJAvoCLs=";
};
image = "collabora/code:latest";
ports = [ "9980:9980" ];
environment = {
TZ = config.my.timeZone;
domain = cfg.host;
aliasgroup1 = "${cfg.host}:443";
aliasgroup2 = "cloud.rotehaare.art:443";
aliasgroup1 = "${cfg.url}:443";
aliasgroup2 = "https://cloud.rotehaare.art:443";
server_name = cfgC.host;
dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru";
extra_params = ''
--o:ssl.enable=false
--o:ssl.termination=true
--o:remote_font_config.url=${cfg.url}/apps/richdocuments/settings/fonts.json
--o:logging.level=information
'';
DONT_GEN_SSL_CERT = "1";
SLEEPFORDEBUGGER = "0";
};
extraOptions = [
"--cap-add"

2
modules/servers/nix-serve.nix
View File

@@ -5,8 +5,8 @@
...
}:
let
cfg = config.my.servers.nix-serve;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.nix-serve;
in
{
options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000;

8
modules/servers/ombi.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.ombi;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.ombi;
in
{
options.my.servers.ombi = setup.mkOptions "ombi" "requests" 3425;

8
modules/servers/plex-discord-bot.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.plex-discord-bot;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.plex-discord-bot;
name = "plex-discord-bot";
in
{

2
modules/servers/plex.nix
View File

@@ -4,8 +4,8 @@
...
}:
let
cfg = config.my.servers.plex;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.plex;
in
{
options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;

2
modules/servers/portfolio.nix
View File

@@ -4,8 +4,8 @@
...
}:
let
cfg = config.my.websites.portfolio;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.websites.portfolio;
in
{
options.my.websites.portfolio = setup.mkOptions "portfolio" "portfolio" 0;

2
modules/servers/prowlarr.nix
View File

@@ -4,8 +4,8 @@
...
}:
let
cfg = config.my.servers.prowlarr;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.prowlarr;
in
{
options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;

12
modules/servers/qbittorrent.nix
View File

@@ -1,8 +1,8 @@
{
inputs,
lib,
config,
pkgs,
inputs,
...
}:
let
@@ -36,6 +36,10 @@ let
;
}
);
torrentCompletionScript = pkgs.writeShellScript "qbit-torrent-completion" ''
chown jawz:piracy -R "$1"
chmod -R 775 "$1"
'';
in
{
options.my.servers = {
@@ -50,6 +54,7 @@ in
};
};
config = lib.mkIf (config.my.servers.qbittorrent.enable && config.my.secureHost) {
my.network.firewall.additionalPorts = [ config.my.servers.qbittorrent.port ];
home-manager.users.jawz.xdg.dataFile.vuetorrent.source = vuetorrent;
sops.secrets =
let
@@ -72,7 +77,10 @@ in
"unpackerr/radarr-api" = mkUnpackerrSecret;
};
systemd = {
packages = [ pkgs.qbittorrent-nox ];
packages = [
pkgs.qbittorrent-nox
torrentCompletionScript
];
services."qbittorrent-nox@jawz" = {
enable = true;
overrideStrategy = "asDropin";

8
modules/servers/radarr.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.radarr;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.radarr;
in
{
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;

8
modules/servers/readeck.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.readeck;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.readeck;
in
{
options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546;

8
modules/servers/ryot.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.ryot;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.ryot;
in
{
options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765;

1
modules/servers/sabnzbd.nix
View File

@@ -12,6 +12,7 @@ in
};
};
config = lib.mkIf cfg.enable {
my.network.firewall.additionalPorts = [ cfg.port ];
services.sabnzbd = {
inherit (cfg) enable;
group = "piracy";

8
modules/servers/shiori.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.shiori;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.shiori;
in
{
options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;

8
modules/servers/sonarr.nix
View File

@@ -1,7 +1,11 @@
{ lib, config, ... }:
{
lib,
config,
...
}:
let
cfg = config.my.servers.sonarr;
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.sonarr;
in
{
options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989;

2
modules/servers/stash.nix
View File

@@ -5,9 +5,9 @@
...
}:
let
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.stash;
cfgS = config.services.stash;
setup = import ../factories/mkserver.nix { inherit lib config; };
stashPythonFHS = pkgs.buildFHSEnv {
name = "stash-python-fhs";
targetPkgs =

2
modules/servers/synapse.nix
View File

@@ -5,10 +5,10 @@
...
}:
let
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.synapse;
cfgE = config.my.servers.element;
domain = "wedsgk5ac2qcaf9yb.click";
setup = import ../factories/mkserver.nix { inherit lib config; };
clientConfig."m.homeserver".base_url = cfg.url;
serverConfig."m.server" = "${cfg.host}:443";
mkWellKnown = data: ''

6
modules/servers/tranga.nix
View File

@@ -1,4 +1,8 @@
{ config, lib, ... }:
{
config,
lib,
...
}:
let
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.tranga;

12
modules/services/wireguard.nix
View File

@@ -11,7 +11,7 @@ in
{
options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
sops.secrets."server/private".sopsFile = ../../secrets/wireguard.yaml;
networking = {
firewall.allowedUDPPorts = [ port ];
nat = {
@@ -22,13 +22,9 @@ in
wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = port;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wireguard/private".path;
postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE";
postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE";
privateKeyFile = config.sops.secrets."server/private".path;
peers = [
{
publicKey = "ciupBjCcIpd3K5vlzNMJC8iiyNqB9xXwkSC6UXPKP3g=";

3
modules/shell/multimedia.nix
View File

@@ -1,5 +1,6 @@
{
config,
inputs,
lib,
pkgs,
...
@@ -24,7 +25,7 @@
};
gallery-dl = {
enable = true;
settings = import ../../dotfiles/gallery-dl.nix;
settings = inputs.self.lib.importDotfile ../../dotfiles/gallery-dl.nix;
};
${config.my.shell.type} = {
initExtra = lib.mkAfter ''

26
modules/shell/tools.nix
View File

@@ -57,7 +57,7 @@ in
};
};
${shellType} = {
shellAliases = {
shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
cd = "z";
hh = "hstr";
ls = "eza --icons --group-directories-first";
@@ -70,26 +70,20 @@ in
uniq --count | sort -rn'';
};
}
// (
if shellType == "bash" then
{
initExtra = ''
//
inputs.self.lib.shellConditional shellType
''
if command -v fzf-share >/dev/null; then
source "$(fzf-share)/key-bindings.bash"
source "$(fzf-share)/completion.bash"
fi
''
''
if command -v fzf-share >/dev/null; then
source "$(fzf-share)/key-bindings.bash"
source "$(fzf-share)/completion.bash"
fi
'';
}
else
{
initContent = ''
if command -v fzf-share >/dev/null; then
source "$(fzf-share)/key-bindings.bash"
source "$(fzf-share)/completion.bash"
fi
'';
}
);
};
programs = {
starship.enable = true;

15
modules/users/nixremote.nix
View File

@@ -1,13 +1,18 @@
{ lib, config, ... }:
{
lib,
config,
inputs,
...
}:
{
options.my.users.nixremote = {
enable = lib.mkEnableOption "nixremote user for distributed builds";
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [
../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixserver.pub
../../secrets/ssh/ed25519_nixminiserver.pub
default = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixserver"
"nixminiserver"
];
description = "List of SSH public key files to authorize for nixremote user";
};

216
parts/core.nix Normal file
View File

@@ -0,0 +1,216 @@
{ inputs, ... }:
let
system = "x86_64-linux";
mkpkgs =
repo:
import repo {
inherit system;
config.allowUnfree = true;
};
in
{
systems = [ system ];
flake = {
lib = {
commonModules = name: [
../hosts/${name}/configuration.nix
inputs.nur.modules.nixos.default
inputs.sops-nix.nixosModules.sops
inputs.stylix.nixosModules.stylix
inputs.nixtendo-switch.nixosModules.nixtendo-switch
{
nixpkgs.overlays = [
(import ../config/overlay.nix { inherit mkpkgs inputs; })
inputs.doom-emacs.overlays.default
];
}
{
nix.registry = {
jawz.flake = inputs.self;
unstable.flake = inputs.nixpkgs-unstable;
};
}
];
createConfig =
name: local-nixpkgs:
let
lib = local-nixpkgs.lib // inputs.home-manager.lib;
in
lib.nixosSystem {
inherit system;
modules = inputs.self.lib.commonModules name;
specialArgs = {
inherit inputs;
outputs = inputs.self;
};
};
langList =
builtins.readDir ../modules/dev
|> builtins.attrNames
|> map (file: baseNameOf file |> builtins.replaceStrings [ ".nix" ] [ "" ])
|> builtins.filter (name: name != "emacs");
autoImport =
dir: filterFn:
builtins.readDir dir
|> builtins.attrNames
|> builtins.filter (file: builtins.match ".*\\.nix" file != null && filterFn file)
|> map (file: dir + "/${file}");
proxy = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
http2 = true;
};
proxyReverse =
cfg:
inputs.self.lib.proxy {
"/" = {
proxyPass = "http://${cfg.ip}:${toString cfg.port}/";
proxyWebsockets = cfg.enableSocket or false;
};
};
proxyReverseFix =
cfg:
let
useLocalhost = cfg.hostName == cfg.hostName;
localHeaders = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
in
inputs.self.lib.proxyReverse cfg
// {
extraConfig = ''
${if useLocalhost then localHeaders else ""}
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_redirect off;
proxy_http_version 1.1;
'';
};
proxyReversePrivate =
cfg:
inputs.self.lib.proxyReverse cfg
// {
extraConfig = ''
ssl_verify_client on;
ssl_client_certificate ${cfg.certPath};
error_page 403 /403.html;
'';
};
commonAliases = {
cp = "cp -i";
mv = "mv -i";
mkdir = "mkdir -p";
mkcd = "(){ mkdir -p \"$1\" && cd \"$1\" }";
copy = "xclip -selection clipboard";
cdp = "pwd | copy";
cfp = "(){ readlink -f \"$1\" | copy }";
".." = "cd ..";
"..." = "cd ../..";
".3" = "cd ../../..";
".4" = "cd ../../../..";
".5" = "cd ../../../../..";
c = "cat";
sc = "systemctl --user";
jc = "journalctl --user -xefu";
};
xdgEnvironment =
let
XDG_DATA_HOME = "\${HOME}/.local/share";
XDG_CONFIG_HOME = "\${HOME}/.config";
XDG_CACHE_HOME = "\${HOME}/.cache";
in
{
inherit XDG_DATA_HOME XDG_CONFIG_HOME XDG_CACHE_HOME;
XDG_BIN_HOME = "\${HOME}/.local/bin";
XDG_STATE_HOME = "\${HOME}/.local/state";
PSQL_HISTORY = "${XDG_DATA_HOME}/psql_history";
REDISCLI_HISTFILE = "${XDG_DATA_HOME}/redis/rediscli_history";
WINEPREFIX = "${XDG_DATA_HOME}/wine";
ELECTRUMDIR = "${XDG_DATA_HOME}/electrum";
WGETRC = "${XDG_CONFIG_HOME}/wgetrc";
XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose";
"_JAVA_OPTIONS" = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
ORG_DEVICE = "workstation";
PATH = [ "\${HOME}/.local/bin" ];
};
getNixosHosts =
ips: hostName: lib:
builtins.attrNames ips
|> builtins.filter (
name: !(lib.hasPrefix "wg-" name) && name != "linode" && name != "router" && name != hostName
);
shellConditional =
shellType: bashContent: zshContent:
if shellType == "bash" then { initExtra = bashContent; } else { initContent = zshContent; };
mergeAliases = baseAliases: extraAliases: baseAliases // extraAliases;
importDotfile = path: import path;
getServicesWithNativeFirewall =
config: blacklist:
config.my.servers
|> builtins.attrNames
|> builtins.filter (
name:
(config.my.servers.${name}.enable or false)
&& !(builtins.elem name blacklist)
&& builtins.hasAttr name config.services
&& (config.services.${name} ? openFirewall)
);
generateFirewallPorts =
config: nativeServices: lib:
config.my.network.firewall.staticPorts
++ config.my.network.firewall.additionalPorts
++ (
config.my.servers
|> lib.filterAttrs (
name: srv: (srv.enable or false) && (srv ? port) && !(builtins.elem name nativeServices)
)
|> lib.attrValues
|> map (srv: srv.port)
);
mkEnabled = name: {
inherit name;
value.enable = true;
};
mkEnabledWithProxy = name: {
inherit name;
value = {
enable = true;
enableProxy = true;
};
};
mkEnabledIp = ip: name: {
inherit name;
value = {
enable = true;
inherit ip;
};
};
enableList = func: list: list |> map func |> builtins.listToAttrs;
mkPostgresDependency = config: serviceName: displayName: {
assertion = config.my.servers.${serviceName}.enable -> config.my.servers.postgres.enable;
message = "${displayName} requires PostgreSQL to be enabled";
};
mkPostgresDependencies =
config: serviceMap:
serviceMap |> map (entry: inputs.self.lib.mkPostgresDependency config entry.service entry.name);
sshKeys = {
deacero = ../secrets/ssh/ed25519_deacero.pub;
workstation = ../secrets/ssh/ed25519_workstation.pub;
server = ../secrets/ssh/ed25519_server.pub;
miniserver = ../secrets/ssh/ed25519_miniserver.pub;
galaxy = ../secrets/ssh/ed25519_galaxy.pub;
phone = ../secrets/ssh/ed25519_phone.pub;
linode = ../secrets/ssh/ed25519_linode.pub;
emacs = ../secrets/ssh/ed25519_emacs.pub;
nixworkstation = ../secrets/ssh/ed25519_nixworkstation.pub;
nixserver = ../secrets/ssh/ed25519_nixserver.pub;
nixminiserver = ../secrets/ssh/ed25519_nixminiserver.pub;
};
getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name});
};
};
}

12
parts/devshells.nix Normal file
View File

@@ -0,0 +1,12 @@
{ inputs, ... }:
{
perSystem = _: {
devShells =
inputs.self.lib.langList
|> map (name: {
inherit name;
value = inputs.self.nixosConfigurations.emacs.config.devShells.${name};
})
|> builtins.listToAttrs;
};
}

11
parts/hosts.nix Normal file
View File

@@ -0,0 +1,11 @@
{ inputs, ... }:
{
flake.nixosConfigurations = {
workstation = inputs.self.lib.createConfig "workstation" inputs.nixpkgs;
miniserver = inputs.self.lib.createConfig "miniserver" inputs.nixpkgs-small;
server = inputs.self.lib.createConfig "server" inputs.nixpkgs-small;
galaxy = inputs.self.lib.createConfig "galaxy" inputs.nixpkgs-small;
emacs = inputs.self.lib.createConfig "emacs" inputs.nixpkgs;
linode = inputs.self.lib.createConfig "linode" inputs.nixpkgs-small;
};
}

5
parts/images.nix Normal file
View File

@@ -0,0 +1,5 @@
{ inputs, ... }:
{
flake.packages.x86_64-linux.linode-image =
inputs.self.nixosConfigurations.linode.config.system.build.linodeImage;
}

18
parts/packages.nix Normal file
View File

@@ -0,0 +1,18 @@
{ inputs, ... }:
{
perSystem =
{ system, ... }:
{
packages = (inputs.jawz-scripts.packages.${system} or { }) // {
emacs-vm = inputs.nixos-generators.nixosGenerate {
inherit system;
modules = inputs.self.lib.commonModules "emacs";
format = "vm";
specialArgs = {
inherit inputs;
outputs = inputs.self;
};
};
};
};
}

0
secrets/ssh/ed25519_vps.pub → secrets/ssh/ed25519_linode.pub
View File

22
secrets/wireguard.yaml
View File

@@ -1,13 +1,13 @@
wireguard:
private: ENC[AES256_GCM,data:wwggc9T88gK/EMmjPauf14DZGUnfipBpfN3FnlPhsO6FtVmK2aad/D0/Rqw=,iv:Q15iiEOFRa3bPf7NfZcEZOgEqnjIJPenYgE6c6HRYI8=,tag:x+auLhc/FDhxZxzWmcrX9Q==,type:str]
public: ENC[AES256_GCM,data:uelp1opnLR5EfvNBSA3Sk33ktMoG6+Pvj7oKYtdlCpXMZel9O8G7P4X5S2M=,iv:AQECJmnXSc2MM0pT8ZJtA51pn+tvhhyAxFDMBH/H6wA=,tag:yWsnQbHaeiXyPLbpxMZwsg==,type:str]
vps:
server:
private: ENC[AES256_GCM,data:wrP/069tuQs3ObYE8Q0MNVxe3+4vZ2HIImoIdZpj1uPgdBknboX1wmANv/k=,iv:FJL5KumHos8PoXra+BB2Uc6YedsF6MD3wWyuugXzJ+E=,tag:nVuTrW2P7JvnWnv6H1SmdQ==,type:str]
public: ENC[AES256_GCM,data:YnKOf9725v9FkzdNPDVf/iinMbY/YWn6ksqEz+mpB4KHVlOvpbV6vLSKRcs=,iv:aWQNy6mT4sxVbzaXKgRzZ9XVsiBCRsOlLORRqC+uiKE=,tag:mLWv6mr3VVfw0J5BrqByXg==,type:str]
private: ENC[AES256_GCM,data:8/wwIn29F5DxRIjFz51GgBUmAdaOeyS4cDN/vFzypagyNyOJ1VygiT1NXMA=,iv:uUk55wrayGJ6YRNC67z51T4DW6r/LVOol39/JJKYZxg=,tag:uuAuAqzTUOJjkLsDrZig2A==,type:str]
public: ENC[AES256_GCM,data:J3j3AlG2liVRZERvlpClWekGa4AZWBfACe9J5YegzG1liU5/ZkPzMOzdf4I=,iv:8o9IpQWh0QtdwDj1knpsEOrPLorSZPQKiO8QJxBlPco=,tag:QDHai1bzFXS7vuTpIJqClA==,type:str]
linode:
server:
private: ENC[AES256_GCM,data:ReI4nnGcR4GbLuQOkosYG9CtQWc/YSV/BVVwY2lfM9miskRIh+aw4kudSNM=,iv:B2JrRpD7tYF+PtdQddyzUl0kp36VVXSNFrHOAoUgwA4=,tag:GV3joCZbl85tvlMAq/Kqug==,type:str]
public: ENC[AES256_GCM,data:VKYak059lumcQy3QtCanYwBwmsKkkSVEQilOu+KUYmMykirV+DUpI23jloY=,iv:5NYbyrMQTlC8qp/fmGToK+ZpKhDcP8UWbmRNoWzn64k=,tag:fi46BRJAksrUuDYP+5Nvmw==,type:str]
home:
private: ENC[AES256_GCM,data:YZ0jvBzkMv8Bwc9u3LDJzwSqQvPj8wPUxTIeBFiLYVQQIBjm8aS1dTYuPvo=,iv:mXuW7TVERxOMmGIit3a7Spmbk/EgYuGkO66AWJUnMF0=,tag:xM7C3F3JCiud/A9yPD5ydQ==,type:str]
public: ENC[AES256_GCM,data:DcwAHhHjIxFqRL5h7p/0nkFnWiI/iqR8Fws6AuFaxjgUHKYd/6l3D6q/O/0=,iv:bBJ0bsKRiGQUSlRmHqeLQWkOIUNfG5VVpuV6MOtKZO0=,tag:harMG6GDIfclmSq3D36bTw==,type:str]
private: ENC[AES256_GCM,data:Bo3Hzd9Xh4kufO8G4J6Gm2znsUcBc25OlB+ECI4u2roeo7QgQpRXxa8RamM=,iv:0D+FmQxqyZZeCA+iA/gMp0soZ2LtM9fNTP6hGIVrNaM=,tag:Bk18KYKZEDWBBEK5dHKO6w==,type:str]
public: ENC[AES256_GCM,data:sHXh/i9nBHgpgsBVPgvpiEJIHIXzlCa3EhG/eFYL1tKz6Iabcr4bnAUbe08=,iv:V6eSlQRenSCz5VRJMQTXafIb2TTB33p7jzOkixSwIM0=,tag:tjutVj+K6CdtN/FOZqqaHw==,type:str]
sops:
age:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
@@ -46,7 +46,7 @@ sops:
KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ
SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-08T00:14:52Z"
mac: ENC[AES256_GCM,data:O2herKRy4k9ZMuPzzPF5QlBC2isXdRoIsbYLJ/6X7esxtxxgNuAljx4SCR6UMT7pl3G2E33cnnBEkuAIy6SMXOaZNfOuAEJXaCwpRwCXu26lrcTf6n7UdP36GWfIRsR4utD5/vv66ch6MqmQWkW7E5zydy5dOv+BJ4XS/50OUQs=,iv:TscYNQaeI+mBxyobxI1O4wUzRtA27pvjXz27kqMJhA0=,tag:zx/xrYAWJCxYz5HRTKzYfQ==,type:str]
lastmodified: "2025-10-28T19:42:02Z"
mac: ENC[AES256_GCM,data:b6/AkxnYppuHIU2oOqOZFizfqhwGjHquzhaeKnBhinXUqmAwoYRgHH54w951HR0Qp9IXu4P7BmlmqET2IhtIXjTtfkDOz9LUUJT0kRmpW5uyXcgiaPQWFFT1r3FnUNPla1O3mBpaT8FD1LVZunEGJ7o3smHJ8aXStbV3RIwdUsQ=,iv:4yCLwkTxW9wMFyoUK9WvaRR+GI1r884uGRKLvmzVF2I=,tag:wLk0v/f06rLczCX+/UN4Ng==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0