#+TITLE: JawZ NixOS main Configuration #+AUTHOR: Danilo Reyes #+PROPERTY: header-args :tangle configuration.nix #+auto_tangle: t * TODO [0/6] - [ ] System configurations [0/8] - [ ] fail2ban - [ ] Bluetooth multiple devices + pass-through - [ ] Topgrade (perhaps unnecessary) - [ ] dotfiles [0/4] - [ ] migrate config to home-manager - [ ] migrate share to home-manager - [ ] migrate dconf to home-manager - [-] Migrate apps [3/6] - [-] paru - [ ] appimages - [-] Compile missing apps [1/8] - [-] zap init - [-] font-downloader - [ ] SaveDesktop (flathub) - [ ] gelata - [ ] menulibre - [ ] Misc [0/3] - [ ] Figure out how to get rid of xterm * ABOUT Setting up the document. Also this should allow me to set up variables, and other functions. - Global version number so NixOS and Home-Manager are in sync - The unstable part allows me to build packages from the unstable channel by prepending "unstable" to a package name. - The next part creates a simple build of some of my simple scripts, turning them into binaries which then I can integrate into the nix-store as well as declared systemd units. #+begin_src nix { config, pkgs, ... }: let VERSION = "23.05"; unstable = import (builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") { config = config.nixpkgs.config; }; nix-gaming = import (builtins.fetchTarball "https://github.com/fufexan/nix-gaming/archive/master.tar.gz"); jawz_nextcloud_scrapsync = pkgs.writeScriptBin "nextcloud_scrapsync" (builtins.readFile ./scripts/nextcloud_scrapsync.sh); jawz_manage_library = pkgs.writeScriptBin "manage_library" (builtins.readFile ./scripts/manage_library.sh); jawz_tasks = pkgs.writeScriptBin "tasks" (builtins.readFile ./scripts/tasks.sh); in { # Remember to close this bracket at the end of the document #+end_src * IMPORTS These are files and modules which get loaded onto the configuration file, in the future I may segment this file into different modules once it becomes too cluttered, for example, I may create a module for systemd units. #+begin_src nix imports = [ ./hardware-configuration.nix ./nginx.nix "${nix-gaming}/modules/pipewireLowLatency.nix" ]; #+end_src * SYSTEM CONFIGURATION ** NETWORKING At the moment, I don't have a wireless card on this computer, however as I build a new system, such setting may come in handy. Pick *ONLY ONE* of the below networking options. - *wireless.enable* enables wireless support via wpa_supplicant. - *NetworkManager* it's the default of GNOME, and easiest to use and integrate. #+begin_src nix networking = { hostName = "workstation"; networkmanager.enable = true; }; #+end_src ** TIMEZONE & LOCALE For some reason, useXkbConfig throws an error when building the system, either way it is an unnecessary setting as my keyboards are the default en_US, only locale set to Canadian out because I prefer how it displays the date. #+begin_src nix time.timeZone = "America/Mexico_City"; i18n = { defaultLocale = "en_CA.UTF-8"; extraLocaleSettings = { LC_MONETARY = "es_MX.UTF-8"; }; }; console = { font = "Lat2-Terminus16"; keyMap = "us"; # useXkbConfig = true; # use xkbOptions in tty. }; #+end_src * GNOME At the time of writing this file, I require of X11, as the NVIDIA support for Wayland isn't perfect yet. At the time being, the ability to switch through GDM from Wayland to XORG, it's pretty handy, but in the future these settings will require an update. Sets up GNOME as the default desktop environment, while excluding some undesirable packages from installing. #+begin_src nix services = { xserver = { enable = true; videoDrivers = [ "nvidia" ]; displayManager.gdm.enable = true; desktopManager.gnome.enable = true; layout = "us"; libinput.enable = true; # Wacom required? }; }; environment.gnome.excludePackages = (with pkgs; [ gnome-photos gnome-tour gnome-text-editor gnome-connections # gnome-shell-extensions baobab ]) ++ (with pkgs.gnome; [ # totem gedit gnome-music epiphany gnome-characters yelp gnome-font-viewer cheese ]); # Sets up QT to use adwaita themes. qt = { enable = true; platformTheme = "gnome"; style = "adwaita"; }; #+end_src * SOUND In order to avoid issues with PipeWire, the wiki recommends to disable /sound.enable/ This is a basic PipeWire configuration, in the future stuff like Bluetooth or latency will require expanding these settings. #+begin_src nix hardware.pulseaudio.enable = false; sound.enable = false; security = { rtkit.enable = true; acme = { acceptTerms = true; defaults.email = "captainjawz@outlook.com"; }; }; services.pipewire = { enable = true; alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; lowLatency = { enable = true; quantum = 64; rate = 48000; }; }; #+end_src * SECURITY Recently, I've gotten frustrated with OpenDoas, as such I've decided to temporarily enable Sudo, but in the future, I plan to revert that decision. ** SUDO Disabled password for commodity, but this is obviously not recommended. #+begin_src nix security.sudo = { enable = true; wheelNeedsPassword = false; }; #+end_src * USER PACKAGES Being part of the "wheel" group, means that the user has root privileges. This allows to install non-free packages, and also a toggle for installing packages from the unstable repository by prepending "unstable" to the package name. #+begin_src nix nixpkgs.config = { allowUnfree = true; packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; }; permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1u" ]; }; #+end_src This section of the document categorizes and organizes all he packages that I want installed, attempting to group them as dependencies of others when necessary. It has come to my attention, that using home-manager to manage packages, isn't a recommended thing, while in theory there should be no errors with it, being a downstream package there is no warranty that an upstream change will break things with a new upgrade, breaking thus, the declarative nature of NixOs, for that purpose, I have decided to keep home-manager as a module, with the intention of reduce the number of dotfiles, however I will keep it exclusively as a dotfile and service manager. #+begin_src nix users.groups.nextcloud.gid = 990; users.users.nextcloud = { isNormalUser = false; uid = 990; extraGroups = [ "nextcloud" ]; packages = (with pkgs; [ nodejs_14 perl unstable.exiftool ]); }; users.users.jawz = { isNormalUser = true; extraGroups = [ "wheel" "networkmanager" "docker" "scanner" "lp" ]; initialPassword = "password"; openssh = { authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES" ]; }; packages = (with pkgs; [ #+end_src ** GUI PACKAGES All of my GUI applications categorized to make it easier to identify what each application does, and the justification for is existence on my system. *** ART AND DEVELOPMENT Art and development applications are together, as a game-developer one of my goals is to create a workflow between this ecosystem of applications. #+begin_src nix blender # cgi animation and sculpting godot # game development gdtoolkit # gdscript language server krita # art to your heart desire! # drawpile # arty party with friends!! mypaint # not the best art program mypaint-brushes # but it's got some mypaint-brushes1 # nice damn brushes pureref # create inspiration/reference boards gimp # the coolest bestest art program to never exist #+end_src *** GAMING So far gaming has been a lot less painful than I could have originally anticipated, most everything seems to run seamlessly. =note= Roblox uninstalled as there is ongoing drama regarding linux users. #+begin_src nix lutris heroic wine64Packages.full wineWowPackages.full vulkan-tools # nix-gaming.packages.${pkgs.hostPlatform.system}.wine-tkg winetricks # nix-gaming.packages.${pkgs.hostPlatform.system}.wine-discord-ipc-bridge # grapejuice # roblox manager minecraft # minecraft official launcher parsec-bin # remote gaming with friends protonup-qt # update proton-ge renpy #+end_src *** PRODUCTIVITY This is the section where the apps that help me be productive come, a lot of this are not used as often as I wish… #+begin_src nix libreoffice-fresh # office, but based calibre # ugly af eBook library manager foliate # gtk eBook reader newsflash # feed reader, syncs with nextcloud wike # gtk wikipedia wow! unstable.furtherance # I made this one tehee track time utility gnome.simple-scan # scanner #+end_src *** MISC Most of these apps, are part of the gnome circle, and I decide to install them if just for a try and play a little. #+begin_src nix # sequeler # friendly SQL client blanket # background noise czkawka # duplicate finder pika-backup # backups # tilix # used to be my favourite terminal, but it's so outdated, that each time I use it less and less… gnome-obfuscate # censor private information metadata-cleaner # remove any metadata and geolocation from files gnome-recipes # migrate these to mealie and delete denaro # manage your finances # celeste # sync tool for any cloud provider libgda # for pano shell extension #+end_src *** MULTIMEDIA Overwhelmingly player applications, used for videos and music, while most of my consumption has moved towards Danilo-flix, it's still worth the install of most of these, for now. #+begin_src nix celluloid # video player cozy # audiobooks player gnome-podcasts # podcast player handbrake # video converter, may be unnecessary curtail # image compressor pitivi # video editor identity # compare images or videos mousai # poor man shazam tagger # tag music files bottles # wine prefix manager obs-studio # screen recorder & streamer shortwave # listen to world radio nextcloud-client # self-hosted google-drive alternative #+end_src *** WEB Stuff that I use to interact with the web, web browsers, chats, download managers, etc. #+begin_src nix discord # chat telegram-desktop # furry chat google-chrome # web browser with spyware included firefox # web browser that allows to disable spyware # librewolf # no spyware web browser tor-browser-bundle-bin # dark web, so dark! # hugo # website engine nicotine-plus # remember Ares? warp # never used, but supposedly cool for sharing files HentaiAtHome # uh-oh #+end_src ** COMMAND-LINE PACKAGES #+begin_src nix unstable.yt-dlp # downloads videos from most video websites unstable.gallery-dl # similar to yt-dlp but for most image gallery websites gdu # disk-space utility, somewhat useful du-dust # rusty du gocryptfs # encrypted filesystem! shhh!!! exa # like ls but with colors trashy # oop! didn't meant to delete that rmlint # probably my favourite app, amazing dupe finder that integrates well with BTRFS tldr # man for retards vcsi # video thumbnails for torrents, can I replace it with ^? tree-sitter # code parsing, required by Doom emacs torrenttools # create torrent files from the terminal! lm_sensors # for extension, displays cpu temp # My own scripts jawz_manage_library jawz_tasks (writeScriptBin "ffmpeg4discord" (builtins.readFile ./scripts/ffmpeg4discord.py)) (writeScriptBin "ffmpreg" (builtins.readFile ./scripts/ffmpreg.sh)) (writeScriptBin "chat-dl" (builtins.readFile ./scripts/chat-dl.sh)) (writeScriptBin "split_dir" (builtins.readFile ./scripts/split_dir.sh)) (writeScriptBin "pika_list" (builtins.readFile ./scripts/pika_list.sh)) (writeScriptBin "run" (builtins.readFile ./scripts/run.sh)) #+end_src ** DEVELOPMENT PACKAGES #+begin_src nix # required by doom emacs, but still are rather useful. fd # modern find, faster searches fzf # fuzzy finder! super cool and useful ripgrep # modern grep # languagetool # proofreader for English. check if works without the service graphviz # graphs tetex # these two are for doom everywhere # xorg.xwininfo # xdotool # development environment exercism # learn to code # SH bats # testing system, required by Exercism bashdb # autocomplete shellcheck # linting shfmt # a shell parser and formatter file # required by my tasks script? # gnome.zenity # dependency of my scripts xclip # manipulate clipboard from scripts # NIX nixfmt # linting cachix # why spend time compiling? # PYTHON. python3 # base language pipenv # python development workflow for humans poetry # dependency management made easy # C# & Rust # omnisharp-roslyn # c# linter and code formatter # HASKELL # cabal-install # haskell interface # JS nodejs # not as bad as I thought # jq # linting #+end_src ** HUNSPELL These dictionaries work with Firefox, Doom Emacs and LibreOffice. #+begin_src nix hunspell hunspellDicts.it_IT hunspellDicts.es_MX hunspellDicts.en_CA #+end_src ** CUSTOMIZATION PACKAGES Themes and other customization, making my DE look the way I want is one of the main draws of Linux for me. #+begin_src nix # Themes adw-gtk3 # gradience # theme customizer, allows you to modify adw-gtk3 themes gnome.gnome-tweaks # tweaks for the gnome desktop environment qgnomeplatform # Fonts (nerdfonts.override { fonts = [ "Agave" "CascadiaCode" "SourceCodePro" "Ubuntu" "FiraCode" "Iosevka" ]; }) symbola (papirus-icon-theme.override { color = "adwaita"; }) #+end_src ** PYTHON #+begin_src nix ]) ++ (with pkgs.python3Packages; [ flake8 # wraper for pyflakes, pycodestyle and mccabe isort # sort Python imports nose # testing and running python scripts pyflakes # checks source code for errors pytest # framework for writing tests speedtest-cli # check internet speed from the comand line editorconfig # follow rules of contributin black # Python code formatter pylint # bug and style checker for python (buildPythonApplication rec { pname = "download"; version = "1.5"; src = ./scripts/download/.; doCheck = false; buildInputs = [ setuptools ]; propagatedBuildInputs = [ pyyaml types-pyyaml ]; }) (buildPythonApplication rec { pname = "ffpb"; version = "0.4.1"; src = fetchPypi { inherit pname version; sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk="; }; doCheck = false; buildInputs = [ setuptools ]; propagatedBuildInputs = [ tqdm ]; }) #+end_src ** BAT-EXTRAS #+begin_src nix ]) ++ (with pkgs.bat-extras; [ batman # man pages batpipe # piping batgrep # ripgrep batdiff # this is getting crazy! batwatch # probably my next best friend prettybat # trans your sourcecode! #+end_src ** GNOME EXTENSIONS #+begin_src nix ]) ++ (with pkgs.gnomeExtensions; [ appindicator # applets for open applications gsconnect # sync data and notifications from your phone freon # hardware temperature monitor panel-scroll # scroll well to change workspaces reading-strip # like putting a finger on every line I read tactile # window manager pano # clipboard manager blur-my-shell # make the overview more visually appealing # burn-my-windows # forge # window manager # ]) ++ (with unstable.pkgs.gnomeExtensions; [ #+end_src ** NODEJS PACKAGES #+begin_src nix ]) ++ (with pkgs.nodePackages; [ dockerfile-language-server-nodejs # LSP bash-language-server # LSP pyright # LSP markdownlint-cli # Linter prettier # Linter pnpm # Package manager ]); }; }; # <--- end of package list #+end_src * MISC SETTINGS ** ENABLE FONTCONFIG If enabled, a Fontconfig configuration file will point to a set of default fonts. If you don't care about running X11 applications or any other program that uses Fontconfig, you can turn this option off and prevent a dependency on all those fonts. =tip= once that Wayland is ready for deployment, I probably can remove this setting. #+begin_src nix fonts.fontconfig.enable = true; #+end_src * HOME-MANAGER ** HOME-MANAGER SETTINGS These make it so packages install to '/etc' rather than the user home directory, also allow for upgrades when rebuilding the system. #+begin_src nix home-manager.useUserPackages = true; home-manager.useGlobalPkgs = true; #+end_src ** PACKAGES #+begin_src nix home-manager.users.jawz = { config, pkgs, ... }:{ home.stateVersion = VERSION; home.packages = with pkgs; [ ]; #+end_src ** DOTFILES *** BASH #+begin_src nix programs.bash = { enable = true; historyFile = "\${XDG_STATE_HOME}/bash/history"; historyControl = [ "erasedups" ]; shellAliases = { ls = "exa --icons --group-directories-first --no-permissions --no-user --no-time"; edit = "emacsclient -t"; comic = "download -u jawz -i $(cat $LC | fzf --multi --exact -i)"; gallery = "download -u jawz -i $(cat $LW | fzf --multi --exact -i)"; open_gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl && xdg-open $(fd . ./ Husbands -tdirectory -d 1 | fzf -i)"; unique_extensions = "fd -tf | rev | cut -d. -f1 | rev | tr '[:upper:]' '[:lower:]' | sort | uniq --count | sort -rn"; cp = "cp -i"; mv = "mv -i"; mkcd = "mkdir -pv \"$1\" && cd \"$1\" || exit"; mkdir = "mkdir -p"; rm = "trash"; ".." = "cd .."; "..." = "cd ../.."; ".3" = "cd ../../.."; ".4" = "cd ../../../.."; ".5" = "cd ../../../../.."; dl = "download -u jawz -i"; e = "edit"; c = "cat"; f = "fzf --multi --exact -i"; sc = "systemctl --user"; jc = "journalctl --user -xefu"; }; enableVteIntegration = true; initExtra = '' #+end_src #+begin_src bash /home/jawz/.local/bin/pokemon-colorscripts -r --no-title # Lists list_root=${config.home.homeDirectory}/.config/jawz/lists/jawz export LW=$list_root/watch.txt export LI=$list_root/instant.txt export LC=$list_root/comic.txt export command_timeout=30 # GPG_TTY=$(tty) # export GPG_TTY if command -v fzf-share >/dev/null; then source "$(fzf-share)/key-bindings.bash" source "$(fzf-share)/completion.bash" fi nixos-reload () { local nix_file="$HOME/Development/NixOS/configuration.nix" local hardware_file="$HOME/Development/NixOS/hardware-configuration.nix" nixfmt "$nix_file" && nixfmt "$hardware_file" sudo nixos-rebuild switch -I nixos-config="$nix_file" } #+end_src #+begin_src nix ''; }; #+end_src *** OTHER #+begin_src nix programs = { direnv = { enable = true; enableBashIntegration = true; nix-direnv.enable = true; }; bat = { enable = true; config = { pager = "less -FR"; theme = "base16"; }; }; git = { enable = true; userName = "Danilo Reyes"; userEmail = "CaptainJawZ@outlook.com"; }; htop = { enable = true; package = pkgs.htop-vim; }; }; #+end_src *** XDG #+begin_src nix xdg = { enable = true; userDirs = { enable = true; # createDirectories = true; desktop = "${config.home.homeDirectory}"; documents = "${config.home.homeDirectory}/Documents"; download = "${config.home.homeDirectory}/Downloads"; music = "${config.home.homeDirectory}/Music"; pictures = "${config.home.homeDirectory}/Pictures"; # publicShare = "${config.home.homeDirectory}/.local/hd/Public"; templates = "${config.home.homeDirectory}/.local/share/Templates"; videos = "${config.home.homeDirectory}/Videos"; }; configFile = { "wgetrc".source = ./dotfiles/wget/wgetrc; "configstore/update-notifier-npm-check.json".source = ./dotfiles/npm/update-notifier-npm-check.json; "npm/npmrc".source = ./dotfiles/npm/npmrc; "gallery-dl/config.json".source = ./dotfiles/gallery-dl/config.json; "htop/htoprc".source = ./dotfiles/htop/htoprc; }; }; #+end_src ** USER-SERVICES #+begin_src nix services = { lorri.enable = true; emacs = { enable = true; defaultEditor = true; package = pkgs.emacs; }; }; #+end_src ** CLOSING HOME-MANAGER #+begin_src nix }; #+end_src * ENVIRONMENT PACKAGES These are a MUST to ensure the optimal function of nix, without these, recovery may be challenging. #+begin_src nix environment.systemPackages = with pkgs; [ wget docker-compose # easy way to migrate my docker anywhere! jellyfin-ffmpeg # coolest video converter! dlib ]; #+end_src * ENVIRONMENT VARIABLES #+begin_src nix environment.variables = rec { # PATH XDG_CACHE_HOME = "\${HOME}/.cache"; XDG_CONFIG_HOME = "\${HOME}/.config"; XDG_BIN_HOME = "\${HOME}/.local/bin"; XDG_DATA_HOME = "\${HOME}/.local/share"; XDG_STATE_HOME = "\${HOME}/.local/state"; # DEV PATH CABAL_CONFIG = "\${XDG_CONFIG_HOME}/cabal/config"; CABAL_DIR = "\${XDG_CACHE_HOME}/cabal"; CARGO_HOME = "\${XDG_DATA_HOME}/cargo"; GEM_HOME = "\${XDG_DATA_HOME}/ruby/gems"; GEM_PATH = "\${XDG_DATA_HOME}/ruby/gems"; GEM_SPEC_CACHE = "\${XDG_DATA_HOME}/ruby/specs"; GOPATH = "\${XDG_DATA_HOME}/go"; NPM_CONFIG_USERCONFIG = "\${XDG_CONFIG_HOME}/npm/npmrc"; PNPM_HOME = "\${XDG_DATA_HOME}/pnpm"; # OPTIONS # HISTFILE = "\${XDG_STATE_HOME}/bash/history"; LESSHISTFILE = "-"; GHCUP_USE_XDG_DIRS = "true"; RIPGREP_CONFIG_PATH = "\${XDG_CONFIG_HOME}/ripgrep/ripgreprc"; ELECTRUMDIR = "\${XDG_DATA_HOME}/electrum"; VISUAL = "emacsclient -ca emacs"; WGETRC = "\${XDG_CONFIG_HOME}/wgetrc"; XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose"; "_JAVA_OPTIONS" = "-Djava.util.prefs.userRoot=\${XDG_CONFIG_HOME}/java"; DOCKER_CONFIG="\${XDG_CONFIG_HOME}/docker"; # NVIDIA CUDA_CACHE_PATH = "\${XDG_CACHE_HOME}/nv"; # WEBKIT_DISABLE_COMPOSITING_MODE = "1"; # GBM_BACKEND = "nvidia-drm"; # "__GLX_VENDOR_LIBRARY_NAME" = "nvidia"; # Themes # GTK_THEME = "Adwaita:light"; # QT_QPA_PLATFORMTHEME = "adwaita"; # QT_STYLE_OVERRIDE = "adwaita"; CALIBRE_USE_SYSTEM_THEME = "1"; PATH = [ "\${HOME}/.local/bin" "\${XDG_CONFIG_HOME}/emacs/bin" "\${XDG_DATA_HOME}/npm/bin" "\${XDG_DATA_HOME}/pnpm" ]; }; #+end_src * DOCKER Virtualization settings for Docker. NixOS offers an option to declaratively run docker-compose images using [[https://nixos.wiki/wiki/Docker][Arion]]. Could be an interesting thing to try out. #+begin_src nix virtualisation.docker = { enable = true; storageDriver = "btrfs"; enableNvidia = true; }; #+end_src * SNAPRAID It's a parity raid utility which creates a scheme similar to what UNRAID offered, except not in real time, I schedule it to run every night, so it keeps my files sync, while it is possible to use snapraid as a solution to keep a historic backup of your files, I am more concerned with the whole disk recovery in case of failure, as such a frequent sync fits my preferences. #+begin_src nix snapraid = { enable = true; touchBeforeSync = true; sync.interval = "02:00"; scrub = { plan = 10; olderThan = 10; interval = "4:00"; }; parityFiles = [ "/mnt/parity/snapraid.parity" ]; extraConfig = '' autosave 5000 ''; exclude = [ "/tmp/" "/lost+found/" "/multimedia/downloads/" "/scrapping/nextcloud/" "/backups/" "/glue/Spankbank/____UNORGANIZED/Chaturbate/" "/nextcloud/nextcloud.log" ]; dataDisks = { d1 = "/mnt/disk1/"; d2 = "/mnt/disk2/"; }; contentFiles = [ "/var/snapraid.content" "/mnt/disk1/snapraid.content" "/mnt/disk2/snapraid.content" ]; }; #+end_src * SYSTEM PROGRAMS & SERVICES Some programs get enabled and installed through here, as well as the activation of some services. #+begin_src nix programs = { starship.enable = true; fzf.fuzzyCompletion = true; neovim = { enable = true; vimAlias = true; }; gnupg.agent = { enable = true; enableSSHSupport = true; }; geary = { enable = true; }; steam = { enable = true; remotePlay.openFirewall = true; dedicatedServer.openFirewall = true; }; }; services = { jellyfin.enable = true; # vaultwarden.enable = true; nextcloud = { https = true; enable = true; package = pkgs.nextcloud26; appstoreEnable = true; configureRedis = true; maxUploadSize = "512M"; extraAppsEnable = true; enableImagemagick = true; hostName = "cloud.servidos.lat"; config = { adminpassFile = "${pkgs.writeText "adminpass" "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}"; overwriteProtocol = "https"; defaultPhoneRegion = "MX"; dbtype = "pgsql"; dbuser = "nextcloud"; dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}"; dbtableprefix = "oc_"; dbname = "nextcloud"; trustedProxies = [ "nginx" ]; extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ]; }; phpOptions = { catch_workers_output = "yes"; display_errors = "stderr"; error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; expose_php = "Off"; "opcache.enable_cli" = "1"; "opcache.fast_shutdown" = "1"; "opcache.interned_strings_buffer" = "16"; "opcache.jit" = "1255"; "opcache.jit_buffer_size" = "128M"; "opcache.max_accelerated_files" = "10000"; "opcache.memory_consumption" = "128"; "opcache.revalidate_freq" = "1"; "opcache.save_comments" = "1"; "opcache.validate_timestamps" = "0"; "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; short_open_tag = "Off"; }; extraOptions = { mail_smtpmode = "sendmail"; mail_sendmailmode = "pipe"; "installed" = true; "memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool"; enabledPreviewProviders = [ "OC\\Preview\\Image" "OC\\Preview\\HEIC" "OC\\Preview\\TIFF" "OC\\Preview\\MKV" "OC\\Preview\\MP4" "OC\\Preview\\AVI" "OC\\Preview\\Movie" ]; }; phpExtraExtensions = all: [ all.pdlib all.bz2 ]; }; postgresql = { enable = true; ensureDatabases = [ "paperless" "nextcloud" "mealie" ]; ensureUsers = [ { name = "nextcloud"; ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; }; } { name = "paperless"; ensurePermissions = { "DATABASE paperless" = "ALL PRIVILEGES"; }; } { name = "mealie"; ensurePermissions = { "DATABASE mealie" = "ALL PRIVILEGES"; }; } ]; authentication = pkgs.lib.mkOverride 10 '' local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust ''; }; printing = { enable = true; drivers = [ pkgs.hplip pkgs.hplipWithPlugin ]; }; avahi.enable = true; avahi.nssmdns = true; fstrim.enable = true; btrfs.autoScrub = { enable = true; fileSystems = [ "/" "/mnt/disk1" "/mnt/disk2" ]; }; openssh = { enable = true; ports = [ 25152 ]; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; }; startWhenNeeded = true; listenAddresses = [ { addr = "0.0.0.0"; port = 25152; } ]; }; emacs = { enable = true; defaultEditor = true; package = pkgs.emacs; }; }; #+end_src * SYSTEMD Home-manager, is not as flushed out when it comes to creating systemd units, so the best way to define them for now, is using nix. #+begin_src nix systemd.services = { # "docker-compose" = { # enable = true; # restartIfChanged = true; # description = "Start docker-compose servers"; # after = [ "docker.service" "docker.socket" ]; # requires = [ "docker.service" "docker.socket" ]; # wantedBy = [ "default.target" ]; # environment = { # FILE = "/home/jawz/Development/Docker/docker-compose.yml"; # }; # path = [ # pkgs.docker-compose # ]; # serviceConfig = { # Restart = "on-failure"; # RestartSec = 30; # ExecStart = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans"; # ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down"; # }; # }; # "nextcloud_scrapsync" = { # description = "Sync scrapped files with nextcloud"; # wantedBy = [ "default.target" ]; # path = [ # pkgs.bash # jawz_nextcloud_scrapsync # ]; # serviceConfig = { # RestartSec = 30; # ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync"; # }; # }; # "nextcloud_previews" = { # description = "Generate previews"; # wantedBy = [ "default.target" ]; # path = [ # pkgs.nextcloud26 # ]; # serviceConfig = { # RestartSec = 30; # ExecStart = "${pkgs.nextcloud26}/occ preview:pre-generate"; # }; # }; }; systemd.timers = { # "nextcloud_scrapsync" = { # enable = true; # description = "Sync scrapped files with nextcloud"; # wantedBy = [ "timers.target" ]; # timerConfig = { # OnCalendar= [ # "*-*-* 01:32:00" # "*-*-* 08:32:00" # "*-*-* 14:32:00" # "*-*-* 20:32:00" # ]; # RandomizedDelaySec = 30; # Persistent = true; # }; # }; # "nextcloud_previews" = { # enable = true; # description = "Generate previews"; # wantedBy = [ "timers.target" ]; # timerConfig = { # OnCalendar = "*:0/10"; # }; # }; }; systemd.user.services = { "HentaiAtHome" = { enable = true; restartIfChanged = true; description = "Run hentai@home server"; wantedBy = [ "default.target" ]; path = [ pkgs.HentaiAtHome ]; serviceConfig = { Restart = "on-failure"; RestartSec = 30; WorkingDirectory="/mnt/hnbox"; ExecStart = "${pkgs.HentaiAtHome}/bin/HentaiAtHome"; }; }; "manage_library" = { enable = true; restartIfChanged = true; description = "Run the manage library bash script"; wantedBy = [ "default.target" ]; path = [ pkgs.bash pkgs.nix jawz_manage_library ]; serviceConfig = { Restart = "on-failure"; RestartSec = 30; ExecStart = "${jawz_manage_library}/bin/manage_library"; }; }; "tasks" = { restartIfChanged = true; description = "Run a tasks script which keeps a lot of things organized"; wantedBy = [ "default.target" ]; path = [ pkgs.bash pkgs.nix jawz_tasks ]; serviceConfig = { Restart = "on-failure"; RestartSec = 30; ExecStart = "${jawz_tasks}/bin/tasks"; }; }; "update_dns" = let jawz_update_dns = pkgs.writeScriptBin "update_dns" (builtins.readFile ./scripts/update_dns.sh); in { restartIfChanged = true; description = "update DNS of my websites"; wantedBy = [ "default.target" ]; path = [ pkgs.curl pkgs.bash jawz_update_dns ]; serviceConfig = { Restart = "on-failure"; RestartSec = 30; ExecStart = "${jawz_update_dns}/bin/update_dns"; }; }; }; systemd.user.timers = { "tasks" = { enable = true; description = "Run a tasks script which keeps a lot of things organized"; wantedBy = [ "timers.target" ]; timerConfig = { OnCalendar = "*:0/10"; }; }; "update_dns" = { enable = true; description = "update DNS of my websites"; wantedBy = [ "timers.target" ]; timerConfig = { OnBootSec = "1min"; OnUnitActiveSec = "6h"; }; }; }; #+end_src * FIREWALL Open ports in the firewall. =TIP= list what app a port belongs to in a table. #+begin_src nix networking = { firewall = let open_firewall_ports = [ 80 # http 443 # https 6969 # HentaiAtHome 25152 # ssh ]; open_firewall_port_ranges = [ { from = 1714; to = 1764; } # kdeconnect ]; in { allowedTCPPorts = open_firewall_ports; allowedUDPPorts = open_firewall_ports; allowedTCPPortRanges = open_firewall_port_ranges; allowedUDPPortRanges = open_firewall_port_ranges; }; }; # networking.firewall.enable = false; #+end_src * FINAL SYSTEM CONFIGURATIONS The first setting creates a copy the NixOS configuration file and link it from the resulting system (/run/current-system/configuration.nix). This is useful in case you accidentally delete configuration.nix. The version value determines the NixOS release from which the default settings for stateful data, like file locations and database versions on your system. It‘s perfectly fine and recommended to leave this value at the release version of the first install of this system. Lastly I configure in here Cachix repositories, which is a website that keeps a cache of nixbuilds for easy quick deployments without having to compile everything from scratch. #+begin_src nix system = { copySystemConfiguration = true; stateVersion = VERSION; }; nix = { settings = { substituters = [ "https://nix-gaming.cachix.org" "https://nixpkgs-python.cachix.org" "https://devenv.cachix.org" "https://cuda-maintainers.cachix.org" ]; trusted-public-keys = [ "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4=" "nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU=" "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E=" ]; }; gc = { automatic = true; dates = "weekly"; }; }; #+end_src ** CLOSING :D That super pesky closing bracket. #+begin_src nix } #+end_src