nyanloutre
/
nixos-config
1
1
Fork 1
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: nyanloutre:master
Branches Tags
nyanloutre:master
nyanloutre:transmission-patch
vskilet:master
..
compare: vskilet:master
Branches Tags
vskilet:master
nyanloutre:master
nyanloutre:transmission-patch

No commits in common. "master" and "master" have entirely different histories.
master ... master

37 changed files with 1381 additions and 2093 deletions
Show Stats Expand all files Collapse all files

49
containers/vsftpd.nix Normal file
View File

@ -0,0 +1,49 @@
{ config, pkgs, ... }:
{
containers.vsftpd = {
autoStart = true;
config =
{ config, pkgs, ... }:
{
nixpkgs.overlays = [
(import ../overlays/vsftpd.nix)
];
services.vsftpd = {
enable = true;
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
userlistDeny = false;
localUsers = true;
userlist = ["claire" "manu"];
rsaCertFile = "/var/vsftpd/vsftpd.pem";
extraConfig = ''
pasv_min_port=64000
pasv_max_port=65535
local_root=/mnt/medias
'';
};
users.extraUsers = {
claire = {
isNormalUser = true;
hashedPassword = "$6$Mu47EjsbNTewDkRp$XeQh6rcdvb3BUXzsGqekKImLTrMgnN0VyERoSbpI4rMPlx8oHM9NNeHZtfIiLEaZGtQ9otnbLa54jYse5Iwev1";
description = "Claire TREHIOU";
};
manu = {
isNormalUser = true;
hashedPassword = "$6$YGNIdGEclo$JcUotBS6hqlpENjjUeYhDjtrwxu10oARF4Nq4tEo072Sumr3Rl/w3ZXSHI5/3RxfvUMmJ4ulUVctBLhwrqP.g0";
description = "Emmanuel ZENNER";
};
};
};
bindMounts = {
"/var/vsftpd/vsftpd.pem" = {
hostPath = "/var/vsftpd/vsftpd.pem";
};
"/mnt/medias" = {
hostPath = "/mnt/medias";
};
};
};
}

179
flake.lock
View File

@ -1,179 +0,0 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"dogetipbot-telegram": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1686669604,
"narHash": "sha256-xoPWq1PMEGauyZfVDx85kWERWlCZ2KWgFZSw7Fdx7Ns=",
"owner": "nyanloutre",
"repo": "dogetipbot-telegram",
"rev": "d7970444d7b9b602b55aa67f5e593d41e97d12cf",
"type": "gitlab"
},
"original": {
"owner": "nyanloutre",
"ref": "master",
"repo": "dogetipbot-telegram",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"ipmihddtemp": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1635966341,
"narHash": "sha256-Y70jZPL3/fY8SzkPnpw9Ta411zbbkJ1D3qOYJ76zuIA=",
"owner": "nyanloutre",
"repo": "ipmihddtemp",
"rev": "6fe5d14f588956dfff89716f81b8101c7a94cd6d",
"type": "gitlab"
},
"original": {
"owner": "nyanloutre",
"ref": "master",
"repo": "ipmihddtemp",
"type": "gitlab"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1727672256,
"narHash": "sha256-9/79hjQc9+xyH+QxeMcRsA6hDyw6Z9Eo1/oxjvwirLk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1719f27dd95fd4206afb9cec9f415b539978827e",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1727802920,
"narHash": "sha256-HP89HZOT0ReIbI7IJZJQoJgxvB2Tn28V6XS3MNKnfLs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "27e30d177e57d912d614c88c622dcfdb2e6e6515",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"dogetipbot-telegram": "dogetipbot-telegram",
"ipmihddtemp": "ipmihddtemp",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs-unstable"
],
"nixpkgs-24_05": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1718084203,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-24.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

86
flake.nix
View File

@ -1,86 +0,0 @@
{
inputs = {
nixpkgs.url = "flake:nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "flake:nixpkgs/nixos-unstable";
simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
inputs = {
nixpkgs.follows = "nixpkgs-unstable";
nixpkgs-24_05.follows = "nixpkgs";
};
};
dogetipbot-telegram = {
url = "gitlab:nyanloutre/dogetipbot-telegram/master";
inputs.nixpkgs.follows = "nixpkgs";
};
ipmihddtemp = {
url = "gitlab:nyanloutre/ipmihddtemp/master";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, nixpkgs-unstable, simple-nixos-mailserver, dogetipbot-telegram, ipmihddtemp }: {
packages.x86_64-linux = (import ./pkgs nixpkgs.legacyPackages.x86_64-linux);
nixosConfigurations.paul-fixe = nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux";
modules = [
nixpkgs-unstable.nixosModules.notDetected
{
nixpkgs.config.allowUnfree = true;
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
registry = {
nixpkgs.to = {
type = "path";
path = nixpkgs-unstable.legacyPackages.x86_64-linux.path;
};
};
};
}
./systems/PC-Fixe/configuration.nix
];
};
nixosConfigurations.loutreos = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit nixpkgs-unstable; };
modules = [
nixpkgs-unstable.nixosModules.notDetected
simple-nixos-mailserver.nixosModule
dogetipbot-telegram.nixosModule
ipmihddtemp.nixosModule
{
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
registry = {
nixpkgs.to = {
type = "path";
path = nixpkgs.legacyPackages.x86_64-linux.path;
};
};
};
systemd.services.watcharr = {
description = "Watcharr";
after = [ "network.target" ];
environment = {
PORT = "3005";
WATCHARR_DATA = "/var/lib/watcharr";
};
serviceConfig = {
DynamicUser = true;
StateDirectory = "watcharr";
ExecStart = "${self.packages.x86_64-linux.watcharr}/bin/Watcharr";
PrivateTmp = true;
};
wantedBy = [ "multi-user.target" ];
};
}
./systems/LoutreOS/configuration.nix
];
};
};
}

9
overlays/dogetipbot-telegram.nix Normal file
View File

@ -0,0 +1,9 @@
self: super:
{
dogetipbot-telegram = super.callPackage (super.fetchgit {
url = "https://gitlab.com/nyanloutre/dogetipbot-telegram.git";
rev = "3bf1c89aaccded42ce41452c72f7ebf6d4d056ca";
sha256 = "1gd1wi054ihbxanvj1ac7mz5ghnxab89a0r3i4hy482sglbxqcih";
}) { pkgs = self; };
}

18
overlays/ledger-udev-rules.nix Normal file
View File

@ -0,0 +1,18 @@
self: super:
{
ledger-udev-rules = super.writeTextFile {
name = "ledger-udev-rules";
text = ''
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="2b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="3b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="4b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1807", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1808", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
'';
destination = "/etc/udev/rules.d/99-ledger.rules";
};
}

22
overlays/neovim.nix Normal file
View File

@ -0,0 +1,22 @@
self: super:
{
neovim = super.neovim.override {
viAlias = true;
vimAlias = true;
configure = {
customRC = ''
set shiftwidth=2
set softtabstop=2
set expandtab
set background=dark
'';
packages.myVimPackage = with super.vimPlugins; {
start = [
vim-startify airline sensible
polyglot ale fugitive
];
opt = [ ];
};
};
};
}

13
overlays/riot-web.nix Normal file
View File

@ -0,0 +1,13 @@
self: super:
{
riot-web = super.riot-web.override {
conf = ''
{
"default_hs_url": "https://matrix.nyanlout.re",
"default_is_url": "https://vector.im",
"brand": "Nyanloutre",
"default_theme": "dark"
}
'';
};
}

6
overlays/sudo.nix Normal file
View File

@ -0,0 +1,6 @@
self: super:
{
sudo = super.sudo.override {
withInsults = true;
};
}

8
overlays/transmission.nix
View File

@ -1,8 +0,0 @@
self: super:
{
transmission = (super.transmission.overrideAttrs (oA: {
patches = [];
})).override {
openssl = super.openssl_legacy;
};
}

6
overlays/vsftpd.nix Normal file
View File

@ -0,0 +1,6 @@
self: super:
{
vsftpd = super.vsftpd.override {
sslEnable = true;
};
}

3
pkgs/default.nix
View File

@ -1,3 +0,0 @@
pkgs: {
watcharr = pkgs.callPackage ./watcharr { };
}

30
pkgs/site-max/default.nix Normal file
View File

@ -0,0 +1,30 @@
{ lib, stdenv, fetchFromGitHub, sassc }:
stdenv.mkDerivation rec {
name= "site-max-${version}";
version = "1.0.1";
src = fetchFromGitHub {
owner = "nyanloutre";
repo = "site-max";
rev = "85e30457291e6a1dfe85a5d7a78f226657bad279";
sha256 = "0fj5w43gcvp0gq0xlknrf6yp0b48wg01686wp02fjc9npm424g0v";
};
buildPhase = ''
${sassc}/bin/sassc -m auto -t compressed scss/creative.scss css/creative.css
'';
installPhase = ''
mkdir -p $out/
cp -R . $out/
'';
meta = {
description = "Site de présentation de Max Spiegel";
homepage = https://maxspiegel.fr/;
maintainers = with stdenv.lib.maintainers; [ nyanloutre ];
license = stdenv.lib.licenses.cc-by-nc-sa-40;
platforms = stdenv.lib.platforms.all;
};
}

64
pkgs/watcharr/default.nix
View File

@ -1,64 +0,0 @@
{ lib
, pkgs
, buildGoModule
, fetchFromGitHub
, buildNpmPackage
, nixosTests
, caddy
, testers
, installShellFiles
, stdenv
}:
let
version = "1.41.0";
src = fetchFromGitHub {
owner = "sbondCo";
repo = "Watcharr";
rev = "v${version}";
hash = "sha256-ZvCxgfZZ9pbp+NvH+IhWphJWnAwgAH0x/REPd/XxJ70=";
};
frontend = buildNpmPackage {
pname = "watcharr-ui";
inherit version src;
npmDepsHash = "sha256-73paI0y4QyzkEnU99f1HeLD/hW8GP3F9N8tGGQnloH8=";
installPhase = ''
cp -r build $out
cp package.json package-lock.json $out
cd $out && npm ci --omit=dev
'';
};
in
buildGoModule {
pname = "watcharr";
inherit version;
src = src + "/server";
vendorHash = "sha256-86pFpS8ZSj+c7vwn0QCwzXlvVYJIf3SBj4X81zlwBWQ=";
# Inject frontend assets into go embed
prePatch = ''
# rm -rf ui
# ln -s ${frontend} ui
substituteInPlace watcharr.go \
--replace-fail ui/index.js ${frontend}/index.js \
--replace-fail \"127.0.0.1:3000\" "\"127.0.0.1:\"+os.Getenv(\"PORT\")"
'';
buildInputs = [ pkgs.makeWrapper ];
postFixup = ''
wrapProgram "$out/bin/Watcharr" --prefix PATH : "${lib.makeBinPath [ pkgs.nodejs ]}"
'';
meta = with lib; {
homepage = "https://watcharr.app/";
description = "Open source, self-hostable watched list for all your content with user authentication, modern and clean UI and a very simple setup";
license = licenses.asl20;
# mainProgram = "caddy";
maintainers = with maintainers; [ nyanloutre ];
};
}

44
services/auto-pr.nix Normal file
View File

@ -0,0 +1,44 @@
{lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.auto-pr;
in
{
options.services.auto-pr = {
enable = mkEnableOption "Cron job PR mise à jour automatique";
};
config = mkIf cfg.enable {
systemd.services.auto-pr-bot = {
description = "Création d'un PR si mise à jour";
requires = ["network-online.target"];
environment = { HOME = "/var/lib/auto-pr-bot"; };
serviceConfig = {
DynamicUser = true;
CacheDirectory = "auto-pr-bot";
StateDirectory = "auto-pr-bot";
Type = "oneshot";
ExecStart = with pkgs;
let env = python3Packages.python.buildEnv.override {
extraLibs = [ python3Packages.PyGithub python3Packages.pyjwt python3Packages.colorama ];
ignoreCollisions = true;
};
in "${pkgs.writeShellScriptBin "run.sh" ''
${env}/bin/python ${pkgs.writeScript "pr-autobot.py" "${readFile ./pr-autobot.py}"} --private-key /var/lib/auto-pr-bot/private-key.pem --app-id 19565 --installation-id 407088 --repo nyanloutre/nixpkgs --cache-dir /var/cache/auto-pr-bot
''}/bin/run.sh";
};
};
systemd.timers.auto-pr-bot = {
description = "Timer auto PR bot";
requires = ["network-online.target"];
wantedBy = ["multi-user.target"];
timerConfig = { OnCalendar = "daily"; Unit = "auto-pr-bot.service"; };
};
};
}

149
services/haproxy-acme.nix Normal file
View File

@ -0,0 +1,149 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.haproxy-acme;
nginx_port = 54321;
haproxyConf = ''
global
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
option forwardfor
option http-server-close
timeout client 10s
timeout connect 4s
timeout server 30s
userlist LOUTRE
user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
frontend public
bind :::80 v4v6
bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
mode http
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
acl haproxy-acl path_beg /haproxy
redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
http-response set-header Strict-Transport-Security max-age=15768000
use_backend letsencrypt-backend if letsencrypt-acl
use_backend haproxy_stats if haproxy-acl
${concatStrings (
mapAttrsToList (name: value:
" acl ${name}-acl hdr(host) -i ${name}\n"
+ " use_backend ${name}-backend if ${name}-acl\n"
) cfg.services)}
backend letsencrypt-backend
mode http
server letsencrypt 127.0.0.1:${toString nginx_port}
backend haproxy_stats
mode http
stats enable
stats hide-version
acl AuthOK_LOUTRE http_auth(LOUTRE)
http-request auth realm LOUTRE if !AuthOK_LOUTRE
${concatStrings (
mapAttrsToList (name: value:
''
backend ${name}-backend
mode http
${(
if value.socket == "" then
''
server ${name} ${value.ip}:${toString value.port}
''
else
''
server ${name} ${value.socket}
''
)}
${(if value.auth then (
value.extraAcls
+ ''
acl AUTH_OK http_auth(LOUTRE)
http-request auth realm LOUTRE if ${value.aclBool}
''
) else "")}
''
) cfg.services)}
'';
in
{
options.services.haproxy-acme = {
enable = mkEnableOption "HAproxy + ACME";
domaine = mkOption {
type = types.string;
example = "example.com";
description = ''
Sous domaine à utiliser
Il est necessaire d'avoir un enregistrement pointant sur la wildcard de ce domaine vers le serveur
'';
};
services = mkOption {
type = with types; attrsOf (submodule { options = {
ip = mkOption { type = str; description = "IP address"; };
port = mkOption { type = int; description = "Port number"; };
socket = mkOption { type = str; description = "Emplacement du socket"; default = ""; };
auth = mkOption { type = bool; description = "Enable authentification"; default = false; };
extraAcls = mkOption { type = str; description = "ACL HaProxy suplémentaires"; default = ""; };
aclBool = mkOption { type = str; description = "Logique d'authentification"; default = "!AUTH_OK"; };
}; });
example = ''
haproxy_backends = {
example = { ip = "127.0.0.1"; port = 1234; auth = false; };
};
'';
description = "Liste des noms de domaines associés à leur backend";
};
};
config = mkIf cfg.enable {
services.haproxy.enable = true;
services.haproxy.config = haproxyConf;
services.nginx.enable = true;
services.nginx.virtualHosts = {
"acme" = {
listen = [ { addr = "127.0.0.1"; port = nginx_port; } ];
locations = { "/" = { root = "/var/www/challenges"; }; };
};
};
security.acme.certs = {
${cfg.domaine} = {
extraDomains = mapAttrs' (name: value:
nameValuePair ("${name}") (null)
) cfg.services;
webroot = "/var/www/challenges";
email = "paul@nyanlout.re";
user = "haproxy";
group = "haproxy";
postRun = ''
systemctl reload haproxy.service
'';
};
};
security.acme.directory = "/var/lib/acme";
networking.firewall.allowedTCPPorts = [
80 443
];
};
}

67
services/mail-server.nix Normal file
View File

@ -0,0 +1,67 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.mailserver;
in
{
options.services.mailserver = {
enable = mkEnableOption "Mail Server";
domaine = mkOption {
type = types.string;
example = "example.com";
description = "Nom de domaine du serveur de mails";
};
};
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz";
sha256 = "0gqzgy50hgb5zmdjiffaqp277a68564vflfpjvk1gv6079zahksc";
})
];
config = mkIf cfg.enable {
mailserver = {
enable = true;
fqdn = "mail.${cfg.domaine}";
domains = [ cfg.domaine ];
# A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password"
loginAccounts = {
"paul@${cfg.domaine}" = {
hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
};
};
# Certificate setup
certificateScheme = 1;
certificateFile = "/var/lib/acme/${cfg.domaine}/fullchain.pem";
keyFile = "/var/lib/acme/${cfg.domaine}/key.pem";
# Enable IMAP and POP3
enableImap = true;
enablePop3 = true;
enableImapSsl = true;
enablePop3Ssl = true;
# Enable the ManageSieve protocol
enableManageSieve = true;
};
security.acme.certs = {
"${cfg.domaine}" = {
extraDomains = {
"mail.${cfg.domaine}" = null;
};
postRun = ''
systemctl reload dovecot2.service
'';
};
};
};
}

74
services/pr-autobot.py Executable file
View File

@ -0,0 +1,74 @@
#!/usr/bin/env python
import jwt, time, urllib.request, json, datetime, argparse, sys, textwrap
from github import Github
from colorama import Fore, Style
from time import sleep
parser = argparse.ArgumentParser(description='Create PR to update nixpkgs fork')
parser.add_argument('--private-key')
parser.add_argument('--app-id')
parser.add_argument('--installation-id')
parser.add_argument('--repo')
parser.add_argument('--cache-dir')
args = vars(parser.parse_args())
channel_req = urllib.request.Request(url='https://nixos.org/channels/nixos-18.09/git-revision')
latest_commit = urllib.request.urlopen(channel_req).read().decode('utf-8')
try:
previous_commit = open(args['cache_dir'] + '/git-revision', 'r').read()
except FileNotFoundError:
open(args['cache_dir'] + '/git-revision', 'w').write(latest_commit)
print("Premier lancement, le hash du dernier commit à été sauvegardé")
sys.exit(0)
print("Dernier commit : " + latest_commit)
print("Commit précédent : " + previous_commit)
if latest_commit != previous_commit:
bearer_token = jwt.encode({
'iat': int(time.time()),
'exp': int(time.time()) + (10 * 60),
'iss': args['app_id']
},
open(args['private_key'],"r").read(),
algorithm='RS256')
req = urllib.request.Request(url='https://api.github.com/app/installations/' +
args['installation_id'] +
'/access_tokens',
method='POST')
req.add_header('Authorization', 'Bearer ' + bearer_token.decode('utf-8'))
req.add_header('Accept', 'application/vnd.github.machine-man-preview+json')
token = json.loads(urllib.request.urlopen(req).read().decode('utf-8'))['token']
g = Github(token)
repo = g.get_repo(args['repo'])
branch = "upgrade-" + datetime.datetime.now().strftime('%Y-%m-%d') + '-' + latest_commit[:11];
repo.create_git_ref('refs/heads/' + branch, latest_commit)
pr_message = textwrap.dedent("""\
### Pull request automatique
### Avancement mise à jour
- [ ] Fusionner la branche
""")
pr = repo.create_pull(title=branch, body=pr_message, base='nixos-18.09', head=branch)
print("Pull request numéro " + str(pr.number) + " créée")
print("URL : " + pr.html_url)
while pr.mergeable == None:
pr = repo.get_pull(pr.number)
sleep(1)
pr.edit(body = pr.body + "\n- [ ] Exécuter `nixos-rebuild -I nixpkgs=https://github.com/nyanloutre/nixpkgs/archive/" + pr.merge_commit_sha + ".tar.gz switch`")
print("État : " + ((Fore.GREEN + "Fusionnable") if pr.mergeable else (Fore.RED + "Conflit")) + Style.RESET_ALL)
open(args['cache_dir'] + '/git-revision', 'w').write(latest_commit)
else:
print(Fore.GREEN + "Aucun changement détecté" + Style.RESET_ALL)

12
services/python-ci.nix
View File

@ -12,14 +12,6 @@ in
config = mkIf cfg.enable {
users.users = {
python-ci = {
isSystemUser = true;
group = "nogroup";
description = "Python CI user";
};
};
systemd.services.python-ci = {
description = "CI Nix en Python";
requires = ["network-online.target"];
@ -27,13 +19,13 @@ in
environment = { HOME = "/var/lib/python-ci"; NIX_PATH = concatStringsSep ":" config.nix.nixPath; NIXPKGS_ALLOW_UNFREE = "1";};
path = with pkgs;[ nix gnutar gzip ];
serviceConfig = {
User = "python-ci";
DynamicUser = true;
StateDirectory = "python-ci";
RuntimeDirectory = "python-ci";
RuntimeDirectoryPreserve = "yes";
ExecStart = with pkgs;
let env = python3Packages.python.buildEnv.override {
extraLibs = with python3Packages;[ pyramid python-gitlab setuptools ];
extraLibs = with python3Packages;[ pyramid python-gitlab ];
ignoreCollisions = true;
};
in "${pkgs.writeShellScriptBin "run.sh" ''

33
services/python-ci.py
View File

@ -13,8 +13,6 @@ from gitlab import Gitlab
import urllib.request
import json
import argparse
import hmac
import hashlib
def gitlab_build(payload, gl):
@ -114,33 +112,23 @@ def gitea_build(payload, token):
route_name="gitea_payload", renderer="json", request_method="POST"
)
class GiteaHook(object):
def __init__(self, request):
self.payload = request.json
self.whitelist = ['nyanloutre/site-musique', 'nyanloutre/site-max']
self.gitea_token = open(args.gitea_token, 'r').readline().strip()
@view_config(header=["X-Gitea-Event:push", "X-Gitea-Signature"], check_hmac=True)
def __init__(self, request):
self.request = request
self.payload = self.request.json
self.whitelist = ['nyanloutre/site-musique', 'nyanloutre/site-max']
self.secret = open(args.secret, 'r').readline().splitlines()[0]
self.gitea_token = open(args.gitea_token, 'r').readline().splitlines()[0]
@view_config(header="X-Gitea-Event:push")
def push_hook(self):
if self.payload['repository']['full_name'] in self.whitelist:
if self.payload['repository']['full_name'] in self.whitelist and self.payload['secret'] == self.secret:
pool.apply_async(gitea_build, (self.payload, self.gitea_token))
return "build started"
else:
raise HTTPNotFound
class CheckHmacPredicate(object):
def __init__(self, val, info):
self.secret = open(args.secret, 'r').readline().strip().encode()
def text(self):
return 'HMAC checking enabled'
phash = text
def __call__(self, context, request):
payload_signature = hmac.new(self.secret, request.body, hashlib.sha256).hexdigest()
return hmac.compare_digest(request.headers["X-Gitea-Signature"], payload_signature)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='CI server')
parser.add_argument('--address', help='listening address', default='127.0.0.1')
@ -151,13 +139,10 @@ if __name__ == "__main__":
parser.add_argument('--gitea-token', help='gitea token file')
args = parser.parse_args()
pool = Pool(1)
config = Configurator()
config.add_view_predicate('check_hmac', CheckHmacPredicate)
config.add_route("gitlab_payload", "/gitlab_payload")
config.add_route("gitea_payload", "/gitea_payload")
config.scan()

42
services/site-max.nix Normal file
View File

@ -0,0 +1,42 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.site-max;
in
{
options.services.site-max = {
enable = mkEnableOption "Site Max Spiegel";
port = mkOption {
type = types.int;
example = 54321;
description = "Local listening port";
};
domaine = mkOption {
type = types.str;
example = "example.com";
description = "Domaine à utiliser";
};
};
config = mkIf cfg.enable {
services.haproxy-acme.services = {
${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
};
services.nginx = {
virtualHosts = {
"max" = {
listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
locations."/" = {
root = "/run/python-ci/nyanloutre/site-max";
};
};
};
};
};
}

66
services/site-musique.nix Normal file
View File

@ -0,0 +1,66 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.site-musique;
in
{
options.services.site-musique = {
enable = mkEnableOption "Site musique";
port = mkOption {
type = types.int;
example = 54321;
description = "Local listening port";
};
domaine = mkOption {
type = types.str;
example = "example.com";
description = "Domaine à utiliser";
};
};
config = mkIf cfg.enable {
services.haproxy-acme.services = {
${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
};
services.nginx.virtualHosts = {
"musique" = {
listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
locations."/" = {
root = "/run/python-ci/nyanloutre/site-musique";
index = "index.php";
extraConfig = ''
location ~* \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/phpfpm/musique;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
}
'';
};
};
};
services.phpfpm.poolConfigs.musique = ''
listen = /run/phpfpm/musique
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
pm = dynamic
pm.max_children = 75
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 20
pm.max_requests = 500
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
}

158
systems/ASUS-G46VW/configuration.nix
View File

@ -7,11 +7,15 @@
{
imports =
[
../common-cli.nix
../common-gui.nix
../common.nix
./hardware-configuration.nix
];
nixpkgs.overlays = [
(import ../../overlays/ledger-udev-rules.nix)
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmpOnTmpfs = true;
@ -25,11 +29,128 @@
ENERGY_PERF_POLICY_ON_BAT=powersave
'';
networking.hostName = "rog-paul";
# NVIDIA
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia.optimus_prime.enable = true;
hardware.nvidia.modesetting.enable = true;
hardware.nvidia.optimus_prime.nvidiaBusId = "PCI:1:0:0";
hardware.nvidia.optimus_prime.intelBusId = "PCI:0:2:0";
# For Steam
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.support32Bit = true;
hardware.steam-hardware.enable = true;
hardware.u2f.enable = true;
services.udev.packages = with pkgs; [
ledger-udev-rules
];
networking.hostName = "rog-paul"; # Define your hostname.
networking.networkmanager.enable = true; # Enables wireless support via wpa_supplicant.
# Select internationalisation properties.
i18n = {
# consoleFont = "Lat2-Terminus16";
consoleKeyMap = "fr";
defaultLocale = "fr_FR.UTF-8";
};
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
filezilla
wineStaging
winetricks
qbittorrent
transmission-remote-gtk
appimage-run
bat
gopass
xclip
electrum
electron-cash
firefox
torbrowser
chromium
qutebrowser
tdesktop
mumble
kleopatra
gnupg
kdeplasma-addons
ark
kate
kmail
kdeconnect
okular
yakuake
konversation
gwenview
kcalc
spectacle
kile
(texlive.combine {
inherit (texlive) scheme-small titling collection-langfrench cm-super;
})
imagemagick
gnome-breeze
arc-theme
materia-theme
libreoffice
gimp
vlc
kodiPlain
mpv
steam
sc-controller
steam-run
minecraft
glxinfo
i7z
obs-studio
];
programs.wireshark.enable = true;
programs.wireshark.package = pkgs.wireshark;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.bash.enableCompletion = true;
# programs.mtr.enable = true;
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
programs.browserpass.enable = true;
services.pcscd.enable = true;
services.pcscd.plugins = [
(pkgs.ccid.overrideAttrs (oldAttrs: rec {
preBuild = ''
echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
'';
})
)
];
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ 8000 ];
# networking.firewall.allowedUDPPorts = [ ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
networking.wireguard.interfaces = {
@ -47,29 +168,42 @@
};
};
# Enable CUPS to print documents.
services.printing.enable = true;
services.printing.drivers = [ pkgs.hplip ];
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "fr";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
services.xserver.libinput.enable = true;
services.xserver.libinput.naturalScrolling = true;
# Enable the KDE Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.extraUsers.paul = {
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" "networkmanager" "wireshark" "dialout" ];
extraGroups = [ "wheel" "networkmanager" "wireshark" ];
};
services.syncthing.enable = true;
services.syncthing.user = "paul";
services.syncthing.group = "users";
services.redshift = {
enable = true;
temperature.night = 2700;
};
location.latitude = 48.573406;
location.longitude = 7.752111;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.03"; # Did you read the comment?
}

7
systems/ASUS-G46VW/hardware-configuration.nix
View File

@ -12,13 +12,6 @@
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# NVIDIA
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia.optimus_prime.enable = true;
hardware.nvidia.modesetting.enable = true;
hardware.nvidia.optimus_prime.nvidiaBusId = "PCI:1:0:0";
hardware.nvidia.optimus_prime.intelBusId = "PCI:0:2:0";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7bd3a09b-b188-4ce7-bdcc-d5c5087edc86";
fsType = "ext4";

47
systems/LoutreOS/config-overviewer.py
View File

@ -1,47 +0,0 @@
from .observer import MultiplexingObserver, LoggingObserver, JSObserver
global escape
from cgi import escape
def signFilter(poi):
if poi['id'] == 'Sign' or poi['id'] == 'minecraft:sign':
return "<pre>" + "\n".join(map(escape, [poi['Text1'], poi['Text2'], poi['Text3'], poi['Text4']])) + "</pre>"
global json
import json
def petFilter(poi):
if "CustomName" in poi:
custom_name = json.loads(poi['CustomName'])
if "text" in custom_name:
return custom_name["text"]
def playerIcons(poi):
if poi['id'] == 'Player':
poi['icon'] = "https://overviewer.org/avatar/%s" % poi['EntityId']
return "Last known location for %s" % poi['EntityId']
processes = 2
worlds["My world"] = "/var/lib/minecraft/world"
renders["Vue normale"] = {
"world": "My world",
"title": "Vue normale",
"texturepath": "@CLIENT_JAR@",
"rendermode": smooth_lighting,
'markers': [dict(name="All signs", filterFunction=signFilter),
dict(name="Pets", filterFunction=petFilter, icon="icons/marker_cat.png", createInfoWindow=False, checked=True),
dict(name="Position joueurs", filterFunction=playerIcons),],
}
cave_rendermode = [Base(), EdgeLines(), Cave(only_lit=True), DepthTinting()]
renders["Grottes"] = {
"world": "My world",
"title": "Grottes",
"texturepath": "@CLIENT_JAR@",
"rendermode": cave_rendermode,
}
outputdir = "/var/www/minecraft-overviewer"
observer = MultiplexingObserver(LoggingObserver(), JSObserver(outputdir))

230
systems/LoutreOS/configuration.nix
View File

@ -4,16 +4,18 @@
{ config, pkgs, ... }:
let
gitRev = "baee8283bb858602e6b8d9c4763f11f79d4ac813";
nixpkgs = fetchTarball "https://github.com/nyanloutre/nixpkgs/archive/${gitRev}.tar.gz";
in
{
imports = [
../common-cli.nix
../common.nix
./hardware-configuration.nix
./users.nix
./services.nix
];
nix.settings.trusted-users = [ "root" "paul" ];
boot = {
loader = {
systemd-boot.enable = true;
@ -22,236 +24,40 @@
supportedFilesystems = [ "zfs" ];
tmp.useTmpfs = true;
kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
# Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
enableContainers = false;
tmpOnTmpfs = true;
};
documentation.nixos.enable = false;
nix.nixPath = [
"nixpkgs=${nixpkgs}"
"nixos-config=/etc/nixos/configuration.nix"
];
services.zfs = {
autoSnapshot.enable = true;
autoScrub = {
enable = true;
interval = "monthly";
};
autoScrub.enable = true;
};
hardware.usb-modeswitch.enable = true;
# eno1 -> VLAN100 -> Internet
# eno2 -> LAN
# eno3 -> Legacy client DHCP
# eno4 -> Pas utilisé
networking = {
hostName = "loutreos"; # Define your hostname.
hostId = "7e66e347";
hosts = {
"127.0.0.1" = [ "gitea.nyanlout.re" ];
};
useNetworkd = true;
useDHCP = false;
vlans = {
bouygues = {
id = 100;
interface = "eno1";
};
};
interfaces = {
bouygues = {
# Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
macAddress = "E8:AD:A6:21:73:68";
useDHCP = true;
};
eno2 = {
ipv4.addresses = [
{ address = "10.30.0.1"; prefixLength = 16; }
];
};
enp0s21u1.useDHCP = true;
};
# NAT bouygues <-> eno2
nat = {
enable = true;
externalInterface = "bouygues";
# Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE
# externalIP = "0.0.0.0";
internalIPs = [ "10.30.0.0/16" ];
internalInterfaces = [ "eno2" ];
forwardPorts = [
{ destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
{ destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
];
};
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ ];
interfaces.eno2 = {
allowedTCPPorts = [
111 2049 4000 4001 4002 # NFS
3483 9000 9090 # Slimserver
1935 # RTMP
];
allowedUDPPorts = [
111 2049 4000 4001 4002 # NFS
3483 # Slimserver
67 # DHCP
];
};
extraCommands = ''
ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
ip6tables -w -F loutreos-forward 2>/dev/null || true
ip6tables -w -X loutreos-forward 2>/dev/null || true
ip6tables -w -N loutreos-forward
ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A loutreos-forward -j ACCEPT -i eno2
ip6tables -A loutreos-forward -j nixos-fw-log-refuse
ip6tables -w -A FORWARD -j loutreos-forward
# Redirect local network request from server external IP to internal IP
# Make the server available even without internet access
iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true
iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
'';
# remove refs to nixos-fw-log-refuse before restarting firewall
# prevents "ressource busy" errors
extraStopCommands = ''
ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
'';
};
};
systemd.network.networks = {
"40-bouygues" = {
dhcpV4Config.RouteMetric = 1;
dhcpV6Config = {
DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
WithoutRA = "solicit";
};
ipv6AcceptRAConfig.DHCPv6Client = true;
networkConfig = {
KeepConfiguration = "dhcp-on-stop";
IPv6AcceptRA = true;
DHCPPrefixDelegation = true;
};
dhcpPrefixDelegationConfig.SubnetId = "0";
};
"40-eno1".linkConfig.RequiredForOnline = "no";
"40-eno2" = {
networkConfig = {
IPv6SendRA = true;
DHCPPrefixDelegation = true;
DHCPServer = true;
};
dhcpServerConfig = {
# MIN = 10.30.100.0
#PoolOffset = 25500;
# MAX = 10.30.200.0
#PoolSize = 25500;
EmitRouter = true;
EmitDNS = true;
DNS = [
"1.1.1.1"
"1.0.0.1"
];
};
dhcpServerStaticLeases = [
# IPMI
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.1.1";
MACAddress = "ac:1f:6b:4b:01:15";
};
}
# paul-fixe
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.50.1";
MACAddress = "b4:2e:99:ed:24:26";
};
}
# salonled
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.40.1";
MACAddress = "e0:98:06:85:e9:ce";
};
}
# miroir-bleu
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.40.2";
MACAddress = "e0:98:06:86:38:fc";
};
}
# miroir-orange
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.40.3";
MACAddress = "50:02:91:78:be:be";
};
}
];
ipv6SendRAConfig = {
EmitDNS = true;
DNS = [
"2606:4700:4700::1111"
"2606:4700:4700::1001"
];
};
};
"40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
};
nixpkgs.overlays = [
(import ../../overlays/transmission.nix)
(import ../../overlays/riot-web.nix)
];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
X11Forwarding = true;
};
permitRootLogin = "no";
passwordAuthentication = false;
};
users = {
groups.autossh = { };
users.autossh = {
home = "/home/autossh";
createHome = true;
group = "autossh";
isSystemUser = true;
};
networking.firewall = {
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
enable = true;
};
# Options explanations
# -N disable shell
# -R 0.0.0.0:2222:127.0.0.1:22 redirect SSH port on VPS server on port 2222
# -R 127.0.0.1:2525:127.0.0.1:25 redirect SMTP port on VPS port 2525
services.autossh.sessions = [
{
extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net";
monitoringPort = 20000;
name = "backup-ssh-reverse";
user = "autossh";
}
];
virtualisation.podman.enable = true;
security.sudo.wheelNeedsPassword = false;
system.stateVersion = "18.03";

72
systems/LoutreOS/hardware-configuration.nix
View File

@ -4,6 +4,10 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
@ -63,13 +67,18 @@
fsType = "zfs";
};
fileSystems."/var/lib/syncthing" =
{ device = "loutrepool/var/syncthing";
fileSystems."/exports/steam" =
{ device = "loutrepool/steam";
fsType = "zfs";
};
fileSystems."/mnt/medias/incomplete" =
{ device = "loutrepool/torrent-dl";
fileSystems."/var/lib/emby/ProgramData-Server" =
{ device = "loutrepool/var/emby";
fsType = "zfs";
};
fileSystems."/var/lib/syncthing" =
{ device = "loutrepool/var/syncthing";
fsType = "zfs";
};
@ -108,11 +117,6 @@
fsType = "zfs";
};
fileSystems."/var/lib/private/factorio" =
{ device = "loutrepool/var/factorio";
fsType = "zfs";
};
fileSystems."/var/dkim" =
{ device = "loutrepool/var/dkim";
fsType = "zfs";
@ -123,10 +127,10 @@
fsType = "zfs";
};
# fileSystems."/mnt/backup" =
# { device = "backup";
# fsType = "zfs";
# };
fileSystems."/mnt/backup" =
{ device = "backup";
fsType = "zfs";
};
fileSystems."/mnt/backup_loutre" =
{ device = "loutrepool/backup";
@ -138,46 +142,6 @@
fsType = "zfs";
};
fileSystems."/var/lib/minecraft" =
{ device = "loutrepool/var/minecraft";
fsType = "zfs";
};
fileSystems."/var/www" =
{ device = "loutrepool/var/www";
fsType = "zfs";
};
fileSystems."/var/lib/mastodon" =
{ device = "loutrepool/var/mastodon";
fsType = "zfs";
};
fileSystems."/var/lib/hass" =
{ device = "loutrepool/var/hass";
fsType = "zfs";
};
fileSystems."/var/lib/nextcloud" =
{ device = "loutrepool/var/nextcloud";
fsType = "zfs";
};
fileSystems."/var/lib/private/photoprism" =
{ device = "loutrepool/var/photoprism";
fsType = "zfs";
};
fileSystems."/mnt/paul-home" =
{ device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
fsType = "zfs";
};
fileSystems."/mnt/webdav" =
{ device = "loutrepool/webdav";
fsType = "zfs";
};
swapDevices =
[
{
@ -186,6 +150,6 @@
}
];
nix.settings.max-jobs = lib.mkDefault 4;
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

61
systems/LoutreOS/medias.nix
View File

@ -1,61 +0,0 @@
{ config, lib, pkgs, nixpkgs-unstable, ... }:
{
services = {
transmission = {
enable = true;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.transmission_4;
home = "/var/lib/transmission";
group = "medias";
settings = {
rpc-bind-address = "127.0.0.1";
rpc-port = 9091;
rpc-host-whitelist = "*";
rpc-whitelist-enabled = false;
peer-port = 51413;
incomplete-dir = "/mnt/medias/incomplete";
download-dir = "/mnt/medias/torrent";
};
};
radarr = {
enable = true;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.radarr;
};
sonarr = {
enable = true;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.sonarr;
};
prowlarr.enable = true;
jellyfin = {
enable = true;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.jellyfin;
};
navidrome = {
enable = true;
settings = {
MusicFolder = "/mnt/medias/musique";
ImageCacheSize = 0;
};
};
slimserver.enable = true;
};
systemd.services.transmission.serviceConfig = {
BindPaths = [ "/mnt/medias" ];
LimitNOFILE = 1048576;
};
networking = {
firewall.allowedTCPPorts = [
config.services.transmission.settings.peer-port
];
firewall.allowedUDPPorts = [
config.services.transmission.settings.peer-port
];
};
}

127
systems/LoutreOS/monitoring.nix
View File

@ -1,127 +0,0 @@
{ config, lib, pkgs, ... }:
let
domaine = "nyanlout.re";
in
{
services = {
smartd = {
enable = true;
defaults.monitored = "-a -o on -s (S/../.././02|L/../15/./02)";
notifications.mail = {
enable = true;
recipient = "paul@nyanlout.re";
};
};
influxdb = {
enable = true;
dataDir = "/var/db/influxdb";
};
telegraf = {
enable = true;
extraConfig = {
inputs = {
zfs = { poolMetrics = true; };
net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
netstat = {};
cpu = { totalcpu = true; };
kernel = {};
mem = {};
processes = {};
system = {};
disk = {};
cgroup = [
{
paths = [
"/sys/fs/cgroup/system.slice/*"
];
files = ["memory.current" "cpu.stat"];
}
];
ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
smart = {
path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
};
exec= [
{
commands = [
"${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
import json
from subprocess import check_output
columns = ["NAME", "SIZE", "ALLOC", "FREE", "CKPOINT", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
for pool in parsed_stdout:
for item in pool:
if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
pool[item] = int(pool[item])
if item in ["DEDUP"]:
pool[item] = float(pool[item])
if item == "HEALTH":
pool[item] = health[pool[item]]
print(json.dumps(parsed_stdout))
''}"
];
tag_keys = [ "NAME" ];
data_format = "json";
name_suffix = "_python_zpool";
}
];
};
outputs = {
influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
};
};
};
udev.extraRules = ''
KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
'';
grafana = {
enable = true;
dataDir = "/var/lib/grafana";
settings = {
server = {
http_addr = "127.0.0.1";
root_url = "https://grafana.${domaine}";
};
smtp = {
enabled = true;
from_address = "grafana@${domaine}";
skip_verify = true;
};
auth = {
disable_signout_menu = true;
};
"auth.basic" = {
enabled = false;
};
"auth.proxy" = {
enabled = true;
header_name = "X-WEBAUTH-USER";
};
};
};
zfs.zed.settings = {
ZED_EMAIL_ADDR = [ "paul@nyanlout.re" ];
ZED_NOTIFY_VERBOSE = true;
};
};
systemd.services.influxdb.serviceConfig = {
TimeoutStartSec = "10min";
};
security.sudo.extraRules = [
{ commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
}

614
systems/LoutreOS/services.nix
View File

@ -5,146 +5,306 @@ with lib;
let
domaine = "nyanlout.re";
sendMail = to: subject: message: pkgs.writeShellScriptBin "mail.sh" ''
${pkgs.system-sendmail}/bin/sendmail ${to} <<EOF
From: root@nyanlout.re
Subject: ${subject}
${message}
EOF
'';
login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
if [ "$PAM_TYPE" != "close_session" ] && [ "$PAM_USER" != "zfspaulfixe" ] && [ "$PAM_USER" != "synology" ] && [ "$PAM_USER" != "rezome" ]; then
${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh
fi
'';
backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
unstable = import <nixos-unstable> { };
riot_port = 52345;
pgmanage_port = 52347;
max_port = 52348;
musique_port = 52349;
in
{
imports = [
../../services/haproxy-acme.nix
../../services/mail-server.nix
../../services/site-musique.nix
../../services/site-max.nix
../../services/auto-pr.nix
../../services/python-ci.nix
../../services/sdtdserver.nix
# /mnt/secrets/factorio_secrets.nix
./monitoring.nix
./medias.nix
./web.nix
../../containers/vsftpd.nix
];
security.acme.certs = {
"${domaine}" = {
extraDomainNames = [
"mail.${domaine}"
];
postRun = ''
systemctl reload dovecot2.service
'';
};
};
mailserver = {
enable = true;
fqdn = "mail.${domaine}";
domains = [ domaine ];
# A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password"
loginAccounts = {
"paul@${domaine}" = {
hashedPassword = "$6$eGmy2W7kbkfHAh$/y.ZML4eYL/v14WaVwSIG2ulkUFKFk82uBmrYBDULLtqUR8hQD3/BQIrRiBtsloxrUSja8aZ.E7ypChO.OiOI/";
};
"claire@${domaine}" = {
hashedPassword = "$6$Y.vlWP9./DX$NEQQOLzYftbHOvXDkKdBYFAjzIjh8mlpomDuQRq6qkkZijrdy/p6jSbrpBLhoWwVmj4j1OWekHU1f4C9xCNJk.";
};
};
# Certificate setup
certificateScheme = "manual";
certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
keyFile = "/var/lib/acme/${domaine}/key.pem";
# Enable IMAP and POP3
enableImap = true;
enablePop3 = true;
enableImapSsl = true;
enablePop3Ssl = true;
# Enable the ManageSieve protocol
enableManageSieve = true;
};
nixpkgs.overlays = [
(import ../../overlays/dogetipbot-telegram.nix)
];
services = {
postfix = {
relayHost = "mailvps.nyanlout.re";
relayPort = 587;
config = {
smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
};
};
rspamd.workers.controller.extraConfig = ''
secure_ip = ["0.0.0.0/0", "::"];
'';
# redis.enable = true;
# enable with nginx defult config
logrotate.enable = true;
fail2ban.enable = true;
smartd = {
enable = true;
defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
notifications.mail = {
enable = true;
recipient = "paul@nyanlout.re";
};
};
fstrim.enable = true;
haproxy-acme = {
enable = true;
domaine = domaine;
services = {
"grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
"emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
"radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
"sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
"transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
"syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
"jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
"searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
"riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
"matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
"ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
};
};
mailserver = {
enable = true;
domaine = domaine;
};
influxdb = {
enable = true;
dataDir = "/var/db/influxdb";
};
telegraf = {
enable = true;
extraConfig = {
inputs = {
zfs = { poolMetrics = true; };
net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
netstat = {};
cpu = { totalcpu = true; };
kernel = {};
mem = {};
processes = {};
system = {};
disk = {};
ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
smart = {
path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
};
exec= [
{ commands = [
"${pkgs.python}/bin/python ${
pkgs.fetchgit {
url = "https://gitlab.com/nyanloutre/tplink-smartplug.git";
rev = "a0996112fc451b76448589698de440ad5fd6ea79";
sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3";
}
}/tplink_smartplug.py -t 192.168.0.57 -c energy"
];
data_format = "json";
name_suffix = "_tplink-smartplug";
}
{
commands = [
"${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
import json
from subprocess import check_output
columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
for pool in parsed_stdout:
for item in pool:
if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
pool[item] = int(pool[item])
if item in ["DEDUP"]:
pool[item] = float(pool[item])
if item == "HEALTH":
pool[item] = health[pool[item]]
print(json.dumps(parsed_stdout))
''}"
];
tag_keys = [ "NAME" ];
data_format = "json";
name_suffix = "_python_zpool";
}
];
};
outputs = {
influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
};
};
};
udev.extraRules = ''
KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
'';
grafana = {
enable = true;
addr = "127.0.0.1";
dataDir = "/var/lib/grafana";
extraOptions = {
SERVER_ROOT_URL = "https://grafana.${domaine}";
SMTP_ENABLED = "true";
SMTP_FROM_ADDRESS = "grafana@${domaine}";
SMTP_SKIP_VERIFY = "true";
AUTH_DISABLE_LOGIN_FORM = "true";
AUTH_DISABLE_SIGNOUT_MENU = "true";
AUTH_ANONYMOUS_ENABLED = "true";
AUTH_ANONYMOUS_ORG_ROLE = "Admin";
AUTH_BASIC_ENABLED = "false";
};
};
emby = {
enable = true;
dataDir = "/var/lib/emby/ProgramData-Server";
};
slimserver = {
enable = true;
dataDir = "/var/lib/slimserver";
};
syncthing = {
enable = true;
dataDir = "/var/lib/syncthing";
openDefaultPorts = true;
};
nfs.server = {
enable = true;
exports = ''
/mnt/medias 10.30.0.0/16(ro,no_root_squash)
/var/lib/minecraft 10.30.0.0/16(rw,no_root_squash)
/mnt/medias 192.168.0.0/16(ro,no_root_squash)
/exports/steam 192.168.0.0/24(rw,no_root_squash)
'';
statdPort = 4000;
lockdPort = 4001;
mountdPort = 4002;
};
transmission = {
enable = true;
home = "/var/lib/transmission";
settings = {
rpc-bind-address = "127.0.0.1";
rpc-host-whitelist = "*";
rpc-whitelist-enabled = false;
};
};
radarr.enable = true;
sonarr.enable = true;
jackett.enable = true;
searx.enable = true;
nginx = {
enable = true;
virtualHosts = {
"riot" = {
listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
locations = { "/" = { root = pkgs.riot-web; }; };
};
};
};
postgresql.enable = true;
matrix-synapse = {
enable = true;
enable_registration = true;
server_name = "nyanlout.re";
listeners = [
{ # federation
bind_address = "";
port = 8448;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
{ compress = false; names = [ "federation" ]; }
];
tls = true;
type = "http";
x_forwarded = false;
}
{ # client
bind_address = "127.0.0.1";
port = 8008;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
];
tls = false;
type = "http";
x_forwarded = true;
}
];
database_type = "psycopg2";
database_args = {
database = "matrix-synapse";
};
extraConfig = ''
max_upload_size: "100M"
'';
logConfig = ''
version: 1
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False
'';
};
pgmanage = {
enable = true;
port = pgmanage_port;
connections = {
localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
};
};
/*
borgbackup.jobs = {
loutre = {
paths = [
"/var/certs"
"/var/dkim"
"/var/lib/jellyfin"
"/var/lib/gitea"
"/var/lib/grafana"
"/var/lib/matrix-synapse"
"/var/lib/jackett"
"/mnt/borgsnap/postgresql"
"/var/lib/postgresql/.zfs/snapshot/borgsnap"
"/var/lib/radarr"
"/var/lib/sonarr"
"/var/lib/syncthing"
"/var/lib/transmission"
"/var/lib/airsonic"
"/var/lib/hass"
"/var/lib/opendkim"
"/var/lib/slimserver"
"/var/lib/watcharr"
"/var/lib/nextcloud"
"/mnt/medias/musique"
"/mnt/medias/torrent/lidarr"
"/mnt/medias/torrent/musique"
"/mnt/paul-home/paul"
"/var/sieve"
"/var/vmail"
"/mnt/backup_loutre/amandoleen"
"/mnt/secrets"
];
exclude = [
"/var/lib/radarr/.config/Radarr/radarr.db-wal"
"/var/lib/radarr/.config/Radarr/radarr.db-shm"
"/mnt/paul-home/paul/.cache"
];
repo = "ssh://u306925@u306925.your-storagebox.de:23/./loutreos";
environment = { BORG_RSH = "ssh -i /mnt/secrets/hetzner_ssh_key"; };
repo = "/mnt/backup/borg";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
@ -155,18 +315,16 @@ in
weekly = 4;
monthly = 12;
};
preHook = ''
${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap
mkdir -p /mnt/borgsnap/postgresql
${config.security.wrapperDir}/mount -t zfs loutrepool/var/postgresql@borgsnap /mnt/borgsnap/postgresql
'';
readWritePaths = [ "/var/lib/postfix/queue/maildrop" ];
preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
postHook = ''
${config.security.wrapperDir}/umount /mnt/borgsnap/postgresql
${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
if [[ $exitStatus == 0 ]]; then
${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO loutre_ovh:loutre
fi
'';
};
};
*/
borgbackup.repos = {
diskstation = {
@ -174,201 +332,84 @@ in
path = "/mnt/backup_loutre/diskstation_borg";
user = "synology";
};
minecraft-rezome = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1nGsSesW96k0DPMSt/chjvCrYmfgPgHG1hdUYB5x0pZPdOJaVRIlETWdoFlO+ViviC518B3TF7Qc3oJXPZMchJQl684Nukbc312juf+j9z/KT3dqD8YvKX6o5ynx1Dyq52ftrfkBAEAvzE0OfRljUPbwGBOM0dGRD4R1jbiHquTXpITlbgGTZymbwr4Jr9W9atgf5kHMiX7xOqMZcasDtUE8g+AG4ysHdpjOrBOUM9QeRbVP1bxEFP8xjqOOoET5tbkwektP4B2jaf+EHBPUy2lkwjVEKT6MaSlkJx/wMvUWp25kG9mrXgwUw1bgfOeZIsK6ztcki3l92BJQD9ip shame@minecraft.rezom.eu" ];
path = "/mnt/backup_loutre/minecraft_rezome";
user = "rezome";
};
gitea = {
enable = true;
cookieSecure = true;
httpPort = 3001;
rootUrl = "https://gitea.nyanlout.re/";
database = {
type = "postgres";
port = 5432;
passwordFile = "/mnt/secrets/gitea_database_passwordFile";
};
};
kresd = {
site-musique = {
enable = true;
port = musique_port;
domaine = "musique-meyenheim.fr";
};
mosquitto = {
site-max = {
enable = true;
listeners = [
{
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
address = "127.0.0.1";
settings.allow_anonymous = true;
}
];
port = max_port;
domaine = "maxspiegel.fr";
};
zigbee2mqtt = {
enable = true;
settings = {
mqtt = {
server = "mqtt://${(head config.services.mosquitto.listeners).address}:${toString (head config.services.mosquitto.listeners).port}";
};
frontend = {
port = 8080;
host = "127.0.0.1";
url = "https://zigbee.nyanlout.re";
};
groups = {
"101" = {
friendly_name = "salon";
devices = [
"0x94deb8fffe760f3d"
];
};
"102" = {
friendly_name = "cuisine";
devices = [
"0x003c84fffe6d9ee6"
];
};
"103" = {
friendly_name = "entrée";
devices = [
"0x84ba20fffe5ec243"
];
};
"104" = {
friendly_name = "tout";
devices = [
"0x94deb8fffe760f3d"
"0x003c84fffe6d9ee6"
"0x84ba20fffe5ec243"
];
};
"107" = {
friendly_name = "chambre";
devices = [
"0x84ba20fffe5eb120"
];
};
};
};
};
auto-pr.enable = true;
home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"met"
"radio_browser"
];
config = {
default_config = {};
homeassistant = {
country = "FR";
latitude = 48.60038;
longitude = 7.74063;
elevation = 146;
};
meteo_france = null;
http = {
use_x_forwarded_for = true;
trusted_proxies = [ "127.0.0.1" ];
};
mqtt = null;
esphome = null;
light = [
{
platform = "group";
name = "Salon";
entities = [
"light.salon_light"
"light.cuisine_light"
"light.entree_light"
];
}
];
media_player = [
{
platform = "squeezebox";
host = "10.30.0.1";
}
];
#tplink.switch = [
# { host = "10.30.50.7"; }
#];
#sensor = [
# {
# platform = "template";
# sensors = {
# serveur_amps = {
# friendly_name_template = "{{ states.switch.serveur.name}} Current";
# value_template = ''{{ states.switch.serveur.attributes["current_a"] | float }}'';
# unit_of_measurement = "A";
# };
# serveur_watts = {
# friendly_name_template = "{{ states.switch.serveur.name}} Current Consumption";
# value_template = ''{{ states.switch.serveur.attributes["current_power_w"] | float }}'';
# unit_of_measurement = "W";
# };
# serveur_total_kwh = {
# friendly_name_template = "{{ states.switch.serveur.name}} Total Consumption";
# value_template = ''{{ states.switch.serveur.attributes["total_energy_kwh"] | float }}'';
# unit_of_measurement = "kWh";
# };
# serveur_volts = {
# friendly_name_template = "{{ states.switch.serveur.name}} Voltage";
# value_template = ''{{ states.switch.serveur.attributes["voltage"] | float }}'';
# unit_of_measurement = "V";
# };
# serveur_today_kwh = {
# friendly_name_template = "{{ states.switch.serveur.name}} Today's Consumption";
# value_template = ''{{ states.switch.serveur.attributes["today_energy_kwh"] | float }}'';
# unit_of_measurement = "kWh";
# };
# };
# }
#];
};
};
python-ci.enable = true;
photoprism = {
enable = true;
originalsPath = "/mnt/backup_loutre/amandoleen/d/Users/Amand/Pictures";
passwordFile = "/mnt/secrets/photoprism_pass";
settings = {
PHOTOPRISM_READONLY = "1";
PHOTOPRISM_DETECT_NSFW = "1";
PHOTOPRISM_SITE_URL = "https://photo.nyanlout.re/";
};
sdtdserver.enable = true;
};
/*
systemd.services.dogetipbot-telegram = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.dogetipbot-telegram}/bin/dogetipbot-telegram --block-io-api-key $BLOCK_IO_API_KEY --block-io-pin $BLOCK_IO_PIN --telegram-api-key $TELEGRAM_API_KEY --network DOGE";
enable = true;
serviceConfig = {
EnvironmentFile = "/mnt/secrets/dogetipbot-telegram_env";
User = "nobody";
Group = "nogroup";
};
};
*/
systemd.services.matrix-synapse = {
serviceConfig = {
MemoryHigh = "3G";
MemoryMax = "5G";
};
};
systemd = {
timers."lg-devmode-reset" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "1w";
};
};
services = {
"borgbackup-job-loutre".serviceConfig.TemporaryFileSystem = ["/mnt/borgsnap"];
"lg-devmode-reset" = {
script = ''
${pkgs.curl}/bin/curl https://developer.lge.com/secure/ResetDevModeSession.dev\?sessionToken\=9f94269da0dc14fd924b65d8dca28b076f931ad1ca04fe7a09ac78cdb0e22cb4
'';
serviceConfig = {
Type = "oneshot";
};
};
};
};
dogetipbot-telegram.enable = true;
ipmihddtemp.enable = true;
users.groups.nginx.members = [ "matrix-synapse" ];
security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
security.sudo.extraRules = [
{ commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
networking = {
firewall.interfaces.eno2.allowedTCPPorts = [
3260
];
wireguard.interfaces = {
wg0 = {
ips = [ "192.168.20.1/24" ];
privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
listenPort = 51820;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "0.0.0.0/0" ];
publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
}
];
};
};
firewall.allowedTCPPorts = [
111 2049 4000 4001 4002 # NFS
3483 9000 9090 # Slimserver
51413 # Transmission
8448 # Matrix federation
20 21 # FTP
];
@ -376,5 +417,12 @@ in
firewall.allowedTCPPortRanges = [
{ from = 64000; to = 65535; } # FTP
];
firewall.allowedUDPPorts = [
111 2049 4000 4001 4002 # NFS
3483 # Slimserver
51413 # Transmission
51820 # Wireguard
];
};
}

37
systems/LoutreOS/users.nix
View File

@ -1,12 +1,12 @@
{ lib, config, pkgs, ... }:
{ config, pkgs, ... }:
{
users.users = {
users.extraUsers = {
paul = {
uid = 1000;
isNormalUser = true;
description = "Paul TREHIOU";
extraGroups = [ "wheel" "medias" "transmission" "podman" ];
extraGroups = [ "wheel" "medias" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAF7VlzHzgg70uFbRFtVTS34qNBke/RD36mRENAsa33RxztxrqMsIDscAD/d6CTe6HDy7MCGzJnWCJSXj5iOQFM4RRMvKNEgCKPHqfhmfVvO4YZuMjNB0ufVf6zhJL4Hy43STf7NIWrenGemUP+OvVSwN/ujgl2KKw4KJZt25/h/7JjlCgsZm4lWg4xcjoiKL701W2fbEoU73XKdbRTgTvKoeK1CGxdAPFefFDFcv/mtJ7d+wIxw9xODcLcA66Bu94WGMdpyEAJc4nF8IOy4pW8AzllDi0qNEZGCQ5+94upnLz0knG1ue9qU2ScAkW1/5rIJTHCVtBnmbLNSAOBAstaGQJuSL40TWZ1oPA5i1qUEhunNcJ+Sgtp6XP69qY34T/AeJvHRyw5M5LfN0g+4ka9k06NPBhbpHFASz4M8nabQ0iM63++xcapnw/8gk+EPhYVKW86SsyTa9ur+tt6oDWEKNaOhgscX44LexY7jKdeBRt3GaObtBJtVLBRx3Z2aRXgjgnKGqS40mGRiSkqb2DShspI1l8DV2RrPiuwdBzXVQjWRc0KXmJrcgXX9uoPSxihxwaUQyvmITOV1Y+NEuek4gRkVNOxjoG7RGnaYvYzxEQVoI5TwZC2/DCrAUgCv8DQawkcpEiWnBq7Q5VnpmFx5juVQ/I0G8byOkPXgRUOk9 openpgp:0xAB524BBC"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCACVI2dL4AmOdcb7RSl3JZpfK33NhqrYFfWfXMYow5SPJ9VPteOp5kVvKUuSbGH3chjpttYC/ueQJJhFagiKmkeftQTslIw6C009wUExGpJwRotHqISXv2ctURGURKy2FF848whd7xZJzdj49ZJ6S+SCbRFZvVWfT2dP/JwTiWW1mbEaWKyOgrixH6wSKt9ECumjX9KjqSWGw+k3yLJxIhdqiZAjNv4soJs1mQYdIlFCXCuznzoZIQBexZPQCx0j9HjczPz1feMLWkrHzEMexNjsBE2uA6yXLbH1wa8xCJ4VOeD7u9JqVY579AsicD62G+qIgw0B2zmyz7xTrdPv+061zmYn6qYr8EXGTk4dVgedZp8M1XzZ1PVoeeftPFcClXC7zCGyCR2uzJbQLzlaTwZrdghAiS9UhMRuKpNgZy2zDWw4MqdojrF5bndPkoijlXWYrPYBFED5OU1mpwzpanYgldowJC/Ixjwi+Hmse2q4XgZ+egfuotBqPfqB+bWsCa5GNiJWGdLP69uBSsXubGnqLwvE0FAQ2GHb+SEoZKFy/QV9GzOLlVrGlgK5YFgKJD+Q1nn1QRycXt1oMVC/AtR/NshOGanhdvIRpPATGmaxLVXSY093vyAOW4MPrS00fPAXzAfJUwIuWcloFfLMo5Jitj5rpE1s6FX8xrl4upQ== paul@nyanlout.re"
@ -19,43 +19,20 @@
isNormalUser = true;
description = "Victor SENE";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh"
];
};
amandoleen = {
isNormalUser = true;
isSystemUser = lib.mkForce false;
description = "Amandine <3";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRu0M10AfF2nS8Ky9JzQ4cDRbcjmR+LLvENohxTJhW4xwAwN/f2I0ObbiJ5PHC3mXi8V5JqnSaYNdIMXuULDxxc1QEa0aeLw4xIrYw1wEOrHvL9DeYvS289sRgWSb/PvyejEHwcBBm4Xf0/nQNQF462C064Ms56cT3YAOhNBA7ubyCAqd0VW8RHc1mZ5b/owzM7SviXrpcIM5QDPVP2051SxrqGbunAnwe5x2kNDeYqicyIik61rpYe+erhkyvL3WdgC7mHnF8VPKx049zIsfK5UmJwI+rI24cDUT9E6B4XZttpdyJK6i7/6NSYm4nrMXQxCF1tofd5yZK5vpYH8Dyiic5ykhB57kr1QCmck70VMmt77uOoMeGZ+IJCY5oZYcR/n04mUwN9mmRsECcr17a8IDQkmPd8PNbjrNRgtVKDVLtw4HyOPCAfdH+XzEGiMxnZfzq0rLEYU3S4RAkLpe2W3C0fWniEWzSnXj76AGcyJcxIVzrIYg4uzTgNhZlb08vO1ytw9QaEY17Po5YFjBD8fT9Z0UijG3WQBm7AmSrcg/OLP6UOghbnlkZFYpC0hYcbX1sTfdfysw9kT/d8BImQvwBzmJ/YRqHmCejZGTkCCmw8i93EYFm3uVFZypcSe50JV9rx9P7yPtWS4QVOg/6ltlvJiGsz45P87qjA9nO/Q== amandoleen"
];
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh"
];
};
synology = {
uid = 1001;
isNormalUser = true;
isSystemUser = lib.mkForce false;
description = "Synology Diskstation maison";
};
rezome = {
description = "Rezome Minecraft backup";
};
zfspaulfixe = {
uid = 1002;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQjzpEBNEwJhBTh82K5bJMyPSuHvYJyipaZYVtOZSJIDIRcec9YwMOQuMl9+O5kI36tiataEpmb/y3OWU567DXKp/BtljfVfNSQracKJPt6GJFOz4fKqCqoBh7M06ZGsBHUi/NsKIvw4asJsBuK6uACvxKFt2pSR6fp+/2y/3NH0LpDmDuuYORhciJUBC+RUTCLtVUfzkMAeR2p+M079Ia0rnkEXNFgc75FQon1bQu/0bnbHPweSwnNfRB0XPm6Qgz3sS2Cyhf1/GqgvARs80P4MWuqqZFXhsBTajOHOjCu6fiaylPNXNWfLnahkRzKIOkIy7/yEO+MmMD+V7pjbvSqB7MD1T5wfcPHvHTISM4E+7dw9aPj9+JspkgSSACtIFKsqxkWlq5creUV1syDm2Cd4rBnKrc8yWtAxBSusFWbAr6xtxP6I+ibS4trjNdHHrjMJK9jpbPxdblJJrO3qn6VYC/WzFAxzDDUi5ysGzNdpQLacacne/95gSGXCgIIc= root@paul-fixe"
];
description = "paul-fixe zfs backup user";
};
};
users.extraGroups.medias = {
gid = 498;
members = [ "slimserver" "radarr" "sonarr" "jellyfin" "transmission" ];
members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ];
};
}

488
systems/LoutreOS/web.nix
View File

@ -1,488 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
nginxSsoAuth = pkgs.writeText "nginx-sso_auth.inc" ''
# Protect this location using the auth_request
auth_request /sso-auth;
# Redirect the user to the login page when they are not logged in
error_page 401 = @error401;
location /sso-auth {
# Do not allow requests from outside
internal;
# Access /auth endpoint to query login state
proxy_pass http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/auth;
# Do not forward the request body (nginx-sso does not care about it)
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# Set custom information for ACL matching: Each one is available as
# a field for matching: X-Host = x-host, ...
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header X-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# If the user is lead to /logout redirect them to the logout endpoint
# of ngninx-sso which then will redirect the user to / on the current host
location /sso-logout {
return 302 https://login.nyanlout.re/logout?go=$scheme://$http_host/;
}
# Define where to send the user to login and specify how to get back
location @error401 {
return 302 https://login.nyanlout.re/login?go=$scheme://$http_host$request_uri;
}
'';
in
{
security.acme = {
defaults.email = "paul@nyanlout.re";
acceptTerms = true;
};
users.groups = {
work = {};
webdav = {};
};
users.users = {
work = {
isSystemUser = true;
group = config.users.groups.work.name;
};
webdav = {
isSystemUser = true;
group = config.users.groups.webdav.name;
};
# wordpress = {
# isSystemUser = true;
# group = config.services.nginx.group;
# };
};
services = {
phpfpm.pools = {
# work = {
# user = config.users.users.work.name;
# phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
# settings = {
# "listen.owner" = config.services.nginx.user;
# "pm" = "dynamic";
# "pm.max_children" = 75;
# "pm.start_servers" = 10;
# "pm.min_spare_servers" = 5;
# "pm.max_spare_servers" = 20;
# "pm.max_requests" = 500;
# };
# };
# "wordpress-designyourfuture" = {
# user = config.users.users.wordpress.name;
# group = config.services.nginx.group;
# settings = {
# "listen.owner" = config.services.nginx.user;
# "pm" = "dynamic";
# "pm.max_children" = 32;
# "pm.start_servers" = 2;
# "pm.min_spare_servers" = 2;
# "pm.max_spare_servers" = 4;
# "pm.max_requests" = 500;
# };
# };
drive = {
user = config.users.users.webdav.name;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
};
phpOptions = ''
output_buffering=off
'';
};
};
nginx = {
enable = true;
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [ dav moreheaders ];
};
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy origin-when-cross-origin;
'';
sso = {
enable = true;
configuration = {
listen = {
addr = "127.0.0.1";
port = 8082;
};
login = {
title = "LoutreOS login";
default_method = "simple";
hide_mfa_field = true;
names.simple = "Username / Password";
};
cookie = {
domain = ".nyanlout.re";
secure = true;
};
audit_log = {
targets = [ "fd://stdout" ];
events = [ "access_denied" "login_success" "login_failure" "logout" ];
};
providers.simple = {
enable_basic_auth = true;
users = {
paul = "$2y$10$RMqeJF/hUasXZ5/SLKAu4uKKp6ac6qXCaRu4OY/fIN6ZYucDXzqYm";
};
groups = {
admins = [ "paul" ];
};
};
acl = {
rule_sets = [
{
rules = [ { field = "x-host"; regexp = ".*"; } ];
allow = [ "@admins" ];
}
];
};
};
};
virtualHosts = let
base = locations: {
locations = locations // {
"@maintenance" = {
root = "/var/www/errorpages/";
extraConfig = ''
rewrite ^(.*)$ /50x.html break;
'';
};
};
forceSSL = true;
enableACME = true;
extraConfig = ''
error_page 500 502 503 504 = @maintenance;
'';
};
simpleReverse = rport: base {
"/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
};
};
authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
(base {
"/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
auth_request_set $username $upstream_http_x_username;
proxy_set_header X-WEBAUTH-USER $username;
add_header Set-Cookie $cookie;
'';
};
})
{
extraConfig = ''
include ${nginxSsoAuth};
'';
}
];
in {
"nyanlout.re" = base {
"/" = {
alias = "/var/www/site-perso/";
};
"/maintenance/" = {
alias = "/var/www/errorpages/";
};
"/.well-known/openpgpkey/" = {
alias = "/var/lib/gnupg/wks/nyanlout.re";
extraConfig = ''
add_header Access-Control-Allow-Origin * always;
'';
};
} // { default = true; };
"factorio.nyanlout.re" = base { "/" = { root = "/var/www/factorio"; }; };
"minecraft.nyanlout.re" = base { "/" = { root = "/var/www/minecraft-overviewer"; }; };
"musique-meyenheim.fr" = base {
"/" = {
proxyPass = "http://unix:/run/site-musique.sock";
};
"/static/" = {
alias = "/var/www/site-musique/staticfiles/";
};
"/media/" = {
alias = "/var/www/site-musique/media/";
};
};
"www.musique-meyenheim.fr" = {
enableACME = true;
forceSSL = true;
globalRedirect = "musique-meyenheim.fr";
};
# "maxspiegel.fr" = base { "/" = { root = "/run/python-ci/nyanloutre/site-max"; }; };
"stream.nyanlout.re" = base {
"/" = {
proxyPass = "http://10.30.135.71";
};
};
"login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
"grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
"transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
"radarr.nyanlout.re" = authReverse 7878;
"sonarr.nyanlout.re" = authReverse 8989;
"syncthing.nyanlout.re" = authReverse 8384;
"prowlarr.nyanlout.re" = authReverse 9696;
"matrix.nyanlout.re" = simpleReverse 8008;
"emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
locations."/" = {
proxyWebsockets = true;
};
};
"ci.nyanlout.re" = simpleReverse 52350;
"gitea.nyanlout.re" = simpleReverse config.services.gitea.settings.server.HTTP_PORT;
"musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
"photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
locations."/" = {
proxyWebsockets = true;
};
};
"zigbee.nyanlout.re" = recursiveUpdate (authReverse config.services.zigbee2mqtt.settings.frontend.port) {
locations."/" = {
proxyWebsockets = true;
};
};
"apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {
locations."/" = {
proxyWebsockets = true;
};
};
# "work.rezom.eu" = base {
# "/" = {
# index = "/_h5ai/public/index.php";
# extraConfig = ''
# dav_ext_methods PROPFIND OPTIONS;
# '';
# };
# "~ ^/(_h5ai/public/index|random).php" = {
# extraConfig = ''
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
# include ${pkgs.nginx}/conf/fastcgi_params;
# include ${pkgs.nginx}/conf/fastcgi.conf;
# '';
# };
# } // {
# root = "/mnt/medias/iso_linux";
# extraConfig = ''
# access_log /var/log/nginx/$host.log;
# '';
# };
"drive.nyanlout.re" = base {
"/" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
fastcgi_intercept_errors on;
fastcgi_buffers 64 4K;
client_body_temp_path /mnt/webdav/tmp_upload;
client_max_body_size 0;
proxy_request_buffering off;
'';
};
} // {
root = "/mnt/webdav";
};
"rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
(base {
"/" = {
proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
};
})
{
extraConfig = ''
include ${nginxSsoAuth};
'';
}
];
"designyourfuture.amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-designyourfuture/";
};
"amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-portfolio/";
};
"www.amandoline-creations.fr" = {
enableACME = true;
forceSSL = true;
globalRedirect = "amandoline-creations.fr";
};
"challenge.amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-challenge/";
};
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
};
"watcharr.nyanlout.re" = simpleReverse 3080;
};
};
postgresql = {
enable = true;
package = pkgs.postgresql_14;
settings = {
full_page_writes = false;
};
};
gitea = {
enable = true;
database = {
type = "postgres";
port = 5432;
passwordFile = "/var/lib/gitea/custom/conf/database_password";
};
settings = {
server = {
HTTP_PORT = 3001;
ROOT_URL = "https://gitea.nyanlout.re/";
};
ui.DEFAULT_THEME = "arc-green";
log.LEVEL = "Warn";
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
python-ci.enable = true;
# mysql = {
# enable = true;
# package = pkgs.mariadb;
# };
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
hostName = "cloud.nyanlout.re";
database.createLocally = true;
https = true;
maxUploadSize = "16G";
config = {
dbtype = "pgsql";
adminpassFile = "$CREDENTIALS_DIRECTORY/nextcloud_admin.pass";
};
settings = {
"preview_max_filesize_image" = "-1";
"preview_max_memory" = "1024";
"preview_ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg";
"enabledPreviewProviders" = [
''OC\Preview\BMP''
''OC\Preview\GIF''
''OC\Preview\JPEG''
''OC\Preview\Krita''
''OC\Preview\MarkDown''
''OC\Preview\MP3''
''OC\Preview\OpenDocument''
''OC\Preview\PNG''
''OC\Preview\TXT''
''OC\Preview\XBitmap''
''OC\Preview\Movie''
];
};
autoUpdateApps.enable = true;
};
};
systemd.services.nginx.serviceConfig = {
ReadWritePaths = [
"/var/www/hls"
"/mnt/webdav"
];
};
systemd.services.phpfpm-work.serviceConfig = {
ReadOnlyPaths = "/mnt/medias/iso_linux";
ReadWritePaths = [
"/mnt/medias/iso_linux/_h5ai"
];
};
systemd.services.phpfpm-drive.serviceConfig = {
ReadWritePaths = [
"/mnt/webdav"
];
};
systemd.services.nextcloud-setup.serviceConfig = {
LoadCredential = "nextcloud_admin.pass:/mnt/secrets/nextcloud_admin.pass";
};
systemd.services.site-musique = let
djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_4 pillow setuptools ]));
in {
description = "Site Django de la musique de Meyenheim";
after = [ "network.target" ];
requires = [ "site-musique.socket" ];
preStart = ''
${djangoEnv}/bin/python manage.py migrate;
${djangoEnv}/bin/python manage.py collectstatic --no-input;
'';
environment = {
DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
NGINX_DIRECTORY = "/var/www/site-musique";
};
serviceConfig = {
DynamicUser = true;
Group = "nginx";
StateDirectory = "site-musique";
WorkingDirectory = "/var/www/site-musique/";
ReadWritePaths = [ "/var/www/site-musique/staticfiles" "/var/www/site-musique/media" ];
EnvironmentFile = "/mnt/secrets/site-musique.env";
ExecStart = ''${djangoEnv}/bin/gunicorn \
--access-logfile - \
--bind unix:/run/site-musique.sock \
site_musique.wsgi:application
'';
PrivateTmp = true;
};
};
systemd.sockets.site-musique = {
description = "Site Musique socket";
wantedBy = [ "sockets.target" ];
listenStreams = [ "/run/site-musique.sock" ];
};
systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";
}

23
systems/PC-Fixe/codemasters.pem
View File

@ -1,23 +0,0 @@
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJAIIfD20HgCPEMA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
VQQGEwJVSzEVMBMGA1UECAwMV2Fyd2lja3NoaXJlMSEwHwYDVQQKDBhDb2RlbWFz
dGVycyBTb2Z0d2FyZSBMdGQxGzAZBgNVBAsMEkNvZGVtYXN0ZXJzIE9ubGluZTEj
MCEGA1UEAwwaQ29kZW1hc3RlcnMgT25saW5lIFJvb3QgQ0EwHhcNMTAwOTIyMDgx
NjA4WhcNMzUwOTE2MDgxNjA4WjCBiTELMAkGA1UEBhMCVUsxFTATBgNVBAgMDFdh
cndpY2tzaGlyZTEhMB8GA1UECgwYQ29kZW1hc3RlcnMgU29mdHdhcmUgTHRkMRsw
GQYDVQQLDBJDb2RlbWFzdGVycyBPbmxpbmUxIzAhBgNVBAMMGkNvZGVtYXN0ZXJz
IE9ubGluZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
ncw3VeQt3N8ZJmNGiCa8UJ61qtBWxat2yx9bWfyf2o4VqQtn7Cc79esHkf5Zbjpc
zqMpxO/c0vZnHWgH1R0TWRDrSqKHuJxgbxT2JFoLAQQKm+uTUOclLvlC00IrINks
Y6KPYaQDkaLDAQWX42YGqb7CaKna8DwX6Ms4RHLEm5+L0L5GgRk9RfPlphVYCA9r
tjJIQluYMc0Ny4tzJ6IuCnDjgRfmehWSpBV+UAx8FHFxmOUgone6dhA0pTLtR/lu
P/S2aISWgQZJ0GWWfQ/mjVpccnWKtZUK0TCVoKTPpGaV4kTDHYq9ylpuNItTww9E
rXR0/9gWOZHQ49QXd2rnrQIDAQABo1AwTjAdBgNVHQ4EFgQU9vW1MrzNfAbZeTQJ
gHCzyQQlAZgwHwYDVR0jBBgwFoAU9vW1MrzNfAbZeTQJgHCzyQQlAZgwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAcOUnPyvrbAdzMSPN9PLnvh34I9jW
EwU81ks67EBNHaMdghiUhOFZ65vzQLoUYoqQcgzu+i0rAkLZrfviC1TUlv+mdlgK
ce6eD2VgpQOPrpOG6O/TfmyAhS5mOlA35NMsZqZTpIiTZnZLGHSSu/Shvnk7UDTs
lTp1yNj6etlY03ABieBsSIDu0UmhNfEY2HgjPaGGiAmcenw2d4U5Z2oCiJVDseeq
RdlVx/sg4UM8L24/ccqn5uV05cg5aUF5dAlAYLq2wXNgbkpePtmo+/tqdiE3pL+q
TRW14lealjJNmjUUTO/KHjKOpfPJNCHSGLk/h/UskEvcTUTqwDZATCl4jw==
-----END CERTIFICATE-----

202
systems/PC-Fixe/configuration.nix
View File

@ -8,115 +8,155 @@
imports =
[
./hardware-configuration.nix
../common-cli.nix
../common-gui.nix
../common.nix
];
nix.settings.trusted-users = [ "root" "paul" ];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
efiSupport = true;
device = "nodev";
zfsSupport = true;
memtest86.enable = true;
fontSize = 32;
};
boot.kernelParams = [
"acpi_enforce_resources=lax"
"zfs.zfs_arc_max=2147483648"
nixpkgs.overlays = [
(import ../../overlays/ledger-udev-rules.nix)
];
boot.tmp.useTmpfs = false;
boot.supportedFilesystems = [ "zfs" ];
boot.extraModprobeConfig = ''
options hid_apple fnmode=2
'';
virtualisation.podman.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = ["acpi_enforce_resources=lax"];
boot.tmpOnTmpfs = true;
services.zfs = {
trim = {
enable = false;
interval = "monthly";
};
autoScrub = {
enable = false;
interval = "monthly";
};
autoSnapshot = {
enable = true;
monthly = 6;
};
autoReplication = {
enable = true;
host = "nyanlout.re";
username = "zfspaulfixe";
identityFilePath = "/var/lib/zfs-replication/id_rsa";
localFilesystem = "fastaf/home";
remoteFilesystem = "loutrepool/zfs-replicate/paul-fixe";
};
};
# NVIDIA
services.xserver.videoDrivers = [ "nvidia" ];
hardware.bluetooth.enable = true;
# For Steam
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.support32Bit = true;
hardware.steam-hardware.enable = true;
# Logitech G920
hardware.usb-modeswitch.enable = true;
hardware.u2f.enable = true;
services.udev.packages = with pkgs; [
ledger-udev-rules
usb-modeswitch-data # Logitech G920
];
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
'';
networking.hostName = "paul-fixe"; # Define your hostname.
networking.networkmanager.enable = true; # Enables wireless support via wpa_supplicant.
networking.hostName = "paul-fixe";
networking.hostId = "3a1f739e";
networking.hosts = {
"10.30.0.1" = ["emby.nyanlout.re" "nyanlout.re"];
# Select internationalisation properties.
i18n = {
consoleKeyMap = "fr";
defaultLocale = "fr_FR.UTF-8";
};
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
usb-modeswitch
esphome
filezilla
wineStaging
winetricks
qbittorrent
transmission-remote-gtk
appimage-run
bat
usb_modeswitch
gopass
xclip
electrum
electron-cash
firefox
chromium
tdesktop
mumble
kleopatra
gnupg
kdeplasma-addons
ark
kate
kmail
kdeconnect
okular
yakuake
konversation
gwenview
kcalc
spectacle
kile
(texlive.combine {
inherit (texlive) scheme-small titling collection-langfrench cm-super;
})
imagemagick
gnome-breeze
arc-theme
materia-theme
libreoffice
gimp
vlc
kodiPlain
steam
sc-controller
steam-run
minecraft
glxinfo
i7z
lm_sensors
obs-studio
];
programs = {
wireshark.enable = true;
alvr.enable = true;
};
programs.wireshark.enable = true;
programs.wireshark.package = pkgs.wireshark;
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
programs.browserpass.enable = true;
services.pcscd.enable = true;
services.pcscd.plugins = [
(pkgs.ccid.overrideAttrs (oldAttrs: rec {
preBuild = ''
echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
'';
})
)
];
networking.firewall.enable = false;
services.displayManager.autoLogin.user = "paul";
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "fr";
# Enable the KDE Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.users.paul = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "wireshark" "input" "dialout" "libvirtd" "vboxusers" ];
extraGroups = [ "wheel" "networkmanager" "wireshark" "input" ];
uid = 1000;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDstFRwMoTEip5IBSYE4dUj3miO0LsKrnUKQJmp7d5QYo3VhXk43jU6VUU0tVAegkzWLlQ3ohoFns+8bZyf7hj7roftrDfoC9bbbx4ihhWrZTlF0gzoH4t52yetFO5eC/tV2sm/zFoa+3IWLokOEFmAoknAVag1MmVLXTQ6WPoTPD4UsX/D3lyE4dbSKxHpMOIjqIdqSEgO0BeTdnHe5afvGXXO1VYTvPsGDHT9w8EHwQV9JXIPn7KVOp3qin7OwvFFrrB3QbiEVTJvGiH2hrfxcARTN/+TxGtf+aOFeuQykURG9Wz/aBK60EWE0wGrzuIymxtNdOR1NhmnNrUZ976Tb9WdR7FC+yM6+/kdfICy+sGQmmn8TLsGvcJTT/pl4Pa9uRAKjRJuLIEgYY6W/ms9lCRyf484yRkDlq+V0BPuN9Jy6Eb7x+tmZNkpEtkqso7wfXD8sf5BIwv2K69SVMpfTswydHGmDwHZ0zaDKGlyCiyJ1QGqUhCTXqtYVq+kQ3AcjKcysMwVEmwx/ySu0XFuV8oUkl9XK/RUoc++sMEd0EbHcn8uwCmBARNX+GLQ03vxwyMW3HyneP8EAxoqtSepZXbTdVP/0i+l7EUUeA7zsaWfU2a82ktZWpVPFGfxkuo0l3zLF19EsXPKZNqlRfkOWjSgp+qWihAkQIQk3GoduQ== openpgp:0x75EE3375"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3fEmkmrhccW8NegIk/Ubu6Yw80VCQ1ttG419e+1V1wkJPXFAqcIhffwrIlz81dJ47T+H+zeptpAX8U1Gbk1B5ZH4DW8OcqU6ymM+j6g/gICpvrjJUOpdgyA3GIOjuBJGijGQGggDw1k2SdopAVV1H38YUAJ33RGDvjLJO6VREYLDYLF4oaDp8ann7Wn8BpX2T7cRvhrzqcwbEGaw1f/xrLE5KklOb6pOHRWFJMxW83d8OKiLkQvM4vFGlvvG0/AKGZaZWHDXS7ldoyAv+vnN8DrIxmWEQjdNLfAwYDBHp6XqE0slde4dqBjVHji5+ajFr7eJnrzc4IXsHJ1jM9xGB paul@loutreos"
];
};
services.openssh.enable = true;
services.openssh.settings = {
PasswordAuthentication = false;
X11Forwarding = true;
};
services.syncthing.enable = true;
services.syncthing.user = "paul";
services.syncthing.group = "users";
services.xserver.deviceSection = ''
Option "metamodes" "DP-4: 3440x1440_144 +0+0 {AllowGSYNCCompatible=On}"
'';
virtualisation.rkt.enable = true;
services.printing.enable = true;
services.printing.drivers = [ pkgs.hplip ];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
systemd.services = {
zfs-replication.serviceConfig.StateDirectory = "zfs-replication";
};
system.stateVersion = "20.03";
}

75
systems/PC-Fixe/hardware-configuration.nix
View File

@ -4,56 +4,63 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" "coretemp" "it87" ];
boot.extraModulePackages = [ ];
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
services.xserver.videoDrivers = [ "nvidia" ];
hardware.cpu.amd.updateMicrocode = true;
hardware.nvidia = {
open = false;
modesetting.enable = true;
};
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "firewire_ohci" "pata_marvell" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" "nct6775" ];
boot.extraModulePackages = [ ];
boot.blacklistedKernelModules = [ "hid-steam" ];
fileSystems."/" =
{ device = "rpool/root/nixos";
fsType = "zfs";
{ device = "/dev/disk/by-uuid/509a5842-56fe-40bd-8b00-6bda87e02e5e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F4EC-57DF";
{ device = "/dev/disk/by-uuid/A225-07A5";
fsType = "vfat";
};
fileSystems."/home" =
{ device = "fastaf/home";
fsType = "zfs";
fileSystems."/mnt/hdd" =
{ device = "/dev/mapper/ManjaroVG-ManjaroRoot";
fsType = "ext4";
};
fileSystems."/home/paul/Documents" =
{ device = "/mnt/hdd/paul/Documents";
options = [ "bind" ];
};
fileSystems."/home/paul/Downloads" =
{ device = "/mnt/hdd/paul/Téléchargements";
options = [ "bind" ];
};
fileSystems."/home/paul/Music" =
{ device = "/mnt/hdd/paul/Musique";
options = [ "bind" ];
};
fileSystems."/home/paul/Pictures" =
{ device = "/mnt/hdd/paul/Images";
options = [ "bind" ];
};
fileSystems."/home/paul/Videos" =
{ device = "/mnt/hdd/paul/Vidéos";
options = [ "bind" ];
};
fileSystems."/mnt/steam" =
{ device = "fastaf/steam";
fsType = "zfs";
};
fileSystems."/mnt/games" =
{ device = "fastaf/games";
fsType = "zfs";
};
# fileSystems."/mnt/hdd" =
# { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
# fsType = "ext4";
# };
fileSystems."/mnt/medias" =
{ device = "10.30.0.1:/mnt/medias";
{ device = "192.168.0.5:/exports/steam";
fsType = "nfs";
options = ["x-systemd.automount" "noauto"];
};
swapDevices = [ ];
nix.settings.max-jobs = lib.mkDefault 12;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

125
systems/common-cli.nix
View File

@ -1,125 +0,0 @@
{ config, pkgs, ... }:
{
time.timeZone = "Europe/Paris";
environment.systemPackages = with pkgs; [
# Editeurs
(neovim.override {
viAlias = true;
vimAlias = true;
configure = {
customRC = ''
set tabstop=8
set shiftwidth=4
set softtabstop=0
set expandtab
set smarttab
set background=dark
set mouse=
'';
packages.myVimPackage = with pkgs.vimPlugins; {
start = [
vim-startify airline sensible
polyglot ale fugitive
];
opt = [ ];
};
};
})
# Gestionnaires de version
tig
gitAndTools.hub
quilt
# Gestion de paquets
nix-prefetch-scripts
nox
nix-index
# Système
smartmontools
htop
lshw
usbutils
# Réseau
inetutils
rclone
lftp
nfs-utils
nmap
# Divers
fzf
file
ncdu
yt-dlp
tldr
starship
# Audio
beets
# Outils
borgbackup
binutils
bat
molly-guard
nix-template
lz4
# Développement
openssl
];
users.defaultUserShell = pkgs.zsh;
programs = {
tmux = {
enable = true;
clock24 = true;
};
zsh = {
enable = true;
autosuggestions.enable = true;
enableCompletion = true;
syntaxHighlighting.enable = true;
interactiveShellInit = ''
source "$(${pkgs.fzf}/bin/fzf-share)/key-bindings.zsh"
eval "$(starship init zsh)"
'';
ohMyZsh = {
enable = true;
plugins = [ "git" "colored-man-pages" "command-not-found" "extract" "nix" ];
customPkgs = with pkgs;[
nix-zsh-completions
];
};
};
bash.interactiveShellInit = ''
eval "$(starship init bash)"
'';
git.enable = true;
};
environment.variables = let
starshipConfToml =
pkgs.writeText "starship.toml" ''
[[battery.display]]
threshold = 50
'';
in {
EDITOR = "nvim";
STARSHIP_CONFIG = "${starshipConfToml}";
};
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 15d";
systemd.timers.nix-gc.timerConfig.Persistent = true;
}

135
systems/common-gui.nix
View File

@ -1,135 +0,0 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
filezilla
qbittorrent
transmission-remote-gtk
sc-controller
steam-run
prismlauncher
lutris
teamspeak_client
ryujinx
betaflight-configurator
ledger-live-desktop
monero-gui
tor-browser-bundle-bin
brave
tdesktop
element-desktop
mumble
discord
kleopatra
gnupg
gopass
xclip
kdeplasma-addons
ark
kate
kmail
kdePackages.kdeconnect-kde
okular
yakuake
konversation
gwenview
kcalc
spectacle
kinfocenter
kile
(texlive.combine {
inherit (texlive) scheme-small titling collection-langfrench cm-super;
})
libsForQt5.breeze-gtk
libreoffice
gimp
inkscape
imagemagick
obs-studio
vlc
mpv
kdenlive
glxinfo
i7z
pavucontrol
];
i18n = {
defaultLocale = "fr_FR.UTF-8";
};
console.keyMap = "fr";
networking.networkmanager.enable = true;
systemd.extraConfig = "DefaultLimitNOFILE=1048576";
security = {
pam.loginLimits = [{
domain = "*";
type = "hard";
item = "nofile";
value = "1048576";
}];
rtkit.enable = true;
};
programs = {
gnupg.agent = { enable = true; enableSSHSupport = true; };
browserpass.enable = true;
steam.enable = true;
firefox.enable = true;
appimage.enable = true;
};
services = {
# desktopManager.plasma6.enable = true;
displayManager = {
sddm = {
enable = true;
# wayland.enable = true;
autoLogin.relogin = true;
};
};
xserver = {
enable = true;
xkb.layout = "fr";
exportConfiguration = true;
desktopManager.plasma5.enable = true;
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
udev.packages = with pkgs; [ ledger-udev-rules ];
pcscd.enable = true;
};
environment.etc = {
"mpv/mpv.conf" = {
text = ''
profile=gpu-hq
scale=ewa_lanczossharp
cscale=ewa_lanczossharp
video-sync=display-resample
interpolation
tscale=oversample
'';
};
# CK3 fix
"ssl/certs/f387163d.0".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/Starfield_Class_2_CA.crt";
};
}

93
systems/common.nix Normal file
View File

@ -0,0 +1,93 @@
{ config, pkgs, ... }:
{
time.timeZone = "Europe/Paris";
nixpkgs.overlays = [
(import ../overlays/sudo.nix)
(import ../overlays/neovim.nix)
];
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
# Editeurs
neovim
# Gestionnaires de version
gitFull
tig
# Gestion de paquets
nix-prefetch-scripts
nox
nix-index
# Système
smartmontools
htop
lshw
usbutils
# Réseau
telnet
rclone
lftp
wireguard
nfsUtils
nmap
# Divers
fzf
file
ncdu
youtube-dl
tldr
# Audio
beets
# Outils
borgbackup
# Développement
openssl
];
programs.tmux = {
enable = true;
clock24 = true;
};
users.defaultUserShell = pkgs.zsh;
programs.zsh = {
enable = true;
autosuggestions.enable = true;
enableCompletion = true;
syntaxHighlighting.enable = true;
interactiveShellInit = ''
source "$(${pkgs.fzf}/bin/fzf-share)/key-bindings.zsh"
'';
ohMyZsh = {
enable = true;
plugins = [ "git" "colored-man-pages" "command-not-found" "extract" "nix" ];
customPkgs = with pkgs;[
spaceship-prompt
nix-zsh-completions
];
theme = "spaceship";
};
};
environment.variables = {
EDITOR = "nvim";
SPACESHIP_TIME_SHOW = "true";
SPACESHIP_BATTERY_THRESHOLD = "50";
SPACESHIP_EXIT_CODE_SHOW = "true";
};
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 15d";
systemd.timers.nix-gc.timerConfig.Persistent = true;
}