Compare commits

...

No commits in common. "bb2fe560820de4c21cd7923bb9d70df647f18f71" and "03a1f4b84789294c1af3987572cc4072fb2a6ea7" have entirely different histories.

373 changed files with 2775 additions and 16959 deletions

1
.argocd-ignore Normal file
View file

@ -0,0 +1 @@
.pre-commit-config.yaml

163
.devenv.flake.nix Normal file
View file

@ -0,0 +1,163 @@
{
inputs =
let
version = "1.6.1";
system = "x86_64-linux";
devenv_root = "/home/gwg313/repos/homelab-gitops";
devenv_dotfile = ./.devenv;
devenv_dotfile_string = ".devenv";
container_name = null;
devenv_tmpdir = "/run/user/1000";
devenv_runtime = "/run/user/1000/devenv-f22e6d0";
devenv_istesting = false;
devenv_direnvrc_latest_version = 1;
in {
git-hooks.url = "github:cachix/git-hooks.nix";
git-hooks.inputs.nixpkgs.follows = "nixpkgs";
pre-commit-hooks.follows = "git-hooks";
nixpkgs.url = "github:cachix/devenv-nixpkgs/rolling";
devenv.url = "github:cachix/devenv?dir=src/modules";
} // (if builtins.pathExists (devenv_dotfile + "/flake.json")
then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/flake.json"))
else { });
outputs = { nixpkgs, ... }@inputs:
let
version = "1.6.1";
system = "x86_64-linux";
devenv_root = "/home/gwg313/repos/homelab-gitops";
devenv_dotfile = ./.devenv;
devenv_dotfile_string = ".devenv";
container_name = null;
devenv_tmpdir = "/run/user/1000";
devenv_runtime = "/run/user/1000/devenv-f22e6d0";
devenv_istesting = false;
devenv_direnvrc_latest_version = 1;
devenv =
if builtins.pathExists (devenv_dotfile + "/devenv.json")
then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/devenv.json"))
else { };
getOverlays = inputName: inputAttrs:
map
(overlay:
let
input = inputs.${inputName} or (throw "No such input `${inputName}` while trying to configure overlays.");
in
input.overlays.${overlay} or (throw "Input `${inputName}` has no overlay called `${overlay}`. Supported overlays: ${nixpkgs.lib.concatStringsSep ", " (builtins.attrNames input.overlays)}"))
inputAttrs.overlays or [ ];
overlays = nixpkgs.lib.flatten (nixpkgs.lib.mapAttrsToList getOverlays (devenv.inputs or { }));
pkgs = import nixpkgs {
inherit system;
config = {
allowUnfree = devenv.allowUnfree or false;
allowBroken = devenv.allowBroken or false;
permittedInsecurePackages = devenv.permittedInsecurePackages or [ ];
};
inherit overlays;
};
lib = pkgs.lib;
importModule = path:
if lib.hasPrefix "./" path
then if lib.hasSuffix ".nix" path
then ./. + (builtins.substring 1 255 path)
else ./. + (builtins.substring 1 255 path) + "/devenv.nix"
else if lib.hasPrefix "../" path
then throw "devenv: ../ is not supported for imports"
else
let
paths = lib.splitString "/" path;
name = builtins.head paths;
input = inputs.${name} or (throw "Unknown input ${name}");
subpath = "/${lib.concatStringsSep "/" (builtins.tail paths)}";
devenvpath = "${input}" + subpath;
devenvdefaultpath = devenvpath + "/devenv.nix";
in
if lib.hasSuffix ".nix" devenvpath
then devenvpath
else if builtins.pathExists devenvdefaultpath
then devenvdefaultpath
else throw (devenvdefaultpath + " file does not exist for input ${name}.");
project = pkgs.lib.evalModules {
specialArgs = inputs // { inherit inputs; };
modules = [
({ config, ... }: {
_module.args.pkgs = pkgs.appendOverlays (config.overlays or [ ]);
})
(inputs.devenv.modules + /top-level.nix)
{
devenv.cliVersion = version;
devenv.root = devenv_root;
devenv.dotfile = devenv_root + "/" + devenv_dotfile_string;
}
(pkgs.lib.optionalAttrs (inputs.devenv.isTmpDir or false) {
devenv.tmpdir = devenv_tmpdir;
devenv.runtime = devenv_runtime;
})
(pkgs.lib.optionalAttrs (inputs.devenv.hasIsTesting or false) {
devenv.isTesting = devenv_istesting;
})
(pkgs.lib.optionalAttrs (container_name != null) {
container.isBuilding = pkgs.lib.mkForce true;
containers.${container_name}.isBuilding = true;
})
({ options, ... }: {
config.devenv = pkgs.lib.optionalAttrs (builtins.hasAttr "direnvrcLatestVersion" options.devenv) {
direnvrcLatestVersion = devenv_direnvrc_latest_version;
};
})
] ++ (map importModule (devenv.imports or [ ])) ++ [
(if builtins.pathExists ./devenv.nix then ./devenv.nix else { })
(devenv.devenv or { })
(if builtins.pathExists ./devenv.local.nix then ./devenv.local.nix else { })
(if builtins.pathExists (devenv_dotfile + "/cli-options.nix") then import (devenv_dotfile + "/cli-options.nix") else { })
];
};
config = project.config;
options = pkgs.nixosOptionsDoc {
options = builtins.removeAttrs project.options [ "_module" ];
warningsAreErrors = false;
# Unpack Nix types, e.g. literalExpression, mDoc.
transformOptions =
let isDocType = v: builtins.elem v [ "literalDocBook" "literalExpression" "literalMD" "mdDoc" ];
in lib.attrsets.mapAttrs (_: v:
if v ? _type && isDocType v._type then
v.text
else if v ? _type && v._type == "derivation" then
v.name
else
v
);
};
build = options: config:
lib.concatMapAttrs
(name: option:
if builtins.hasAttr "type" option then
if option.type.name == "output" || option.type.name == "outputOf" then {
${name} = config.${name};
} else { }
else
let v = build option config.${name};
in if v != { } then {
${name} = v;
} else { }
)
options;
systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
in
{
devShell = lib.genAttrs systems (system: config.shell);
packages = lib.genAttrs systems (system: {
optionsJSON = options.optionsJSON;
# deprecated
inherit (config) info procfileScript procfileEnv procfile;
ci = config.ciDerivation;
});
devenv = config;
build = build project.options project.config;
};
}

4
.envrc
View file

@ -1 +1,3 @@
use flake
source_url "https://raw.githubusercontent.com/cachix/devenv/82c0147677e510b247d8b9165c54f73d32dfd899/direnvrc" "sha256-7u4iDd1nZpxL4tCzmPG0dQgC5V+/44Ba+tHkPob1v2k="
use devenv

View file

@ -1,11 +0,0 @@
on: [push, pull_request]
name: Basic Code Checks
jobs:
formatting-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
- uses: cachix/install-nix-action@v23
with:
nix_path: nixpkgs=channel:nixos-unstable
- run: nix develop --command alejandra --check .

5
.gitignore vendored
View file

@ -1,4 +1 @@
.direnv
.pre-commit-config.yaml
.devenv

5
.gitleaks.toml Normal file
View file

@ -0,0 +1,5 @@
[allowlist]
description = "Ignore Kubernetes SealedSecrets"
regexes = [
'''(?s)kind:\s*SealedSecret.*?encryptedData:.*?'''
]

View file

@ -1 +0,0 @@
export XDG_DATA_DIRS=$XDG_DATA_DIRS:/usr/share:/var/lib/flatpak/exports/share:$HOME/.local/share/flatpak/exports/share

View file

@ -1,7 +0,0 @@
keys:
- &primary age1k3hs0gyzrmsdyqh9lpret46q3xaayxxntruzc4euy6h3slqn4u6q36h7rg
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary

10
.yamllint Normal file
View file

@ -0,0 +1,10 @@
extends: default
rules:
document-start: disable
line-length:
max: 80
allow-non-breakable-words: false
ignore: |
**/*sealed*.yaml

View file

@ -1,54 +0,0 @@
# NixOS Flake Configuration
## Overview
This repository contains my NixOS configuration as a flake. This configuration
is designed to provide a reproducible and declarative setup for my system. It
includes system configuration, package management, and various other NixOS
features.
### Window Manager
- hyrpland
- waybar
- swaylock
- wofi
- light
- grimshot
- mako
### Terminal
- alacritty
- zsh
- starship
- tmux
- neovim(my configuration can be found
[here](https://github.com/gwg313/nvim-nix))
- eza
- ripgrep
- fd
## Prerequisites
Before using this NixOS flake configuration, you should have the following
prerequisites:
- NixOs should be installed on your system.
- Familiarity with Nix and NixOS concepts is helpful but not required.
## Usage
NixOS and home-manager are called seperately,
To rebuild and switch to the new NixOS configuration:
```bash
nixos-rebuild switch --flake .#candlekeep
```
To rebuild and switch to the new home-manager configuration:
```bash
home-manager switch --flake .#gwg313@candlekeep
```

20
apps/audiobookshelf.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: audiobookshelf
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: audiobookshelf
destination:
server: https://kubernetes.default.svc
namespace: audiobookshelf
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

20
apps/bytestash.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: bytestash
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: bytestash
destination:
server: https://kubernetes.default.svc
namespace: bytestash
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

18
apps/cert-issuer.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-issuer
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: cluster-issuer
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
selfHeal: true
prune: true

24
apps/cert-manager.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
spec:
project: default
source:
repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: v1.15.0
helm:
releaseName: cert-manager
values: |
installCRDs: true
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

20
apps/forgejo.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: forgejo
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: forgejo
destination:
server: https://kubernetes.default.svc
namespace: forgejo
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

20
apps/harbor-config.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: harbor-config
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: harbor-config
destination:
server: https://kubernetes.default.svc
namespace: harbor
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

51
apps/harbor.yaml Normal file
View file

@ -0,0 +1,51 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: harbor
namespace: argocd
spec:
project: default
destination:
server: https://kubernetes.default.svc
namespace: harbor
source:
repoURL: https://helm.goharbor.io
chart: harbor
targetRevision: 1.14.2
helm:
releaseName: harbor
values: |
externalURL: https://registry.gwg313.xyz
expose:
type: clusterIP
tls:
enabled: false
certSource: secret
secret:
secretName: harbor-cert-nginx
nginx:
replicas: 0
persistence:
persistentVolumeClaim:
registry:
existingClaim: harbor-registry
jobservice:
existingClaim: harbor-jobservice
trivy:
existingClaim: harbor-trivy
database:
existingClaim: harbor-database
redis:
existingClaim: harbor-redis
core:
existingClaim: harbor-core
ingress:
enabled: false
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-base
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: base
targetRevision: 1.26.0
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

26
apps/istio/istio-cni.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-cni
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: cni
targetRevision: 1.26.0
helm:
values: |
cni:
enabled: true
chained: false
logLevel: info
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true

View file

@ -0,0 +1,50 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-gateway
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "2"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: gateway
targetRevision: 1.26.0
helm:
values: |
replicaCount: 2
autoscaling:
enabled: false
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
podDisruptionBudget:
enabled: true
minAvailable: 1
proxy:
logLevel: warning
componentLogLevel: "misc:error,config:debug"
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true

View file

@ -0,0 +1,43 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-istiod
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: istiod
targetRevision: 1.26.0
helm:
values: |
global:
istioCNI:
enabled: true
sidecarInjectorWebhook:
disableInitContainers: true
pilot:
autoscaleEnabled: false
replicaCount: 2
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
podDisruptionBudget:
enabled: true
minAvailable: 1
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true

View file

@ -0,0 +1,9 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
annotations:
name: default
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE

18
apps/metallb-config.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb-config
namespace: argocd
spec:
project: default
source:
path: metallb/config
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: HEAD
destination:
server: https://kubernetes.default.svc
namespace: metallb-system
syncPolicy:
automated:
prune: true
selfHeal: true

22
apps/metallb.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb
namespace: argocd
spec:
project: default
source:
repoURL: https://metallb.github.io/metallb
chart: metallb
targetRevision: 0.14.5
helm:
releaseName: metallb
destination:
server: https://kubernetes.default.svc
namespace: metallb-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

20
apps/minio-config.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: minio-config
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: minio
destination:
server: https://kubernetes.default.svc
namespace: minio
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

37
apps/minio.yaml Normal file
View file

@ -0,0 +1,37 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: minio
namespace: argocd
spec:
destination:
namespace: minio
server: https://kubernetes.default.svc
project: default
source:
repoURL: https://charts.bitnami.com/bitnami
chart: minio
targetRevision: 17.0.9
helm:
releaseName: minio
values: |
auth:
existingSecret: minio-auth
ingress:
enabled: false
service:
type: ClusterIP
ports:
api: 9000
console: 9001
persistence:
existingClaim: minio-data
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

20
apps/navidrome.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: navidrome
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: navidrome
destination:
server: https://kubernetes.default.svc
namespace: navidrome
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

33
apps/nfs-subdir.yaml Normal file
View file

@ -0,0 +1,33 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: nfs-subdir-external-provisioner
namespace: argocd
spec:
project: default
source:
repoURL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner
chart: nfs-subdir-external-provisioner
targetRevision: 4.0.18
helm:
releaseName: nfs-subdir-external-provisioner
values: |
nfs:
server: truenas.local.gwg313.xyz
path: /mnt/tank/k8s/nfs-subdir
storageClass:
name: nfs-client
defaultClass: true
accessModes: ["ReadWriteMany"]
reclaimPolicy: Delete
archiveOnDelete: false
destination:
server: https://kubernetes.default.svc
namespace: nfs-subdir-external-provisioner
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

24
apps/sealed-secrets.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: sealed-secrets
namespace: argocd
spec:
project: default
source:
repoURL: https://bitnami-labs.github.io/sealed-secrets
chart: sealed-secrets
targetRevision: 2.15.3
helm:
releaseName: sealed-secrets
values: |
fullnameOverride: sealed-secrets-controller
destination:
server: https://kubernetes.default.svc
namespace: sealed-secrets
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

18
apps/security.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cluster-security
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: security
destination:
server: https://kubernetes.default.svc
namespace: kube-system
syncPolicy:
automated:
selfHeal: true
prune: true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: woodpecker-manifests
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: HEAD
path: woodpecker
destination:
server: https://kubernetes.default.svc
namespace: woodpecker
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

23
apps/woodpecker.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: woodpecker
namespace: argocd
spec:
project: default
source:
repoURL: https://woodpecker-ci.org/
chart: woodpecker
targetRevision: 3.2.0
helm:
releaseName: woodpecker
values: "server:\n env:\n WOODPECKER_HOST: \"https://ci.gwg313.xyz\"\n extraSecretNamesForEnvFrom:\n - woodpecker-server-secrets\n persistentVolume:\n enabled: true\n existingClaim: woodpecker-server-pvc5\n\nagent:\n enabled: true\n replicaCount: 1\n extraSecretNamesForEnvFrom:\n - woodpecker-agent-secrets\n env:\n WOODPECKER_SERVER: \"woodpecker-server:9000\"\n WOODPECKER_MAX_WORKFLOWS: \"5\"\n persistence:\n enabled: true\n existingClaim: woodpecker-agent-pvc5\n securityContext:\n privileged: true \n"
destination:
server: https://kubernetes.default.svc
namespace: woodpecker
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

20
apps/yopass.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: yopass
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: yopass
destination:
server: https://kubernetes.default.svc
namespace: yopass
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: audiobookshelf-cert
namespace: istio-system
spec:
secretName: audiobookshelf-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- audiobooks.gwg313.xyz

View file

@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: audiobookshelf
namespace: audiobookshelf
spec:
replicas: 1
selector:
matchLabels:
app: audiobookshelf
template:
metadata:
labels:
app: audiobookshelf
spec:
containers:
- name: audiobookshelf
image: registry.gwg313.xyz/library/audiobookshelf:latest
ports:
- containerPort: 8080
volumeMounts:
- name: audiobooks-volume
mountPath: /audiobooks
- name: podcasts-volume
mountPath: /podcasts
- name: config-volume
mountPath: /config
- name: metadata-volume
mountPath: /metadata
volumes:
- name: audiobooks-volume
persistentVolumeClaim:
claimName: audiobookshelf-audiobooks
- name: podcasts-volume
persistentVolumeClaim:
claimName: audiobookshelf-podcasts
- name: config-volume
persistentVolumeClaim:
claimName: audiobookshelf-config
- name: metadata-volume
persistentVolumeClaim:
claimName: audiobookshelf-metadata

View file

@ -0,0 +1,18 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: audiobookshelf-gateway
namespace: audiobookshelf
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: audiobookshelf-cert
hosts:
- audiobooks.gwg313.xyz

View file

@ -0,0 +1,19 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: audiobookshelf-iscsi-auth
namespace: audiobookshelf
spec:
encryptedData:
discovery.sendtargets.auth.password: AgBlREGUmNCv4V+AAsTN4xn1+CTIQspG86tK34CH8LbAQQtCwrldsyH/ZDnDEK2bmb7Eq0o4Lt9bYYdAFt/2d74ViMWVWyarIG5dU3kwMfzysQsu3lrWtIUwlFS08YaQJg+7Eipy1LbJvncTLY9ixZ3xA7Vx+rlyhXp0bt0Aet6ItzcxTbifA14xtCGDDDRcOjkBp+lhOY70tnqAkQ7NxLooPcNGSIqMPbIwhdc8Nq9Knz7ZqVTnVyl2QxdQSooUIcYBN0V97tiwtZUvwU0pb7LsxSEac2NbwzPMfoP8LnTETURK0JhqvO6Uvi7iMNBLw3sDzR2fCX1VhleLOM1JQgk93w5VA33GZOb+7iofJt+gVIs651G9+rCS2hN8XiQPiZnCVtZ9upxM4DnHz1GvuML0NRcXyIN2zOzcZdwMXBRAQ42XwcdbZIOubiVNbV/yEDoNmA6aR1ItRYDGyheRKwphLEDnbXlgWEDnKKHiUjrj833vNTXn9wtOZ2mnfzE//cr3fvaosQthfnviI/QRo8plpXI8y9BgjNToecsbQNzNIP17ZljCZB2HTBa8urX9A9vAOcFD51k6FugfE92tnBtSu42vGi3vkEuxM2blrFAWlpsChHkyQmONJchHgNsyKqZdlRzFLraZTtic9z8HBjmOyXgykGuoPzGf29vB8bwZ3mIUE8GSsF7WV9hAGdfGzE0VnUp3CKOIMFyrudVeWFOX
discovery.sendtargets.auth.username: AgBerGD4HXIRcJDdyknlztVIIfpLYyEnB5jIQV7tHksPPtDp4VxOQcOOnsgn2xcskpGbPP60iQJgTn9eNtHnRVylFhRDBr7ugn7LKWw0KGg/sexYx07Do6Sc7h7+MrzaoxV7kV7hOJrflALtKhSTmsiNLVnskmU+reckgLYFrFjSPOYJsDJlpq7WPXVBVW2nEJ0EMkCyfWAU1ADfpM5rvbtLu3geCAWAz557BASYgdvaBEWOT5sONC2rbl2MaSJeBVZX+Wr5IdzVd3K/VFJRSJ7xE5LAVKbuWGPpt18H86uU7mqXuyYUz7FR7nD21FT8rPvj4/rXKTR0W2U/hrH/53Jn5yFj30+iAcDhq9C4fRA8ZvI9KsESRZXq0dnInPkYpHzPIKdMwtEs/qycIMGwczRO9d6UDj3qJsJTO4E1btvzPQMt1kJ3d2U87/r7TCzcbIpLlMez8VTS0osnwVkD9/4oR074TX/0m9aMqLomsrw4oyXsetJL8O4R1A59NsjtBRvyeG00BmmJMlSrI+DF+wa131/4g/y6BsYP30QwxxxoOHH1clSdXGueHhQpttmc7le8FSJ+pyyPLR8BrFi76GojZG3GZScArJm/072WcUnsvxpitmtwKgihRFGr6V5yPU/vvPLWsV+swQ+zh6IZ1RPNn8QPk4oKqJnoAlDmMkdXhgqLucor322cxU+bNkE0v3RPBeynzEVpGSzrtYzOvw==
node.session.auth.password: AgB/lsTVb/3hrYtzpEydBfcesvDgZUi6Si4VNjlGRS1PfK9DSLpRBZazgLkrFSIhLOviWb9Rp9zQDNTJFAZkLbPGh8zNWyTzbANgsSziht7ljBArnsT3iMRQbFvZGUkI3QM95EURVXC7GhPEfr15bkEqq93ETzaDaBvZ3tKN2XqjRTFFAR2aFVVV6rPPea3FfAVhhcR700pfbW4YpLPfHuUFentEuMo5a3QRYo3VdzPYB7lzRx+YgD9Rv1rSffTdnPJzlE9IkUeBZKnuK9Xg80Q75aPHvb6MfT++LRZHUtsftQFjbJMcFKqqDu+JktjViyrTYG/2cfdQKsHbsQu4OW4XamU0isZiz42T8cj/Dpo0C+m2meZVXkSrsvyeHCA77vl9yd24O7CkDGKLnAqe5RLWAMJVBQwnVqiDhTdTvEItoyV9MZM079CsPKSpVZMJ4GQoJDjKN3L9Z0IIWHlrV5RJ65RJA3d8/9Ku+vFtxyfGWB3GtXAFvXYW/OZn1vuIEmA3U11mgnGKDIRETBMpuJSvzVKiTxCL4yrq5Ap0VRfBlJlNbDSlj78z6x9Pd8TsSoKUA5htpObLy3+Dx2Lm6SUflKvB6ywKnIbhlfFONlUrsxX6J02taDmqTzeAFT5sSM2Xl4yFveb7XLQQOJUIc32ZAFXOkYkvr9T8lbxXDE9mJG7abzwal7i1KWrxgVnmgN8oM6QDciHqElUb+z+tE69g
node.session.auth.username: AgCjON6B6NWGlbQsJvBLvy1SOgUt7fuIScFKqsnVLZf/AmUH6VJ70qAtjOr+MfoyhvGkpNLAb64LpUsEmxX/AI4pONZnNUVYgWSha+yEizCLsYCp2wL7PHbobg9nkYxL7vRcS/So5iIaHHS+3cHIHJI5O8Dhb6gqOz5kafNgdLu0TJ56n1Axe4QI3mz0m5/XjovzzImM3DiMaqtzJotENGxnnA/X0/zBbNZry94iWuXCTJ115+6cVn+h3SvVw0/rwcJgfNxgIJJW4Rukl6WCyC6MTKTjNnA65Z5R9oW4JviGNF/0PNGTjmkuCoJqSNZ+p5XebhTxn65ultLMxvJXZhVmSHo3es3x8wlmO49UOGhT1a38P+p/9DrrTg3xEdIeDHMmdLaZgOjjEfDh/2OP2S2ZHVEXQnFvG2VnKgmMYWyeylhBGyn4cEkLc1fFhy55g2EMCeF5zXNldTlT3Gh0ca1ipF0BBXgvuJCa9c5tNBK2QS66QVdehOLBOxrnjTnd4VPt05JXKqSQZ6S0ukNecL5hBju2nGHlXdYcVeI94/uZmpkNJC+mqRTJdXGwtUhF9F529Ln+DtkhTcGUAPBcZdP9eEc/lkAjp/lJyzW2jgTynVkqAyBZJsA7etAHAUlsFMgFOw6bG/oKXpJE7wFJ4J929/inpVj8J9rlLC7ruRlQy9gUT8A2uLwAXVmQufpjBTi2AVyS6wACG+eusvOHYg==
template:
metadata:
creationTimestamp: null
name: audiobookshelf-iscsi-auth
namespace: audiobookshelf
type: kubernetes.io/iscsi-chap

57
audiobookshelf/pvcs.yaml Normal file
View file

@ -0,0 +1,57 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-config
namespace: audiobookshelf
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeName: audiobookshelf-config-pv
storageClassName: audiobookshelf-iscsi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-metadata
namespace: audiobookshelf
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeName: audiobookshelf-metadata-pv
storageClassName: audiobookshelf-iscsi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-audiobooks
namespace: audiobookshelf
spec:
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 100Gi
volumeName: audiobookshelf-audiobooks-pv
storageClassName: audiobookshelf-nfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-podcasts
namespace: audiobookshelf
spec:
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 100Gi
volumeName: audiobookshelf-podcasts-pv
storageClassName: audiobookshelf-nfs

73
audiobookshelf/pvs.yaml Normal file
View file

@ -0,0 +1,73 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-config-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-config
lun: 0
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: audiobookshelf-iscsi-auth
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-metadata-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-iscsi
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-metadata
lun: 1
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: audiobookshelf-iscsi-auth
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-audiobooks-pv
spec:
capacity:
storage: 100Gi
accessModes:
- ReadOnlyMany
persistentVolumeReclaimPolicy: Retain
nfs:
server: truenas.local.gwg313.xyz
path: /mnt/tank/media/audiobooks
storageClassName: audiobookshelf-nfs
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-podcasts-pv
spec:
capacity:
storage: 100Gi
accessModes:
- ReadOnlyMany
persistentVolumeReclaimPolicy: Retain
nfs:
server: truenas.local.gwg313.xyz
path: /mnt/tank/media/podcasts
storageClassName: audiobookshelf-nfs

View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: audiobookshelf
namespace: audiobookshelf
spec:
selector:
app: audiobookshelf
ports:
- port: 80
targetPort: 8080

View file

@ -0,0 +1,19 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: audiobookshelf
namespace: audiobookshelf
spec:
hosts:
- audiobooks.gwg313.xyz
gateways:
- audiobookshelf-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: audiobookshelf
port:
number: 80

View file

@ -0,0 +1,8 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: strict-mtls
namespace: bytestash
spec:
mtls:
mode: STRICT

View file

@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: bytestash-secret
namespace: bytestash
spec:
encryptedData:
JWT_SECRET_KEY: AgBhyqlrAr9hDaCZ7yPbZZuXtZMeqbMqd0LXWwT8nlEpTY0Tk7LLwjdv6DoY3gvj0Jbgcoa+Edgg6HywykouVAqe2i6HbDwWOPVjRw5K1GA7y7jlb8IOP2D7ZJN8sKW7MUfhmmraN0piuvpCMVl/NHbT1XfQq4mym/PChHcD4Ju+lNMfFWkHNZtXf/9tpYcTa3cmREf0uBFQRNQFP2TaUx8X+QmzIIdoGaqZA+Jud2HkTHymsRhn7fSK3smaJecw/y7IR4ohNcJ17FqOyaqbnQ/MUzB+aprFKjBOnVmZwbWSjJYWPN1nx6NPndmk8X3Q3XeB50WnoAhqNSwI6a58wo/zVHyM5B3Q+L9slCWd8t27z+Jv7Y8zRFl137dbhDBcrHf73miNnaK5x0b741Bv3yDakJG+DrU5YlmGH2/t4XBZjMMRxF4y0CgdT+DN+cZrkbkATHIQWZARmLTqYfig/2D+PfKhrniE4Tfq3V2gLN12Kwf09fqM02Uo2faOya6QF3fvGGZx3QXiDrzPMthLuvk1JqPqU98fNKniS8x7/q1LdHH6ga5wyXyGk76tl540p+kdY2sAi7K5/VAw0QM6A+6EHXJJgZ4bdd02eB0F1/lCKcCzZhs5lIjBu0r/d81wYlId6GtMvXZiMfsbMS9a7evGl20PXAn2C5KxWfyyyIX3wn7JIAxiOdGwPUOI6E4/LCJSnzlfBa7SWFrMHAjniNyQOLB0S9amtHwDDt6j
template:
metadata:
creationTimestamp: null
name: bytestash-secret
namespace: bytestash
type: Opaque

View file

@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bytestash-cert
namespace: istio-system
spec:
secretName: bytestash-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
commonName: bytestash.local.gwg313.xyz
dnsNames:
- bytestash.local.gwg313.xyz

18
bytestash/configmap.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: bytestash-config
namespace: bytestash
data:
BASE_PATH: ""
TOKEN_EXPIRY: "24h"
ALLOW_NEW_ACCOUNTS: "true"
DEBUG: "true"
DISABLE_ACCOUNTS: "false"
DISABLE_INTERNAL_ACCOUNTS: "false"
OIDC_ENABLED: "false"
OIDC_DISPLAY_NAME: ""
OIDC_ISSUER_URL: ""
OIDC_CLIENT_ID: ""
OIDC_CLIENT_SECRET: ""
OIDC_SCOPES: ""

43
bytestash/deployment.yaml Normal file
View file

@ -0,0 +1,43 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: bytestash
namespace: bytestash
spec:
replicas: 1
selector:
matchLabels:
app: bytestash
template:
metadata:
labels:
app: bytestash
annotations:
sidecar.istio.io/inject: "true"
spec:
securityContext:
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault
containers:
- name: bytestash
image: "ghcr.io/jordan-dalby/bytestash:latest"
ports:
- containerPort: 5000
envFrom:
- configMapRef:
name: bytestash-config
- secretRef:
name: bytestash-secret
volumeMounts:
- name: bytestash-storage
mountPath: /data/snippets
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
capabilities:
drop: ["ALL"]
volumes:
- name: bytestash-storage
persistentVolumeClaim:
claimName: bytestash-pvc

18
bytestash/gateway.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bytestash-gateway
namespace: bytestash
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "bytestash.local.gwg313.xyz"
tls:
mode: SIMPLE
credentialName: bytestash-cert

4
bytestash/namespace.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: bytestash

11
bytestash/service.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: bytestash
namespace: bytestash
spec:
selector:
app: bytestash
ports:
- port: 80
targetPort: 5000

29
bytestash/storage.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: bytestash-pv
spec:
capacity:
storage: 1Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: manual
nfs:
path: /mnt/tank/docker-volumes/bytestash
server: truenas.local.gwg313.xyz
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: bytestash-pvc
namespace: bytestash
spec:
storageClassName: manual
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeName: bytestash-pv

View file

@ -0,0 +1,16 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bytestash
namespace: bytestash
spec:
hosts:
- "bytestash.local.gwg313.xyz"
gateways:
- bytestash/bytestash-gateway
http:
- route:
- destination:
host: bytestash
port:
number: 80

4
cert-manager/values.yaml Normal file
View file

@ -0,0 +1,4 @@
installCRDs: true
extraArgs:
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53

View file

@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: cloudflare-api-token
namespace: cert-manager
spec:
encryptedData:
api-token: AgC7jVHCCMGqv2ZcLxU13J2icxYM6pLCpy9ODRFtEZpjY4MGmja+ScRs00ziY8DeH9Ahhrc21VYTTZAmw1bCesHIys0y19KeXbO5HudWbSt02792kT5sPsjlNdkZyXT0Qmbz3i4OPcH1V1+oXJArTuicoJkAiVg05jGPuIcYM2zDaMvMjk4cq7L8PYc/HAusXlHI/ggozPqmohS4ACBYvsUvgyDEGAvwW0vFRjHb1z3IxyzVtbDdgae8okoQWCHlKRTeFRReB1AX9wml+kNpq2SeElh/5Grdiz4MEr8PsoKUIJg3n+KqjOFgHX7I5gDW7LQv2+W66sYzd3GFF0g6MUs1EjznX35J/e7uYSm3ERtomSIFx3FFx6fFXuN5QkCx79MgKZxP8F/PwBdusc8tDHocgK8V2hvSjxIU2J74rjcMw4ZUqwFvlZa0xAJcUAlkFQrN/b7ldlwQYyzsXhPyRIvIGvGSmBabq+yHE4nyjCVezy28h361O3zB2kCJUXi1k2rbD2+NI1Z+25q6JyRgnUelnfzyiPFJTKlFIiP1He1FC441OPjXILYhuaIenm0w9GQKUt2ndNJng4wRtsCPi6PcGHUIOjiT8ErZTkN4pJmm4/bRYPXumS9J0sTPNr2z564fsZjRpyCD97BJuntnXRnWxQRVbMb55f99Zu2j5jziEDegg6aCsXRLoATHLsBFlK5IiC95cMpkaAbY5FWwCCp4IMLkiPWGlR1dnCbBgF2P4NtxihNW9cPC
template:
metadata:
creationTimestamp: null
name: cloudflare-api-token
namespace: cert-manager
type: Opaque

View file

@ -0,0 +1,16 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: gwg313@pm.me
privateKeySecretRef:
name: letsencrypt-dns-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token

View file

@ -1,15 +0,0 @@
{ pkgs, ... }:
{
services.printing.enable = true;
environment.systemPackages = with pkgs; [
adwaita-icon-theme
gnome-themes-extra
librewolf
qt5.qtwayland
qt6.qmake
qt6.qtwayland
adwaita-qt
adwaita-qt6
];
}

View file

@ -1,14 +0,0 @@
{
config,
pkgs,
...
}: {
services.dbus = {
enable = true;
packages = [pkgs.dconf];
};
programs.dconf = {
enable = true;
};
}

View file

@ -1,9 +0,0 @@
{lib, ...}: {
imports = [
./thunar.nix
./steam.nix
];
thunar.enable = lib.mkDefault true;
steam.enable = lib.mkDefault false;
}

View file

@ -1,16 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
services.xserver = {
displayManager.gdm = {
enable = false;
wayland = true;
};
displayManager.lightdm.enable = false;
};
environment.systemPackages = with pkgs; [
];
}

View file

@ -1,87 +0,0 @@
{
pkgs,
inputs,
...
}:
{
imports = [
./common.nix
./dbus.nix
./pipewire.nix
./wayland.nix
./displayManager.nix
# ./xdg.nix
];
# Security
security = {
pam.services.swaylock = {
text = ''
auth include login
'';
};
};
# Services
services = {
xserver = {
enable = true;
xkb = {
variant = "";
layout = "us";
};
excludePackages = [ pkgs.xterm ];
# videoDrivers = ["amdgpu"];
libinput = {
enable = true;
touchpad.tapping = true;
touchpad.naturalScrolling = true;
touchpad.scrollMethod = "twofinger";
touchpad.disableWhileTyping = true;
touchpad.clickMethod = "clickfinger";
};
};
gvfs.enable = true;
tumbler.enable = true;
gnome = {
sushi.enable = true;
gnome-keyring.enable = true;
};
};
programs = {
hyprland = {
enable = true;
withUWSM = true; # recommended for most users
package = inputs.hyprland.packages.${pkgs.system}.hyprland;
xwayland = {
enable = true;
};
};
waybar = {
enable = false;
package = pkgs.waybar.overrideAttrs (oldAttrs: {
mesonFlags = oldAttrs.mesonFlags ++ [ "-Dexperimental=true" ];
});
};
thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
];
};
};
environment.systemPackages = with pkgs; [
libva-utils
gsettings-desktop-schemas
xdg-utils
hyprland-qtutils
];
environment.sessionVariables = {
XDG_CURRENT_DESKTOP = "Hyprland";
XDG_SESSION_DESKTOP = "Hyprland";
XDG_SESSION_TYPE = "wayland";
};
}

View file

@ -1,40 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
# hardware.alsa.enablePersistence = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
extraConfig.pipewire.adjust-sample-rate = {
"context.properties" = {
"default.clock.rate" = 192000;
#"defautlt.allowed-rates" = [ 192000 48000 44100 ];
"defautlt.allowed-rates" = [ 192000 ];
#"default.clock.quantum" = 32;
#"default.clock.min-quantum" = 32;
#"default.clock.max-quantum" = 32;
};
};
};
environment.systemPackages = with pkgs; [
pipewire
wireplumber
easyeffects
];
}

View file

@ -1,18 +0,0 @@
{ pkgs, ... }:
let
retroarchWithCores = (
pkgs.retroarch.withCores (
cores: with cores; [
bsnes
mgba
quicknes
genesis-plus-gx
]
)
);
in
{
environment.systemPackages = [
retroarchWithCores
];
}

View file

@ -1,55 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
options = {
steam.enable = lib.mkEnableOption "Enables steam";
};
config = lib.mkIf config.steam.enable {
hardware.opengl.driSupport32Bit = true;
nixpkgs.config.packageOverrides = pkgs: {
steam = pkgs.steam.override {
extraPkgs =
pkgs: with pkgs; [
xorg.libXcursor
xorg.libXi
xorg.libXinerama
xorg.libXScrnSaver
libpng
libpulseaudio
libvorbis
stdenv.cc.cc.lib
libkrb5
keyutils
];
};
};
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
gamescopeSession = {
enable = true;
args = [
"-F fsr"
"-f"
];
};
};
environment.sessionVariables = {
# Proton GE flag
WINE_FULLSCREEN_FSR = "1";
};
environment.systemPackages = with pkgs; [
protonup
scanmem
];
};
}

View file

@ -1,24 +0,0 @@
{
pkgs,
config,
lib,
...
}:
{
options = {
thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
};
config = lib.mkIf config.thunar.enable {
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
xfconf
tumbler
thunar-archive-plugin
thunar-volman
];
};
services.gvfs.enable = true; # Mount, trash, and other functionalities
services.tumbler.enable = true; # Thumbnail support for images
};
}

View file

@ -1,26 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
wlr-randr
wl-clipboard
];
environment.sessionVariables = {
POLKIT_AUTH_AGENT = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
GSETTINGS_SCHEMA_DIR = "${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}/glib-2.0/schemas";
WLR_NO_HARDWARE_CURSORS = "1";
NIXOS_OZONE_WL = "1";
MOZ_ENABLE_WAYLAND = "1";
SDL_VIDEODRIVER = "wayland";
_JAVA_AWT_WM_NONREPARENTING = "1";
CLUTTER_BACKEND = "wayland";
# WLR_RENDERER = "vulkan";
GTK_USE_PORTAL = "1";
#NIXOS_XDG_OPEN_USE_PORTAL = "1"; # Sets the desktop portal to use flatpak
WLR_NO_HARDWARE_CURSOR = "1";
GDK_BACKEND = "wayland";
QT_QPA_PLATFORM = "wayland;xcb";
QT_AUTO_SCREEN_SCALE_FACTOR = "1";
QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
QT_QPA_PLATFORMTHEME = "qt5ct";
};
}

View file

@ -1,33 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
# XDG Portals
xdg = {
autostart.enable = true;
portal = {
enable = true;
wlr.enable = true;
xdgOpenUsePortal = true;
extraPortals = [
pkgs.xdg-desktop-portal-hyprland
pkgs.xdg-desktop-portal-gtk
pkgs.libsForQt5.xdg-desktop-portal-kde
pkgs.lxqt.xdg-desktop-portal-lxqt
];
};
};
environment.systemPackages = with pkgs; [
xdg-utils
xdg-desktop-portal
xdg-desktop-portal-gtk
xdg-desktop-portal-hyprland
];
environment.sessionVariables = {
XDG_SESSION_TYPE = "wayland";
};
}

View file

@ -1,13 +0,0 @@
{ lib, ... }:
{
imports = [
./zerotier.nix
./firewall.nix
# ./wireless.nix
./networkmanager.nix
];
zerotier.enable = lib.mkDefault true;
firewall.enable = lib.mkDefault true;
# wireless.enable = lib.mkDefault false;
}

View file

@ -1,19 +0,0 @@
{
config,
lib,
pkgs,
inputs,
outputs,
...
}:
{
options = {
firewall.enable = lib.mkEnableOption "Enable the Firewall";
};
config = lib.mkIf config.firewall.enable {
networking.nftables.enable = true;
networking.firewall = {
enable = true;
};
};
}

View file

@ -1,29 +0,0 @@
_: {
networking.extraHosts = ''
10.147.17.246 audiobooks.zerotier.gwg313.xyz
10.147.17.246 music.zerotier.gwg313.xyz
10.147.17.246 recipes.zerotier.gwg313.xyz
10.147.17.246 scholarsome.zerotier.gwg313.xyz
10.147.17.246 bookmarks.zerotier.gwg313.xyz
10.147.17.246 pastebin.zerotier.gwg313.xyz
10.147.17.246 snippets.zerotier.gwg313.xyz
10.147.17.246 git.zerotier.gwg313.xyz
10.147.17.246 s3.zerotier.gwg313.xyz
10.147.17.246 s3-console.zerotier.gwg313.xyz
10.147.17.246 registry.zerotier.gwg313.xyz
10.147.17.246 ci.zerotier.gwg313.xyz
10.147.17.246 uptime.zerotier.gwg313.xyz
10.1.10.50 music.gwg313.xyz
10.1.10.50 git.gwg313.xyz
10.1.10.50 ci.gwg313.xyz
10.1.10.50 registry.gwg313.xyz
10.1.10.50 s3.gwg313.xyz
10.1.10.50 s3-console.gwg313.xyz
10.1.10.50 pastebin.gwg313.xyz
10.1.10.50 audiobooks.gwg313.xyz
10.1.10.9 uptime.gwg313.xyz
'';
}

View file

@ -1,84 +0,0 @@
{
config,
pkgs,
...
}:
{
environment.systemPackages = with pkgs; [ linuxKernel.packages.linux_5_4.wireguard ];
sops.secrets."wireless.env" = { };
networking = {
networkmanager = {
enable = true;
wifi.scanRandMacAddress = true;
ensureProfiles = {
environmentFiles = [ config.sops.secrets."wireless.env".path ];
profiles = {
home-wifi = {
connection.id = "home-wifi";
connection.type = "wifi";
wifi.ssid = "$home_uuid";
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$home_psk";
};
connection.autoconnect-priority = 100;
};
eduroam = {
connection.id = "eduroam";
connection.type = "wifi";
wifi.ssid = "eduroam";
wifi-security = {
key-mgmt = "wpa-eap";
};
"802-1x" = {
eap = "peap;";
identity = "$eduroam_identity";
password = "$school_password";
phase2-auth = "mschapv2";
};
connection.autoconnect = true;
connection.autoconnect-priority = 80;
wifi.powersave = 2;
wifi.mode = "infrastructure";
ipv4.method = "auto";
# ipv4.dns = "8.8.8.8,8.8.4.4.";
# ipv6.dns = "2001:4860:4860::8888";
# wifi.mac-address-randomization = "random";
ipv4.dhcp-send-hostname = false;
# ipv4.dhcp-hostname = "NoName";
# connection.metered = "yes";
};
school = {
connection.id = "School";
connection.type = "wifi";
wifi.ssid = "$school_uuid";
wifi-security = {
key-mgmt = "wpa-eap";
};
"802-1x" = {
eap = "peap;";
identity = "$school_identity";
password = "$school_password";
phase2-auth = "mschapv2";
};
connection.autoconnect = true;
connection.autoconnect-priority = 90;
wifi.powersave = 2;
wifi.mode = "infrastructure";
ipv4.method = "auto";
# ipv4.dns = "8.8.8.8,8.8.4.4.";
# ipv6.dns = "2001:4860:4860::8888";
# wifi.mac-address-randomization = "random";
ipv4.dhcp-send-hostname = false;
# ipv4.dhcp-hostname = "NoName";
# connection.metered = "yes";
};
};
};
};
};
}

View file

@ -1,55 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
options = {
wireless.enable = lib.mkEnableOption "Enables Wifi and adds my networks";
};
config = lib.mkIf config.wireless.enable {
sops.templates."wpa_supplicant.conf" = {
content = ''
network={
}
'';
path = "/etc/wpa_supplicant.conf";
};
sops.secrets."wireless.env" = { };
networking.wireless.enable = true;
environment.systemPackages = with pkgs; [ wpa_supplicant_gui ];
networking.wireless.userControlled.enable = true;
networking.wireless.allowAuxiliaryImperativeNetworks = true;
networking.wireless.secretsFile = config.sops.secrets."wireless.env".path;
networking.wireless.networks = {
"Tycho Station" = {
pskRaw = "ext:home_psk";
priority = 99;
};
"CU-Wireless" = {
auth = ''
key_mgmt=WPA-EAP
eap=PEAP
phase2="auth=MSCHAPV2"
identity="glengoodwin"
password=ext:school_password
'';
priority = 89;
};
"eduroam" = {
auth = ''
key_mgmt=WPA-EAP
eap=PEAP
phase2="auth=MSCHAPV2"
identity="ext:eduroam_identity"
password="ext:school_password"
'';
priority = 79;
};
};
};
}

View file

@ -1,27 +0,0 @@
{
config,
lib,
pkgs,
inputs,
outputs,
...
}:
{
options = {
zerotier.enable = lib.mkEnableOption "Enables zerotier and joins my network";
};
config = lib.mkIf config.zerotier.enable {
services.zerotierone = {
joinNetworks = [
"ebe7fbd445359e9d"
];
enable = true;
};
networking.extraHosts = ''
192.168.194.54 graphene.zt
192.168.191.218 candlekeep.zt
192.168.191.201 grymforge.zt
'';
};
}

View file

@ -1,21 +0,0 @@
{
config,
lib,
...
}: {
options = {
bluetooth.enable = lib.mkEnableOption "Enables Bluetooth";
};
config = lib.mkIf config.bluetooth.enable {
services.blueman.enable = true;
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
services.upower = {
enable = true;
};
};
}

View file

@ -1,78 +0,0 @@
{
config,
lib,
pkgs,
inputs,
outputs,
user,
...
}:
{
imports = [
./packages.nix
./users.nix
./locale.nix
./documentation.nix
../../common/style/stylix.nix
];
#
security.sudo.extraRules = [
{
users = [ "gwg313" ];
commands = [
{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}
];
}
];
nixpkgs.config = {
allowUnfree = true;
};
nix = {
settings = {
substituters = [
"https://cache.nixos.org?priority=10"
"https://hyprland.cachix.org"
"https://nix-community.cachix.org"
"https://cache.garnix.io"
"https://numtide.cachix.org"
];
trusted-public-keys = [
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
];
experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true;
trusted-users = [ "${user}" ];
};
optimise.automatic = true;
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 14d";
};
};
services = {
fstrim.enable = true;
};
# Disable so comma can be installed
programs.command-not-found.enable = false;
programs.nix-index-database.comma.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system we e ere taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

View file

@ -1,24 +0,0 @@
{ lib, pkgs, ... }:
{
imports = [
./common.nix
./laptop.nix
./nfs.nix
./restic.nix
./ssh/default.nix
./logrotate.nix
];
laptop.enable = lib.mkDefault false;
nfs.enable = lib.mkDefault false;
restic.enable = lib.mkDefault true;
services.flatpak.enable = true;
systemd.services.flatpak-repo = {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.flatpak ];
script = ''
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
'';
};
# flatpak override --user --socket=wayland md.obsidian.Obsidian (Must run this for obsidian to launch)
}

View file

@ -1,18 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = [
pkgs.man-pages
pkgs.man-pages-posix
];
documentation = {
dev.enable = true;
man = {
man-db.enable = false;
mandoc.enable = true;
};
};
environment.sessionVariables = {
MANPAGER = "sh -c '${pkgs.gnugrep}/bin/sed -u -e \"s/\\x1B\[[0-9\;]*m//g; s/.\\x08//g\" | ${pkgs.bat}/bin/bat -p -lman'";
};
}

View file

@ -1,26 +0,0 @@
{
config,
lib,
...
}:
{
imports = [
./bluetooth.nix
# ../networking/wireless.nix
../networking/networkmanager.nix
];
options = {
laptop.enable = lib.mkEnableOption "Enables Laptop options";
};
config = lib.mkIf config.laptop.enable {
# enable's backlight switching
programs.light.enable = true;
# use TLP for power management
services.tlp.enable = true;
bluetooth.enable = true;
# wireless.enable = true;
};
}

View file

@ -1,26 +0,0 @@
{
config,
lib,
pkgs,
inputs,
outputs,
...
}: {
# Set your time zone.
time.timeZone = "America/Toronto";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
}

View file

@ -1,19 +0,0 @@
{
...
}:
{
services.logrotate = {
settings = {
header = {
dateext = true;
};
"var/log/audit/audit.log" = {
frequency = "daily";
rotate = 3;
size = "100k";
};
};
};
}

View file

@ -1,70 +0,0 @@
{
config,
lib,
inputs,
...
}:
{
options = {
nfs.enable = lib.mkEnableOption "Enables NFS and sets up mounts";
};
config = lib.mkIf config.nfs.enable {
fileSystems = {
"/media" = {
device = inputs.secrets.nfs.devices.media;
fsType = "nfs";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.after=network-online.target"
"x-systemd.mount-timeout=90"
];
};
"/books" = {
device = inputs.secrets.nfs.devices.books;
fsType = "nfs";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.after=network-online.target"
"x-systemd.mount-timeout=90"
];
};
"/music" = {
device = inputs.secrets.nfs.devices.music;
fsType = "nfs";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.after=network-online.target"
"x-systemd.mount-timeout=90"
];
};
"/projects" = {
device = inputs.secrets.nfs.devices.projects;
fsType = "nfs";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.after=network-online.target"
"x-systemd.mount-timeout=90"
];
};
"/backups" = {
device = inputs.secrets.nfs.devices.backups;
fsType = "nfs";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.after=network-online.target"
"x-systemd.mount-timeout=90"
];
};
};
};
}

View file

@ -1,40 +0,0 @@
{
config,
lib,
pkgs,
user,
inputs,
outputs,
...
}:
{
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
environment.sessionVariables = {
SSH_AUTH_SOCK = "/run/user/1000/gnupg/S.gpg-agent.ssh";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
alejandra
sops
just
# vim
wget
home-manager
git
nh
nix-output-monitor
nvd
# inputs.superfile.packages.${system}.default
];
environment.sessionVariables = {
NH_FLAKE = "/home/${user}/repos/nixos-config";
};
}

View file

@ -1,35 +0,0 @@
{
config,
lib,
user,
...
}:
{
options = {
restic.enable = lib.mkEnableOption "Enables Restic";
};
config = lib.mkIf config.nfs.enable {
sops.secrets.restic_key = {
owner = config.users.users.${user}.name;
};
services.restic.backups = {
backups = {
user = "${user}";
repository = "/backups/grymforge";
initialize = true;
passwordFile = "${config.sops.secrets.restic_key.path}";
paths = [
"/home/${user}/repos"
"/home/${user}/Documents"
"/home/${user}/.local/share/password-store"
];
# extraBackupArgs = [ "--exclude-file=/home/gwg313/Documents/Celsus" ];
timerConfig = {
OnCalendar = "06:40";
};
};
};
};
}

View file

@ -1,12 +0,0 @@
{ lib, ... }:
{
imports = [
./ssh.nix
./ssh_client.nix
./ssh_guard.nix
];
ssh_client.enable = lib.mkDefault true;
ssh.enable = lib.mkDefault false;
ssh_guard.enable = lib.mkDefault false;
}

View file

@ -1,156 +0,0 @@
{
config,
lib,
user,
...
}:
{
options = {
ssh.enable = lib.mkEnableOption "enable ssh settings";
};
config = lib.mkIf config.ssh.enable {
# https://www.ssh-audit.com/hardening_guides.html
# https://github.com/jtesta/ssh-audit
services.openssh = {
enable = true;
settings = {
########## Features ##########
# disallow ssh-agent forwarding to prevent lateral movement
AllowAgentForwarding = false;
# prevent TCP ports from being forwarded over SSH tunnels
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
# any user with an interactive login shell can spin up his/her own instance of sshd
AllowTcpForwarding = false;
# prevent StreamLocal (Unix-domain socket) forwarding
AllowStreamLocalForwarding = false;
# disables all forwarding features
# overrides all other forwarding switches
DisableForwarding = true;
# disallow remote hosts from connecting to forwarded ports
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
GatewayPorts = "no";
# prevent tun device forwarding
PermitTunnel = false;
# suppress MOTD
PrintMotd = false;
# disable X11 forwarding since it is not necessary
X11Forwarding = false;
########## Authentication ##########
AllowUsers = [ "${user}" ];
# Use keys only. Remove if you want to SSH using password (not recommended)
PasswordAuthentication = false;
HostbasedAuthentication = false;
# enable pubkey authentication
PubkeyAuthentication = true;
# Forbid root login through SSH.
PermitRootLogin = "no";
# nix enables pam by default
# UsePAM = false;
# challenge-response authentication backend it not configured by default
# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
ChallengeResponseAuthentication = false;
# set maximum authentication retries to prevent brute force attacks
MaxAuthTries = 3;
# disallow connecting using empty passwords
PermitEmptyPasswords = false;
########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
Ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
Macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
KexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
# hostKeyAlgorithms = [
# "rsa-sha2-512"
# "rsa-sha2-256"
# "ssh-ed25519"
# ];
########## Connection Preferences ##########
# enforce SSH server to only use SSH protocol version 2
# SSHv1 contains security issues and should be avoided at all costs
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
# specified anyways to ensure this configuration file's compatibility
# with older versions of OpenSSH server
Protocol = 2;
# number of client alive messages sent without client responding
ClientAliveCountMax = 2;
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval = 300;
# compression before encryption might cause security issues
Compression = false;
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts = true;
# log verbosely for addtional information
LogLevel = "VERBOSE";
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions = 2;
# let ClientAliveInterval handle keepalive
TCPKeepAlive = false;
# disable reverse DNS lookups
# UseDNS = false;
};
extraConfig = ''
########## Features ##########
# accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
########## Connection Preferences ##########
# disable reverse DNS lookups
UseDNS no
########## Disable GSS ##########
GSSAPIAuthentication no
'';
};
};
}

View file

@ -1,86 +0,0 @@
{
config,
lib,
...
}:
{
options = {
ssh_client.enable = lib.mkEnableOption "enable ssh client settings";
};
config = lib.mkIf config.ssh_client.enable {
programs.ssh = {
# disable unnecessary forwardings
forwardX11 = false;
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AES CTR modes have been removed to mitigate the Terrapin attack
# https://terrapin-attack.com/
ciphers = [
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
];
hostKeyAlgorithms = [
"ssh-ed25519"
"ssh-ed25519-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"sk-ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-256"
"rsa-sha2-256-cert-v01@openssh.com"
"rsa-sha2-512"
"rsa-sha2-512-cert-v01@openssh.com"
];
macs = [
"hmac-sha2-256-etm@openssh.com"
"hmac-sha2-512-etm@openssh.com"
"umac-128-etm@openssh.com"
];
kexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
];
extraConfig = "
# disable unnecessary forwardings
ForwardAgent no
ForwardX11Trusted no
GatewayPorts no
Tunnel no
# disable unnecessary authentication methods
ChallengeResponseAuthentication no
HostbasedAuthentication no
# define authentication methods to be used
PasswordAuthentication yes
PubkeyAuthentication yes
PreferredAuthentications publickey,password
# disable pre-connection compression as it could cause security issues
Compression no
# in addition to checking a host's hostname, also check the host's IP address
# this provides extra safety against DNS spoofing attacks
CheckHostIP yes
# ask the user if the user wants to accept the new host's host key
StrictHostKeyChecking ask
# hash the entries in the known_hosts file to prevent disclosure
# of the file's content
HashKnownHosts yes
# send a keepalive message to the server when the session has been idle for 60 seconds
# this prevents/detects connection timeouts
ServerAliveInterval 60
# increase the number of password retries
NumberOfPasswordPrompts 5
# display an ASCII art of the server's host key
VisualHostKey yes
";
};
};
}

View file

@ -1,21 +0,0 @@
{
config,
lib,
...
}: {
options = {
ssh_guard.enable = lib.mkEnableOption "enable ssh guard";
};
config = lib.mkIf config.ssh_guard.enable {
services.sshguard = {
enable = true;
services = [
"sshd"
];
blocktime = 120;
detection_time = 1800;
blacklist_threshold = 120;
blacklist_file = "/var/lib/sshguard/blacklist.db";
};
};
}

View file

@ -1,8 +0,0 @@
{
imports = [
./kernel.nix
./file_system.nix
./virtualization.nix
./networking/default.nix
];
}

View file

@ -1,41 +0,0 @@
{
config,
pkgs,
...
}: {
boot.kernel.sysctl = {
# disallow core dumping by SUID/SGID programs
"fs.suid_dumpable" = 0;
# protect the creation of hard links
# one of the following conditions must be fulfilled
# - the user can only link to files that he or she owns
# - the user must first have read and write access to a file, that he/she wants to link to
"fs.protected_hardlinks" = 1;
# protect the creation of symbolic links
# one of the following conditions must be fulfilled
# - the process following the symbolic link is the owner of the symbolic link
# - the owner of the directory is also the owner of the symbolic link
"fs.protected_symlinks" = 1;
# enable extended FIFO protection
"fs.protected_fifos" = 2;
# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
"fs.protected_regular" = 2;
# increase system file descriptor limit
# this value can be up to:
# - 2147483647 (0x7fffffff) on a 32-bit system
# - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
# larger than this value
"fs.file-max" = 9223372036854775807;
# increase the amount of files that can be watched
# each file watch handle takes 1080 bytes
# up to 540 MiB of memory will be consumed if all 524288 handles are used
"fs.inotify.max_user_watches" = 524288;
};
}

View file

@ -1,73 +0,0 @@
{
config,
pkgs,
...
}:
{
boot.kernel.sysctl = {
# enable ExecShield protection
# 2 enables ExecShield by default unless applications bits are set to disabled
# uncomment on systems without NX/XD protections
# check with: dmesg | grep --color '[NX|DX]*protection'
#kernel.exec-shield = 2
# enable ASLR
# turn on protection and randomize stack, vdso page and mmap + randomize brk base address
"kernel.randomize_va_space" = 2;
# controls the System Request debugging functionality of the kernel
"kernel.sysrq" = 0;
# controls whether core dumps will append the PID to the core filename
# useful for debugging multi-threaded applications
"kernel.core_uses_pid" = 1;
# restrict access to kernel address
# kernel pointers printed using %pK will be replaced with 0s regardless of privileges
"kernel.kptr_restrict" = 2;
# Ptrace protection using Yama
# - 1: only a parent process can be debugged
# - 2: only admins can use ptrace (CAP_SYS_PTRACE capability required)
# - 3: disables ptrace completely, reboot is required to re-enable ptrace
# If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
# # breaks debuggers
# "kernel.yama.ptrace_scope" = 3;
# restrict kernel logs to root only
"kernel.dmesg_restrict" = 1;
# restrict BPF JIT compiler to root only
"kernel.unprivileged_bpf_disabled" = 1;
# disables kexec as it can be used to livepatch the running kernel
"kernel.kexec_load_disabled" = 1;
# disable unprivileged user namespaces to decrease attack surface
"kernel.unprivileged_userns_clone" = 0;
# disable the loading of kernel modules
# this can be used to prevent runtime insertion of malicious modules
# could break the system if enabled within sysctl.conf
# consider setting this manually after system is up
# sudo sysctl -w kernel.modules_disabled=1
#kernel.modules_disabled = 1
# allow for more PIDs
# this value can be up to:
# - 32768 (2^15) on a 32-bit system
# - 4194304 (2^22) on a 64-bit system
"kernel.pid_max" = 4194304;
# reboot machine after kernel panic
#kernel.panic = 10
# restrict perf subsystem usage
"kernel.perf_event_paranoid" = 3;
"kernel.perf_cpu_time_max_percent" = 1;
"kernel.perf_event_max_sample_rate" = 1;
# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
"dev.tty.ldisc_autoload" = 0;
};
}

View file

@ -1,8 +0,0 @@
{
config,
pkgs,
...
}: {
boot.kernel.sysctl = {
};
}

View file

@ -1,7 +0,0 @@
{
imports = [
./ipv4.nix
./ipv6.nix
./net.nix
];
}

View file

@ -1,114 +0,0 @@
{
config,
pkgs,
...
}: {
boot.kernel.sysctl = {
# enable BBR congestion control
"net.ipv4.tcp_congestion_control" = "bbr";
# disallow IPv4 packet forwarding
"net.ipv4.ip_forward" = 0;
# enable SYN cookies for SYN flooding protection
"net.ipv4.tcp_syncookies" = 1;
# number of times SYNACKs for a passive TCP connection attempt will be retransmitted
"net.ipv4.tcp_synack_retries" = 5;
# do not send redirects
"net.ipv4.conf.default.send_redirects" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
# do not accept packets with SRR option
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.all.accept_source_route" = 0;
# enable reverse path source validation (BCP38)
# refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# log packets with impossible addresses to kernel log
"net.ipv4.conf.default.log_martians" = 1;
"net.ipv4.conf.all.log_martians" = 1;
# do not accept ICMP redirect messages
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
# disable sending and receiving of shared media redirects
# this setting overwrites net.ipv4.conf.all.secure_redirects
# refer to RFC1620
"net.ipv4.conf.default.shared_media" = 0;
"net.ipv4.conf.all.shared_media" = 0;
# always use the best local address for announcing local IP via ARP
"net.ipv4.conf.default.arp_announce" = 2;
"net.ipv4.conf.all.arp_announce" = 2;
# reply only if the target IP address is local address configured on the incoming interface
"net.ipv4.conf.default.arp_ignore" = 1;
"net.ipv4.conf.all.arp_ignore" = 1;
# drop Gratuitous ARP frames to prevent ARP poisoning
# this can cause issues when ARP proxies are used in the network
"net.ipv4.conf.default.drop_gratuitous_arp" = 1;
"net.ipv4.conf.all.drop_gratuitous_arp" = 1;
# ignore all ICMP echo requests
#net.ipv4.icmp_echo_ignore_all = 1
# ignore all ICMP echo and timestamp requests sent to broadcast/multicast
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
# ignore bad ICMP errors
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# mitigate TIME-WAIT Assassination hazards in TCP
# refer to RFC1337
"net.ipv4.tcp_rfc1337" = 1;
# disable TCP window scaling
# this makes the host less susceptible to TCP RST DoS attacks
# could drastically reduce throughput if latency is high
#net.ipv4.tcp_window_scaling = 0
# increase system IP port limits
"net.ipv4.ip_local_port_range" = "1024 65535";
# TCP timestamps could provide protection against wrapped sequence numbers,
# but the host's uptime can be calculated precisely from its timestamps
# it is also possible to differentiate operating systems based on their use of timestamps
# - 0: disable TCP timestamps
# - 1: enable timestamps as defined in RFC1323 and use random offset for
# each connection rather than only using the current time
# - 2: enable timestamps without random offsets
"net.ipv4.tcp_timestamps" = 0;
# enabling SACK can increase the throughput
# but SACK is commonly exploited and rarely used
"net.ipv4.tcp_sack" = 0;
"net.ipv4.tcp_dsack" = 0;
"net.ipv4.tcp_fack" = 0;
# divide socket buffer evenly between TCP window size and application
"net.ipv4.tcp_adv_win_scale" = 1;
# SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
# but it could be helpful on a variable-speed network (e.g., LTE)
# uncomment this if you are on a fixed-speed network
"net.ipv4.tcp_slow_start_after_idle" = 0;
# enabling MTU probing helps mitigating PMTU blackhole issues
# this may not be desirable on congested networks
"net.ipv4.tcp_mtu_probing" = 1;
"net.ipv4.tcp_base_mss" = 1024;
# increase memory thresholds to prevent packet dropping
"net.ipv4.tcp_rmem" = "4096 87380 8388608";
"net.ipv4.tcp_wmem" = "4096 87380 8388608";
};
}

View file

@ -1,56 +0,0 @@
{
config,
pkgs,
...
}: {
boot.kernel.sysctl = {
# disallow IPv6 packet forwarding
"net.ipv6.conf.default.forwarding" = 0;
"net.ipv6.conf.all.forwarding" = 0;
# number of Router Solicitations to send until assuming no routers are present
"net.ipv6.conf.default.router_solicitations" = 0;
"net.ipv6.conf.all.router_solicitations" = 0;
# do not accept Router Preference from RA
"net.ipv6.conf.default.accept_ra_rtr_pref" = 0;
"net.ipv6.conf.all.accept_ra_rtr_pref" = 0;
# learn prefix information in router advertisement
"net.ipv6.conf.default.accept_ra_pinfo" = 0;
"net.ipv6.conf.all.accept_ra_pinfo" = 0;
# setting controls whether the system will accept Hop Limit settings from a router advertisement
"net.ipv6.conf.default.accept_ra_defrtr" = 0;
"net.ipv6.conf.all.accept_ra_defrtr" = 0;
# router advertisements can cause the system to assign a global unicast address to an interface
"net.ipv6.conf.default.autoconf" = 0;
"net.ipv6.conf.all.autoconf" = 0;
# number of neighbor solicitations to send out per address
"net.ipv6.conf.default.dad_transmits" = 0;
"net.ipv6.conf.all.dad_transmits" = 0;
# number of global unicast IPv6 addresses can be assigned to each interface
"net.ipv6.conf.default.max_addresses" = 1;
"net.ipv6.conf.all.max_addresses" = 1;
# enable IPv6 Privacy Extensions (RFC30;41) and prefer the temporary address
#"net.ipv6.conf.default.use_tempaddr" = 2; # Nix sets by default
"net.ipv6.conf.all.use_tempaddr" = 2;
# ignore IPv6 ICMP redirect messages
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
# do not accept packets with SRR option
"net.ipv6.conf.default.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# ignore all ICMPv6 echo requests
#net.ipv6.icmp.echo_ignore_all = 1
#net.ipv6.icmp.echo_ignore_anycast = 1
#net.ipv6.icmp.echo_ignore_multicast = 1
};
}

View file

@ -1,21 +0,0 @@
{
config,
pkgs,
...
}: {
boot.kernel.sysctl = {
# increase the maximum length of processor input queues
"net.core.netdev_max_backlog" = 250000;
# enable BPF JIT hardening for all users
# this trades off performance, but can mitigate JIT spraying
"net.core.bpf_jit_harden" = 2;
# increase TCP max buffer size setable using setsockopt()
"net.core.rmem_max" = 8388608;
"net.core.wmem_max" = 8388608;
"net.core.rmem_default" = 8388608;
"net.core.wmem_default" = 8388608;
#net.core.optmem_max = 40960
};
}

View file

@ -1,18 +0,0 @@
{
config,
pkgs,
...
}: {
boot.kernel.sysctl = {
# do not allow mmap in lower addresses
"vm.mmap_min_addr" = 65536;
# improve mmap ASLR effectiveness
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
# prevent unprivileged users from accessing userfaultfd
# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
"vm.unprivileged_userfaultfd" = 0;
};
}

View file

@ -1,27 +0,0 @@
{ pkgs, ... }:
{
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --container-padding 2 --time --time-format '%I:%M %p | %a %h | %F' --cmd Hyprland";
user = "greeter";
};
};
};
environment.systemPackages = with pkgs; [ greetd.tuigreet ];
systemd.services.greetd.serviceConfig = {
Type = "idle";
StandardInput = "tty";
StandardOutput = "tty";
StandardError = "journal";
TTYReset = true;
TTYVHangup = true;
TTYVTDisallocate = true;
};
systemd.extraConfig = "DefaultTimeoutStopSec=10s";
}

View file

@ -1,27 +0,0 @@
{
config,
lib,
pkgs,
inputs,
outputs,
...
}:
{
# Define a user account. Don't forget to set a password with 'passwd'.
programs.zsh.enable = true;
users.users.gwg313 = {
isNormalUser = true;
description = "Glen Goodwin";
extraGroups = [
"networkmanager"
"wheel"
"video"
"docker"
"audio"
"wireshark"
];
shell = pkgs.zsh;
# shell = pkgs.nushell;
uid = 1000;
};
}

View file

@ -1,9 +0,0 @@
{ lib, ... }:
{
options = {
var = lib.mkOption {
type = lib.types.attrs;
default = { };
};
};
}

View file

@ -1,42 +0,0 @@
{ pkgs, ... }:
{
stylix = {
base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-latte.yaml";
# base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-sulphurpool-light.yaml";
# image = ./wallpaper.jpg;
image = ../../wallpapers/nixos-wallpaper-catppuccin-latte.png;
#polarity = "dark";
autoEnable = true;
enable = true;
opacity.terminal = 1.0;
fonts.sizes.terminal = 18;
fonts = {
serif = {
package = pkgs.lmodern;
name = "Latin Modern Roman";
};
sansSerif = {
package = pkgs.inter;
name = "Inter";
};
monospace = {
package = pkgs.fira-code;
name = "Fire Code";
};
emoji = {
package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji";
};
};
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 20;
};
};
}

View file

@ -1,97 +0,0 @@
{
lib,
pkgs,
config,
...
}:
{
options.theme = lib.mkOption {
type = lib.types.attrs;
default = {
rounding = 20;
gaps-in = 10;
gaps-out = 10 * 2;
active-opacity = 0.96;
inactive-opacity = 0.92;
blur = true;
border-size = 3;
animation-speed = "fast"; # "fast" | "medium" | "slow"
fetch = "none"; # "nerdfetch" | "neofetch" | "pfetch" | "none"
textColorOnWallpaper = config.lib.stylix.colors.base01; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
bar = {
# Hyprpanel
position = "top"; # "top" | "bottom"
transparent = true;
transparentButtons = false;
floating = true;
};
};
description = "Theme configuration options";
};
config.stylix = {
enable = true;
# See https://tinted-theming.github.io/tinted-gallery/ for more schemes
base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-latte.yaml";
# base16Scheme = {
# base00 = "09090B"; # Default Background
# base01 = "1c1e1f"; # Lighter Background (Used for status bars, line number and folding marks)
# base02 = "313244"; # Selection Background
# base03 = "45475a"; # Comments, Invisibles, Line Highlighting
# base04 = "585b70"; # Dark Foreground (Used for status bars)
# base05 = "cdd6f4"; # Default Foreground, Caret, Delimiters, Operators
# base06 = "f5e0dc"; # Light Foreground (Not often used)
# base07 = "b4befe"; # Light Background (Not often used)
# base08 = "f38ba8"; # Variables, XML Tags, Markup Link Text, Markup Lists, Diff Deleted
# base09 = "fab387"; # Integers, Boolean, Constants, XML Attributes, Markup Link Url
# base0A = "f9e2af"; # Classes, Markup Bold, Search Text Background
# base0B = "a6e3a1"; # Strings, Inherited Class, Markup Code, Diff Inserted
# base0C = "94e2d5"; # Support, Regular Expressions, Escape Characters, Markup Quotes
# base0D = "c5afd4"; # Functions, Methods, Attribute IDs, Headings, Accent color
# base0E = "cba6f7"; # Keywords, Storage, Selector, Markup Italic, Diff Changed
# base0F = "f2cdcd"; # Deprecated, Opening/Closing Embedded Language Tags, e.g. <?php ?>
# };
cursor = {
name = "phinger-cursors-light";
package = pkgs.phinger-cursors;
size = 20;
};
fonts = {
serif = {
package = pkgs.lmodern;
name = "Latin Modern Roman";
};
sansSerif = {
package = pkgs.inter;
name = "Inter";
};
monospace = {
package = pkgs.fira-code;
name = "Fire Code";
};
emoji = {
package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji";
};
sizes = {
applications = 13;
desktop = 13;
popups = 13;
terminal = 13;
};
};
polarity = "light";
image = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/black-and-white-forest_minimalist_black-and-white.png";
sha256 = "sha256-MOlLRQonZ6UAaSJlysjL8snxnMrSFH9VOLrjXaU82Kw=";
};
};
}

Binary file not shown.

Before

Width:  |  Height:  |  Size: 1.8 MiB

Some files were not shown because too many files have changed in this diff Show more