Compare commits
No commits in common. "bb2fe560820de4c21cd7923bb9d70df647f18f71" and "03a1f4b84789294c1af3987572cc4072fb2a6ea7" have entirely different histories.
bb2fe56082
...
03a1f4b847
373 changed files with 2775 additions and 16959 deletions
1
.argocd-ignore
Normal file
1
.argocd-ignore
Normal file
|
|
@ -0,0 +1 @@
|
|||
.pre-commit-config.yaml
|
||||
163
.devenv.flake.nix
Normal file
163
.devenv.flake.nix
Normal file
|
|
@ -0,0 +1,163 @@
|
|||
{
|
||||
inputs =
|
||||
let
|
||||
version = "1.6.1";
|
||||
system = "x86_64-linux";
|
||||
devenv_root = "/home/gwg313/repos/homelab-gitops";
|
||||
devenv_dotfile = ./.devenv;
|
||||
devenv_dotfile_string = ".devenv";
|
||||
container_name = null;
|
||||
devenv_tmpdir = "/run/user/1000";
|
||||
devenv_runtime = "/run/user/1000/devenv-f22e6d0";
|
||||
devenv_istesting = false;
|
||||
devenv_direnvrc_latest_version = 1;
|
||||
|
||||
in {
|
||||
git-hooks.url = "github:cachix/git-hooks.nix";
|
||||
git-hooks.inputs.nixpkgs.follows = "nixpkgs";
|
||||
pre-commit-hooks.follows = "git-hooks";
|
||||
nixpkgs.url = "github:cachix/devenv-nixpkgs/rolling";
|
||||
devenv.url = "github:cachix/devenv?dir=src/modules";
|
||||
} // (if builtins.pathExists (devenv_dotfile + "/flake.json")
|
||||
then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/flake.json"))
|
||||
else { });
|
||||
|
||||
outputs = { nixpkgs, ... }@inputs:
|
||||
let
|
||||
version = "1.6.1";
|
||||
system = "x86_64-linux";
|
||||
devenv_root = "/home/gwg313/repos/homelab-gitops";
|
||||
devenv_dotfile = ./.devenv;
|
||||
devenv_dotfile_string = ".devenv";
|
||||
container_name = null;
|
||||
devenv_tmpdir = "/run/user/1000";
|
||||
devenv_runtime = "/run/user/1000/devenv-f22e6d0";
|
||||
devenv_istesting = false;
|
||||
devenv_direnvrc_latest_version = 1;
|
||||
|
||||
devenv =
|
||||
if builtins.pathExists (devenv_dotfile + "/devenv.json")
|
||||
then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/devenv.json"))
|
||||
else { };
|
||||
getOverlays = inputName: inputAttrs:
|
||||
map
|
||||
(overlay:
|
||||
let
|
||||
input = inputs.${inputName} or (throw "No such input `${inputName}` while trying to configure overlays.");
|
||||
in
|
||||
input.overlays.${overlay} or (throw "Input `${inputName}` has no overlay called `${overlay}`. Supported overlays: ${nixpkgs.lib.concatStringsSep ", " (builtins.attrNames input.overlays)}"))
|
||||
inputAttrs.overlays or [ ];
|
||||
overlays = nixpkgs.lib.flatten (nixpkgs.lib.mapAttrsToList getOverlays (devenv.inputs or { }));
|
||||
pkgs = import nixpkgs {
|
||||
inherit system;
|
||||
config = {
|
||||
allowUnfree = devenv.allowUnfree or false;
|
||||
allowBroken = devenv.allowBroken or false;
|
||||
permittedInsecurePackages = devenv.permittedInsecurePackages or [ ];
|
||||
};
|
||||
inherit overlays;
|
||||
};
|
||||
lib = pkgs.lib;
|
||||
importModule = path:
|
||||
if lib.hasPrefix "./" path
|
||||
then if lib.hasSuffix ".nix" path
|
||||
then ./. + (builtins.substring 1 255 path)
|
||||
else ./. + (builtins.substring 1 255 path) + "/devenv.nix"
|
||||
else if lib.hasPrefix "../" path
|
||||
then throw "devenv: ../ is not supported for imports"
|
||||
else
|
||||
let
|
||||
paths = lib.splitString "/" path;
|
||||
name = builtins.head paths;
|
||||
input = inputs.${name} or (throw "Unknown input ${name}");
|
||||
subpath = "/${lib.concatStringsSep "/" (builtins.tail paths)}";
|
||||
devenvpath = "${input}" + subpath;
|
||||
devenvdefaultpath = devenvpath + "/devenv.nix";
|
||||
in
|
||||
if lib.hasSuffix ".nix" devenvpath
|
||||
then devenvpath
|
||||
else if builtins.pathExists devenvdefaultpath
|
||||
then devenvdefaultpath
|
||||
else throw (devenvdefaultpath + " file does not exist for input ${name}.");
|
||||
project = pkgs.lib.evalModules {
|
||||
specialArgs = inputs // { inherit inputs; };
|
||||
modules = [
|
||||
({ config, ... }: {
|
||||
_module.args.pkgs = pkgs.appendOverlays (config.overlays or [ ]);
|
||||
})
|
||||
(inputs.devenv.modules + /top-level.nix)
|
||||
{
|
||||
devenv.cliVersion = version;
|
||||
devenv.root = devenv_root;
|
||||
devenv.dotfile = devenv_root + "/" + devenv_dotfile_string;
|
||||
}
|
||||
(pkgs.lib.optionalAttrs (inputs.devenv.isTmpDir or false) {
|
||||
devenv.tmpdir = devenv_tmpdir;
|
||||
devenv.runtime = devenv_runtime;
|
||||
})
|
||||
(pkgs.lib.optionalAttrs (inputs.devenv.hasIsTesting or false) {
|
||||
devenv.isTesting = devenv_istesting;
|
||||
})
|
||||
(pkgs.lib.optionalAttrs (container_name != null) {
|
||||
container.isBuilding = pkgs.lib.mkForce true;
|
||||
containers.${container_name}.isBuilding = true;
|
||||
})
|
||||
({ options, ... }: {
|
||||
config.devenv = pkgs.lib.optionalAttrs (builtins.hasAttr "direnvrcLatestVersion" options.devenv) {
|
||||
direnvrcLatestVersion = devenv_direnvrc_latest_version;
|
||||
};
|
||||
})
|
||||
] ++ (map importModule (devenv.imports or [ ])) ++ [
|
||||
(if builtins.pathExists ./devenv.nix then ./devenv.nix else { })
|
||||
(devenv.devenv or { })
|
||||
(if builtins.pathExists ./devenv.local.nix then ./devenv.local.nix else { })
|
||||
(if builtins.pathExists (devenv_dotfile + "/cli-options.nix") then import (devenv_dotfile + "/cli-options.nix") else { })
|
||||
];
|
||||
};
|
||||
config = project.config;
|
||||
|
||||
options = pkgs.nixosOptionsDoc {
|
||||
options = builtins.removeAttrs project.options [ "_module" ];
|
||||
warningsAreErrors = false;
|
||||
# Unpack Nix types, e.g. literalExpression, mDoc.
|
||||
transformOptions =
|
||||
let isDocType = v: builtins.elem v [ "literalDocBook" "literalExpression" "literalMD" "mdDoc" ];
|
||||
in lib.attrsets.mapAttrs (_: v:
|
||||
if v ? _type && isDocType v._type then
|
||||
v.text
|
||||
else if v ? _type && v._type == "derivation" then
|
||||
v.name
|
||||
else
|
||||
v
|
||||
);
|
||||
};
|
||||
|
||||
build = options: config:
|
||||
lib.concatMapAttrs
|
||||
(name: option:
|
||||
if builtins.hasAttr "type" option then
|
||||
if option.type.name == "output" || option.type.name == "outputOf" then {
|
||||
${name} = config.${name};
|
||||
} else { }
|
||||
else
|
||||
let v = build option config.${name};
|
||||
in if v != { } then {
|
||||
${name} = v;
|
||||
} else { }
|
||||
)
|
||||
options;
|
||||
|
||||
systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
|
||||
in
|
||||
{
|
||||
devShell = lib.genAttrs systems (system: config.shell);
|
||||
packages = lib.genAttrs systems (system: {
|
||||
optionsJSON = options.optionsJSON;
|
||||
# deprecated
|
||||
inherit (config) info procfileScript procfileEnv procfile;
|
||||
ci = config.ciDerivation;
|
||||
});
|
||||
devenv = config;
|
||||
build = build project.options project.config;
|
||||
};
|
||||
}
|
||||
4
.envrc
4
.envrc
|
|
@ -1 +1,3 @@
|
|||
use flake
|
||||
source_url "https://raw.githubusercontent.com/cachix/devenv/82c0147677e510b247d8b9165c54f73d32dfd899/direnvrc" "sha256-7u4iDd1nZpxL4tCzmPG0dQgC5V+/44Ba+tHkPob1v2k="
|
||||
|
||||
use devenv
|
||||
|
|
|
|||
11
.github/workflows/nix.yml
vendored
11
.github/workflows/nix.yml
vendored
|
|
@ -1,11 +0,0 @@
|
|||
on: [push, pull_request]
|
||||
name: Basic Code Checks
|
||||
jobs:
|
||||
formatting-check:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4.1.1
|
||||
- uses: cachix/install-nix-action@v23
|
||||
with:
|
||||
nix_path: nixpkgs=channel:nixos-unstable
|
||||
- run: nix develop --command alejandra --check .
|
||||
5
.gitignore
vendored
5
.gitignore
vendored
|
|
@ -1,4 +1 @@
|
|||
.direnv
|
||||
|
||||
.pre-commit-config.yaml
|
||||
|
||||
.devenv
|
||||
|
|
|
|||
5
.gitleaks.toml
Normal file
5
.gitleaks.toml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
[allowlist]
|
||||
description = "Ignore Kubernetes SealedSecrets"
|
||||
regexes = [
|
||||
'''(?s)kind:\s*SealedSecret.*?encryptedData:.*?'''
|
||||
]
|
||||
1
.profile
1
.profile
|
|
@ -1 +0,0 @@
|
|||
export XDG_DATA_DIRS=$XDG_DATA_DIRS:/usr/share:/var/lib/flatpak/exports/share:$HOME/.local/share/flatpak/exports/share
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
keys:
|
||||
- &primary age1k3hs0gyzrmsdyqh9lpret46q3xaayxxntruzc4euy6h3slqn4u6q36h7rg
|
||||
creation_rules:
|
||||
- path_regex: secrets/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *primary
|
||||
10
.yamllint
Normal file
10
.yamllint
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
extends: default
|
||||
|
||||
rules:
|
||||
document-start: disable
|
||||
line-length:
|
||||
max: 80
|
||||
allow-non-breakable-words: false
|
||||
|
||||
ignore: |
|
||||
**/*sealed*.yaml
|
||||
54
README.md
54
README.md
|
|
@ -1,54 +0,0 @@
|
|||
# NixOS Flake Configuration
|
||||
|
||||
## Overview
|
||||
|
||||
This repository contains my NixOS configuration as a flake. This configuration
|
||||
is designed to provide a reproducible and declarative setup for my system. It
|
||||
includes system configuration, package management, and various other NixOS
|
||||
features.
|
||||
|
||||
### Window Manager
|
||||
|
||||
- hyrpland
|
||||
- waybar
|
||||
- swaylock
|
||||
- wofi
|
||||
- light
|
||||
- grimshot
|
||||
- mako
|
||||
|
||||
### Terminal
|
||||
|
||||
- alacritty
|
||||
- zsh
|
||||
- starship
|
||||
- tmux
|
||||
- neovim(my configuration can be found
|
||||
[here](https://github.com/gwg313/nvim-nix))
|
||||
- eza
|
||||
- ripgrep
|
||||
- fd
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before using this NixOS flake configuration, you should have the following
|
||||
prerequisites:
|
||||
|
||||
- NixOs should be installed on your system.
|
||||
- Familiarity with Nix and NixOS concepts is helpful but not required.
|
||||
|
||||
## Usage
|
||||
|
||||
NixOS and home-manager are called seperately,
|
||||
|
||||
To rebuild and switch to the new NixOS configuration:
|
||||
|
||||
```bash
|
||||
nixos-rebuild switch --flake .#candlekeep
|
||||
```
|
||||
|
||||
To rebuild and switch to the new home-manager configuration:
|
||||
|
||||
```bash
|
||||
home-manager switch --flake .#gwg313@candlekeep
|
||||
```
|
||||
20
apps/audiobookshelf.yaml
Normal file
20
apps/audiobookshelf.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: audiobookshelf
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: audiobookshelf
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: audiobookshelf
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
20
apps/bytestash.yaml
Normal file
20
apps/bytestash.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: bytestash
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: bytestash
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: bytestash
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
18
apps/cert-issuer.yaml
Normal file
18
apps/cert-issuer.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: cert-issuer
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: cluster-issuer
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: cert-manager
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
24
apps/cert-manager.yaml
Normal file
24
apps/cert-manager.yaml
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://charts.jetstack.io
|
||||
chart: cert-manager
|
||||
targetRevision: v1.15.0
|
||||
helm:
|
||||
releaseName: cert-manager
|
||||
values: |
|
||||
installCRDs: true
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: cert-manager
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
20
apps/forgejo.yaml
Normal file
20
apps/forgejo.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: forgejo
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: forgejo
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: forgejo
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
20
apps/harbor-config.yaml
Normal file
20
apps/harbor-config.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: harbor-config
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: harbor-config
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: harbor
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
51
apps/harbor.yaml
Normal file
51
apps/harbor.yaml
Normal file
|
|
@ -0,0 +1,51 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: harbor
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: harbor
|
||||
source:
|
||||
repoURL: https://helm.goharbor.io
|
||||
chart: harbor
|
||||
targetRevision: 1.14.2
|
||||
helm:
|
||||
releaseName: harbor
|
||||
values: |
|
||||
externalURL: https://registry.gwg313.xyz
|
||||
expose:
|
||||
type: clusterIP
|
||||
tls:
|
||||
enabled: false
|
||||
certSource: secret
|
||||
secret:
|
||||
secretName: harbor-cert-nginx
|
||||
nginx:
|
||||
replicas: 0
|
||||
|
||||
persistence:
|
||||
persistentVolumeClaim:
|
||||
registry:
|
||||
existingClaim: harbor-registry
|
||||
jobservice:
|
||||
existingClaim: harbor-jobservice
|
||||
trivy:
|
||||
existingClaim: harbor-trivy
|
||||
database:
|
||||
existingClaim: harbor-database
|
||||
redis:
|
||||
existingClaim: harbor-redis
|
||||
core:
|
||||
existingClaim: harbor-core
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
22
apps/istio/istio-base.yaml
Normal file
22
apps/istio/istio-base.yaml
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: istio-base
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://istio-release.storage.googleapis.com/charts
|
||||
chart: base
|
||||
targetRevision: 1.26.0
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: istio-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
26
apps/istio/istio-cni.yaml
Normal file
26
apps/istio/istio-cni.yaml
Normal file
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: istio-cni
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://istio-release.storage.googleapis.com/charts
|
||||
chart: cni
|
||||
targetRevision: 1.26.0
|
||||
helm:
|
||||
values: |
|
||||
cni:
|
||||
enabled: true
|
||||
chained: false
|
||||
logLevel: info
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: istio-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
50
apps/istio/istio-gateway.yaml
Normal file
50
apps/istio/istio-gateway.yaml
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: istio-gateway
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "2"
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://istio-release.storage.googleapis.com/charts
|
||||
chart: gateway
|
||||
targetRevision: 1.26.0
|
||||
helm:
|
||||
values: |
|
||||
replicaCount: 2
|
||||
|
||||
autoscaling:
|
||||
enabled: false
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: "500m"
|
||||
memory: "512Mi"
|
||||
limits:
|
||||
cpu: "1000m"
|
||||
memory: "1Gi"
|
||||
|
||||
podDisruptionBudget:
|
||||
enabled: true
|
||||
minAvailable: 1
|
||||
|
||||
proxy:
|
||||
logLevel: warning
|
||||
componentLogLevel: "misc:error,config:debug"
|
||||
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
failureThreshold: 3
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: istio-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
43
apps/istio/istio-istiod.yaml
Normal file
43
apps/istio/istio-istiod.yaml
Normal file
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: istio-istiod
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://istio-release.storage.googleapis.com/charts
|
||||
chart: istiod
|
||||
targetRevision: 1.26.0
|
||||
helm:
|
||||
values: |
|
||||
global:
|
||||
istioCNI:
|
||||
enabled: true
|
||||
|
||||
sidecarInjectorWebhook:
|
||||
disableInitContainers: true
|
||||
|
||||
pilot:
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 2
|
||||
resources:
|
||||
requests:
|
||||
cpu: "500m"
|
||||
memory: "512Mi"
|
||||
limits:
|
||||
cpu: "1000m"
|
||||
memory: "1Gi"
|
||||
|
||||
podDisruptionBudget:
|
||||
enabled: true
|
||||
minAvailable: 1
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: istio-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
9
apps/istio/istio-peer-auth.yaml
Normal file
9
apps/istio/istio-peer-auth.yaml
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: security.istio.io/v1beta1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
annotations:
|
||||
name: default
|
||||
namespace: istio-system
|
||||
spec:
|
||||
mtls:
|
||||
mode: PERMISSIVE
|
||||
18
apps/metallb-config.yaml
Normal file
18
apps/metallb-config.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: metallb-config
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
path: metallb/config
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: HEAD
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: metallb-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
22
apps/metallb.yaml
Normal file
22
apps/metallb.yaml
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: metallb
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://metallb.github.io/metallb
|
||||
chart: metallb
|
||||
targetRevision: 0.14.5
|
||||
helm:
|
||||
releaseName: metallb
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: metallb-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
20
apps/minio-config.yaml
Normal file
20
apps/minio-config.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: minio-config
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: minio
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: minio
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
37
apps/minio.yaml
Normal file
37
apps/minio.yaml
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: minio
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: minio
|
||||
server: https://kubernetes.default.svc
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://charts.bitnami.com/bitnami
|
||||
chart: minio
|
||||
targetRevision: 17.0.9
|
||||
helm:
|
||||
releaseName: minio
|
||||
values: |
|
||||
auth:
|
||||
existingSecret: minio-auth
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
api: 9000
|
||||
console: 9001
|
||||
|
||||
persistence:
|
||||
existingClaim: minio-data
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
20
apps/navidrome.yaml
Normal file
20
apps/navidrome.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: navidrome
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: navidrome
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: navidrome
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
33
apps/nfs-subdir.yaml
Normal file
33
apps/nfs-subdir.yaml
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: nfs-subdir-external-provisioner
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner
|
||||
chart: nfs-subdir-external-provisioner
|
||||
targetRevision: 4.0.18
|
||||
helm:
|
||||
releaseName: nfs-subdir-external-provisioner
|
||||
values: |
|
||||
nfs:
|
||||
server: truenas.local.gwg313.xyz
|
||||
path: /mnt/tank/k8s/nfs-subdir
|
||||
|
||||
storageClass:
|
||||
name: nfs-client
|
||||
defaultClass: true
|
||||
accessModes: ["ReadWriteMany"]
|
||||
reclaimPolicy: Delete
|
||||
archiveOnDelete: false
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: nfs-subdir-external-provisioner
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
24
apps/sealed-secrets.yaml
Normal file
24
apps/sealed-secrets.yaml
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: sealed-secrets
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://bitnami-labs.github.io/sealed-secrets
|
||||
chart: sealed-secrets
|
||||
targetRevision: 2.15.3
|
||||
helm:
|
||||
releaseName: sealed-secrets
|
||||
values: |
|
||||
fullnameOverride: sealed-secrets-controller
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: sealed-secrets
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
18
apps/security.yaml
Normal file
18
apps/security.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: cluster-security
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: security
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: kube-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
20
apps/woodpecker-manifests.yaml
Normal file
20
apps/woodpecker-manifests.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: woodpecker-manifests
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: HEAD
|
||||
path: woodpecker
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: woodpecker
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
23
apps/woodpecker.yaml
Normal file
23
apps/woodpecker.yaml
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: woodpecker
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://woodpecker-ci.org/
|
||||
chart: woodpecker
|
||||
targetRevision: 3.2.0
|
||||
helm:
|
||||
releaseName: woodpecker
|
||||
values: "server:\n env:\n WOODPECKER_HOST: \"https://ci.gwg313.xyz\"\n extraSecretNamesForEnvFrom:\n - woodpecker-server-secrets\n persistentVolume:\n enabled: true\n existingClaim: woodpecker-server-pvc5\n\nagent:\n enabled: true\n replicaCount: 1\n extraSecretNamesForEnvFrom:\n - woodpecker-agent-secrets\n env:\n WOODPECKER_SERVER: \"woodpecker-server:9000\"\n WOODPECKER_MAX_WORKFLOWS: \"5\"\n persistence:\n enabled: true\n existingClaim: woodpecker-agent-pvc5\n securityContext:\n privileged: true \n"
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: woodpecker
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
20
apps/yopass.yaml
Normal file
20
apps/yopass.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: yopass
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://github.com/gwg313/homelab-gitops
|
||||
targetRevision: main
|
||||
path: yopass
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: yopass
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
12
audiobookshelf/certificate.yaml
Normal file
12
audiobookshelf/certificate.yaml
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: audiobookshelf-cert
|
||||
namespace: istio-system
|
||||
spec:
|
||||
secretName: audiobookshelf-cert
|
||||
issuerRef:
|
||||
name: letsencrypt-dns
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- audiobooks.gwg313.xyz
|
||||
42
audiobookshelf/deployment.yaml
Normal file
42
audiobookshelf/deployment.yaml
Normal file
|
|
@ -0,0 +1,42 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: audiobookshelf
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: audiobookshelf
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: audiobookshelf
|
||||
spec:
|
||||
containers:
|
||||
- name: audiobookshelf
|
||||
image: registry.gwg313.xyz/library/audiobookshelf:latest
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
volumeMounts:
|
||||
- name: audiobooks-volume
|
||||
mountPath: /audiobooks
|
||||
- name: podcasts-volume
|
||||
mountPath: /podcasts
|
||||
- name: config-volume
|
||||
mountPath: /config
|
||||
- name: metadata-volume
|
||||
mountPath: /metadata
|
||||
volumes:
|
||||
- name: audiobooks-volume
|
||||
persistentVolumeClaim:
|
||||
claimName: audiobookshelf-audiobooks
|
||||
- name: podcasts-volume
|
||||
persistentVolumeClaim:
|
||||
claimName: audiobookshelf-podcasts
|
||||
- name: config-volume
|
||||
persistentVolumeClaim:
|
||||
claimName: audiobookshelf-config
|
||||
- name: metadata-volume
|
||||
persistentVolumeClaim:
|
||||
claimName: audiobookshelf-metadata
|
||||
18
audiobookshelf/gateway.yaml
Normal file
18
audiobookshelf/gateway.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: audiobookshelf-gateway
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
selector:
|
||||
istio: gateway
|
||||
servers:
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
credentialName: audiobookshelf-cert
|
||||
hosts:
|
||||
- audiobooks.gwg313.xyz
|
||||
19
audiobookshelf/iscsi-sealed.yaml
Normal file
19
audiobookshelf/iscsi-sealed.yaml
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: audiobookshelf-iscsi-auth
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
encryptedData:
|
||||
discovery.sendtargets.auth.password: AgBlREGUmNCv4V+AAsTN4xn1+CTIQspG86tK34CH8LbAQQtCwrldsyH/ZDnDEK2bmb7Eq0o4Lt9bYYdAFt/2d74ViMWVWyarIG5dU3kwMfzysQsu3lrWtIUwlFS08YaQJg+7Eipy1LbJvncTLY9ixZ3xA7Vx+rlyhXp0bt0Aet6ItzcxTbifA14xtCGDDDRcOjkBp+lhOY70tnqAkQ7NxLooPcNGSIqMPbIwhdc8Nq9Knz7ZqVTnVyl2QxdQSooUIcYBN0V97tiwtZUvwU0pb7LsxSEac2NbwzPMfoP8LnTETURK0JhqvO6Uvi7iMNBLw3sDzR2fCX1VhleLOM1JQgk93w5VA33GZOb+7iofJt+gVIs651G9+rCS2hN8XiQPiZnCVtZ9upxM4DnHz1GvuML0NRcXyIN2zOzcZdwMXBRAQ42XwcdbZIOubiVNbV/yEDoNmA6aR1ItRYDGyheRKwphLEDnbXlgWEDnKKHiUjrj833vNTXn9wtOZ2mnfzE//cr3fvaosQthfnviI/QRo8plpXI8y9BgjNToecsbQNzNIP17ZljCZB2HTBa8urX9A9vAOcFD51k6FugfE92tnBtSu42vGi3vkEuxM2blrFAWlpsChHkyQmONJchHgNsyKqZdlRzFLraZTtic9z8HBjmOyXgykGuoPzGf29vB8bwZ3mIUE8GSsF7WV9hAGdfGzE0VnUp3CKOIMFyrudVeWFOX
|
||||
discovery.sendtargets.auth.username: AgBerGD4HXIRcJDdyknlztVIIfpLYyEnB5jIQV7tHksPPtDp4VxOQcOOnsgn2xcskpGbPP60iQJgTn9eNtHnRVylFhRDBr7ugn7LKWw0KGg/sexYx07Do6Sc7h7+MrzaoxV7kV7hOJrflALtKhSTmsiNLVnskmU+reckgLYFrFjSPOYJsDJlpq7WPXVBVW2nEJ0EMkCyfWAU1ADfpM5rvbtLu3geCAWAz557BASYgdvaBEWOT5sONC2rbl2MaSJeBVZX+Wr5IdzVd3K/VFJRSJ7xE5LAVKbuWGPpt18H86uU7mqXuyYUz7FR7nD21FT8rPvj4/rXKTR0W2U/hrH/53Jn5yFj30+iAcDhq9C4fRA8ZvI9KsESRZXq0dnInPkYpHzPIKdMwtEs/qycIMGwczRO9d6UDj3qJsJTO4E1btvzPQMt1kJ3d2U87/r7TCzcbIpLlMez8VTS0osnwVkD9/4oR074TX/0m9aMqLomsrw4oyXsetJL8O4R1A59NsjtBRvyeG00BmmJMlSrI+DF+wa131/4g/y6BsYP30QwxxxoOHH1clSdXGueHhQpttmc7le8FSJ+pyyPLR8BrFi76GojZG3GZScArJm/072WcUnsvxpitmtwKgihRFGr6V5yPU/vvPLWsV+swQ+zh6IZ1RPNn8QPk4oKqJnoAlDmMkdXhgqLucor322cxU+bNkE0v3RPBeynzEVpGSzrtYzOvw==
|
||||
node.session.auth.password: AgB/lsTVb/3hrYtzpEydBfcesvDgZUi6Si4VNjlGRS1PfK9DSLpRBZazgLkrFSIhLOviWb9Rp9zQDNTJFAZkLbPGh8zNWyTzbANgsSziht7ljBArnsT3iMRQbFvZGUkI3QM95EURVXC7GhPEfr15bkEqq93ETzaDaBvZ3tKN2XqjRTFFAR2aFVVV6rPPea3FfAVhhcR700pfbW4YpLPfHuUFentEuMo5a3QRYo3VdzPYB7lzRx+YgD9Rv1rSffTdnPJzlE9IkUeBZKnuK9Xg80Q75aPHvb6MfT++LRZHUtsftQFjbJMcFKqqDu+JktjViyrTYG/2cfdQKsHbsQu4OW4XamU0isZiz42T8cj/Dpo0C+m2meZVXkSrsvyeHCA77vl9yd24O7CkDGKLnAqe5RLWAMJVBQwnVqiDhTdTvEItoyV9MZM079CsPKSpVZMJ4GQoJDjKN3L9Z0IIWHlrV5RJ65RJA3d8/9Ku+vFtxyfGWB3GtXAFvXYW/OZn1vuIEmA3U11mgnGKDIRETBMpuJSvzVKiTxCL4yrq5Ap0VRfBlJlNbDSlj78z6x9Pd8TsSoKUA5htpObLy3+Dx2Lm6SUflKvB6ywKnIbhlfFONlUrsxX6J02taDmqTzeAFT5sSM2Xl4yFveb7XLQQOJUIc32ZAFXOkYkvr9T8lbxXDE9mJG7abzwal7i1KWrxgVnmgN8oM6QDciHqElUb+z+tE69g
|
||||
node.session.auth.username: AgCjON6B6NWGlbQsJvBLvy1SOgUt7fuIScFKqsnVLZf/AmUH6VJ70qAtjOr+MfoyhvGkpNLAb64LpUsEmxX/AI4pONZnNUVYgWSha+yEizCLsYCp2wL7PHbobg9nkYxL7vRcS/So5iIaHHS+3cHIHJI5O8Dhb6gqOz5kafNgdLu0TJ56n1Axe4QI3mz0m5/XjovzzImM3DiMaqtzJotENGxnnA/X0/zBbNZry94iWuXCTJ115+6cVn+h3SvVw0/rwcJgfNxgIJJW4Rukl6WCyC6MTKTjNnA65Z5R9oW4JviGNF/0PNGTjmkuCoJqSNZ+p5XebhTxn65ultLMxvJXZhVmSHo3es3x8wlmO49UOGhT1a38P+p/9DrrTg3xEdIeDHMmdLaZgOjjEfDh/2OP2S2ZHVEXQnFvG2VnKgmMYWyeylhBGyn4cEkLc1fFhy55g2EMCeF5zXNldTlT3Gh0ca1ipF0BBXgvuJCa9c5tNBK2QS66QVdehOLBOxrnjTnd4VPt05JXKqSQZ6S0ukNecL5hBju2nGHlXdYcVeI94/uZmpkNJC+mqRTJdXGwtUhF9F529Ln+DtkhTcGUAPBcZdP9eEc/lkAjp/lJyzW2jgTynVkqAyBZJsA7etAHAUlsFMgFOw6bG/oKXpJE7wFJ4J929/inpVj8J9rlLC7ruRlQy9gUT8A2uLwAXVmQufpjBTi2AVyS6wACG+eusvOHYg==
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: audiobookshelf-iscsi-auth
|
||||
namespace: audiobookshelf
|
||||
type: kubernetes.io/iscsi-chap
|
||||
57
audiobookshelf/pvcs.yaml
Normal file
57
audiobookshelf/pvcs.yaml
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: audiobookshelf-config
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
volumeName: audiobookshelf-config-pv
|
||||
storageClassName: audiobookshelf-iscsi
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: audiobookshelf-metadata
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
volumeName: audiobookshelf-metadata-pv
|
||||
storageClassName: audiobookshelf-iscsi
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: audiobookshelf-audiobooks
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadOnlyMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Gi
|
||||
volumeName: audiobookshelf-audiobooks-pv
|
||||
storageClassName: audiobookshelf-nfs
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: audiobookshelf-podcasts
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadOnlyMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Gi
|
||||
volumeName: audiobookshelf-podcasts-pv
|
||||
storageClassName: audiobookshelf-nfs
|
||||
73
audiobookshelf/pvs.yaml
Normal file
73
audiobookshelf/pvs.yaml
Normal file
|
|
@ -0,0 +1,73 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: audiobookshelf-config-pv
|
||||
spec:
|
||||
capacity:
|
||||
storage: 1Gi
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
storageClassName: audiobookshelf-iscsi
|
||||
iscsi:
|
||||
targetPortal: truenas.local.gwg313.xyz:3260
|
||||
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-config
|
||||
lun: 0
|
||||
fsType: ext4
|
||||
readOnly: false
|
||||
chapAuthDiscovery: true
|
||||
chapAuthSession: true
|
||||
secretRef:
|
||||
name: audiobookshelf-iscsi-auth
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: audiobookshelf-metadata-pv
|
||||
spec:
|
||||
capacity:
|
||||
storage: 1Gi
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
storageClassName: audiobookshelf-iscsi
|
||||
iscsi:
|
||||
targetPortal: truenas.local.gwg313.xyz:3260
|
||||
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-metadata
|
||||
lun: 1
|
||||
fsType: ext4
|
||||
readOnly: false
|
||||
chapAuthDiscovery: true
|
||||
chapAuthSession: true
|
||||
secretRef:
|
||||
name: audiobookshelf-iscsi-auth
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: audiobookshelf-audiobooks-pv
|
||||
spec:
|
||||
capacity:
|
||||
storage: 100Gi
|
||||
accessModes:
|
||||
- ReadOnlyMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
nfs:
|
||||
server: truenas.local.gwg313.xyz
|
||||
path: /mnt/tank/media/audiobooks
|
||||
storageClassName: audiobookshelf-nfs
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: audiobookshelf-podcasts-pv
|
||||
spec:
|
||||
capacity:
|
||||
storage: 100Gi
|
||||
accessModes:
|
||||
- ReadOnlyMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
nfs:
|
||||
server: truenas.local.gwg313.xyz
|
||||
path: /mnt/tank/media/podcasts
|
||||
storageClassName: audiobookshelf-nfs
|
||||
11
audiobookshelf/service.yaml
Normal file
11
audiobookshelf/service.yaml
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: audiobookshelf
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
selector:
|
||||
app: audiobookshelf
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
19
audiobookshelf/virtualservice.yaml
Normal file
19
audiobookshelf/virtualservice.yaml
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: audiobookshelf
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
hosts:
|
||||
- audiobooks.gwg313.xyz
|
||||
gateways:
|
||||
- audiobookshelf-gateway
|
||||
http:
|
||||
- match:
|
||||
- uri:
|
||||
prefix: /
|
||||
route:
|
||||
- destination:
|
||||
host: audiobookshelf
|
||||
port:
|
||||
number: 80
|
||||
8
bytestash/bytestash-peer-auth.yaml
Normal file
8
bytestash/bytestash-peer-auth.yaml
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: security.istio.io/v1beta1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: strict-mtls
|
||||
namespace: bytestash
|
||||
spec:
|
||||
mtls:
|
||||
mode: STRICT
|
||||
15
bytestash/bytestash-secret-sealed.yaml
Normal file
15
bytestash/bytestash-secret-sealed.yaml
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: bytestash-secret
|
||||
namespace: bytestash
|
||||
spec:
|
||||
encryptedData:
|
||||
JWT_SECRET_KEY: AgBhyqlrAr9hDaCZ7yPbZZuXtZMeqbMqd0LXWwT8nlEpTY0Tk7LLwjdv6DoY3gvj0Jbgcoa+Edgg6HywykouVAqe2i6HbDwWOPVjRw5K1GA7y7jlb8IOP2D7ZJN8sKW7MUfhmmraN0piuvpCMVl/NHbT1XfQq4mym/PChHcD4Ju+lNMfFWkHNZtXf/9tpYcTa3cmREf0uBFQRNQFP2TaUx8X+QmzIIdoGaqZA+Jud2HkTHymsRhn7fSK3smaJecw/y7IR4ohNcJ17FqOyaqbnQ/MUzB+aprFKjBOnVmZwbWSjJYWPN1nx6NPndmk8X3Q3XeB50WnoAhqNSwI6a58wo/zVHyM5B3Q+L9slCWd8t27z+Jv7Y8zRFl137dbhDBcrHf73miNnaK5x0b741Bv3yDakJG+DrU5YlmGH2/t4XBZjMMRxF4y0CgdT+DN+cZrkbkATHIQWZARmLTqYfig/2D+PfKhrniE4Tfq3V2gLN12Kwf09fqM02Uo2faOya6QF3fvGGZx3QXiDrzPMthLuvk1JqPqU98fNKniS8x7/q1LdHH6ga5wyXyGk76tl540p+kdY2sAi7K5/VAw0QM6A+6EHXJJgZ4bdd02eB0F1/lCKcCzZhs5lIjBu0r/d81wYlId6GtMvXZiMfsbMS9a7evGl20PXAn2C5KxWfyyyIX3wn7JIAxiOdGwPUOI6E4/LCJSnzlfBa7SWFrMHAjniNyQOLB0S9amtHwDDt6j
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: bytestash-secret
|
||||
namespace: bytestash
|
||||
type: Opaque
|
||||
13
bytestash/certificate.yaml
Normal file
13
bytestash/certificate.yaml
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: bytestash-cert
|
||||
namespace: istio-system
|
||||
spec:
|
||||
secretName: bytestash-cert
|
||||
issuerRef:
|
||||
name: letsencrypt-dns
|
||||
kind: ClusterIssuer
|
||||
commonName: bytestash.local.gwg313.xyz
|
||||
dnsNames:
|
||||
- bytestash.local.gwg313.xyz
|
||||
18
bytestash/configmap.yaml
Normal file
18
bytestash/configmap.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: bytestash-config
|
||||
namespace: bytestash
|
||||
data:
|
||||
BASE_PATH: ""
|
||||
TOKEN_EXPIRY: "24h"
|
||||
ALLOW_NEW_ACCOUNTS: "true"
|
||||
DEBUG: "true"
|
||||
DISABLE_ACCOUNTS: "false"
|
||||
DISABLE_INTERNAL_ACCOUNTS: "false"
|
||||
OIDC_ENABLED: "false"
|
||||
OIDC_DISPLAY_NAME: ""
|
||||
OIDC_ISSUER_URL: ""
|
||||
OIDC_CLIENT_ID: ""
|
||||
OIDC_CLIENT_SECRET: ""
|
||||
OIDC_SCOPES: ""
|
||||
43
bytestash/deployment.yaml
Normal file
43
bytestash/deployment.yaml
Normal file
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: bytestash
|
||||
namespace: bytestash
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: bytestash
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: bytestash
|
||||
annotations:
|
||||
sidecar.istio.io/inject: "true"
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: bytestash
|
||||
image: "ghcr.io/jordan-dalby/bytestash:latest"
|
||||
ports:
|
||||
- containerPort: 5000
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: bytestash-config
|
||||
- secretRef:
|
||||
name: bytestash-secret
|
||||
volumeMounts:
|
||||
- name: bytestash-storage
|
||||
mountPath: /data/snippets
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
volumes:
|
||||
- name: bytestash-storage
|
||||
persistentVolumeClaim:
|
||||
claimName: bytestash-pvc
|
||||
18
bytestash/gateway.yaml
Normal file
18
bytestash/gateway.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: bytestash-gateway
|
||||
namespace: bytestash
|
||||
spec:
|
||||
selector:
|
||||
istio: gateway
|
||||
servers:
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
- "bytestash.local.gwg313.xyz"
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
credentialName: bytestash-cert
|
||||
4
bytestash/namespace.yaml
Normal file
4
bytestash/namespace.yaml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: bytestash
|
||||
11
bytestash/service.yaml
Normal file
11
bytestash/service.yaml
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: bytestash
|
||||
namespace: bytestash
|
||||
spec:
|
||||
selector:
|
||||
app: bytestash
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 5000
|
||||
29
bytestash/storage.yaml
Normal file
29
bytestash/storage.yaml
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: bytestash-pv
|
||||
spec:
|
||||
capacity:
|
||||
storage: 1Gi
|
||||
volumeMode: Filesystem
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
storageClassName: manual
|
||||
nfs:
|
||||
path: /mnt/tank/docker-volumes/bytestash
|
||||
server: truenas.local.gwg313.xyz
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: bytestash-pvc
|
||||
namespace: bytestash
|
||||
spec:
|
||||
storageClassName: manual
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
volumeName: bytestash-pv
|
||||
16
bytestash/virtualservice.yaml
Normal file
16
bytestash/virtualservice.yaml
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bytestash
|
||||
namespace: bytestash
|
||||
spec:
|
||||
hosts:
|
||||
- "bytestash.local.gwg313.xyz"
|
||||
gateways:
|
||||
- bytestash/bytestash-gateway
|
||||
http:
|
||||
- route:
|
||||
- destination:
|
||||
host: bytestash
|
||||
port:
|
||||
number: 80
|
||||
4
cert-manager/values.yaml
Normal file
4
cert-manager/values.yaml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
installCRDs: true
|
||||
extraArgs:
|
||||
- --dns01-recursive-nameservers-only
|
||||
- --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53
|
||||
15
cluster-issuer/01-sealedsecret.yaml
Normal file
15
cluster-issuer/01-sealedsecret.yaml
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cloudflare-api-token
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
encryptedData:
|
||||
api-token: AgC7jVHCCMGqv2ZcLxU13J2icxYM6pLCpy9ODRFtEZpjY4MGmja+ScRs00ziY8DeH9Ahhrc21VYTTZAmw1bCesHIys0y19KeXbO5HudWbSt02792kT5sPsjlNdkZyXT0Qmbz3i4OPcH1V1+oXJArTuicoJkAiVg05jGPuIcYM2zDaMvMjk4cq7L8PYc/HAusXlHI/ggozPqmohS4ACBYvsUvgyDEGAvwW0vFRjHb1z3IxyzVtbDdgae8okoQWCHlKRTeFRReB1AX9wml+kNpq2SeElh/5Grdiz4MEr8PsoKUIJg3n+KqjOFgHX7I5gDW7LQv2+W66sYzd3GFF0g6MUs1EjznX35J/e7uYSm3ERtomSIFx3FFx6fFXuN5QkCx79MgKZxP8F/PwBdusc8tDHocgK8V2hvSjxIU2J74rjcMw4ZUqwFvlZa0xAJcUAlkFQrN/b7ldlwQYyzsXhPyRIvIGvGSmBabq+yHE4nyjCVezy28h361O3zB2kCJUXi1k2rbD2+NI1Z+25q6JyRgnUelnfzyiPFJTKlFIiP1He1FC441OPjXILYhuaIenm0w9GQKUt2ndNJng4wRtsCPi6PcGHUIOjiT8ErZTkN4pJmm4/bRYPXumS9J0sTPNr2z564fsZjRpyCD97BJuntnXRnWxQRVbMb55f99Zu2j5jziEDegg6aCsXRLoATHLsBFlK5IiC95cMpkaAbY5FWwCCp4IMLkiPWGlR1dnCbBgF2P4NtxihNW9cPC
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cloudflare-api-token
|
||||
namespace: cert-manager
|
||||
type: Opaque
|
||||
16
cluster-issuer/02-cluster-issuer.yaml
Normal file
16
cluster-issuer/02-cluster-issuer.yaml
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-dns
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
email: gwg313@pm.me
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-dns-key
|
||||
solvers:
|
||||
- dns01:
|
||||
cloudflare:
|
||||
apiTokenSecretRef:
|
||||
name: cloudflare-api-token
|
||||
key: api-token
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
services.printing.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
adwaita-icon-theme
|
||||
gnome-themes-extra
|
||||
librewolf
|
||||
qt5.qtwayland
|
||||
qt6.qmake
|
||||
qt6.qtwayland
|
||||
adwaita-qt
|
||||
adwaita-qt6
|
||||
];
|
||||
}
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
services.dbus = {
|
||||
enable = true;
|
||||
packages = [pkgs.dconf];
|
||||
};
|
||||
|
||||
programs.dconf = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
{lib, ...}: {
|
||||
imports = [
|
||||
./thunar.nix
|
||||
./steam.nix
|
||||
];
|
||||
|
||||
thunar.enable = lib.mkDefault true;
|
||||
steam.enable = lib.mkDefault false;
|
||||
}
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
services.xserver = {
|
||||
displayManager.gdm = {
|
||||
enable = false;
|
||||
wayland = true;
|
||||
};
|
||||
displayManager.lightdm.enable = false;
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
];
|
||||
}
|
||||
|
|
@ -1,87 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
./common.nix
|
||||
./dbus.nix
|
||||
./pipewire.nix
|
||||
./wayland.nix
|
||||
./displayManager.nix
|
||||
# ./xdg.nix
|
||||
];
|
||||
|
||||
# Security
|
||||
security = {
|
||||
pam.services.swaylock = {
|
||||
text = ''
|
||||
auth include login
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
# Services
|
||||
services = {
|
||||
xserver = {
|
||||
enable = true;
|
||||
xkb = {
|
||||
variant = "";
|
||||
layout = "us";
|
||||
};
|
||||
excludePackages = [ pkgs.xterm ];
|
||||
# videoDrivers = ["amdgpu"];
|
||||
libinput = {
|
||||
enable = true;
|
||||
touchpad.tapping = true;
|
||||
touchpad.naturalScrolling = true;
|
||||
touchpad.scrollMethod = "twofinger";
|
||||
touchpad.disableWhileTyping = true;
|
||||
touchpad.clickMethod = "clickfinger";
|
||||
};
|
||||
};
|
||||
gvfs.enable = true;
|
||||
tumbler.enable = true;
|
||||
gnome = {
|
||||
sushi.enable = true;
|
||||
gnome-keyring.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
programs = {
|
||||
hyprland = {
|
||||
enable = true;
|
||||
withUWSM = true; # recommended for most users
|
||||
package = inputs.hyprland.packages.${pkgs.system}.hyprland;
|
||||
xwayland = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
waybar = {
|
||||
enable = false;
|
||||
package = pkgs.waybar.overrideAttrs (oldAttrs: {
|
||||
mesonFlags = oldAttrs.mesonFlags ++ [ "-Dexperimental=true" ];
|
||||
});
|
||||
};
|
||||
thunar = {
|
||||
enable = true;
|
||||
plugins = with pkgs.xfce; [
|
||||
thunar-archive-plugin
|
||||
thunar-volman
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
libva-utils
|
||||
gsettings-desktop-schemas
|
||||
xdg-utils
|
||||
hyprland-qtutils
|
||||
];
|
||||
environment.sessionVariables = {
|
||||
XDG_CURRENT_DESKTOP = "Hyprland";
|
||||
XDG_SESSION_DESKTOP = "Hyprland";
|
||||
XDG_SESSION_TYPE = "wayland";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
# Enable sound with pipewire.
|
||||
hardware.pulseaudio.enable = false;
|
||||
# hardware.alsa.enablePersistence = true;
|
||||
security.rtkit.enable = true;
|
||||
services.pipewire = {
|
||||
enable = true;
|
||||
alsa.enable = true;
|
||||
alsa.support32Bit = true;
|
||||
pulse.enable = true;
|
||||
# If you want to use JACK applications, uncomment this
|
||||
#jack.enable = true;
|
||||
|
||||
# use the example session manager (no others are packaged yet so this is enabled by default,
|
||||
# no need to redefine it in your config for now)
|
||||
#media-session.enable = true;
|
||||
extraConfig.pipewire.adjust-sample-rate = {
|
||||
"context.properties" = {
|
||||
"default.clock.rate" = 192000;
|
||||
#"defautlt.allowed-rates" = [ 192000 48000 44100 ];
|
||||
"defautlt.allowed-rates" = [ 192000 ];
|
||||
#"default.clock.quantum" = 32;
|
||||
#"default.clock.min-quantum" = 32;
|
||||
#"default.clock.max-quantum" = 32;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
pipewire
|
||||
wireplumber
|
||||
easyeffects
|
||||
];
|
||||
}
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
let
|
||||
retroarchWithCores = (
|
||||
pkgs.retroarch.withCores (
|
||||
cores: with cores; [
|
||||
bsnes
|
||||
mgba
|
||||
quicknes
|
||||
genesis-plus-gx
|
||||
]
|
||||
)
|
||||
);
|
||||
in
|
||||
{
|
||||
environment.systemPackages = [
|
||||
retroarchWithCores
|
||||
];
|
||||
}
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
steam.enable = lib.mkEnableOption "Enables steam";
|
||||
};
|
||||
|
||||
config = lib.mkIf config.steam.enable {
|
||||
hardware.opengl.driSupport32Bit = true;
|
||||
|
||||
nixpkgs.config.packageOverrides = pkgs: {
|
||||
steam = pkgs.steam.override {
|
||||
extraPkgs =
|
||||
pkgs: with pkgs; [
|
||||
xorg.libXcursor
|
||||
xorg.libXi
|
||||
xorg.libXinerama
|
||||
xorg.libXScrnSaver
|
||||
libpng
|
||||
libpulseaudio
|
||||
libvorbis
|
||||
stdenv.cc.cc.lib
|
||||
libkrb5
|
||||
keyutils
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
programs.steam = {
|
||||
enable = true;
|
||||
remotePlay.openFirewall = true;
|
||||
gamescopeSession = {
|
||||
enable = true;
|
||||
args = [
|
||||
"-F fsr"
|
||||
"-f"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
environment.sessionVariables = {
|
||||
# Proton GE flag
|
||||
WINE_FULLSCREEN_FSR = "1";
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
protonup
|
||||
scanmem
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
|
||||
};
|
||||
config = lib.mkIf config.thunar.enable {
|
||||
programs.thunar = {
|
||||
enable = true;
|
||||
plugins = with pkgs.xfce; [
|
||||
xfconf
|
||||
tumbler
|
||||
thunar-archive-plugin
|
||||
thunar-volman
|
||||
];
|
||||
};
|
||||
services.gvfs.enable = true; # Mount, trash, and other functionalities
|
||||
services.tumbler.enable = true; # Thumbnail support for images
|
||||
};
|
||||
}
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
{pkgs, ...}: {
|
||||
environment.systemPackages = with pkgs; [
|
||||
wlr-randr
|
||||
wl-clipboard
|
||||
];
|
||||
|
||||
environment.sessionVariables = {
|
||||
POLKIT_AUTH_AGENT = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
|
||||
GSETTINGS_SCHEMA_DIR = "${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}/glib-2.0/schemas";
|
||||
WLR_NO_HARDWARE_CURSORS = "1";
|
||||
NIXOS_OZONE_WL = "1";
|
||||
MOZ_ENABLE_WAYLAND = "1";
|
||||
SDL_VIDEODRIVER = "wayland";
|
||||
_JAVA_AWT_WM_NONREPARENTING = "1";
|
||||
CLUTTER_BACKEND = "wayland";
|
||||
# WLR_RENDERER = "vulkan";
|
||||
GTK_USE_PORTAL = "1";
|
||||
#NIXOS_XDG_OPEN_USE_PORTAL = "1"; # Sets the desktop portal to use flatpak
|
||||
WLR_NO_HARDWARE_CURSOR = "1";
|
||||
GDK_BACKEND = "wayland";
|
||||
QT_QPA_PLATFORM = "wayland;xcb";
|
||||
QT_AUTO_SCREEN_SCALE_FACTOR = "1";
|
||||
QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
|
||||
QT_QPA_PLATFORMTHEME = "qt5ct";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
# XDG Portals
|
||||
xdg = {
|
||||
autostart.enable = true;
|
||||
portal = {
|
||||
enable = true;
|
||||
wlr.enable = true;
|
||||
xdgOpenUsePortal = true;
|
||||
extraPortals = [
|
||||
pkgs.xdg-desktop-portal-hyprland
|
||||
pkgs.xdg-desktop-portal-gtk
|
||||
pkgs.libsForQt5.xdg-desktop-portal-kde
|
||||
pkgs.lxqt.xdg-desktop-portal-lxqt
|
||||
];
|
||||
};
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
xdg-utils
|
||||
xdg-desktop-portal
|
||||
xdg-desktop-portal-gtk
|
||||
xdg-desktop-portal-hyprland
|
||||
];
|
||||
|
||||
environment.sessionVariables = {
|
||||
XDG_SESSION_TYPE = "wayland";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
./zerotier.nix
|
||||
./firewall.nix
|
||||
# ./wireless.nix
|
||||
./networkmanager.nix
|
||||
];
|
||||
|
||||
zerotier.enable = lib.mkDefault true;
|
||||
firewall.enable = lib.mkDefault true;
|
||||
# wireless.enable = lib.mkDefault false;
|
||||
}
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
outputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
firewall.enable = lib.mkEnableOption "Enable the Firewall";
|
||||
};
|
||||
config = lib.mkIf config.firewall.enable {
|
||||
networking.nftables.enable = true;
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
_: {
|
||||
networking.extraHosts = ''
|
||||
10.147.17.246 audiobooks.zerotier.gwg313.xyz
|
||||
10.147.17.246 music.zerotier.gwg313.xyz
|
||||
10.147.17.246 recipes.zerotier.gwg313.xyz
|
||||
10.147.17.246 scholarsome.zerotier.gwg313.xyz
|
||||
10.147.17.246 bookmarks.zerotier.gwg313.xyz
|
||||
10.147.17.246 pastebin.zerotier.gwg313.xyz
|
||||
10.147.17.246 snippets.zerotier.gwg313.xyz
|
||||
10.147.17.246 git.zerotier.gwg313.xyz
|
||||
10.147.17.246 s3.zerotier.gwg313.xyz
|
||||
10.147.17.246 s3-console.zerotier.gwg313.xyz
|
||||
10.147.17.246 registry.zerotier.gwg313.xyz
|
||||
10.147.17.246 ci.zerotier.gwg313.xyz
|
||||
10.147.17.246 uptime.zerotier.gwg313.xyz
|
||||
|
||||
|
||||
|
||||
10.1.10.50 music.gwg313.xyz
|
||||
10.1.10.50 git.gwg313.xyz
|
||||
10.1.10.50 ci.gwg313.xyz
|
||||
10.1.10.50 registry.gwg313.xyz
|
||||
10.1.10.50 s3.gwg313.xyz
|
||||
10.1.10.50 s3-console.gwg313.xyz
|
||||
10.1.10.50 pastebin.gwg313.xyz
|
||||
10.1.10.50 audiobooks.gwg313.xyz
|
||||
10.1.10.9 uptime.gwg313.xyz
|
||||
'';
|
||||
}
|
||||
|
|
@ -1,84 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
environment.systemPackages = with pkgs; [ linuxKernel.packages.linux_5_4.wireguard ];
|
||||
|
||||
sops.secrets."wireless.env" = { };
|
||||
networking = {
|
||||
networkmanager = {
|
||||
enable = true;
|
||||
wifi.scanRandMacAddress = true;
|
||||
ensureProfiles = {
|
||||
environmentFiles = [ config.sops.secrets."wireless.env".path ];
|
||||
profiles = {
|
||||
home-wifi = {
|
||||
connection.id = "home-wifi";
|
||||
connection.type = "wifi";
|
||||
wifi.ssid = "$home_uuid";
|
||||
wifi-security = {
|
||||
auth-alg = "open";
|
||||
key-mgmt = "wpa-psk";
|
||||
psk = "$home_psk";
|
||||
};
|
||||
connection.autoconnect-priority = 100;
|
||||
};
|
||||
eduroam = {
|
||||
connection.id = "eduroam";
|
||||
connection.type = "wifi";
|
||||
wifi.ssid = "eduroam";
|
||||
wifi-security = {
|
||||
key-mgmt = "wpa-eap";
|
||||
};
|
||||
"802-1x" = {
|
||||
eap = "peap;";
|
||||
identity = "$eduroam_identity";
|
||||
password = "$school_password";
|
||||
phase2-auth = "mschapv2";
|
||||
};
|
||||
connection.autoconnect = true;
|
||||
connection.autoconnect-priority = 80;
|
||||
wifi.powersave = 2;
|
||||
wifi.mode = "infrastructure";
|
||||
ipv4.method = "auto";
|
||||
# ipv4.dns = "8.8.8.8,8.8.4.4.";
|
||||
# ipv6.dns = "2001:4860:4860::8888";
|
||||
# wifi.mac-address-randomization = "random";
|
||||
ipv4.dhcp-send-hostname = false;
|
||||
# ipv4.dhcp-hostname = "NoName";
|
||||
# connection.metered = "yes";
|
||||
};
|
||||
|
||||
school = {
|
||||
connection.id = "School";
|
||||
connection.type = "wifi";
|
||||
wifi.ssid = "$school_uuid";
|
||||
wifi-security = {
|
||||
key-mgmt = "wpa-eap";
|
||||
};
|
||||
"802-1x" = {
|
||||
eap = "peap;";
|
||||
identity = "$school_identity";
|
||||
password = "$school_password";
|
||||
phase2-auth = "mschapv2";
|
||||
};
|
||||
connection.autoconnect = true;
|
||||
connection.autoconnect-priority = 90;
|
||||
wifi.powersave = 2;
|
||||
wifi.mode = "infrastructure";
|
||||
ipv4.method = "auto";
|
||||
# ipv4.dns = "8.8.8.8,8.8.4.4.";
|
||||
# ipv6.dns = "2001:4860:4860::8888";
|
||||
# wifi.mac-address-randomization = "random";
|
||||
ipv4.dhcp-send-hostname = false;
|
||||
# ipv4.dhcp-hostname = "NoName";
|
||||
# connection.metered = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
options = {
|
||||
wireless.enable = lib.mkEnableOption "Enables Wifi and adds my networks";
|
||||
};
|
||||
config = lib.mkIf config.wireless.enable {
|
||||
sops.templates."wpa_supplicant.conf" = {
|
||||
content = ''
|
||||
network={
|
||||
}
|
||||
'';
|
||||
path = "/etc/wpa_supplicant.conf";
|
||||
};
|
||||
sops.secrets."wireless.env" = { };
|
||||
networking.wireless.enable = true;
|
||||
environment.systemPackages = with pkgs; [ wpa_supplicant_gui ];
|
||||
networking.wireless.userControlled.enable = true;
|
||||
networking.wireless.allowAuxiliaryImperativeNetworks = true;
|
||||
|
||||
networking.wireless.secretsFile = config.sops.secrets."wireless.env".path;
|
||||
networking.wireless.networks = {
|
||||
"Tycho Station" = {
|
||||
pskRaw = "ext:home_psk";
|
||||
priority = 99;
|
||||
};
|
||||
"CU-Wireless" = {
|
||||
auth = ''
|
||||
key_mgmt=WPA-EAP
|
||||
eap=PEAP
|
||||
phase2="auth=MSCHAPV2"
|
||||
identity="glengoodwin"
|
||||
password=ext:school_password
|
||||
'';
|
||||
priority = 89;
|
||||
};
|
||||
|
||||
"eduroam" = {
|
||||
auth = ''
|
||||
key_mgmt=WPA-EAP
|
||||
eap=PEAP
|
||||
phase2="auth=MSCHAPV2"
|
||||
identity="ext:eduroam_identity"
|
||||
password="ext:school_password"
|
||||
'';
|
||||
priority = 79;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
outputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
zerotier.enable = lib.mkEnableOption "Enables zerotier and joins my network";
|
||||
};
|
||||
config = lib.mkIf config.zerotier.enable {
|
||||
services.zerotierone = {
|
||||
joinNetworks = [
|
||||
"ebe7fbd445359e9d"
|
||||
];
|
||||
enable = true;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
192.168.194.54 graphene.zt
|
||||
192.168.191.218 candlekeep.zt
|
||||
192.168.191.201 grymforge.zt
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
options = {
|
||||
bluetooth.enable = lib.mkEnableOption "Enables Bluetooth";
|
||||
};
|
||||
|
||||
config = lib.mkIf config.bluetooth.enable {
|
||||
services.blueman.enable = true;
|
||||
hardware.bluetooth = {
|
||||
enable = true;
|
||||
powerOnBoot = true;
|
||||
};
|
||||
|
||||
services.upower = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,78 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
outputs,
|
||||
user,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
./packages.nix
|
||||
./users.nix
|
||||
./locale.nix
|
||||
./documentation.nix
|
||||
../../common/style/stylix.nix
|
||||
];
|
||||
#
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
users = [ "gwg313" ];
|
||||
commands = [
|
||||
{
|
||||
command = "/run/current-system/sw/bin/nixos-rebuild";
|
||||
options = [ "NOPASSWD" ];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
nixpkgs.config = {
|
||||
allowUnfree = true;
|
||||
};
|
||||
nix = {
|
||||
settings = {
|
||||
substituters = [
|
||||
"https://cache.nixos.org?priority=10"
|
||||
"https://hyprland.cachix.org"
|
||||
"https://nix-community.cachix.org"
|
||||
"https://cache.garnix.io"
|
||||
"https://numtide.cachix.org"
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
|
||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
|
||||
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
|
||||
];
|
||||
experimental-features = [
|
||||
"nix-command"
|
||||
"flakes"
|
||||
];
|
||||
auto-optimise-store = true;
|
||||
trusted-users = [ "${user}" ];
|
||||
};
|
||||
optimise.automatic = true;
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "daily";
|
||||
options = "--delete-older-than 14d";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
services = {
|
||||
fstrim.enable = true;
|
||||
};
|
||||
# Disable so comma can be installed
|
||||
programs.command-not-found.enable = false;
|
||||
programs.nix-index-database.comma.enable = true;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system we e ere taken. It's perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "23.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
{ lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./common.nix
|
||||
./laptop.nix
|
||||
./nfs.nix
|
||||
./restic.nix
|
||||
./ssh/default.nix
|
||||
./logrotate.nix
|
||||
];
|
||||
|
||||
laptop.enable = lib.mkDefault false;
|
||||
nfs.enable = lib.mkDefault false;
|
||||
restic.enable = lib.mkDefault true;
|
||||
services.flatpak.enable = true;
|
||||
systemd.services.flatpak-repo = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ pkgs.flatpak ];
|
||||
script = ''
|
||||
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
|
||||
'';
|
||||
};
|
||||
# flatpak override --user --socket=wayland md.obsidian.Obsidian (Must run this for obsidian to launch)
|
||||
}
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [
|
||||
pkgs.man-pages
|
||||
pkgs.man-pages-posix
|
||||
];
|
||||
documentation = {
|
||||
dev.enable = true;
|
||||
man = {
|
||||
man-db.enable = false;
|
||||
mandoc.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
environment.sessionVariables = {
|
||||
MANPAGER = "sh -c '${pkgs.gnugrep}/bin/sed -u -e \"s/\\x1B\[[0-9\;]*m//g; s/.\\x08//g\" | ${pkgs.bat}/bin/bat -p -lman'";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
./bluetooth.nix
|
||||
# ../networking/wireless.nix
|
||||
../networking/networkmanager.nix
|
||||
];
|
||||
options = {
|
||||
laptop.enable = lib.mkEnableOption "Enables Laptop options";
|
||||
};
|
||||
|
||||
config = lib.mkIf config.laptop.enable {
|
||||
# enable's backlight switching
|
||||
programs.light.enable = true;
|
||||
|
||||
# use TLP for power management
|
||||
services.tlp.enable = true;
|
||||
|
||||
bluetooth.enable = true;
|
||||
# wireless.enable = true;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
outputs,
|
||||
...
|
||||
}: {
|
||||
# Set your time zone.
|
||||
time.timeZone = "America/Toronto";
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
i18n.extraLocaleSettings = {
|
||||
LC_ADDRESS = "en_US.UTF-8";
|
||||
LC_IDENTIFICATION = "en_US.UTF-8";
|
||||
LC_MEASUREMENT = "en_US.UTF-8";
|
||||
LC_MONETARY = "en_US.UTF-8";
|
||||
LC_NAME = "en_US.UTF-8";
|
||||
LC_NUMERIC = "en_US.UTF-8";
|
||||
LC_PAPER = "en_US.UTF-8";
|
||||
LC_TELEPHONE = "en_US.UTF-8";
|
||||
LC_TIME = "en_US.UTF-8";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
{
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
services.logrotate = {
|
||||
settings = {
|
||||
header = {
|
||||
dateext = true;
|
||||
};
|
||||
|
||||
"var/log/audit/audit.log" = {
|
||||
frequency = "daily";
|
||||
rotate = 3;
|
||||
size = "100k";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
nfs.enable = lib.mkEnableOption "Enables NFS and sets up mounts";
|
||||
};
|
||||
|
||||
config = lib.mkIf config.nfs.enable {
|
||||
fileSystems = {
|
||||
"/media" = {
|
||||
device = inputs.secrets.nfs.devices.media;
|
||||
fsType = "nfs";
|
||||
options = [
|
||||
"x-systemd.automount"
|
||||
"noauto"
|
||||
"x-systemd.after=network-online.target"
|
||||
"x-systemd.mount-timeout=90"
|
||||
];
|
||||
};
|
||||
|
||||
"/books" = {
|
||||
device = inputs.secrets.nfs.devices.books;
|
||||
fsType = "nfs";
|
||||
options = [
|
||||
"x-systemd.automount"
|
||||
"noauto"
|
||||
"x-systemd.after=network-online.target"
|
||||
"x-systemd.mount-timeout=90"
|
||||
];
|
||||
};
|
||||
|
||||
"/music" = {
|
||||
device = inputs.secrets.nfs.devices.music;
|
||||
fsType = "nfs";
|
||||
options = [
|
||||
"x-systemd.automount"
|
||||
"noauto"
|
||||
"x-systemd.after=network-online.target"
|
||||
"x-systemd.mount-timeout=90"
|
||||
];
|
||||
};
|
||||
|
||||
"/projects" = {
|
||||
device = inputs.secrets.nfs.devices.projects;
|
||||
fsType = "nfs";
|
||||
options = [
|
||||
"x-systemd.automount"
|
||||
"noauto"
|
||||
"x-systemd.after=network-online.target"
|
||||
"x-systemd.mount-timeout=90"
|
||||
];
|
||||
};
|
||||
|
||||
"/backups" = {
|
||||
device = inputs.secrets.nfs.devices.backups;
|
||||
fsType = "nfs";
|
||||
options = [
|
||||
"x-systemd.automount"
|
||||
"noauto"
|
||||
"x-systemd.after=network-online.target"
|
||||
"x-systemd.mount-timeout=90"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
user,
|
||||
inputs,
|
||||
outputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
};
|
||||
|
||||
environment.sessionVariables = {
|
||||
SSH_AUTH_SOCK = "/run/user/1000/gnupg/S.gpg-agent.ssh";
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
alejandra
|
||||
sops
|
||||
just
|
||||
# vim
|
||||
wget
|
||||
home-manager
|
||||
git
|
||||
nh
|
||||
nix-output-monitor
|
||||
nvd
|
||||
# inputs.superfile.packages.${system}.default
|
||||
];
|
||||
environment.sessionVariables = {
|
||||
NH_FLAKE = "/home/${user}/repos/nixos-config";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
user,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
restic.enable = lib.mkEnableOption "Enables Restic";
|
||||
};
|
||||
|
||||
config = lib.mkIf config.nfs.enable {
|
||||
sops.secrets.restic_key = {
|
||||
owner = config.users.users.${user}.name;
|
||||
};
|
||||
|
||||
services.restic.backups = {
|
||||
backups = {
|
||||
user = "${user}";
|
||||
repository = "/backups/grymforge";
|
||||
initialize = true;
|
||||
passwordFile = "${config.sops.secrets.restic_key.path}";
|
||||
paths = [
|
||||
"/home/${user}/repos"
|
||||
"/home/${user}/Documents"
|
||||
"/home/${user}/.local/share/password-store"
|
||||
];
|
||||
# extraBackupArgs = [ "--exclude-file=/home/gwg313/Documents/Celsus" ];
|
||||
timerConfig = {
|
||||
OnCalendar = "06:40";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
./ssh.nix
|
||||
./ssh_client.nix
|
||||
./ssh_guard.nix
|
||||
];
|
||||
|
||||
ssh_client.enable = lib.mkDefault true;
|
||||
ssh.enable = lib.mkDefault false;
|
||||
ssh_guard.enable = lib.mkDefault false;
|
||||
}
|
||||
|
|
@ -1,156 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
user,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
ssh.enable = lib.mkEnableOption "enable ssh settings";
|
||||
};
|
||||
config = lib.mkIf config.ssh.enable {
|
||||
# https://www.ssh-audit.com/hardening_guides.html
|
||||
# https://github.com/jtesta/ssh-audit
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
########## Features ##########
|
||||
|
||||
# disallow ssh-agent forwarding to prevent lateral movement
|
||||
AllowAgentForwarding = false;
|
||||
|
||||
# prevent TCP ports from being forwarded over SSH tunnels
|
||||
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
|
||||
# any user with an interactive login shell can spin up his/her own instance of sshd
|
||||
AllowTcpForwarding = false;
|
||||
|
||||
# prevent StreamLocal (Unix-domain socket) forwarding
|
||||
AllowStreamLocalForwarding = false;
|
||||
|
||||
# disables all forwarding features
|
||||
# overrides all other forwarding switches
|
||||
DisableForwarding = true;
|
||||
|
||||
# disallow remote hosts from connecting to forwarded ports
|
||||
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
|
||||
GatewayPorts = "no";
|
||||
|
||||
# prevent tun device forwarding
|
||||
PermitTunnel = false;
|
||||
|
||||
# suppress MOTD
|
||||
PrintMotd = false;
|
||||
|
||||
# disable X11 forwarding since it is not necessary
|
||||
X11Forwarding = false;
|
||||
|
||||
########## Authentication ##########
|
||||
|
||||
AllowUsers = [ "${user}" ];
|
||||
|
||||
# Use keys only. Remove if you want to SSH using password (not recommended)
|
||||
PasswordAuthentication = false;
|
||||
HostbasedAuthentication = false;
|
||||
|
||||
# enable pubkey authentication
|
||||
PubkeyAuthentication = true;
|
||||
|
||||
# Forbid root login through SSH.
|
||||
PermitRootLogin = "no";
|
||||
|
||||
# nix enables pam by default
|
||||
# UsePAM = false;
|
||||
|
||||
# challenge-response authentication backend it not configured by default
|
||||
# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
|
||||
ChallengeResponseAuthentication = false;
|
||||
|
||||
# set maximum authentication retries to prevent brute force attacks
|
||||
MaxAuthTries = 3;
|
||||
|
||||
# disallow connecting using empty passwords
|
||||
PermitEmptyPasswords = false;
|
||||
|
||||
########## Cryptography ##########
|
||||
|
||||
# explicitly define cryptography algorithms to avoid the use of weak algorithms
|
||||
# AES CTR modes have been removed to mitigate the Terrapin attack
|
||||
# https://terrapin-attack.com/
|
||||
|
||||
Ciphers = [
|
||||
"aes256-gcm@openssh.com"
|
||||
"aes128-gcm@openssh.com"
|
||||
];
|
||||
Macs = [
|
||||
"hmac-sha2-256-etm@openssh.com"
|
||||
"hmac-sha2-512-etm@openssh.com"
|
||||
"umac-128-etm@openssh.com"
|
||||
];
|
||||
KexAlgorithms = [
|
||||
"sntrup761x25519-sha512@openssh.com"
|
||||
"curve25519-sha256"
|
||||
"curve25519-sha256@libssh.org"
|
||||
"diffie-hellman-group16-sha512"
|
||||
"diffie-hellman-group18-sha512"
|
||||
];
|
||||
|
||||
# hostKeyAlgorithms = [
|
||||
# "rsa-sha2-512"
|
||||
# "rsa-sha2-256"
|
||||
# "ssh-ed25519"
|
||||
# ];
|
||||
|
||||
########## Connection Preferences ##########
|
||||
|
||||
# enforce SSH server to only use SSH protocol version 2
|
||||
# SSHv1 contains security issues and should be avoided at all costs
|
||||
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
|
||||
# specified anyways to ensure this configuration file's compatibility
|
||||
# with older versions of OpenSSH server
|
||||
Protocol = 2;
|
||||
|
||||
# number of client alive messages sent without client responding
|
||||
ClientAliveCountMax = 2;
|
||||
|
||||
# send a keepalive message to the client when the session has been idle for 300 seconds
|
||||
# this prevents/detects connection timeouts
|
||||
ClientAliveInterval = 300;
|
||||
|
||||
# compression before encryption might cause security issues
|
||||
Compression = false;
|
||||
|
||||
# prevent SSH trust relationships from allowing lateral movements
|
||||
IgnoreRhosts = true;
|
||||
|
||||
# log verbosely for addtional information
|
||||
LogLevel = "VERBOSE";
|
||||
|
||||
# allow a maximum of two multiplexed sessions over a single TCP connection
|
||||
MaxSessions = 2;
|
||||
|
||||
# let ClientAliveInterval handle keepalive
|
||||
TCPKeepAlive = false;
|
||||
|
||||
# disable reverse DNS lookups
|
||||
# UseDNS = false;
|
||||
};
|
||||
extraConfig = ''
|
||||
########## Features ##########
|
||||
|
||||
# accept locale-related environment variables
|
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
AcceptEnv XMODIFIERS
|
||||
|
||||
########## Connection Preferences ##########
|
||||
# disable reverse DNS lookups
|
||||
UseDNS no
|
||||
|
||||
########## Disable GSS ##########
|
||||
|
||||
GSSAPIAuthentication no
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
ssh_client.enable = lib.mkEnableOption "enable ssh client settings";
|
||||
};
|
||||
config = lib.mkIf config.ssh_client.enable {
|
||||
programs.ssh = {
|
||||
# disable unnecessary forwardings
|
||||
forwardX11 = false;
|
||||
|
||||
# explicitly define cryptography algorithms to avoid the use of weak algorithms
|
||||
# AES CTR modes have been removed to mitigate the Terrapin attack
|
||||
# https://terrapin-attack.com/
|
||||
ciphers = [
|
||||
"aes256-gcm@openssh.com"
|
||||
"aes128-gcm@openssh.com"
|
||||
];
|
||||
hostKeyAlgorithms = [
|
||||
"ssh-ed25519"
|
||||
"ssh-ed25519-cert-v01@openssh.com"
|
||||
"sk-ssh-ed25519@openssh.com"
|
||||
"sk-ssh-ed25519-cert-v01@openssh.com"
|
||||
"rsa-sha2-256"
|
||||
"rsa-sha2-256-cert-v01@openssh.com"
|
||||
"rsa-sha2-512"
|
||||
"rsa-sha2-512-cert-v01@openssh.com"
|
||||
];
|
||||
macs = [
|
||||
"hmac-sha2-256-etm@openssh.com"
|
||||
"hmac-sha2-512-etm@openssh.com"
|
||||
"umac-128-etm@openssh.com"
|
||||
];
|
||||
kexAlgorithms = [
|
||||
"sntrup761x25519-sha512@openssh.com"
|
||||
"curve25519-sha256"
|
||||
"curve25519-sha256@libssh.org"
|
||||
"diffie-hellman-group16-sha512"
|
||||
"diffie-hellman-group18-sha512"
|
||||
];
|
||||
extraConfig = "
|
||||
# disable unnecessary forwardings
|
||||
ForwardAgent no
|
||||
ForwardX11Trusted no
|
||||
GatewayPorts no
|
||||
Tunnel no
|
||||
|
||||
# disable unnecessary authentication methods
|
||||
ChallengeResponseAuthentication no
|
||||
HostbasedAuthentication no
|
||||
|
||||
# define authentication methods to be used
|
||||
PasswordAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
PreferredAuthentications publickey,password
|
||||
|
||||
# disable pre-connection compression as it could cause security issues
|
||||
Compression no
|
||||
|
||||
# in addition to checking a host's hostname, also check the host's IP address
|
||||
# this provides extra safety against DNS spoofing attacks
|
||||
CheckHostIP yes
|
||||
|
||||
# ask the user if the user wants to accept the new host's host key
|
||||
StrictHostKeyChecking ask
|
||||
|
||||
# hash the entries in the known_hosts file to prevent disclosure
|
||||
# of the file's content
|
||||
HashKnownHosts yes
|
||||
|
||||
# send a keepalive message to the server when the session has been idle for 60 seconds
|
||||
# this prevents/detects connection timeouts
|
||||
ServerAliveInterval 60
|
||||
|
||||
# increase the number of password retries
|
||||
NumberOfPasswordPrompts 5
|
||||
|
||||
# display an ASCII art of the server's host key
|
||||
VisualHostKey yes
|
||||
";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
options = {
|
||||
ssh_guard.enable = lib.mkEnableOption "enable ssh guard";
|
||||
};
|
||||
config = lib.mkIf config.ssh_guard.enable {
|
||||
services.sshguard = {
|
||||
enable = true;
|
||||
services = [
|
||||
"sshd"
|
||||
];
|
||||
blocktime = 120;
|
||||
detection_time = 1800;
|
||||
blacklist_threshold = 120;
|
||||
blacklist_file = "/var/lib/sshguard/blacklist.db";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
{
|
||||
imports = [
|
||||
./kernel.nix
|
||||
./file_system.nix
|
||||
./virtualization.nix
|
||||
./networking/default.nix
|
||||
];
|
||||
}
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
boot.kernel.sysctl = {
|
||||
# disallow core dumping by SUID/SGID programs
|
||||
"fs.suid_dumpable" = 0;
|
||||
|
||||
# protect the creation of hard links
|
||||
# one of the following conditions must be fulfilled
|
||||
# - the user can only link to files that he or she owns
|
||||
# - the user must first have read and write access to a file, that he/she wants to link to
|
||||
"fs.protected_hardlinks" = 1;
|
||||
|
||||
# protect the creation of symbolic links
|
||||
# one of the following conditions must be fulfilled
|
||||
# - the process following the symbolic link is the owner of the symbolic link
|
||||
# - the owner of the directory is also the owner of the symbolic link
|
||||
"fs.protected_symlinks" = 1;
|
||||
|
||||
# enable extended FIFO protection
|
||||
"fs.protected_fifos" = 2;
|
||||
|
||||
# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
|
||||
"fs.protected_regular" = 2;
|
||||
|
||||
# increase system file descriptor limit
|
||||
# this value can be up to:
|
||||
# - 2147483647 (0x7fffffff) on a 32-bit system
|
||||
# - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
|
||||
# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
|
||||
# larger than this value
|
||||
"fs.file-max" = 9223372036854775807;
|
||||
|
||||
# increase the amount of files that can be watched
|
||||
# each file watch handle takes 1080 bytes
|
||||
# up to 540 MiB of memory will be consumed if all 524288 handles are used
|
||||
"fs.inotify.max_user_watches" = 524288;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
boot.kernel.sysctl = {
|
||||
# enable ExecShield protection
|
||||
# 2 enables ExecShield by default unless applications bits are set to disabled
|
||||
# uncomment on systems without NX/XD protections
|
||||
# check with: dmesg | grep --color '[NX|DX]*protection'
|
||||
#kernel.exec-shield = 2
|
||||
|
||||
# enable ASLR
|
||||
# turn on protection and randomize stack, vdso page and mmap + randomize brk base address
|
||||
"kernel.randomize_va_space" = 2;
|
||||
|
||||
# controls the System Request debugging functionality of the kernel
|
||||
"kernel.sysrq" = 0;
|
||||
|
||||
# controls whether core dumps will append the PID to the core filename
|
||||
# useful for debugging multi-threaded applications
|
||||
"kernel.core_uses_pid" = 1;
|
||||
|
||||
# restrict access to kernel address
|
||||
# kernel pointers printed using %pK will be replaced with 0’s regardless of privileges
|
||||
"kernel.kptr_restrict" = 2;
|
||||
|
||||
# Ptrace protection using Yama
|
||||
# - 1: only a parent process can be debugged
|
||||
# - 2: only admins can use ptrace (CAP_SYS_PTRACE capability required)
|
||||
# - 3: disables ptrace completely, reboot is required to re-enable ptrace
|
||||
# If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
|
||||
# # breaks debuggers
|
||||
# "kernel.yama.ptrace_scope" = 3;
|
||||
|
||||
# restrict kernel logs to root only
|
||||
"kernel.dmesg_restrict" = 1;
|
||||
|
||||
# restrict BPF JIT compiler to root only
|
||||
"kernel.unprivileged_bpf_disabled" = 1;
|
||||
|
||||
# disables kexec as it can be used to livepatch the running kernel
|
||||
"kernel.kexec_load_disabled" = 1;
|
||||
|
||||
# disable unprivileged user namespaces to decrease attack surface
|
||||
"kernel.unprivileged_userns_clone" = 0;
|
||||
|
||||
# disable the loading of kernel modules
|
||||
# this can be used to prevent runtime insertion of malicious modules
|
||||
# could break the system if enabled within sysctl.conf
|
||||
# consider setting this manually after system is up
|
||||
# sudo sysctl -w kernel.modules_disabled=1
|
||||
#kernel.modules_disabled = 1
|
||||
|
||||
# allow for more PIDs
|
||||
# this value can be up to:
|
||||
# - 32768 (2^15) on a 32-bit system
|
||||
# - 4194304 (2^22) on a 64-bit system
|
||||
"kernel.pid_max" = 4194304;
|
||||
|
||||
# reboot machine after kernel panic
|
||||
#kernel.panic = 10
|
||||
|
||||
# restrict perf subsystem usage
|
||||
"kernel.perf_event_paranoid" = 3;
|
||||
"kernel.perf_cpu_time_max_percent" = 1;
|
||||
"kernel.perf_event_max_sample_rate" = 1;
|
||||
|
||||
# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
|
||||
"dev.tty.ldisc_autoload" = 0;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
boot.kernel.sysctl = {
|
||||
};
|
||||
}
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
{
|
||||
imports = [
|
||||
./ipv4.nix
|
||||
./ipv6.nix
|
||||
./net.nix
|
||||
];
|
||||
}
|
||||
|
|
@ -1,114 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
boot.kernel.sysctl = {
|
||||
# enable BBR congestion control
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
|
||||
# disallow IPv4 packet forwarding
|
||||
"net.ipv4.ip_forward" = 0;
|
||||
|
||||
# enable SYN cookies for SYN flooding protection
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
|
||||
# number of times SYNACKs for a passive TCP connection attempt will be retransmitted
|
||||
"net.ipv4.tcp_synack_retries" = 5;
|
||||
|
||||
# do not send redirects
|
||||
"net.ipv4.conf.default.send_redirects" = 0;
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
|
||||
# do not accept packets with SRR option
|
||||
"net.ipv4.conf.default.accept_source_route" = 0;
|
||||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||||
|
||||
# enable reverse path source validation (BCP38)
|
||||
# refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
|
||||
# log packets with impossible addresses to kernel log
|
||||
"net.ipv4.conf.default.log_martians" = 1;
|
||||
"net.ipv4.conf.all.log_martians" = 1;
|
||||
|
||||
# do not accept ICMP redirect messages
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
|
||||
# disable sending and receiving of shared media redirects
|
||||
# this setting overwrites net.ipv4.conf.all.secure_redirects
|
||||
# refer to RFC1620
|
||||
"net.ipv4.conf.default.shared_media" = 0;
|
||||
"net.ipv4.conf.all.shared_media" = 0;
|
||||
|
||||
# always use the best local address for announcing local IP via ARP
|
||||
"net.ipv4.conf.default.arp_announce" = 2;
|
||||
"net.ipv4.conf.all.arp_announce" = 2;
|
||||
|
||||
# reply only if the target IP address is local address configured on the incoming interface
|
||||
"net.ipv4.conf.default.arp_ignore" = 1;
|
||||
"net.ipv4.conf.all.arp_ignore" = 1;
|
||||
|
||||
# drop Gratuitous ARP frames to prevent ARP poisoning
|
||||
# this can cause issues when ARP proxies are used in the network
|
||||
"net.ipv4.conf.default.drop_gratuitous_arp" = 1;
|
||||
"net.ipv4.conf.all.drop_gratuitous_arp" = 1;
|
||||
|
||||
# ignore all ICMP echo requests
|
||||
#net.ipv4.icmp_echo_ignore_all = 1
|
||||
|
||||
# ignore all ICMP echo and timestamp requests sent to broadcast/multicast
|
||||
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
|
||||
|
||||
# ignore bad ICMP errors
|
||||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||||
|
||||
# mitigate TIME-WAIT Assassination hazards in TCP
|
||||
# refer to RFC1337
|
||||
"net.ipv4.tcp_rfc1337" = 1;
|
||||
|
||||
# disable TCP window scaling
|
||||
# this makes the host less susceptible to TCP RST DoS attacks
|
||||
# could drastically reduce throughput if latency is high
|
||||
#net.ipv4.tcp_window_scaling = 0
|
||||
|
||||
# increase system IP port limits
|
||||
"net.ipv4.ip_local_port_range" = "1024 65535";
|
||||
|
||||
# TCP timestamps could provide protection against wrapped sequence numbers,
|
||||
# but the host's uptime can be calculated precisely from its timestamps
|
||||
# it is also possible to differentiate operating systems based on their use of timestamps
|
||||
# - 0: disable TCP timestamps
|
||||
# - 1: enable timestamps as defined in RFC1323 and use random offset for
|
||||
# each connection rather than only using the current time
|
||||
# - 2: enable timestamps without random offsets
|
||||
"net.ipv4.tcp_timestamps" = 0;
|
||||
|
||||
# enabling SACK can increase the throughput
|
||||
# but SACK is commonly exploited and rarely used
|
||||
"net.ipv4.tcp_sack" = 0;
|
||||
"net.ipv4.tcp_dsack" = 0;
|
||||
"net.ipv4.tcp_fack" = 0;
|
||||
|
||||
# divide socket buffer evenly between TCP window size and application
|
||||
"net.ipv4.tcp_adv_win_scale" = 1;
|
||||
|
||||
# SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
|
||||
# but it could be helpful on a variable-speed network (e.g., LTE)
|
||||
# uncomment this if you are on a fixed-speed network
|
||||
"net.ipv4.tcp_slow_start_after_idle" = 0;
|
||||
|
||||
# enabling MTU probing helps mitigating PMTU blackhole issues
|
||||
# this may not be desirable on congested networks
|
||||
"net.ipv4.tcp_mtu_probing" = 1;
|
||||
"net.ipv4.tcp_base_mss" = 1024;
|
||||
|
||||
# increase memory thresholds to prevent packet dropping
|
||||
"net.ipv4.tcp_rmem" = "4096 87380 8388608";
|
||||
"net.ipv4.tcp_wmem" = "4096 87380 8388608";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,56 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
boot.kernel.sysctl = {
|
||||
# disallow IPv6 packet forwarding
|
||||
"net.ipv6.conf.default.forwarding" = 0;
|
||||
"net.ipv6.conf.all.forwarding" = 0;
|
||||
|
||||
# number of Router Solicitations to send until assuming no routers are present
|
||||
"net.ipv6.conf.default.router_solicitations" = 0;
|
||||
"net.ipv6.conf.all.router_solicitations" = 0;
|
||||
|
||||
# do not accept Router Preference from RA
|
||||
"net.ipv6.conf.default.accept_ra_rtr_pref" = 0;
|
||||
"net.ipv6.conf.all.accept_ra_rtr_pref" = 0;
|
||||
|
||||
# learn prefix information in router advertisement
|
||||
"net.ipv6.conf.default.accept_ra_pinfo" = 0;
|
||||
"net.ipv6.conf.all.accept_ra_pinfo" = 0;
|
||||
|
||||
# setting controls whether the system will accept Hop Limit settings from a router advertisement
|
||||
"net.ipv6.conf.default.accept_ra_defrtr" = 0;
|
||||
"net.ipv6.conf.all.accept_ra_defrtr" = 0;
|
||||
|
||||
# router advertisements can cause the system to assign a global unicast address to an interface
|
||||
"net.ipv6.conf.default.autoconf" = 0;
|
||||
"net.ipv6.conf.all.autoconf" = 0;
|
||||
|
||||
# number of neighbor solicitations to send out per address
|
||||
"net.ipv6.conf.default.dad_transmits" = 0;
|
||||
"net.ipv6.conf.all.dad_transmits" = 0;
|
||||
|
||||
# number of global unicast IPv6 addresses can be assigned to each interface
|
||||
"net.ipv6.conf.default.max_addresses" = 1;
|
||||
"net.ipv6.conf.all.max_addresses" = 1;
|
||||
|
||||
# enable IPv6 Privacy Extensions (RFC30;41) and prefer the temporary address
|
||||
#"net.ipv6.conf.default.use_tempaddr" = 2; # Nix sets by default
|
||||
"net.ipv6.conf.all.use_tempaddr" = 2;
|
||||
|
||||
# ignore IPv6 ICMP redirect messages
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
|
||||
# do not accept packets with SRR option
|
||||
"net.ipv6.conf.default.accept_source_route" = 0;
|
||||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||||
|
||||
# ignore all ICMPv6 echo requests
|
||||
#net.ipv6.icmp.echo_ignore_all = 1
|
||||
#net.ipv6.icmp.echo_ignore_anycast = 1
|
||||
#net.ipv6.icmp.echo_ignore_multicast = 1
|
||||
};
|
||||
}
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
boot.kernel.sysctl = {
|
||||
# increase the maximum length of processor input queues
|
||||
"net.core.netdev_max_backlog" = 250000;
|
||||
|
||||
# enable BPF JIT hardening for all users
|
||||
# this trades off performance, but can mitigate JIT spraying
|
||||
"net.core.bpf_jit_harden" = 2;
|
||||
|
||||
# increase TCP max buffer size setable using setsockopt()
|
||||
"net.core.rmem_max" = 8388608;
|
||||
"net.core.wmem_max" = 8388608;
|
||||
"net.core.rmem_default" = 8388608;
|
||||
"net.core.wmem_default" = 8388608;
|
||||
#net.core.optmem_max = 40960
|
||||
};
|
||||
}
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
boot.kernel.sysctl = {
|
||||
# do not allow mmap in lower addresses
|
||||
"vm.mmap_min_addr" = 65536;
|
||||
|
||||
# improve mmap ASLR effectiveness
|
||||
"vm.mmap_rnd_bits" = 32;
|
||||
"vm.mmap_rnd_compat_bits" = 16;
|
||||
|
||||
# prevent unprivileged users from accessing userfaultfd
|
||||
# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
|
||||
"vm.unprivileged_userfaultfd" = 0;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
services.greetd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
default_session = {
|
||||
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --container-padding 2 --time --time-format '%I:%M %p | %a • %h | %F' --cmd Hyprland";
|
||||
user = "greeter";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ greetd.tuigreet ];
|
||||
|
||||
systemd.services.greetd.serviceConfig = {
|
||||
Type = "idle";
|
||||
StandardInput = "tty";
|
||||
StandardOutput = "tty";
|
||||
StandardError = "journal";
|
||||
TTYReset = true;
|
||||
TTYVHangup = true;
|
||||
TTYVTDisallocate = true;
|
||||
};
|
||||
|
||||
systemd.extraConfig = "DefaultTimeoutStopSec=10s";
|
||||
|
||||
}
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
outputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
# Define a user account. Don't forget to set a password with 'passwd'.
|
||||
programs.zsh.enable = true;
|
||||
users.users.gwg313 = {
|
||||
isNormalUser = true;
|
||||
description = "Glen Goodwin";
|
||||
extraGroups = [
|
||||
"networkmanager"
|
||||
"wheel"
|
||||
"video"
|
||||
"docker"
|
||||
"audio"
|
||||
"wireshark"
|
||||
];
|
||||
shell = pkgs.zsh;
|
||||
# shell = pkgs.nushell;
|
||||
uid = 1000;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
options = {
|
||||
var = lib.mkOption {
|
||||
type = lib.types.attrs;
|
||||
default = { };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
stylix = {
|
||||
base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-latte.yaml";
|
||||
# base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-sulphurpool-light.yaml";
|
||||
# image = ./wallpaper.jpg;
|
||||
image = ../../wallpapers/nixos-wallpaper-catppuccin-latte.png;
|
||||
#polarity = "dark";
|
||||
autoEnable = true;
|
||||
enable = true;
|
||||
|
||||
opacity.terminal = 1.0;
|
||||
fonts.sizes.terminal = 18;
|
||||
|
||||
fonts = {
|
||||
serif = {
|
||||
package = pkgs.lmodern;
|
||||
name = "Latin Modern Roman";
|
||||
};
|
||||
|
||||
sansSerif = {
|
||||
package = pkgs.inter;
|
||||
name = "Inter";
|
||||
};
|
||||
|
||||
monospace = {
|
||||
package = pkgs.fira-code;
|
||||
name = "Fire Code";
|
||||
};
|
||||
|
||||
emoji = {
|
||||
package = pkgs.noto-fonts-emoji;
|
||||
name = "Noto Color Emoji";
|
||||
};
|
||||
};
|
||||
cursor = {
|
||||
package = pkgs.bibata-cursors;
|
||||
name = "Bibata-Modern-Classic";
|
||||
size = 20;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options.theme = lib.mkOption {
|
||||
type = lib.types.attrs;
|
||||
default = {
|
||||
rounding = 20;
|
||||
gaps-in = 10;
|
||||
gaps-out = 10 * 2;
|
||||
active-opacity = 0.96;
|
||||
inactive-opacity = 0.92;
|
||||
blur = true;
|
||||
border-size = 3;
|
||||
animation-speed = "fast"; # "fast" | "medium" | "slow"
|
||||
fetch = "none"; # "nerdfetch" | "neofetch" | "pfetch" | "none"
|
||||
textColorOnWallpaper = config.lib.stylix.colors.base01; # Color of the text displayed on the wallpaper (Lockscreen, display manager, ...)
|
||||
|
||||
bar = {
|
||||
# Hyprpanel
|
||||
position = "top"; # "top" | "bottom"
|
||||
transparent = true;
|
||||
transparentButtons = false;
|
||||
floating = true;
|
||||
};
|
||||
};
|
||||
description = "Theme configuration options";
|
||||
};
|
||||
|
||||
config.stylix = {
|
||||
enable = true;
|
||||
|
||||
# See https://tinted-theming.github.io/tinted-gallery/ for more schemes
|
||||
base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-latte.yaml";
|
||||
# base16Scheme = {
|
||||
# base00 = "09090B"; # Default Background
|
||||
# base01 = "1c1e1f"; # Lighter Background (Used for status bars, line number and folding marks)
|
||||
# base02 = "313244"; # Selection Background
|
||||
# base03 = "45475a"; # Comments, Invisibles, Line Highlighting
|
||||
# base04 = "585b70"; # Dark Foreground (Used for status bars)
|
||||
# base05 = "cdd6f4"; # Default Foreground, Caret, Delimiters, Operators
|
||||
# base06 = "f5e0dc"; # Light Foreground (Not often used)
|
||||
# base07 = "b4befe"; # Light Background (Not often used)
|
||||
# base08 = "f38ba8"; # Variables, XML Tags, Markup Link Text, Markup Lists, Diff Deleted
|
||||
# base09 = "fab387"; # Integers, Boolean, Constants, XML Attributes, Markup Link Url
|
||||
# base0A = "f9e2af"; # Classes, Markup Bold, Search Text Background
|
||||
# base0B = "a6e3a1"; # Strings, Inherited Class, Markup Code, Diff Inserted
|
||||
# base0C = "94e2d5"; # Support, Regular Expressions, Escape Characters, Markup Quotes
|
||||
# base0D = "c5afd4"; # Functions, Methods, Attribute IDs, Headings, Accent color
|
||||
# base0E = "cba6f7"; # Keywords, Storage, Selector, Markup Italic, Diff Changed
|
||||
# base0F = "f2cdcd"; # Deprecated, Opening/Closing Embedded Language Tags, e.g. <?php ?>
|
||||
# };
|
||||
|
||||
cursor = {
|
||||
name = "phinger-cursors-light";
|
||||
package = pkgs.phinger-cursors;
|
||||
size = 20;
|
||||
};
|
||||
|
||||
fonts = {
|
||||
serif = {
|
||||
package = pkgs.lmodern;
|
||||
name = "Latin Modern Roman";
|
||||
};
|
||||
|
||||
sansSerif = {
|
||||
package = pkgs.inter;
|
||||
name = "Inter";
|
||||
};
|
||||
|
||||
monospace = {
|
||||
package = pkgs.fira-code;
|
||||
name = "Fire Code";
|
||||
};
|
||||
|
||||
emoji = {
|
||||
package = pkgs.noto-fonts-emoji;
|
||||
name = "Noto Color Emoji";
|
||||
};
|
||||
sizes = {
|
||||
applications = 13;
|
||||
desktop = 13;
|
||||
popups = 13;
|
||||
terminal = 13;
|
||||
};
|
||||
};
|
||||
|
||||
polarity = "light";
|
||||
image = pkgs.fetchurl {
|
||||
url = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/black-and-white-forest_minimalist_black-and-white.png";
|
||||
sha256 = "sha256-MOlLRQonZ6UAaSJlysjL8snxnMrSFH9VOLrjXaU82Kw=";
|
||||
};
|
||||
};
|
||||
}
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 1.8 MiB |
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue