34 KiB
Executable File
34 KiB
Executable File
JawZ NixOS main Configuration
[0/6]- ABOUT
- IMPORTS
- SYSTEM CONFIGURATION
- GNOME
- SOUND
- SECURITY
- USER PACKAGES
- MISC SETTINGS
- HOME-MANAGER
- ENVIRONMENT PACKAGES
- ENVIRONMENT VARIABLES
- DOCKER
- SNAPRAID
- SYSTEM PROGRAMS & SERVICES
- SYSTEMD
- FIREWALL
- FINAL SYSTEM CONFIGURATIONS
TODO
[0/6]
-
System configurations
[0/8]- fail2ban
- Bluetooth multiple devices + pass-through
- Topgrade (perhaps unnecessary)
-
dotfiles
[0/4]- migrate config to home-manager
- migrate share to home-manager
- migrate dconf to home-manager
-
Migrate apps
[3/6]- paru
- appimages
-
Compile missing apps
[1/8]- zap init
- font-downloader
- SaveDesktop (flathub)
- gelata
- menulibre
-
Misc
[0/3]- Figure out how to get rid of xterm
ABOUT
Setting up the document. Also this should allow me to set up variables, and other functions.
- Global version number so NixOS and Home-Manager are in sync
- The unstable part allows me to build packages from the unstable channel by prepending "unstable" to a package name.
- The next part creates a simple build of some of my simple scripts, turning them into binaries which then I can integrate into the nix-store as well as declared systemd units.
{ config, pkgs, ... }:
let
VERSION = "23.05";
unstable = import (builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
config = config.nixpkgs.config;
};
nix-gaming = import (builtins.fetchTarball "https://github.com/fufexan/nix-gaming/archive/master.tar.gz");
jawz_nextcloud_scrapsync = pkgs.writeScriptBin
"nextcloud_scrapsync" (builtins.readFile ./scripts/nextcloud_scrapsync.sh);
jawz_manage_library = pkgs.writeScriptBin
"manage_library" (builtins.readFile ./scripts/manage_library.sh);
jawz_tasks = pkgs.writeScriptBin
"tasks" (builtins.readFile ./scripts/tasks.sh);
in
{ # Remember to close this bracket at the end of the documentIMPORTS
These are files and modules which get loaded onto the configuration file, in the future I may segment this file into different modules once it becomes too cluttered, for example, I may create a module for systemd units.
imports = [
./hardware-configuration.nix
./nginx.nix
# ./openldap.nix
<home-manager/nixos>
<agenix/modules/age.nix>
"${nix-gaming}/modules/pipewireLowLatency.nix"
];SYSTEM CONFIGURATION
NETWORKING
At the moment, I don't have a wireless card on this computer, however as I build a new system, such setting may come in handy.
Pick ONLY ONE of the below networking options.
- wireless.enable enables wireless support via wpa_supplicant.
- NetworkManager it's the default of GNOME, and easiest to use and integrate.
networking = {
hostName = "workstation";
networkmanager.enable = true;
};TIMEZONE & LOCALE
For some reason, useXkbConfig throws an error when building the system, either way it is an unnecessary setting as my keyboards are the default en_US, only locale set to Canadian out because I prefer how it displays the date.
time.timeZone = "America/Mexico_City";
i18n = {
defaultLocale = "en_CA.UTF-8";
extraLocaleSettings = {
LC_MONETARY = "es_MX.UTF-8";
};
};
console = {
font = "Lat2-Terminus16";
keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
};GNOME
At the time of writing this file, I require of X11, as the NVIDIA support for Wayland isn't perfect yet. At the time being, the ability to switch through GDM from Wayland to XORG, it's pretty handy, but in the future these settings will require an update.
Sets up GNOME as the default desktop environment, while excluding some undesirable packages from installing.
services = {
xserver = {
enable = true;
videoDrivers = [ "nvidia" ];
displayManager.gdm.enable = true;
desktopManager.gnome.enable = true;
layout = "us";
libinput.enable = true; # Wacom required?
};
};
environment.gnome.excludePackages = (with pkgs; [
gnome-photos
gnome-tour
gnome-text-editor
gnome-connections
# gnome-shell-extensions
baobab
])
++ (with pkgs.gnome; [
# totem
gedit
gnome-music
epiphany
gnome-characters
yelp
gnome-font-viewer
cheese
]);
# Sets up QT to use adwaita themes.
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita";
};SOUND
In order to avoid issues with PipeWire, the wiki recommends to disable sound.enable This is a basic PipeWire configuration, in the future stuff like Bluetooth or latency will require expanding these settings.
hardware.pulseaudio.enable = false;
sound.enable = false;
security = {
rtkit.enable = true;
acme = {
acceptTerms = true;
defaults.email = "captainjawz@outlook.com";
};
};
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
lowLatency = {
enable = true;
quantum = 64;
rate = 48000;
};
};SECURITY
Recently, I've gotten frustrated with OpenDoas, as such I've decided to temporarily enable Sudo, but in the future, I plan to revert that decision.
SUDO
Disabled password for commodity, but this is obviously not recommended.
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};USER PACKAGES
Being part of the "wheel" group, means that the user has root privileges.
This allows to install non-free packages, and also a toggle for installing packages from the unstable repository by prepending "unstable" to the package name.
nixpkgs.config = {
allowUnfree = true;
packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
permittedInsecurePackages = [
"nodejs-14.21.3"
"openssl-1.1.1u"
];
};This section of the document categorizes and organizes all he packages that I want installed, attempting to group them as dependencies of others when necessary.
It has come to my attention, that using home-manager to manage packages, isn't a recommended thing, while in theory there should be no errors with it, being a downstream package there is no warranty that an upstream change will break things with a new upgrade, breaking thus, the declarative nature of NixOs, for that purpose, I have decided to keep home-manager as a module, with the intention of reduce the number of dotfiles, however I will keep it exclusively as a dotfile and service manager.
users.groups = {
nextcloud.gid = 990;
piracy.gid = 985;
};
users.users = {
prowlarr = {
isSystemUser = true;
group = "piracy";
};
nextcloud = {
isSystemUser = true;
uid = 990;
group = "nextcloud";
extraGroups = [ "render" ];
packages = (with pkgs; [
nodejs_14
perl
# unstable.exiftool
( perlPackages.buildPerlPackage rec {
pname = "Image-ExifTool";
version = "12.60";
src = fetchurl {
url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0=";
};
})
]);
};
jawz = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "docker" "scanner" "lp" "piracy" "kavita" ];
initialPassword = "password";
openssh = {
authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES" ];
};
packages = (with pkgs; [GUI PACKAGES
All of my GUI applications categorized to make it easier to identify what each application does, and the justification for is existence on my system.
ART AND DEVELOPMENT
Art and development applications are together, as a game-developer one of my goals is to create a workflow between this ecosystem of applications.
blender # cgi animation and sculpting
godot # game development
gdtoolkit # gdscript language server
krita # art to your heart desire!
# drawpile # arty party with friends!!
mypaint # not the best art program
mypaint-brushes # but it's got some
mypaint-brushes1 # nice damn brushes
pureref # create inspiration/reference boards
gimp # the coolest bestest art program to never existGAMING
So far gaming has been a lot less painful than I could have originally
anticipated, most everything seems to run seamlessly.
note Roblox uninstalled as there is ongoing drama regarding linux users.
lutris
heroic
wine64Packages.full
wineWowPackages.full
vulkan-tools
# nix-gaming.packages.${pkgs.hostPlatform.system}.wine-tkg
winetricks
# nix-gaming.packages.${pkgs.hostPlatform.system}.wine-discord-ipc-bridge
# grapejuice # roblox manager
minecraft # minecraft official launcher
parsec-bin # remote gaming with friends
protonup-qt # update proton-ge
renpyPRODUCTIVITY
This is the section where the apps that help me be productive come, a lot of this are not used as often as I wish…
libreoffice-fresh # office, but based
calibre # ugly af eBook library manager
foliate # gtk eBook reader
newsflash # feed reader, syncs with nextcloud
wike # gtk wikipedia wow!
unstable.furtherance # I made this one tehee track time utility
gnome.simple-scan # scannerMISC
Most of these apps, are part of the gnome circle, and I decide to install them if just for a try and play a little.
# sequeler # friendly SQL client
blanket # background noise
czkawka # duplicate finder
pika-backup # backups
# tilix # used to be my favourite terminal, but it's so outdated, that each time I use it less and less…
gnome-obfuscate # censor private information
metadata-cleaner # remove any metadata and geolocation from files
gnome-recipes # migrate these to mealie and delete
denaro # manage your finances
# celeste # sync tool for any cloud provider
libgda # for pano shell extensionMULTIMEDIA
Overwhelmingly player applications, used for videos and music, while most of my consumption has moved towards Danilo-flix, it's still worth the install of most of these, for now.
celluloid # video player
cozy # audiobooks player
gnome-podcasts # podcast player
handbrake # video converter, may be unnecessary
curtail # image compressor
pitivi # video editor
identity # compare images or videos
mousai # poor man shazam
tagger # tag music files
bottles # wine prefix manager
obs-studio # screen recorder & streamer
shortwave # listen to world radio
nextcloud-client # self-hosted google-drive alternativeWEB
Stuff that I use to interact with the web, web browsers, chats, download managers, etc.
discord # chat
telegram-desktop # furry chat
google-chrome # web browser with spyware included
firefox # web browser that allows to disable spyware
# librewolf # no spyware web browser
tor-browser-bundle-bin # dark web, so dark!
# hugo # website engine
nicotine-plus # remember Ares?
warp # never used, but supposedly cool for sharing files
HentaiAtHome # uh-oh
unpackerr # unpacks torrents...COMMAND-LINE PACKAGES
unstable.yt-dlp # downloads videos from most video websites
unstable.gallery-dl # similar to yt-dlp but for most image gallery websites
gdu # disk-space utility, somewhat useful
du-dust # rusty du
gocryptfs # encrypted filesystem! shhh!!!
exa # like ls but with colors
trashy # oop! didn't meant to delete that
rmlint # probably my favourite app, amazing dupe finder that integrates well with BTRFS
tldr # man for retards
vcsi # video thumbnails for torrents, can I replace it with ^?
tree-sitter # code parsing, required by Doom emacs
torrenttools # create torrent files from the terminal!
lm_sensors # for extension, displays cpu temp
# My own scripts
jawz_manage_library
jawz_tasks
(writeScriptBin "ffmpeg4discord" (builtins.readFile ./scripts/ffmpeg4discord.py))
(writeScriptBin "ffmpreg" (builtins.readFile ./scripts/ffmpreg.sh))
(writeScriptBin "chat-dl" (builtins.readFile ./scripts/chat-dl.sh))
(writeScriptBin "split_dir" (builtins.readFile ./scripts/split_dir.sh))
(writeScriptBin "pika_list" (builtins.readFile ./scripts/pika_list.sh))
(writeScriptBin "run" (builtins.readFile ./scripts/run.sh))DEVELOPMENT PACKAGES
# required by doom emacs, but still are rather useful.
fd # modern find, faster searches
fzf # fuzzy finder! super cool and useful
ripgrep # modern grep
# languagetool # proofreader for English. check if works without the service
graphviz # graphs
tetex
# these two are for doom everywhere
xorg.xwininfo
xdotool
# development environment
exercism # learn to code
# SH
bats # testing system, required by Exercism
bashdb # autocomplete
shellcheck # linting
shfmt # a shell parser and formatter
file # required by my tasks script?
xclip # manipulate clipboard from scripts
# NIX
nixfmt # linting
cachix # why spend time compiling?
# PYTHON.
python3 # base language
pipenv # python development workflow for humans
poetry # dependency management made easy
# C# & Rust
# omnisharp-roslyn # c# linter and code formatter
# HASKELL
# cabal-install # haskell interface
# JS
nodejs # not as bad as I thought
# jq # lintingHUNSPELL
These dictionaries work with Firefox, Doom Emacs and LibreOffice.
hunspell
hunspellDicts.it_IT
hunspellDicts.es_MX
hunspellDicts.en_CACUSTOMIZATION PACKAGES
Themes and other customization, making my DE look the way I want is one of the main draws of Linux for me.
# Themes
adw-gtk3
# gradience # theme customizer, allows you to modify adw-gtk3 themes
gnome.gnome-tweaks # tweaks for the gnome desktop environment
qgnomeplatform
# Fonts
(nerdfonts.override {
fonts = [ "Agave" "CascadiaCode" "SourceCodePro" "Ubuntu" "FiraCode" "Iosevka" ];
})
symbola
(papirus-icon-theme.override {
color = "adwaita";
})PYTHON
]) ++ (with pkgs.python3Packages; [
flake8 # wraper for pyflakes, pycodestyle and mccabe
isort # sort Python imports
nose # testing and running python scripts
pyflakes # checks source code for errors
pytest # framework for writing tests
speedtest-cli # check internet speed from the comand line
editorconfig # follow rules of contributin
black # Python code formatter
pylint # bug and style checker for python
(buildPythonApplication rec {
pname = "download";
version = "1.5";
src = ./scripts/download/.;
doCheck = false;
buildInputs = [ setuptools ];
propagatedBuildInputs =
[ pyyaml types-pyyaml ];
})
(buildPythonApplication rec {
pname = "ffpb";
version = "0.4.1";
src = fetchPypi {
inherit pname version;
sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk=";
};
doCheck = false;
buildInputs = [ setuptools ];
propagatedBuildInputs =
[ tqdm ];
})
# (buildPythonApplication rec {
# pname = "qbit_manage";
# version = "4.0.3";
# src = fetchPypi {
# inherit pname version;
# sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk=";
# };
# doCheck = true;
# buildInputs = [ setuptools ];
# propagatedBuildInputs =
# [ gitpython requests retrying ruamel-yaml schedule unstable.qbittorrent-api ];
# })BAT-EXTRAS
]) ++ (with pkgs.bat-extras; [
batman # man pages
batpipe # piping
batgrep # ripgrep
batdiff # this is getting crazy!
batwatch # probably my next best friend
prettybat # trans your sourcecode!GNOME EXTENSIONS
]) ++ (with pkgs.gnomeExtensions; [
appindicator # applets for open applications
gsconnect # sync data and notifications from your phone
freon # hardware temperature monitor
panel-scroll # scroll well to change workspaces
reading-strip # like putting a finger on every line I read
tactile # window manager
pano # clipboard manager
blur-my-shell # make the overview more visually appealing
# burn-my-windows
# forge # window manager
# ]) ++ (with unstable.pkgs.gnomeExtensions; [NODEJS PACKAGES
]) ++ (with pkgs.nodePackages; [
dockerfile-language-server-nodejs # LSP
bash-language-server # LSP
pyright # LSP
markdownlint-cli # Linter
prettier # Linter
pnpm # Package manager
]); }; }; # <--- end of package listMISC SETTINGS
ENABLE FONTCONFIG
If enabled, a Fontconfig configuration file will point to a set of default
fonts. If you don't care about running X11 applications or any other program
that uses Fontconfig, you can turn this option off and prevent a dependency on
all those fonts.
tip once that Wayland is ready for deployment, I probably can remove this
setting.
fonts.fontconfig.enable = true;HOME-MANAGER
HOME-MANAGER SETTINGS
These make it so packages install to '/etc' rather than the user home directory, also allow for upgrades when rebuilding the system.
home-manager.useUserPackages = true;
home-manager.useGlobalPkgs = true;PACKAGES
home-manager.users.jawz = { config, pkgs, ... }:{
home.stateVersion = VERSION;
home.packages = with pkgs; [ ];DOTFILES
BASH
programs.bash = {
enable = true;
historyFile = "\${XDG_STATE_HOME}/bash/history";
historyControl = [ "erasedups" ];
shellAliases = {
ls = "exa --icons --group-directories-first --no-permissions --no-user --no-time";
edit = "emacsclient -t";
comic = "download -u jawz -i $(cat $LC | fzf --multi --exact -i)";
gallery = "download -u jawz -i $(cat $LW | fzf --multi --exact -i)";
open_gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl && xdg-open $(fd . ./ Husbands -tdirectory -d 1 | fzf -i)";
unique_extensions = "fd -tf | rev | cut -d. -f1 | rev | tr '[:upper:]' '[:lower:]' | sort | uniq --count | sort -rn";
cp = "cp -i";
mv = "mv -i";
mkcd = "mkdir -pv \"$1\" && cd \"$1\" || exit";
mkdir = "mkdir -p";
rm = "trash";
".." = "cd ..";
"..." = "cd ../..";
".3" = "cd ../../..";
".4" = "cd ../../../..";
".5" = "cd ../../../../..";
dl = "download -u jawz -i";
e = "edit";
c = "cat";
f = "fzf --multi --exact -i";
sc = "systemctl --user";
jc = "journalctl --user -xefu";
};
enableVteIntegration = true;
initExtra = ''/home/jawz/.local/bin/pokemon-colorscripts -r --no-title
# Lists
list_root=${config.home.homeDirectory}/.config/jawz/lists/jawz
export LW=$list_root/watch.txt
export LI=$list_root/instant.txt
export LC=$list_root/comic.txt
export command_timeout=30
# GPG_TTY=$(tty)
# export GPG_TTY
if command -v fzf-share >/dev/null; then
source "$(fzf-share)/key-bindings.bash"
source "$(fzf-share)/completion.bash"
fi
nixos-reload () {
local nix_file="$HOME/Development/NixOS/configuration.nix"
local hardware_file="$HOME/Development/NixOS/hardware-configuration.nix"
nixfmt "$nix_file" && nixfmt "$hardware_file"
sudo nixos-rebuild switch -I nixos-config="$nix_file"
} '';
};OTHER
programs = {
direnv = {
enable = true;
enableBashIntegration = true;
nix-direnv.enable = true;
};
bat = {
enable = true;
config = {
pager = "less -FR";
theme = "base16"; };
};
git = {
enable = true;
userName = "Danilo Reyes";
userEmail = "CaptainJawZ@outlook.com";
};
htop = {
enable = true;
package = pkgs.htop-vim;
};
};XDG
xdg = {
enable = true;
userDirs = {
enable = true;
# createDirectories = true;
desktop = "${config.home.homeDirectory}";
documents = "${config.home.homeDirectory}/Documents";
download = "${config.home.homeDirectory}/Downloads";
music = "${config.home.homeDirectory}/Music";
pictures = "${config.home.homeDirectory}/Pictures";
# publicShare = "${config.home.homeDirectory}/.local/hd/Public";
templates = "${config.home.homeDirectory}/.local/share/Templates";
videos = "${config.home.homeDirectory}/Videos";
};
configFile = {
"wgetrc".source = ./dotfiles/wget/wgetrc;
"configstore/update-notifier-npm-check.json".source = ./dotfiles/npm/update-notifier-npm-check.json;
"npm/npmrc".source = ./dotfiles/npm/npmrc;
"gallery-dl/config.json".source = ./dotfiles/gallery-dl/config.json;
"htop/htoprc".source = ./dotfiles/htop/htoprc;
};
};USER-SERVICES
services = {
lorri.enable = true;
emacs = {
enable = true;
defaultEditor = true;
package = pkgs.emacs;
};
};CLOSING HOME-MANAGER
};ENVIRONMENT PACKAGES
These are a MUST to ensure the optimal function of nix, without these, recovery may be challenging.
environment.systemPackages = with pkgs; [
wget
docker-compose # easy way to migrate my docker anywhere!
jellyfin-ffmpeg # coolest video converter!
dlib
];ENVIRONMENT VARIABLES
environment.variables = rec {
# PATH
XDG_CACHE_HOME = "\${HOME}/.cache";
XDG_CONFIG_HOME = "\${HOME}/.config";
XDG_BIN_HOME = "\${HOME}/.local/bin";
XDG_DATA_HOME = "\${HOME}/.local/share";
XDG_STATE_HOME = "\${HOME}/.local/state";
# DEV PATH
CABAL_CONFIG = "\${XDG_CONFIG_HOME}/cabal/config";
CABAL_DIR = "\${XDG_CACHE_HOME}/cabal";
CARGO_HOME = "\${XDG_DATA_HOME}/cargo";
GEM_HOME = "\${XDG_DATA_HOME}/ruby/gems";
GEM_PATH = "\${XDG_DATA_HOME}/ruby/gems";
GEM_SPEC_CACHE = "\${XDG_DATA_HOME}/ruby/specs";
GOPATH = "\${XDG_DATA_HOME}/go";
NPM_CONFIG_USERCONFIG = "\${XDG_CONFIG_HOME}/npm/npmrc";
PNPM_HOME = "\${XDG_DATA_HOME}/pnpm";
# OPTIONS
# HISTFILE = "\${XDG_STATE_HOME}/bash/history";
LESSHISTFILE = "-";
GHCUP_USE_XDG_DIRS = "true";
RIPGREP_CONFIG_PATH = "\${XDG_CONFIG_HOME}/ripgrep/ripgreprc";
ELECTRUMDIR = "\${XDG_DATA_HOME}/electrum";
VISUAL = "emacsclient -ca emacs";
WGETRC = "\${XDG_CONFIG_HOME}/wgetrc";
XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose";
"_JAVA_OPTIONS" = "-Djava.util.prefs.userRoot=\${XDG_CONFIG_HOME}/java";
DOCKER_CONFIG="\${XDG_CONFIG_HOME}/docker";
# NVIDIA
CUDA_CACHE_PATH = "\${XDG_CACHE_HOME}/nv";
# WEBKIT_DISABLE_COMPOSITING_MODE = "1";
# GBM_BACKEND = "nvidia-drm";
# "__GLX_VENDOR_LIBRARY_NAME" = "nvidia";
# Themes
# GTK_THEME = "Adwaita:light";
# QT_QPA_PLATFORMTHEME = "adwaita";
# QT_STYLE_OVERRIDE = "adwaita";
CALIBRE_USE_SYSTEM_THEME = "1";
PATH = [
"\${HOME}/.local/bin"
"\${XDG_CONFIG_HOME}/emacs/bin"
"\${XDG_DATA_HOME}/npm/bin"
"\${XDG_DATA_HOME}/pnpm"
];
};DOCKER
Virtualization settings for Docker. NixOS offers an option to declaratively run docker-compose images using Arion. Could be an interesting thing to try out.
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableNvidia = true;
};SNAPRAID
It's a parity raid utility which creates a scheme similar to what UNRAID offered, except not in real time, I schedule it to run every night, so it keeps my files sync, while it is possible to use snapraid as a solution to keep a historic backup of your files, I am more concerned with the whole disk recovery in case of failure, as such a frequent sync fits my preferences.
snapraid = {
enable = true;
touchBeforeSync = true;
sync.interval = "02:00";
scrub = {
plan = 10;
olderThan = 10;
interval = "4:00";
};
parityFiles = [
"/mnt/parity/snapraid.parity"
];
extraConfig = ''
autosave 5000
'';
exclude = [
"/tmp/"
"/lost+found/"
"/multimedia/downloads/"
"/scrapping/nextcloud/"
"/backups/"
"/glue/Spankbank/____UNORGANIZED/Chaturbate/"
"/nextcloud/nextcloud.log"
];
dataDisks = {
d1 = "/mnt/disk1/";
d2 = "/mnt/disk2/";
};
contentFiles = [
"/var/snapraid.content"
"/mnt/disk1/snapraid.content"
"/mnt/disk2/snapraid.content"
];
};SYSTEM PROGRAMS & SERVICES
Some programs get enabled and installed through here, as well as the activation of some services.
programs = {
starship.enable = true;
fzf.fuzzyCompletion = true;
neovim = {
enable = true;
vimAlias = true;
};
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
geary = {
enable = true;
};
steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
msmtp = {
enable = true;
accounts.default = {
auth = true;
host = "smtp.gmail.com";
port = 587;
tls = true;
from = "stunner6399@gmail.com";
user = "stunner6399@gmail.com";
password = "eqyctcgjdykqeuwt";
};
};
};
services = {
prowlarr.enable = true;
# vaultwarden.enable = true;
kavita = {
enable = true;
tokenKeyFile = "${pkgs.writeText "kavitaToken" "A\u002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjj\u002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
};
sonarr = {
enable = true;
group = "piracy";
};
radarr = {
enable = true;
package = unstable.pkgs.radarr;
group = "piracy";
};
bazarr = {
enable = true;
group = "piracy";
};
jellyfin = {
enable = true;
group = "piracy";
};
minidlna = {
enable = true;
openFirewall = true;
settings.media_dir = [
"/mnt/disk2/glue"
];
};
nextcloud = {
enable = true;
https = true;
package = pkgs.nextcloud26;
appstoreEnable = true;
configureRedis = true;
maxUploadSize = "512M";
extraAppsEnable = true;
enableImagemagick = true;
hostName = "cloud.servidos.lat";
config = {
adminpassFile = "${pkgs.writeText "adminpass" "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
overwriteProtocol = "https";
defaultPhoneRegion = "MX";
dbtype = "pgsql";
dbuser = "nextcloud";
dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
dbtableprefix = "oc_";
dbname = "nextcloud";
trustedProxies = [ "nginx" ];
extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
phpOptions = {
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "128M";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
short_open_tag = "Off";
};
extraOptions = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
"installed" = true;
"memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
enabledPreviewProviders = [
"OC\\Preview\\Image"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
"OC\\Preview\\Movie"
];
};
phpExtraExtensions = all: [ all.pdlib all.bz2 ];
};
postgresql = {
enable = true;
ensureDatabases = [ "paperless" "nextcloud" "mealie" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
{
name = "paperless";
ensurePermissions = {
"DATABASE paperless" = "ALL PRIVILEGES";
};
}
{
name = "mealie";
ensurePermissions = {
"DATABASE mealie" = "ALL PRIVILEGES";
};
}
];
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
printing = {
enable = true;
drivers = [ pkgs.hplip pkgs.hplipWithPlugin ];
};
avahi.enable = true;
avahi.nssmdns = true;
fstrim.enable = true;
btrfs.autoScrub = {
enable = true;
fileSystems = [
"/"
"/mnt/disk1"
"/mnt/disk2"
];
};
openssh = {
enable = true;
ports = [ 25152 ];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
startWhenNeeded = true;
listenAddresses = [
{
addr = "0.0.0.0";
port = 25152;
}
];
};
emacs = {
enable = true;
defaultEditor = true;
package = pkgs.emacs;
};
};SYSTEMD
Home-manager, is not as flushed out when it comes to creating systemd units, so the best way to define them for now, is using nix.
systemd.services = {
# "docker-compose" = {
# enable = true;
# restartIfChanged = true;
# description = "Start docker-compose servers";
# after = [ "docker.service" "docker.socket" ];
# requires = [ "docker.service" "docker.socket" ];
# wantedBy = [ "default.target" ];
# environment = {
# FILE = "/home/jawz/Development/Docker/docker-compose.yml";
# };
# path = [
# pkgs.docker-compose
# ];
# serviceConfig = {
# Restart = "on-failure";
# RestartSec = 30;
# ExecStart = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
# ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
# };
# };
# "nextcloud_scrapsync" = {
# description = "Sync scrapped files with nextcloud";
# wantedBy = [ "default.target" ];
# path = [
# pkgs.bash
# jawz_nextcloud_scrapsync
# ];
# serviceConfig = {
# RestartSec = 30;
# ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync";
# };
# };
# "nextcloud_previews" = {
# description = "Generate previews";
# wantedBy = [ "default.target" ];
# path = [
# pkgs.nextcloud26
# ];
# serviceConfig = {
# RestartSec = 30;
# ExecStart = "${pkgs.nextcloud26}/occ preview:pre-generate";
# };
# };
};
systemd.timers = {
# "nextcloud_scrapsync" = {
# enable = true;
# description = "Sync scrapped files with nextcloud";
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnCalendar= [
# "*-*-* 01:32:00"
# "*-*-* 08:32:00"
# "*-*-* 14:32:00"
# "*-*-* 20:32:00"
# ];
# RandomizedDelaySec = 30;
# Persistent = true;
# };
# };
# "nextcloud_previews" = {
# enable = true;
# description = "Generate previews";
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnCalendar = "*:0/10";
# };
# };
};
systemd.user.services = {
"HentaiAtHome" = {
enable = true;
restartIfChanged = true;
description = "Run hentai@home server";
wantedBy = [ "default.target" ];
path = [
pkgs.HentaiAtHome
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
WorkingDirectory="/mnt/hnbox";
ExecStart = "${pkgs.HentaiAtHome}/bin/HentaiAtHome";
};
};
"manage_library" = {
enable = true;
restartIfChanged = true;
description = "Run the manage library bash script";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
pkgs.nix
jawz_manage_library
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawz_manage_library}/bin/manage_library";
};
};
"tasks" = {
restartIfChanged = true;
description = "Run a tasks script which keeps a lot of things organized";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
pkgs.nix
jawz_tasks
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawz_tasks}/bin/tasks";
};
};
"update_dns" = let jawz_update_dns = pkgs.writeScriptBin
"update_dns" (builtins.readFile ./scripts/update_dns.sh); in {
restartIfChanged = true;
description = "update DNS of my websites";
wantedBy = [ "default.target" ];
path = [
pkgs.curl
pkgs.bash
jawz_update_dns
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawz_update_dns}/bin/update_dns";
};
};
};
systemd.user.timers = {
"tasks" = {
enable = true;
description = "Run a tasks script which keeps a lot of things organized";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10";
};
};
"update_dns" = {
enable = true;
description = "update DNS of my websites";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "6h";
};
};
};FIREWALL
Open ports in the firewall.
TIP list what app a port belongs to in a table.
networking = {
firewall = let
open_firewall_ports = [
80 # http
443 # https
6969 # HentaiAtHome
25152 # ssh
];
open_firewall_port_ranges = [
{ from = 1714; to = 1764; } # kdeconnect
];
in
{
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
allowedTCPPortRanges = open_firewall_port_ranges;
allowedUDPPortRanges = open_firewall_port_ranges;
};
};
# networking.firewall.enable = false;FINAL SYSTEM CONFIGURATIONS
The first setting creates a copy the NixOS configuration file and link it from the resulting system (/run/current-system/configuration.nix). This is useful in case you accidentally delete configuration.nix.
The version value determines the NixOS release from which the default settings for stateful data, like file locations and database versions on your system. It‘s perfectly fine and recommended to leave this value at the release version of the first install of this system.
Lastly I configure in here Cachix repositories, which is a website that keeps a cache of nixbuilds for easy quick deployments without having to compile everything from scratch.
system = {
copySystemConfiguration = true;
stateVersion = VERSION;
};
nix = {
settings = {
substituters = [
"https://nix-gaming.cachix.org"
"https://nixpkgs-python.cachix.org"
"https://devenv.cachix.org"
"https://cuda-maintainers.cachix.org"
];
trusted-public-keys = [
"nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
"nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
"cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
];
};
gc = {
automatic = true;
dates = "weekly";
};
};CLOSING :D
That super pesky closing bracket.
}