thunderbottom/flakes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: add nixos configuration based on snowfall-lib

Browse Source 
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
This commit is contained in:
Chinmay D. Pai 2024-09-02 18:31:19 +05:30
commit 3a3a8afe30
Signed by: thunderbottom
GPG Key ID: 75507BE256F40CED
66 changed files with 4256 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
result
result-*

2
checks/deploy-rs/default.nix Normal file
View File

@ -0,0 +1,2 @@
{ inputs, ... }:
builtins.mapAttrs (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib

28
data.nix Normal file
View File

@ -0,0 +1,28 @@
{
secrets = {
machines = {
thonkpad = {
password.file = ./secrets/machines/thonkpad/password.age;
root-password.file = ./secrets/machines/thonkpad/root-password.age;
};
bicboye = {
password.file = ./secrets/machines/bicboye/password.age;
root-password.file = ./secrets/machines/bicboye/root-password.age;
};
};
services = {
gitea = {
password.file = ./secrets/services/gitea/password.age;
};
miniflux = {
password.file = ./secrets/services/miniflux/password.age;
};
paperless = {
password.file = ./secrets/services/paperless/password.age;
};
vaultwarden = {
password.file = ./secrets/services/vaultwarden/password.age;
};
};
};
}

938
flake.lock Normal file
View File

@ -0,0 +1,938 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": [
"nixpkgs"
],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"cachix": {
"locked": {
"lastModified": 1635350005,
"narHash": "sha256-tAMJnUwfaDEB2aa31jGcu7R7bzGELM9noc91L2PbVjg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1c1f5649bb9c1b0d98637c8c365228f57126f361",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-20.09",
"repo": "nixpkgs",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721842668,
"narHash": "sha256-k3oiD2z2AAwBFLa4+xfU+7G5fisRXfkvrMTCJrjZzXo=",
"owner": "ipetkov",
"repo": "crane",
"rev": "529c1a0b1f29f0d78fa3086b8f6a134c71ef3aaf",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1718194053,
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724349583,
"narHash": "sha256-zgB1Cfk46irIsto8666yLdKjqKdBrjR48Dd3lhQ0CnQ=",
"owner": "nix-community",
"repo": "disko",
"rev": "435737144be0259559ca3b43f7d72252b1fdcc1b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"firefox": {
"inputs": {
"cachix": "cachix",
"flake-compat": "flake-compat_2",
"lib-aggregate": "lib-aggregate",
"mozilla": "mozilla",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724347032,
"narHash": "sha256-/MsJjSKmdgoPj0LCt8FE+VjeDcQtTtw90cy7hca0PrI=",
"owner": "nix-community",
"repo": "flake-firefox-nightly",
"rev": "376edecefc793dee239bb7c363647358fa53347a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-firefox-nightly",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"lastModified": 1717312683,
"narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils-plus": {
"inputs": {
"flake-utils": "flake-utils_4"
},
"locked": {
"lastModified": 1715533576,
"narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_6"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"freetype2": {
"flake": false,
"locked": {
"lastModified": 1687587065,
"narHash": "sha256-+Fh+/k+NWL5Ow9sDLtp8Cv/8rLNA1oByQQCIQS/bysY=",
"owner": "wez",
"repo": "freetype2",
"rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d",
"type": "github"
},
"original": {
"owner": "wez",
"repo": "freetype2",
"rev": "e4586d960f339cf75e2e0b34aee30a0ed8353c0d",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"harfbuzz": {
"flake": false,
"locked": {
"lastModified": 1711722720,
"narHash": "sha256-GdxcAPx5QyniSHPAN1ih28AD9JLUPR0ItqW9JEsl3pU=",
"owner": "harfbuzz",
"repo": "harfbuzz",
"rev": "63973005bc07aba599b47fdd4cf788647b601ccd",
"type": "github"
},
"original": {
"owner": "harfbuzz",
"ref": "8.4.0",
"repo": "harfbuzz",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723986931,
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1722329086,
"narHash": "sha256-e/fSi0WER06N8WCvpht62fkGtWfe5ckDxr6zNYkwkFw=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "f5a3a7dff44d131807fc1a89fbd8576cd870334a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"lib-aggregate": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1723983147,
"narHash": "sha256-SMCz4/S1/r+5ONMbxWrLiasPNd1J5FBM6HbNe00OBnw=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "abccaf0cb3f013739df2a89f19a33f912195384c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lib-aggregate",
"type": "github"
}
},
"libpng": {
"flake": false,
"locked": {
"lastModified": 1549245649,
"narHash": "sha256-1+cRp0Ungme/OGfc9kGJbklYIWAFxk8Il1M+NV4KSgw=",
"owner": "glennrp",
"repo": "libpng",
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61",
"type": "github"
},
"original": {
"owner": "glennrp",
"repo": "libpng",
"rev": "8439534daa1d3a5705ba92e653eda9251246dd61",
"type": "github"
}
},
"maych-in": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723472993,
"narHash": "sha256-0oD7G/z5D6iEnXq9saTRNnPJZVb9TGapbxFiwgUvC64=",
"rev": "7c4c0bcd15fdf0056bc0556ab8fa90ccb66c39e9",
"type": "tarball",
"url": "https://git.deku.moe/api/v1/repos/thunderbottom/website/archive/7c4c0bcd15fdf0056bc0556ab8fa90ccb66c39e9.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.deku.moe/thunderbottom/website/archive/main.tar.gz"
}
},
"mozilla": {
"flake": false,
"locked": {
"lastModified": 1704373101,
"narHash": "sha256-+gi59LRWRQmwROrmE1E2b3mtocwueCQqZ60CwLG+gbg=",
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"rev": "9b11a87c0cc54e308fa83aac5b4ee1816d5418a2",
"type": "github"
},
"original": {
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"type": "github"
}
},
"nil": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1723948777,
"narHash": "sha256-rX14joTzvRUiCfmCT0LUMV3Mxi79VJANcKB/kkh7Qys=",
"owner": "oxalica",
"repo": "nil",
"rev": "4f3081d1f10bb61f197b780e67f426e53f818691",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "nil",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1724067415,
"narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1724224976,
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1723942470,
"narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 1724348704,
"narHash": "sha256-h8HB+4AiVZAe3ie6zYOmJco7QkKRPC7iHfChsoSOHm4=",
"owner": "nix-community",
"repo": "nur",
"rev": "bf3ebc298e0a5091f4f41cb45f38b31cac050e62",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nur",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1721042469,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"deploy-rs": "deploy-rs",
"disko": "disko",
"firefox": "firefox",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"maych-in": "maych-in",
"nil": "nil",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nur": "nur",
"snowfall-lib": "snowfall-lib",
"srvos": "srvos",
"wezterm": "wezterm"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722219664,
"narHash": "sha256-xMOJ+HW4yj6e69PvieohUJ3dBSdgCfvI0nnCEe6/yVc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a6fbda5d9a14fb5f7c69b8489d24afeb349c7bb4",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"nil",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722824458,
"narHash": "sha256-2k3/geD5Yh8JT1nrGaRycje5kB0DkvQA/OUZoel1bIU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a8a937c304e62a5098c6276c9cdf65c19a43b1a5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"wezterm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721441897,
"narHash": "sha256-gYGX9/22tPNeF7dR6bWN5rsrpU4d06GnQNNgZ6ZiXz0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "b7996075da11a2d441cfbf4e77c2939ce51506fd",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"snowfall-lib": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1719005984,
"narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=",
"owner": "snowfallorg",
"repo": "lib",
"rev": "c6238c83de101729c5de3a29586ba166a9a65622",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "lib",
"type": "github"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724287640,
"narHash": "sha256-MAjp8fUU6/WambitI/jOVxgjuH3YEfE6A8l4EtonktY=",
"owner": "nix-community",
"repo": "srvos",
"rev": "9810f43ff22a10b6f70c38d6085ac6c201b26640",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "srvos",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"wezterm": {
"inputs": {
"flake-utils": "flake-utils_5",
"freetype2": "freetype2",
"harfbuzz": "harfbuzz",
"libpng": "libpng",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_3",
"zlib": "zlib"
},
"locked": {
"dir": "nix",
"lastModified": 1723525023,
"narHash": "sha256-ZsDJQSUokodwFMP4FIZm2dYojf5iC4F/EeKC5VuQlqY=",
"owner": "wez",
"repo": "wezterm",
"rev": "30345b36d8a00fed347e4df5dadd83915a7693fb",
"type": "github"
},
"original": {
"dir": "nix",
"owner": "wez",
"repo": "wezterm",
"type": "github"
}
},
"zlib": {
"flake": false,
"locked": {
"lastModified": 1484501380,
"narHash": "sha256-j5b6aki1ztrzfCqu8y729sPar8GpyQWIrajdzpJC+ww=",
"owner": "madler",
"repo": "zlib",
"rev": "cacf7f1d4e3d44d871b605da3b647f07d718623f",
"type": "github"
},
"original": {
"owner": "madler",
"ref": "v1.2.11",
"repo": "zlib",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

108
flake.nix Normal file
View File

@ -0,0 +1,108 @@
{
outputs = inputs: let
lib = inputs.snowfall-lib.mkLib {
inherit inputs;
src = ./.;
snowfall = {
namespace = "snowflake";
meta = {
name = "nix-snowflake";
title = "NixOS Flake configuration for snowflakes";
};
};
};
userdata = import ./data.nix;
in
lib.mkFlake {
inherit inputs;
src = ./.;
systems.modules.nixos = with inputs; [
agenix.nixosModules.age
disko.nixosModules.disko
nur.nixosModules.nur
srvos.nixosModules.common
srvos.nixosModules.mixins-systemd-boot
];
systems.hosts.thonkpad.modules = [
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-9th-gen
inputs.lanzaboote.nixosModules.lanzaboote
];
systems.hosts.thonkpad.specialArgs = {
inherit userdata;
};
# TODO: setup atticd
systems.hosts.bicboye.modules = [inputs.srvos.nixosModules.server];
systems.hosts.bicboye.specialArgs = {
inherit userdata;
};
systems.hosts.smolboye.modules = [inputs.srvos.nixosModules.server];
overlays = [(_: prev: {inherit (inputs.maych-in.packages.${prev.system}) maych-in;})];
channels-config.allowUnfree = true;
outputs-builder = channels: {
formatter = channels.nixpkgs.writeShellApplication {
name = "format";
runtimeInputs = with channels.nixpkgs; [
nixfmt-rfc-style
deadnix
shfmt
statix
];
text = ''
set -euo pipefail
shfmt --write --simplify --language-dialect bash --indent 2 --case-indent --space-redirects .;
deadnix --edit
statix check . || statix fix .
nixfmt .
'';
};
};
deploy = lib.mkDeploy {inherit (inputs) self;};
};
inputs = {
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.home-manager.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
firefox.url = "github:nix-community/flake-firefox-nightly";
firefox.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
lanzaboote.url = "github:nix-community/lanzaboote";
lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
maych-in.url = "https://git.deku.moe/thunderbottom/website/archive/main.tar.gz";
maych-in.inputs.nixpkgs.follows = "nixpkgs";
nil.url = "github:oxalica/nil";
nil.inputs.nixpkgs.follows = "nixpkgs";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
nur.url = "github:nix-community/nur";
snowfall-lib.url = "github:snowfallorg/lib";
snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:nix-community/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
wezterm.url = "github:wez/wezterm?dir=nix";
wezterm.inputs.nixpkgs.follows = "nixpkgs";
};
}

135
homes/x86_64-linux/chnmy@thonkpad/default.nix Normal file
View File

@ -0,0 +1,135 @@
{
config,
inputs,
pkgs,
...
}: {
snowfallorg.user.enable = true;
snowfallorg.user.name = "chnmy";
snowflake.desktop.wezterm.enable = true;
snowflake.development.git.enable = true;
snowflake.development.git.user = {
name = "Chinmay D. Pai";
email = "chinmaydpai@gmail.com";
signingKey = "75507BE256F40CED";
};
snowflake.development.git.work = {
enable = true;
email = "chinmay.pai@zerodha.com";
path = "/home/${config.snowfallorg.user.name}/workspace/gitlab.zerodha.tech";
extraConfig = {
url."ssh://git@gitlab.zerodha.tech:2280".insteadOf = "https://gitlab.zerodha.tech";
url."ssh://git@gitlab.zerodha.tech:2280/".insteadOf = "git@gitlab.zerodha.tech:";
};
};
snowflake.development.helix.enable = true;
snowflake.development.tmux.enable = true;
snowflake.shell.fish.enable = true;
programs.firefox = {
enable = true;
package = inputs.firefox.packages.${pkgs.system}.firefox-nightly-bin.override {
cfg = {
pipewireSupport = true;
};
};
# extensions = with config.nur.repos.rycee.firefox-addons; [
# bitwarden
# clearurls
# duckduckgo-privacy-essentials
# reddit-enhancement-suite
# sponsorblock
# ublock-origin
# ];
# policies = {
# DisableFirefoxStudies = true;
# EnableTrackingProtection = {
# Value = true;
# Locked = true;
# Cryptomining = true;
# Fingerprinting = true;
# };
# OfferToSaveLoginsDefault = false;
# DisableTelemetry = true;
# DisablePocket = true;
# DisableFirefoxAccounts = true;
# OverrideFirstRunPage = "";
# OverridePostUpdatePage = "";
# DontCheckDefaultBrowser = true;
# DisplayMenuBar = "default-off";
# SearchBar = "unified";
# NoDefaultBookmarks = true;
# DisplayBookmarksToolbar = "never";
# Preferences = let
# lock-false = {
# Value = false;
# Status = "locked";
# };
# lock-true = {
# Value = false;
# Status = "locked";
# };
# lock-empty-string = {
# Value = false;
# Status = "locked";
# };
# in {
# "toolkit.legacyUserProfileCustomizations.stylesheets" = lock-true;
# # Remove poluting defaults
# "extensions.pocket.enabled" = lock-false;
# # Remove default top sites
# "browser.topsites.contile.enabled" = lock-false;
# "browser.urlbar.suggest.topsites" = lock-false;
# # Remove sponsored sites
# "browser.newtabpage.pinned" = lock-empty-string;
# "browser.newtabpage.activity-stream.showSponsored" = lock-false;
# "browser.newtabpage.activity-stream.system.showSponsored" = lock-false;
# "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false;
# # Remove firefox shiny buttons
# "browser.tabs.firefox-view" = false;
# "browser.tabs.firefox-view-next" = false;
# # Style
# "browser.compactmode.show" = lock-true;
# "browser.uidensity" = {
# Value = 1;
# Status = "locked";
# };
# # Fonts - make web pages follow system font
# "browser.display.use_document_fonts" = {
# Value = 0;
# Status = "locked";
# };
# "browser.tabs.loadInBackground" = true;
# "gfx.canvas.accelerated" = true;
# "gfx.webrender.enabled" = true;
# "gfx.x11-egl.force-enabled" = true;
# "layers.acceleration.force-enabled" = true;
# "media.av1.enabled" = false;
# "media.ffmpeg.vaapi.enabled" = true;
# "media.hardware-video-decoding.force-enabled" = true;
# "media.rdd-ffmpeg.enabled" = true;
# "widget.dmabuf.force-enabled" = true;
# "svg.context-properties.content.enabled" = true;
# "gnomeTheme.hideSingleTab" = true;
# "gnomeTheme.bookmarksToolbarUnderTabs" = true;
# "gnomeTheme.normalWidthTabs" = false;
# "gnomeTheme.tabsAsHeaderbar" = false;
# };
# };
};
home.packages = [
pkgs.mpv
];
home.stateVersion = "24.05";
}

11
homes/x86_64-linux/server@bicboye/default.nix Normal file
View File

@ -0,0 +1,11 @@
_: {
snowfallorg.user.enable = true;
snowfallorg.user.name = "server";
# snowflake.development.git.enable = true;
snowflake.development.helix.enable = true;
snowflake.development.tmux.enable = true;
snowflake.shell.fish.enable = true;
home.stateVersion = "24.05";
}

26
lib/deploy-rs/default.nix Normal file
View File

@ -0,0 +1,26 @@
{ inputs }:
let
inherit (inputs) deploy-rs;
in
{
mkDeploy =
{ self }:
let
hosts = self.nixosConfigurations or { };
nodes = builtins.mapAttrs (_: machine: {
hostname = machine.config.networking.hostName;
fastConnection = true;
remoteBuild = false;
autoRollback = false;
magicRollback = false;
profiles.system = {
user = "root";
sshUser = "root";
path = deploy-rs.lib.${machine.pkgs.system}.activate.nixos machine;
};
}) hosts;
in
{
inherit nodes;
};
}

12
lib/nixos/default.nix.bak Normal file
View File

@ -0,0 +1,12 @@
{
inputs,
nixosModules,
overlays,
userdata,
...
}: let
helpers = import ./helpers.nix {inherit inputs nixosModules overlays userdata;};
in {
inherit (helpers) mkHost;
inherit (helpers) forAllSystems;
}

45
lib/nixos/helpers.nix.bak Normal file
View File

@ -0,0 +1,45 @@
{
inputs,
nixosModules,
overlays,
userdata,
...
}: {
# Helper function for generating host configurations.
mkHost = {
hostname,
system ? "x86_64-linux",
extraArgs ? {},
extraModules ? [],
}: let
inherit (inputs.nixpkgs) lib;
in
inputs.nixpkgs.lib.nixosSystem {
inherit system;
specialArgs =
{inherit inputs userdata;}
// extraArgs;
modules =
[
{
networking.hostName = lib.mkDefault hostname;
nixpkgs.overlays = overlays;
}
../machines/${hostname}
nixosModules.default
inputs.agenix.nixosModules.default
inputs.disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager
]
++ extraModules;
};
forAllSystems = inputs.nixpkgs.lib.genAttrs [
"aarch64-linux"
"i686-linux"
"x86_64-linux"
"aarch64-darwin"
"x86_64-darwin"
];
}

44
modules/home/desktop/wezterm/default.nix Normal file
View File

@ -0,0 +1,44 @@
{
config,
inputs,
lib,
pkgs,
...
}:
{
options.snowflake.desktop.wezterm.enable = lib.mkEnableOption "Enable wezterm home configuration";
config = lib.mkIf config.snowflake.desktop.wezterm.enable {
programs.wezterm = {
enable = true;
package = inputs.wezterm.packages.${pkgs.system}.default;
extraConfig = ''
local wezterm = require 'wezterm'
local function BaseName(s)
return string.gsub(s, '(.*[/\\])(.*)', '%2')
end
wezterm.on('format-tab-title', function(tab)
local title = BaseName(tab.active_pane.foreground_process_name)
if title and #title > 0 then
return ' ' .. BaseName(tab.active_pane.foreground_process_name) .. ' '
end
return ' ' .. tab.active_pane.title .. ' '
end)
return {
font = wezterm.font 'IBM Plex Mono',
font_size = 12.0,
cursor_blink_rate = 800,
color_scheme = "ayu",
use_fancy_tab_bar = false,
window_decorations = "NONE",
}
'';
};
};
}

108
modules/home/development/git/default.nix Normal file
View File

@ -0,0 +1,108 @@
{ config, lib, ... }:
let
# Redefine gitIniTyp.
# ref: https://github.com/nix-community/home-manager/blob/master/modules/programs/git.nix
gitIniType =
with lib.types;
let
primitiveType = either str (either bool int);
multipleType = either primitiveType (listOf primitiveType);
sectionType = attrsOf multipleType;
supersectionType = attrsOf (either multipleType sectionType);
in
attrsOf supersectionType;
in
{
options.snowflake.development.git = {
enable = lib.mkEnableOption "Enable development git configuration";
user.name = lib.mkOption {
type = lib.types.str;
description = "Real name for the work git profile";
};
user.email = lib.mkOption {
type = lib.types.str;
description = "Email for the work git profile";
};
user.signingKey = lib.mkOption {
type = lib.types.str;
description = "Public GPG Key for the work git profile";
};
work.enable = lib.mkEnableOption "Enable work git configuration";
work.path = lib.mkOption {
type = lib.types.str;
description = "Absolute path to apply the work git configuration.";
};
work.extraConfig = lib.mkOption {
type = lib.types.either lib.types.lines gitIniType;
default = { };
description = "Additional configuration for work git.";
};
work.email = lib.mkOption {
type = lib.types.str;
description = "Email for the work git profile";
};
};
config = lib.mkIf config.snowflake.development.git.enable {
programs.git = {
enable = true;
delta = {
enable = true;
options = {
diff-so-fancy = true;
line-numbers = true;
true-color = "always";
};
};
extraConfig = {
init.defaultBranch = "main";
commit.gpgSign = true;
diff.algorithm = "histogram";
gc.writeCommitGraph = true;
# Do not `git fetch && git merge` or `git fetch && git rebase`
# on default `git pull behavior`.
pull.ff = "only";
pull.rebase = false;
# Enable REuse REcorded REsolution for git merge conflicts.
rerere.enabled = true;
user.name = config.snowflake.development.git.user.name;
user.email = config.snowflake.development.git.user.email;
user.signingKey = config.snowflake.development.git.user.signingKey;
} // config.snowflake.development.git.work.extraConfig;
# Global gitignore configuration.
ignores = [
"*~"
".#*"
];
includes = lib.mkIf config.snowflake.development.git.work.enable [
# Enable work git configuration in specific directories.
# This allows existence of two different gitconfigs based on directories.
# For this, structuring the git repositories into directories based on
# origin is an ideal workflow.
# Example:
# ~/workspace/github.com: personal git workflow.
# ~/workspace/git.work.example: $WORK git workflow.
# Setting config.snowflake.work.git.workpath = "~/workspace/git.work.example"
# would apply the following configuration to only
# the ~/workspace.git.work.example folder.
{
condition = "gitdir:${config.snowflake.development.git.work.path}";
contents = {
commit.gpgSign = true;
user.email = config.snowflake.development.git.work.email;
user.name = config.snowflake.development.git.user.name;
user.signingKey = config.snowflake.development.git.user.signingKey;
};
}
];
};
};
}

126
modules/home/development/helix/default.nix Normal file
View File

@ -0,0 +1,126 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.development.helix.enable = lib.mkEnableOption "Enable helix development configuration";
config = lib.mkIf config.snowflake.development.helix.enable {
programs.helix = {
enable = true;
package = pkgs.helix.overrideAttrs (old: {
makeWrapperArgs =
with pkgs;
old.makeWrapperArgs or [ ]
++ [
"--suffix"
"PATH"
":"
(lib.makeBinPath [
alejandra
nil
gopls
gotools
marksman
shellcheck
])
];
});
defaultEditor = true;
settings = {
theme = "ayu_dark";
editor = {
line-number = "relative";
cursorline = true;
cursor-shape.insert = "bar";
scrolloff = 5;
color-modes = true;
idle-timeout = 1;
true-color = true;
bufferline = "always";
soft-wrap.enable = true;
completion-replace = true;
lsp = {
display-messages = true;
display-inlay-hints = true;
};
whitespace.render = "all";
whitespace.characters = {
space = "·";
nbsp = "";
tab = "";
newline = "";
};
gutters = [
"diagnostics"
"line-numbers"
"spacer"
"diff"
];
statusline = {
separator = "of";
left = [
"mode"
"selections"
"file-type"
"register"
"spinner"
"diagnostics"
];
center = [ "file-name" ];
right = [
"file-encoding"
"file-line-ending"
"position-percentage"
"spacer"
"separator"
"total-line-numbers"
];
mode = {
normal = "NORMAL";
insert = "INSERT";
select = "SELECT";
};
};
indent-guides = {
render = true;
rainbow-option = "normal";
};
};
};
languages = {
language = [
{
name = "go";
auto-format = true;
}
{
name = "nix";
formatter.command = "alejandra";
auto-format = true;
}
];
language-server = {
nil = {
command = lib.getExe pkgs.nil;
config.nil.formatting.command = [
"${lib.getExe pkgs.alejandra}"
"-q"
];
};
gopls = {
command = lib.getExe pkgs.gopls;
config.gopls.formatting.command = [ "${pkgs.go}/bin/gofmt" ];
};
};
};
};
};
}

57
modules/home/development/tmux/default.nix Normal file
View File

@ -0,0 +1,57 @@
{ config, lib, ... }:
{
options.snowflake.development.tmux.enable = lib.mkEnableOption "Enable tmux core configuration";
config = lib.mkIf config.snowflake.development.tmux.enable {
programs.tmux = {
enable = true;
shortcut = "a";
aggressiveResize = true;
baseIndex = 1;
newSession = true;
escapeTime = 0;
secureSocket = false;
extraConfig = ''
# Set terminal emulator window title
set -g set-titles on
set -g set-titles-string "#S:#I.#P #W"
# Status Bar styles
set -g status-bg black
set -g status-fg white
set -g status-interval 1
# Show hostname on left side
set -g status-left-length 30
set -g status-left '#[fg=colour2][ #[fg=colour10]#h#[fg=colour2] ][#[default] '
# Set mouse to work
set-option -g mouse on
# Show load and date/time on right side
set -g status-right-length 60
set -g status-right '#[fg=colour2]][ #[fg=colour11]#(cut -d " " -f 1-4 /proc/loadavg)#[fg=colour2] ][ #[fg=colour14]%Y-%m-%d %H:%M:%S#[fg=colour2] ]#[default]'
# Center the window list
set -g status-justify centre
# Format of window items
set -g window-status-format ' #I-$ #W '
set -g window-status-current-format '#[bg=black]#[fg=red,bold](#[fg=white,bold]#I*$ #W#[fg=red,bold])#[default]'
# Notifying if other windows has activities
setw -g monitor-activity on
set -g visual-activity off
# Easy to remember split pane commands
bind | split-window -h -c "#{pane_current_path}"
bind - split-window -v -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"
# 256 Color terminals
set -g default-terminal "screen-256color"
'';
};
};
}

105
modules/home/shell/fish/default.nix Normal file
View File

@ -0,0 +1,105 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.shell.fish.enable = lib.mkEnableOption "Enable fish shell home configuration";
config = lib.mkIf config.snowflake.shell.fish.enable {
programs.fish.enable = true;
programs.fish.interactiveShellInit = ''
set fish_greeting
${pkgs.nix-index}/etc/profile.d/command-not-found.sh | source
${pkgs.starship}/bin/starship init fish | source
'';
programs.fish.plugins = [
{
inherit (pkgs.fishPlugins.autopair) src;
name = "autopair";
}
];
programs.starship =
let
elemsConcatted = lib.strings.concatStrings (
map (s: "\$${s}") [
"hostname"
"username"
"directory"
"shell"
"nix_shell"
"git_branch"
"git_commit"
"git_state"
"git_status"
"jobs"
"cmd_duration"
]
);
in
{
enable = true;
settings = {
scan_timeout = 2;
command_timeout = 2000; # nixpkgs makes starship implode with lower values
# add_newline = false;
line_break.disabled = false;
format = "${elemsConcatted}\n$character";
hostname = {
ssh_only = true;
disabled = false;
format = "@[$hostname](bold blue) "; # the whitespace at the end is actually important
};
# configure specific elements
character = {
error_symbol = "[](bold red)";
success_symbol = "[](bold green)";
vicmd_symbol = "[](bold yellow)";
format = "$symbol [|](bold bright-black) ";
};
username = {
format = "[$user]($style) in ";
};
directory = {
# removes the read_only symbol from the format, it doesn't play nicely with my folder icon
format = "[ ](bold green) [$path]($style) ";
};
# git
git_commit.commit_hash_length = 7;
git_branch.style = "bold purple";
git_status = {
style = "red";
ahead = " ";
behind = " ";
conflicted = " ";
renamed = "»";
deleted = " ";
diverged = " ";
modified = "!";
stashed = "";
staged = "+";
untracked = "?";
};
# language configurations
# the whitespaces at the end *are* necessary for proper formatting
python.symbol = "[ ](blue) ";
rust.symbol = "[ ](red) ";
nix_shell.symbol = "[󱄅 ](blue) ";
golang.symbol = "[󰟓 ](blue)";
package.disabled = true;
};
};
};
}

51
modules/home/user/default.nix Normal file
View File

@ -0,0 +1,51 @@
{
config,
inputs,
lib,
pkgs,
...
}:
{
config = lib.mkIf config.snowfallorg.user.enable {
programs.eza = {
enable = true;
extraOptions = [
"--group-directories-first"
"--header"
];
git = config.snowflake.development.git.enable;
icons = true;
};
# Enable faster, indexed search for nixpkgs.
programs.nix-index = {
enable = true;
enableFishIntegration = true;
};
# Allow home-manager to manage itself.
programs.home-manager.enable = true;
# Enable fuzzy finder.
programs.fzf.enable = true;
# Enable faster, smarter `cd`.
programs.zoxide.enable = true;
home.file = {
# Set allow unfree in user home nix config.
".config/nixpkgs/config.nix".text = "{ allowUnfree = true; }";
# Set sane nano defaults.
".nanorc".text = "set constantshow # Show linenumbers -c as default";
};
# Set the EDITOR environment variable.
home.sessionVariables.EDITOR = if config.snowflake.development.helix.enable then "hx" else "nano";
# Show activation change diff for new builds.
home.activation.report-changes = inputs.home-manager.lib.hm.dag.entryAnywhere ''
${pkgs.nvd}/bin/nvd diff $oldGenPath $newGenPath
'';
};
}

160
modules/nixos/core/default.nix Normal file
View File

@ -0,0 +1,160 @@
{
config,
lib,
pkgs,
...
}: {
options.snowflake = {
stateVersion = lib.mkOption {
type = lib.types.str;
example = "24.05";
description = "NixOS state version to use for this system";
};
extraPackages = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [];
description = "Extra packages to be installed system-wide";
};
timeZone = lib.mkOption {
type = lib.types.str;
description = "Timezone to use for the system";
default = "Asia/Kolkata";
};
};
config = {
console = {
keyMap = lib.mkDefault "us";
useXkbConfig = true;
font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
};
# Enable all snowflake core modules.
snowflake.core.fish.enable = lib.mkDefault true;
snowflake.core.gnupg.enable = lib.mkDefault true;
snowflake.core.nix.enable = lib.mkDefault true;
snowflake.core.security.enable = lib.mkDefault true;
snowflake.core.security.sysctl.enable = lib.mkDefault true;
snowflake.core.sshd.enable = lib.mkDefault true;
boot = {
initrd.systemd.enable = true;
initrd.verbose = false;
# Default to the latest kernel package.
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
# Force performance policy for Active State Performance Management.
kernelParams = [
"pcie_aspm.policy=performance"
"nmi_watchdog=0"
"udev.log_level=3"
];
loader = {
efi.canTouchEfiVariables = true;
# Use systemd-boot for all systems.
systemd-boot = {
enable = true;
# Show only last 10 configurations in the boot menu.
configurationLimit = lib.mkDefault 10;
};
};
};
# NixOS documentation.
documentation = {
enable = true;
doc.enable = false;
info.enable = false;
man.enable = true;
nixos.enable = false;
};
environment = {
defaultPackages = with pkgs;
lib.mkForce [
gitMinimal
home-manager
rsync
];
shells = with pkgs; [
bash
fish
];
systemPackages = with pkgs;
[
bat
btop
curl
duf
fd
file
fzf
git
gnumake
jc
jq
ncdu
ripgrep
tree
unzip
wget
# Networking tools.
dnsutils
ethtool
host
prettyping
whois
]
++ config.snowflake.extraPackages;
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
supportedLocales = ["en_US.UTF-8/UTF-8"];
};
# Can be configured further or is started in user sessions.
programs.mtr.enable = true;
# Run unpatched dynamic binaries on NixOS.
programs.nix-ld.enable = true;
# Enable firmware updates for the system.
services.fwupd.enable = true;
# Enable irqbalance.
services.irqbalance.enable = true;
# Use a high-performance implementation for DBus
services.dbus.implementation = "broker";
# Workaround for irqbalance read-only filesystem issue.
# ref: https://github.com/Irqbalance/irqbalance/issues/308
systemd.services.irqbalance.serviceConfig.ProtectKernelTunables = "no";
system.stateVersion = config.snowflake.stateVersion;
system.activationScripts.diff = {
supportsDryActivation = true;
text = ''
${pkgs.nvd}/bin/nvd --nix-bin-dir=${pkgs.nix}/bin diff /run/current-system "$systemConfig"
'';
};
time.timeZone = config.snowflake.timeZone;
# Enable zram swap.
# ref: https://wiki.archlinux.org/title/Zram
zramSwap.enable = true;
};
}

30
modules/nixos/core/docker/default.nix Normal file
View File

@ -0,0 +1,30 @@
{
config,
lib,
...
}: {
options.snowflake.core.docker = {
enable = lib.mkEnableOption "Enable core docker configuration";
storageDriver = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Storage driver backend to use for docker";
};
};
config = lib.mkIf config.snowflake.core.docker.enable {
virtualisation.docker = {
enable = true;
# Required for containers with `--restart=always`.
enableOnBoot = true;
autoPrune = {
enable = true;
};
extraOptions = "--iptables=False";
inherit (config.snowflake.core.docker) storageDriver;
};
# Add the system user to the docker group
snowflake.user.extraGroups = ["docker"];
};
}

20
modules/nixos/core/fish/default.nix Normal file
View File

@ -0,0 +1,20 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.core.fish.enable = lib.mkEnableOption "Enable core fish configuration";
config = lib.mkIf config.snowflake.core.fish.enable {
environment.systemPackages = [ pkgs.starship ];
programs.fish.enable = true;
users.users.${config.snowflake.user.username} = lib.mkIf config.snowflake.user.enable {
shell = pkgs.fish;
};
users.users.root.shell = pkgs.fish;
};
}

20
modules/nixos/core/gnupg/default.nix Normal file
View File

@ -0,0 +1,20 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.core.gnupg.enable = lib.mkEnableOption "Enable core gnupg configuration";
config = lib.mkIf config.snowflake.core.gnupg.enable {
services.pcscd.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = !config.snowflake.core.sshd.enable;
};
environment.systemPackages = [ pkgs.gnupg ];
};
}

18
modules/nixos/core/lanzaboote/default.nix Normal file
View File

@ -0,0 +1,18 @@
{
config,
lib,
pkgs,
...
}: {
options.snowflake.core.lanzaboote.enable = lib.mkEnableOption "Enable secure boot configuration";
config = lib.mkIf config.snowflake.core.lanzaboote.enable {
environment.systemPackages = [pkgs.sbctl];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
}

73
modules/nixos/core/nix/default.nix Normal file
View File

@ -0,0 +1,73 @@
{
config,
inputs,
lib,
pkgs,
...
}:
{
options.snowflake.core.nix = {
enable = lib.mkEnableOption "Enable core nix configuration";
};
config = lib.mkIf config.snowflake.core.nix.enable {
nix = {
# Run garbage collector daily, and remove anything
# older than 7 days.
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 7d";
};
# Add each flake input as a registry to make nix3 commands
# consistent with nix flakes.
registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
# Add inputs to system's legacy channels.
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
# Use the latest, unstable version of nix.
package = pkgs.nixVersions.git;
settings = {
# Accept flake configuration without prompting.
accept-flake-config = true;
# Replace identical nix store files with hard links.
auto-optimise-store = true;
# Use cache from remote build machines if available.
builders-use-substitutes = true;
experimental-features = [
"auto-allocate-uids"
"ca-derivations"
"cgroups"
"flakes"
"nix-command"
"recursive-nix"
];
# Set local flake registry.
flake-registry = "/etc/nix/registry.json";
# Increase http connections (from 25 to 50) for binary cache.
http-connections = 50;
# Avoid unwanted garbage collection while using nix-direnv.
keep-outputs = true;
keep-derivations = true;
max-jobs = "auto";
# Use sandboxed build environments for builds on all systems.
# Defaults to true on linux.
sandbox = true;
# Add `wheel` group to trusted users.
trusted-users = [
"root"
"@wheel"
];
# Disable warning for dirty git tree.
warn-dirty = false;
# Add cache substituters to allow fetching cached builds.
trusted-substituters = [ "https://nix-community.cachix.org" ];
trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
};
};
};
}

82
modules/nixos/core/security/default.nix Normal file
View File

@ -0,0 +1,82 @@
{
config,
lib,
...
}: {
options.snowflake.core.security = {
enable = lib.mkEnableOption "Enable core security configuration";
sysctl.enable = lib.mkEnableOption "Enable sysctl security configuration";
};
config = lib.mkIf config.snowflake.core.security.enable {
boot = lib.mkMerge [
{
# Disable console logging.
consoleLogLevel = 0;
# Disable verbose message on initrd to prevent log flooding.
initrd.verbose = false;
# Use tmpfs for /tmp, and clean only when not using tmpfs.
tmp.useTmpfs = lib.mkDefault true;
tmp.tmpfsSize = "95%";
# Disable kernel param editing on boot.
loader.systemd-boot.editor = false;
kernelModules = ["tcp_bbr"];
}
(lib.mkIf config.snowflake.core.security.sysctl.enable {
kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router).
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router).
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations).
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks.
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination.
"net.ipv4.tcp_rfc1337" = 1;
# TCP optimization
# Enable TCP Fast Open for incoming and outgoing connections.
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency.
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
})
];
security = {
# Prevent replacing the kernel without reboot.
# protectKernelImage = true;
# Accept ACME terms, so we don't have to do this later.
acme.acceptTerms = true;
# Allows unauthorized applications to send unauthorization request.
polkit.enable = true;
# Enable sudo.
sudo.enable = true;
};
};
}

22
modules/nixos/core/sshd/default.nix Normal file
View File

@ -0,0 +1,22 @@
{ config, lib, ... }:
{
options.snowflake.core.sshd = {
enable = lib.mkEnableOption "Enable core sshd configuration";
};
config = lib.mkIf config.snowflake.core.sshd.enable {
services.openssh = {
enable = true;
settings = {
# Disable password auth and root login.
PasswordAuthentication = false;
PermitRootLogin = "no";
};
openFirewall = true;
};
# Enable mosh for access over spotty networks.
programs.mosh.enable = true;
programs.ssh.startAgent = true;
};
}

82
modules/nixos/desktop/default.nix Normal file
View File

@ -0,0 +1,82 @@
{
config,
lib,
pkgs,
...
}: {
options.snowflake.desktop.enable = lib.mkEnableOption "Enable core Desktop Environment configuration";
config = lib.mkIf config.snowflake.desktop.enable {
snowflake = {
# Enable the fonts module.
desktop.fonts.enable = true;
# Enable the pipewire module.
desktop.pipewire.enable = true;
# Add user to networkmanager and adbusers group.
# Works only when snowflake.user.enable is true.
user.extraGroups = ["adbusers"];
};
# Enable ADB for Android devices.
programs.adb.enable = true;
programs.dconf.enable = true;
# Start the ssh agent if enabled.
programs.ssh.startAgent = config.snowflake.core.sshd.enable;
# Add opengl hardware support.
hardware.graphics = {
enable = true;
enable32Bit = true;
extraPackages = with pkgs; [
vaapiIntel
libvdpau-va-gl
vaapiVdpau
intel-ocl
intel-media-driver
];
};
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
};
# Prevents xterm from being installed.
# Prefer installing a custom terminal emulator instead.
services.xserver.excludePackages = [pkgs.xterm];
services.xserver.desktopManager.xterm.enable = false;
# Enable profile-sync-daemon for browsers.
# ref: https://wiki.archlinux.org/title/profile-sync-daemon
services.psd.enable = true;
# Add udev rules for ADB.
services.udev.packages = [pkgs.android-udev-rules];
# Enable XDG Portal.
# Additional configuration will be done through individual
# desktop environment configurations.
xdg.portal.enable = true;
# Set environment variables for the system.
environment.variables = {
# Make Electron applications run in wayland.
NIXOS_OZONE_WL = "1";
# Disable G-Sync and VRR.
__GL_GSYNC_ALLOWED = "0";
__GL_VRR_ALLOWED = "0";
GDK_BACKEND = "wayland";
DIRENV_LOG_FORMAT = "";
WLR_DRM_NO_ATOMIC = "1";
QT_AUTO_SCREEN_SCALE_FACTOR = "1";
QT_QPA_PLATFORM = "wayland;xcb";
# Run firefox in wayland.
MOZ_ENABLE_WAYLAND = "1";
WLR_BACKEND = "vulkan";
WLR_RENDERER = "vulkan";
XDG_SESSION_TYPE = "wayland";
SDL_VIDEODRIVER = "wayland";
CLUTTER_BACKEND = "wayland";
};
};
}

85
modules/nixos/desktop/fonts/default.nix Normal file
View File

@ -0,0 +1,85 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.desktop.fonts.enable = lib.mkEnableOption "Enable desktop font configuration";
config = lib.mkIf config.snowflake.desktop.fonts.enable {
fonts = {
fontDir.enable = true;
packages = with pkgs; [
cantarell-fonts
corefonts
dejavu_fonts
fira
fira-code
fira-code-symbols
fira-go
google-fonts
hack-font
ibm-plex
inconsolata
inter
iosevka
liberation_ttf
libertine
libre-baskerville
material-design-icons
mplus-outline-fonts.githubRelease
(nerdfonts.override {
fonts = [
"FiraCode"
"JetBrainsMono"
"NerdFontsSymbolsOnly"
"SourceCodePro"
"UbuntuMono"
];
})
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
noto-fonts-extra
powerline-fonts
proggyfonts
source-serif
roboto
ubuntu_font_family
vistafonts
work-sans
];
fontconfig = {
enable = true;
antialias = true;
defaultFonts = {
serif = [
"Noto Serif"
"Noto Color Emoji"
];
sansSerif = [
"Noto Sans"
"Noto Color Emoji"
];
monospace = [
"JetBrainsMono Nerd Font"
"Noto Color Emoji"
];
emoji = [ "Noto Color Emoji" ];
};
hinting = {
autohint = false;
enable = true;
style = "slight";
};
subpixel = {
rgba = "rgb";
lcdfilter = "light";
};
};
};
};
}

57
modules/nixos/desktop/kde/default.nix Normal file
View File

@ -0,0 +1,57 @@
{
config,
lib,
pkgs,
...
}: {
options.snowflake.desktop.kde = {
enable = lib.mkEnableOption "Enable the KDE Plasma Desktop Environment";
};
config = lib.mkIf config.snowflake.desktop.kde.enable {
services = {
libinput.enable = true;
xserver = {
enable = true;
videoDrivers = ["intel"];
};
displayManager.sddm = {
enable = true;
wayland.enable = true;
wayland.compositor = "kwin";
};
desktopManager.plasma6.enable = true;
# Enable fingerprint authentication.
# Requires fingerprint registered using `fprint-enroll` to work.
fprintd.enable = true;
};
# Remove bloatware that we do not require.
environment.plasma6.excludePackages = with pkgs.kdePackages; [
konsole
khelpcenter
kate
elisa
];
# Disable fprint authentication for login.
# SDDM does not work well with fingerprint authentication.
security.pam.services.login.fprintAuth = false;
# Additional configuration for XDG Portal.
xdg.portal.wlr.enable = true;
xdg.portal.xdgOpenUsePortal = true;
xdg.portal.extraPortals = with pkgs; [
xdg-desktop-portal-gtk
xdg-desktop-portal-kde
];
snowflake.user.extraGroups = [
"audio"
"input"
"video"
];
};
}

31
modules/nixos/desktop/pipewire/default.nix Normal file
View File

@ -0,0 +1,31 @@
{
config,
lib,
pkgs,
...
}: {
options.snowflake.desktop.pipewire.enable = lib.mkEnableOption "Enable pipewire configuration";
config = lib.mkIf config.snowflake.desktop.pipewire.enable {
# Enable sound.
# sound.enable = true;
# Use pipewire for sound and disable pulseaudio.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
wireplumber.enable = true;
};
# Add sof-firmware for system mic and speaker mute keys.
# Specifically for thinkpad, might work for a few other systems (untested).
environment.systemPackages = [
pkgs.sof-firmware
pkgs.ffmpeg
];
};
}

27
modules/nixos/gaming/steam/default.nix Normal file
View File

@ -0,0 +1,27 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.gaming.steam.enable = lib.mkEnableOption "Enable steam";
config = lib.mkIf config.snowflake.gaming.steam.enable {
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
package = pkgs.steam.override {
extraPkgs =
pkgs: with pkgs; [
pango
libthai
harfbuzz
glxinfo
];
};
};
};
}

18
modules/nixos/hardware/bluetooth/default.nix Normal file
View File

@ -0,0 +1,18 @@
{ config, lib, ... }:
{
options.snowflake.hardware.bluetooth.enable = lib.mkEnableOption "Enable bluetooth hardware support";
config = lib.mkIf config.snowflake.hardware.bluetooth.enable {
# Enable bluetooth hardware.
hardware.bluetooth = {
enable = true;
settings = {
General = {
# Enable battery charge levels for bluetooth devices.
Experimental = true;
KernelExperimental = true;
};
};
};
};
}

61
modules/nixos/hardware/initrd-luks/default.nix Normal file
View File

@ -0,0 +1,61 @@
{
config,
lib,
...
}: {
options.snowflake.hardware.initrd-luks = {
enable = lib.mkEnableOption "Enable initrd-luks hardware configuration";
sshPort = lib.mkOption {
type = lib.types.int;
default = 22;
description = "SSH Port to use for initrd-luks decryption";
};
shell = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Shell to use for initrd-luks decryption";
};
hostKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = ["/etc/ssh/ssh_host_ed25519_key"];
description = "Path to the host keys to use for initrd-luks decryption";
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "List of authorized keys for initrd-luks decyption";
};
availableKernelModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "List of available kernel modules for initrd-luks decryption";
};
};
config = lib.mkIf config.snowflake.hardware.initrd-luks.enable {
# Enable remote LUKS unlocking.
# This allows remote SSH to unlock LUKS encrypted root.
# $ ssh root@<ip>
# While in the shell, run `systemctl default` or `systemd-ask-password`
# to trigger the unlock prompt.
boot = {
initrd.network = {
flushBeforeStage2 = true;
enable = true;
ssh = {
enable = true;
port = config.snowflake.hardware.initrd-luks.sshPort;
inherit (config.snowflake.hardware.initrd-luks) hostKeys;
inherit (config.snowflake.hardware.initrd-luks) authorizedKeys;
};
};
# initrd.systemd.users.root.shell = config.snowflake.hardware.initrd-luks.shell;
# Required for the network card that
# requires a kernel module to work.
initrd.availableKernelModules = config.snowflake.hardware.initrd-luks.availableKernelModules;
# Use DHCP to figure out the IP address.
kernelParams = ["ip=dhcp"];
};
};
}

22
modules/nixos/hardware/yubico/default.nix Normal file
View File

@ -0,0 +1,22 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.hardware.yubico.enable = lib.mkEnableOption "Enable yubico hardware support";
config = lib.mkIf config.snowflake.hardware.yubico.enable {
# Enable FIDO authentication support.
# ref: https://nixos.wiki/wiki/Yubikey
security.pam = {
u2f.enable = true;
services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
};
};
services.udev.packages = [ pkgs.yubikey-personalization ];
};
}

81
modules/nixos/networking/default.nix Normal file
View File

@ -0,0 +1,81 @@
{
config,
lib,
...
}: {
options.snowflake.networking = {
iwd.enable = lib.mkEnableOption "Enable iwd backend for network manager";
networkd.enable = lib.mkEnableOption "Enable systemd network management daemon";
networkManager.enable = lib.mkEnableOption "Enable network-manager";
resolved.enable = lib.mkEnableOption "Enable systemd-resolved";
firewall.enable = lib.mkEnableOption "Enable system firewall";
};
config = lib.mkMerge [
{
# Enable the network firewall by default.
networking.firewall.enable = config.snowflake.networking.firewall.enable;
# use nftables for firewall
networking.nftables.enable = true;
}
(lib.mkIf config.snowflake.networking.iwd.enable {
networking.wireless.iwd = {
enable = true;
settings = {
General = {
AddressRandomization = "network";
AddressRandomizationRange = "full";
EnableNetworkConfiguration = true;
RoamRetryInterval = 15;
};
Network = {
EnableIPv6 = true;
RoutePriorityOffset = 300;
};
Settings = {
AutoConnect = true;
};
# Prioritize connection to 5GHz.
Rank.BandModifier5Ghz = 2.0;
Scan.DisablePeriodicScan = true;
};
};
})
(lib.mkIf config.snowflake.networking.networkManager.enable {
systemd.services.NetworkManager-wait-online.enable = false;
networking.networkmanager = {
enable = lib.mkDefault true;
# Disable Wifi powersaving
wifi.powersave = false;
wifi.backend =
if config.snowflake.networking.iwd.enable
then "iwd"
else "wpa_supplicant";
};
snowflake.user.extraGroups = ["networkmanager"];
services.resolved = {
enable = config.snowflake.networking.resolved.enable;
};
})
(lib.mkIf config.snowflake.networking.networkd.enable {
systemd.network.enable = true;
systemd.services = {
systemd-networkd-wait-online.enable = false;
systemd-networkd.restartIfChanged = false;
firewall.restartIfChanged = false;
};
networking.interfaces = {
enp1s0.useDHCP = true;
wlan0.useDHCP = true;
};
})
];
}

25
modules/nixos/networking/mullvad/default.nix Normal file
View File

@ -0,0 +1,25 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.networking.mullvad.enable = lib.mkEnableOption "Enable Mullvad VPN client";
config = lib.mkIf config.snowflake.networking.mullvad.enable {
networking = {
# ref: https://github.com/NixOS/nixpkgs/issues/113589
firewall.checkReversePath = "loose";
wireguard.enable = true;
# mullvad-daemon requires iproute2 route tables.
iproute2.enable = true;
};
services.mullvad-vpn = {
enable = true;
package = pkgs.mullvad-vpn;
};
};
}

30
modules/nixos/networking/netbird/default.nix Normal file
View File

@ -0,0 +1,30 @@
{
config,
lib,
pkgs,
...
}: {
options.snowflake.networking.netbird.enable = lib.mkEnableOption "Enable Netbird VPN client";
config = lib.mkIf config.snowflake.networking.netbird.enable {
networking = {
firewall = {
checkReversePath = "loose";
trustedInterfaces = ["wt0"];
allowedUDPPorts = [config.services.netbird.tunnels.wt0.port];
};
# networkmanager.unmanaged = ["wt0"];
# ref: https://github.com/NixOS/nixpkgs/issues/113589
wireguard.enable = true;
# netbird requires iproute2 route tables.
# iproute2.enable = true;
};
services.netbird.enable = true;
# Unmanage the `wt0` interface rules to allow reconnection after suspend.
systemd.network.config.networkConfig.ManageForeignRoutingPolicyRules = lib.mkDefault false;
snowflake.extraPackages = [pkgs.netbird-ui];
};
}

51
modules/nixos/services/arr/default.nix Normal file
View File

@ -0,0 +1,51 @@
{
config,
lib,
pkgs,
...
}: {
options.snowflake.services.arr = {
enable = lib.mkEnableOption "Enable arr suite configuration";
jellyfin.enable = lib.mkEnableOption "Enable jellyfin configuration for NixOS";
# mediaDir = lib.mkOption {
# type = lib.types.path;
# description = "Path to media storage directory, accessible by all *arr suite applications";
# };
};
config = let
cfg = config.snowflake.services.arr;
in
lib.mkIf cfg.enable {
services.jellyfin = {
enable = cfg.jellyfin.enable;
openFirewall = true;
};
users.groups.media = {
members = ["@wheel" "jellyfin"];
};
nixpkgs.config.packageOverrides = pkgs: {
jellyfin-ffmpeg = pkgs.jellyfin-ffmpeg.override {
ffmpeg_6-full = pkgs.ffmpeg_6-full.override {
withMfx = false;
withVpl = true;
};
};
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-compute-runtime
onevpl-intel-gpu
libvdpau-va-gl
];
};
services.jellyseerr.enable = true;
services.jellyseerr.openFirewall = true;
};
}

116
modules/nixos/services/backup/default.nix Normal file
View File

@ -0,0 +1,116 @@
{
config,
lib,
...
}:
with lib; let
inherit (utils.systemdUtils.unitOptions) unitOption;
in {
options.snowflake.services.backups = {
enable = mkEnableOption "Enable restic backup service";
resticEnvironmentFile = mkOption {
description = "Age module containing the restic environment details";
};
resticPasswordFile = mkOption {
description = "Age module containing the restic password";
};
repository = mkOption {
description = "Repository to use as the restic endpoint. Must be in the form of <provider>:<repository>";
type = types.str;
example = "b2:nix-backup-repository";
};
config = mkOption {
default = {};
type = types.attrsOf (
types.submodule (
{_}: {
options = {
dynamicFilesFrom = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
A script that produces a list of files to back up.
The result of this command are given to the `--files-from` option.
'';
example = "find /home/user/repository -type d -name .git";
};
paths = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
description = ''
List of paths to bck up. If null or an empty array,
no backup command will be run. This can be used to
create a prune-only job.
'';
example = [
"/etc/nixos"
"/var/lib/postgresql"
];
};
user = mkOption {
type = types.str;
default = "root";
description = ''
The user under which the backup should run.
'';
example = "postgresql";
};
timerConfig = mkOption {
type = types.attrsOf unitOption;
default = {
OnCalendar = "daily";
};
description = ''
When to run the backup process. See man systemd.timer for details.
'';
example = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
};
};
}
)
);
};
};
config = let
cfg = config.snowflake.services.backups;
in
mkIf cfg.enable {
age.secrets = {
restic-environment.file = cfg.resticEnvironment.file;
restic-password.file = cfg.resticPassword.file;
};
services.restic.backups =
mapAttrs' (
name: value:
nameValuePair name (
{
initialize = true;
repository = "${cfg.repository}:/${config.system.name}/${name}";
environmentFile = config.age.secrets.restic-environment.path;
passwordFile = config.age.secrets.restic-password.path;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
];
}
// value
)
)
cfg.config;
};
}

109
modules/nixos/services/gitea/default.nix Normal file
View File

@ -0,0 +1,109 @@
{ config, lib, ... }:
{
options.snowflake.services.gitea = {
enable = lib.mkEnableOption "Enable gitea service";
domain = lib.mkOption {
type = lib.types.str;
description = "Configuration domain to use for the gitea service";
};
sshDomain = lib.mkOption {
type = lib.types.str;
description = "SSH domain to use for the gitea service";
};
dbPasswordFile = lib.mkOption {
description = "Age module containing the postgresql password to use for gitea";
};
httpPort = lib.mkOption {
type = lib.types.int;
description = "Configuration port for the gitea service to listen on";
default = 3001;
};
sshPort = lib.mkOption {
type = lib.types.int;
description = "SSH port for the gitea service to listen on";
default = 22022;
};
};
config = lib.mkIf config.snowflake.services.gitea.enable {
age.secrets.gitea = {
inherit (config.snowflake.services.gitea.dbPasswordFile) file;
owner = config.services.gitea.user;
group = config.services.gitea.user;
};
services.gitea = {
enable = true;
lfs.enable = true;
user = "git";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea.path;
name = config.services.gitea.user;
inherit (config.services.gitea) user;
};
settings = {
actions = {
ENABLED = true;
};
picture = {
DISABLE_GRAVATAR = true;
};
server = {
DOMAIN = config.snowflake.services.gitea.domain;
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = config.snowflake.services.gitea.httpPort;
ROOT_URL = "https://${config.snowflake.services.gitea.domain}";
SSH_DOMAIN = "https://${config.snowflake.services.gitea.sshDomain}";
SSH_PORT = config.snowflake.services.gitea.sshPort;
};
service = {
DISABLE_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
security = {
LOGIN_REMEMBER_DAYS = 14;
MIN_PASSWORD_LENGTH = 12;
PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
PASSWORD_CHECK_PWN = true;
};
other = {
SHOW_FOOTER_VERSION = false;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
};
};
};
networking.firewall = lib.mkIf config.networking.firewall.enable {
allowedTCPPorts = [ config.snowflake.services.gitea.sshPort ];
};
users.users.git = {
description = "Gitea service user";
home = config.services.gitea.stateDir;
useDefaultShell = true;
group = "git";
isSystemUser = true;
};
users.groups.git = { };
services.nginx = {
virtualHosts = {
"${config.snowflake.services.gitea.domain}" = {
serverName = config.snowflake.services.gitea.domain;
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.snowflake.services.gitea.httpPort}/";
};
};
};
};
};
}

46
modules/nixos/services/homebridge/default.nix Normal file
View File

@ -0,0 +1,46 @@
{ config, lib, ... }:
{
options.snowflake.services.homebridge.enable = lib.mkEnableOption "Enable homebridge service for Apple HomeKit";
config = lib.mkIf config.snowflake.services.homebridge.enable {
networking.firewall = lib.mkIf config.networking.firewall.enable {
allowedTCPPorts = [
5353
8581
51241
];
allowedTCPPortRanges = [
{
from = 52100;
to = 52150;
}
];
allowedUDPPorts = [
5353
8581
51241
];
allowedUDPPortRanges = [
{
from = 52100;
to = 52150;
}
];
};
virtualisation.oci-containers.containers.homebridge = {
image = "docker.io/homebridge/homebridge:latest";
volumes = [ "/var/lib/homebridge:/homebridge" ];
environment = {
TZ = config.time.timeZone;
};
ports = [ "8581:8581" ];
extraOptions = [
"--privileged"
"--net=host"
# For podman
"label=io.containers.autoupdate=registry"
];
};
};
}

27
modules/nixos/services/maych-in/default.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, lib, ... }:
{
options.snowflake.services.static-site = {
enable = lib.mkEnableOption "Enable static site using nginx";
package = lib.mkOption {
type = lib.types.package;
description = "Package to use as a root directory for the static site";
};
domain = lib.mkOption {
type = lib.types.str;
description = "Domain to use for the static site";
};
};
config = lib.mkIf config.snowflake.services.static-site.enable {
services.nginx = {
virtualHosts = {
"${config.snowflake.services.static-site.domain}" = {
serverName = config.snowflake.services.static-site.domain;
enableACME = true;
forceSSL = true;
root = config.snowflake.services.static-site.package;
};
};
};
};
}

61
modules/nixos/services/miniflux/default.nix Normal file
View File

@ -0,0 +1,61 @@
{ config, lib, ... }:
{
options.snowflake.services.miniflux = {
enable = lib.mkEnableOption "Enable miniflux service";
domain = lib.mkOption {
type = lib.types.str;
default = "";
description = "Configuration domain to use for the miniflux service";
};
adminTokenFile = lib.mkOption {
description = "Age module containing the ADMIN_USERNAME and ADMIN_PASSWORD to use for miniflux";
};
listenPort = lib.mkOption {
type = lib.types.int;
description = "Configuration port for the miniflux service to listen on";
default = 8816;
};
};
config =
let
cfg = config.snowflake.services.miniflux;
in
lib.mkIf cfg.enable {
age.secrets.miniflux = {
inherit (cfg.adminTokenFile) file;
owner = "miniflux";
group = "miniflux";
};
services.miniflux.enable = true;
services.miniflux.adminCredentialsFile = config.age.secrets.miniflux.path;
services.miniflux.config = {
LISTEN_ADDR = "localhost:${toString cfg.listenPort}";
BASE_URL = "https://${cfg.domain}";
};
services.nginx = {
virtualHosts = {
"${cfg.domain}" = {
serverName = "${cfg.domain}";
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.listenPort}";
extraConfig = ''
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
};
};
}

67
modules/nixos/services/paperless/default.nix Normal file
View File

@ -0,0 +1,67 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.services.paperless = {
enable = lib.mkEnableOption "Enable paperless service";
domain = lib.mkOption {
type = lib.types.str;
default = "";
description = "Configuration domain to use for the paperless service";
};
passwordFile = lib.mkOption {
description = "Age module containing the password to use for paperless";
};
adminUser = lib.mkOption {
type = lib.types.str;
description = "Administrator username for the paperless service";
};
};
config =
let
cfg = config.snowflake.services.paperless;
in
lib.mkIf cfg.enable {
age.secrets.paperless = {
inherit (cfg.passwordFile) file;
owner = "paperless";
group = "paperless";
};
services.paperless = {
enable = true;
package = pkgs.paperless-ngx;
passwordFile = config.age.secrets.paperless.path;
settings = {
PAPERLESS_URL = "https://${cfg.domain}";
PAPERLESS_OCR_LANGUAGE = "eng";
PAPEERLESS_TASK_WORKERS = 4;
PAPERLESS_THREADS_PER_WORKER = 4;
PAPERLESS_ADMIN_USER = cfg.adminUser;
};
};
# Requires services.nginx.enable.
services.nginx = {
virtualHosts = {
"${cfg.domain}" = {
serverName = "${cfg.domain}";
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
};
};
};
};
};
}

21
modules/nixos/services/unifi-controller/default.nix Normal file
View File

@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.services.unifi-controller.enable = lib.mkEnableOption "Enable Unifi controller service for Unifi devices";
config = lib.mkIf config.snowflake.services.unifi-controller.enable {
networking.firewall.allowedTCPPorts = [ 8443 ];
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
# Limit memory to 256MB. Works well enough
# for small, home-based controller deployments.
maximumJavaHeapSize = 256;
openFirewall = true;
};
};
}

79
modules/nixos/services/vaultwarden/default.nix Normal file
View File

@ -0,0 +1,79 @@
{
config,
lib,
pkgs,
...
}:
{
options.snowflake.services.vaultwarden = {
enable = lib.mkEnableOption "Enable vaultwarden service with postgres and nginx";
domain = lib.mkOption {
type = lib.types.str;
default = "";
description = "Configuration domain to use for the vaultwarden service";
};
adminTokenFile = lib.mkOption {
description = "Age module containing the ADMIN_TOKEN to use for vaultwarden";
};
};
config =
let
cfg = config.snowflake.services.vaultwarden;
in
lib.mkIf cfg.enable {
age.secrets.vaultwarden = {
inherit (cfg.adminTokenFile) file;
owner = "vaultwarden";
group = "vaultwarden";
};
services.vaultwarden = {
enable = true;
package = pkgs.vaultwarden;
environmentFile = config.age.secrets.vaultwarden.path;
dbBackend = "postgresql";
config = {
domain = "https://${cfg.domain}";
signupsAllowed = false;
rocketAddress = "127.0.0.1";
rocketPort = 33003;
databaseUrl = "postgres:///vaultwarden?host=/var/run/postgresql";
};
};
services.postgresql = {
# NOTE: To upgrade postgresql to a newer version, refer:
# https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading
package = pkgs.postgresql_14;
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
# Requires services.nginx.enable.
services.nginx = {
virtualHosts = {
"${cfg.domain}" = {
serverName = "${cfg.domain}";
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}/";
};
};
};
};
};
}

89
modules/nixos/user/default.nix Normal file
View File

@ -0,0 +1,89 @@
{ config, lib, ... }:
{
options.snowflake.user = {
enable = lib.mkEnableOption "Enable user configuration";
uid = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = 1000;
description = "User ID for the system user";
};
username = lib.mkOption {
type = lib.types.str;
description = "Username for the system user";
};
description = lib.mkOption {
type = lib.types.str;
description = "Real name for the system user";
};
extraGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
extraAuthorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Additional authorized keys for the system user";
};
extraRootAuthorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Additional authorized keys for root user";
};
userPasswordAgeModule = lib.mkOption {
description = "Age file to include to use as user password";
};
rootPasswordAgeModule = lib.mkOption {
description = "Age file to include to use as root password";
};
setEmptyPassword = lib.mkEnableOption "Enable to set empty password for the system user";
setEmptyRootPassword = lib.mkEnableOption "Enable to set empty password for the root user";
};
config = {
# Make users immutable.
users.mutableUsers = false;
# Add ~/bin to $PATH.
environment.homeBinInPath = config.snowflake.user.enable;
# Load password files.
age.secrets.hashed-user-password = lib.mkIf (
!config.snowflake.user.setEmptyPassword && config.snowflake.user.enable
) config.snowflake.user.userPasswordAgeModule;
age.secrets.hashed-root-password = lib.mkIf (
!config.snowflake.user.setEmptyRootPassword
) config.snowflake.user.rootPasswordAgeModule;
# Configure the user account.
# NOTE: hashedPasswordFile has an issue. If the auth method is changed from `hashedPassword`
# to `hashedPasswordFile`, /etc/shadow gets messed up and login does not work. To fix this
# we need to remove all the users' entries from /etc/shadow and run nixos-rebuild. Seems to be
# a one-time thing.
# ref: https://github.com/NixOS/nixpkgs/issues/99433
users.users.${config.snowflake.user.username} = lib.mkIf config.snowflake.user.enable {
inherit (config.snowflake.user) description;
extraGroups = [
"wheel"
"users"
] ++ config.snowflake.user.extraGroups;
hashedPasswordFile = lib.mkIf (
!config.snowflake.user.setEmptyPassword
) config.age.secrets.hashed-user-password.path;
isNormalUser = true;
openssh.authorizedKeys.keys = config.snowflake.user.extraAuthorizedKeys;
inherit (config.snowflake.user) uid;
};
# Define password, authorized keys and shell for root user.
users.users.root = {
hashedPasswordFile = lib.mkIf (
!config.snowflake.user.setEmptyRootPassword
) config.age.secrets.hashed-root-password.path;
openssh.authorizedKeys.keys = config.snowflake.user.extraRootAuthorizedKeys;
};
# Configure some miscellaneous dotfiles for my user.
# home-manager.users.${config.snowflake.user.username} = lib.mkIf config.snowflake.user.enable {
};
}

26
overlays/netbird/default.nix Normal file
View File

@ -0,0 +1,26 @@
_: _self: super: let
version = "0.28.8";
in {
netbird = super.netbird.override {
buildGoModule = args:
super.buildGoModule (
args
// {
inherit version;
src = super.fetchFromGitHub {
owner = "netbirdio";
repo = "netbird";
rev = "v${version}";
hash = "sha256-DfY8CVBHgE/kLALKNzSgmUxM0flWLesU0XAgVsHHLKc=";
};
vendorHash = "sha256-CqknRMijAkWRLXCcIjRBX2wB64+RivD/mXq28TqzNjg=";
ldflags = [
"-s"
"-w"
"-X github.com/netbirdio/netbird/version.version=${version}"
"-X main.builtBy=nix"
];
}
);
};
}

7
secrets/machines/bicboye/password.age Normal file
View File

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA KqFc6Ej8L8yNVX3EoEqlJZlpdmsBTAn3GDPlH0CsmWc
6cEtER5dcQNzWfPUGeN0tMyPEwOUMkSTiqnCQrsNhp8
-> ssh-ed25519 9JjquQ sFTTVGk5VDcfw/K4yKbwGX73O2LFXp5eHWkzHhAeDVY
usZ/giJLoWxXJ0pA8HZZSHMybxuxf8HxjDkeD5Kpuz4
--- CjABvoWY5QYTJ2OmUnqxOxyehm3r/YQmYyx00auShxY
t0æ<EFBFBD>Ç]—iéû<C3A9>fEÇ!ö¿‹úi µ—+­ÕÔ¬íA(¥Ò£TÚ”R ë,ªM9׺¤Ã?‰¼såÎ~ù=ÓÀ¦ýžOô“Ôõ¢þx<C3BE>}¼7!õã<12>{£"'FÎC¥ $Æ@Æžoæø‘ïç%§íJÝ®bxE·W:³x­<ò3(U±

8
secrets/machines/bicboye/root-password.age Normal file
View File

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA 3+hMUFIxtx9E/zDlfBO+hGXrH9DczMw+7iD0X1XKU3k
TOkvyYCoTcDa2hNlKEzlgsw5igOhFbUMDRuW2HAUNw8
-> ssh-ed25519 9JjquQ dPcsKuRuy8x1eDFfECiSfBYZqb6OUXAAdmbURYvaW0E
UmpPB5oPTX24i9lthZmG5Ec13LDiwWO3rDyU4VParcE
--- L03TAuKNx+q1xZSKLIPaeC70arrtZYKr5S3y8B2kPJI
êǼä•Ðï™'~Ÿ™†å^c „tv_Øêñ%#Ò ‰ÄÿT€¾ˆºde[ápœBæܵ“Œ ƒ¨a{Ó߯ddÂÑörÙâ
º«éCà.‰øs]áØ-í6©b±JÿkïËÝ;µüÍg#<>EtçgÊÀ Ðì@å—iQàèäP®ö|>Ì<>ÔÓ

9
secrets/machines/thonkpad/password.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA tlbrFSUIpErZri6A7aRu9mrzDG7QcIy/18lEvX25hkA
Fj6JcwB4uJs+aM3AbV6Svrj6VJezt7cpZC1dId5/hSs
-> ssh-ed25519 XbzZEw uKNtnEb70dMwdqQ30o9AQZHu5YlCNibttAXpcNgzxG0
yCkEOaU2ioYdOJxCCbijkKJZREiV02M9gxLyXmOvdTE
-> ssh-ed25519 wWcc7w OSUGAGAa++2z9JudGKv9pdZnP0ZbxuapbAuyjycanz4
i9mArrFaC+zUIJWQms7F57mEnAYKLJzKyu1r9R16j4Q
--- 1unXr5UfhyzTZqri4fExZh0dLtvnQZM6zfWLLlXIBgI
ÂXlúþ4ø õKê.Á$ÆZnÂA4˜M}RòèAîeÿÐO6×ÐpJE!B Ò^-~ä"ë,ÎÜq¤¶l<C2B6>Ÿ™@GÙÃpáM!ä*ùÊIR¤­Âȧ½“)Ìù “lˆòý]åÆq/NÐh¸eRŠ*ŠßvЄƒ *‰<16>B¾1ó63<08>¦kí

BIN
secrets/machines/thonkpad/root-password.age Normal file
View File

Binary file not shown.

33
secrets/secrets.nix Normal file
View File

@ -0,0 +1,33 @@
let
codingcoffee = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN cc@predator"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C cc@eden"
];
thunderbottom = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
];
thonkpad = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrNdHskpknCow+nuCTEBRrKb0b2BKzwTQY60eEAWztS"
];
smolboye = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQFm91hLes24sYbq96zD52mDrrr1l2F2xstcfAEg+qI"];
bicboye = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsciEMPwLAYtbHNkdedjhSrb66fFQ46lgnVGssCuiLH"];
servers = bicboye ++ smolboye;
users = thunderbottom ++ codingcoffee;
in {
"machines/thonkpad/password.age".publicKeys = thunderbottom ++ thonkpad;
"machines/thonkpad/root-password.age".publicKeys = thunderbottom ++ thonkpad;
"machines/bicboye/password.age".publicKeys = thunderbottom ++ bicboye;
"machines/bicboye/root-password.age".publicKeys = thunderbottom ++ bicboye;
"services/backup/environment.age".publicKeys = thunderbottom ++ bicboye;
"services/backup/password.age".publicKeys = thunderbottom ++ bicboye;
"services/gitea/password.age".publicKeys = thunderbottom ++ bicboye;
"services/maddy/password.age".publicKeys = thunderbottom ++ bicboye;
"services/maddy/user-watashi.age".publicKeys = thunderbottom ++ servers;
"services/miniflux/password.age".publicKeys = thunderbottom ++ bicboye;
"services/paperless/password.age".publicKeys = users ++ bicboye;
"services/vaultwarden/password.age".publicKeys = users ++ bicboye;
}

BIN
secrets/services/backup/environment.age Normal file
View File

Binary file not shown.

7
secrets/services/backup/password.age Normal file
View File

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA cu04OlowGfn91ape/TGXYToi4kFU9JIS4iY09qlMPmo
Yv2vSFELyNl93DaNQc+E3b9MuwGr0k79TISXF2fUxTY
-> ssh-ed25519 9JjquQ FJ0QtlUi+VKZ7S6BtqCj21x5Q2QG/8s2bay4j+JFFlQ
K1ijqw6pz7F0CZedLxNdXWuPrKMm/y4cnVaVlMuQ4CM
--- WJz/j8eixXYAzN4VxyHrdMaXCSFsVzlVAhXU8cgq6cU
â[À ÿUuàÜ ßfL—8¾Ì¶œÇ­QÂRrV4£ò'_&Å»zÏ<7A>þ,ƒÆîQ•š6g䃡NÙq

7
secrets/services/gitea/password.age Normal file
View File

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA PIaYFOuYTsAufLY3jySjdLfKzfcQ6hAetR8sG9k4KTM
Wg1kb+WgD8MW81bJfwejeTiiEVJCH9WWQ7O7J5zeYj8
-> ssh-ed25519 9JjquQ nN0gqdhhk+tcsXgb2YdlNr9TCM8ZzJ8jgwFQK+o3Cw0
uklN8haFY8XCUMIlAPqIheganGtCyLSg2w/4LM9dcdM
--- uNsDhT+Z43s4wRMaKiuVS0CIib7Geh+zBtSHIPLdHmY
7Vÿ<EFBFBD>ÌäŒ%Ð)¶},1¾Ã½r㊔_× Ù;œçÝ·ï°õÿÍ­Nbîl

7
secrets/services/maddy/password.age Normal file
View File

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA 6fvS/eRe0S7zxzr85BqpsPzsrcgnpnVvHh8qI7CEyig
9QpSqlaAfRJ3zS3tnwna6WnZLfQdvoGqFETjVHbZVJ4
-> ssh-ed25519 9JjquQ l8kHf5rPgVU/ls1nHp9c1pLhCOfxgodbcKhxP1CTwi0
kU/FeaKvBfEtTAT3F6jBMesZDtenUA4lza7+lYsaJlc
--- 7pUn3sY/IBJkMQWYzjY99NJURtov6Aiyz5djQCgpgPo
ÏÝXÞ2)RÒ„þÖæc¸éb q1q!>w¶ö¡#ý®øW(·¡Ý(<>yJDz#üØ)D¹(ý"yQÆë~±•YP¦<50>¤aO¦ìV˜Ñ(äЭ#lmì†Ë+/‘Í<48>#+ZëÂy¶@ ðž{p

9
secrets/services/maddy/user-watashi.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA OsckddKmgFuwo64IFPysoEWhUWdaNz0fQOpgup0dKQY
o1/BcRP/NND8YHZYuQnclfa1GxlczSdc57nOw9Zm2io
-> ssh-ed25519 9JjquQ pLjLs2p363cKXPmz8iYAOJUYSlmK4N9GCXlizaE5fj4
kIdPVG/i3WdRGYxLefEnCA8cTytHCZEcpqbp5Y8aG2o
-> ssh-ed25519 H9OGOA BowCiYKCWxWbiapKpdshcRzdZR1UEscscAAOe/kEig8
Lexjp0LuPZs5bV8CQ63Scb+xh8lPDM7x17KD9r0/1qU
--- e+NBlts82HBx3gbjznmUKufAYF1w2fzEO+LNx9yvq18
<EFBFBD>#<ÐUŲݲ?Ã{çþC¹ÝÈäÓ_ÞoyXüZBEʶ£%é§Ä,m<>#÷fSõkÀ§à­~z

7
secrets/services/miniflux/password.age Normal file
View File

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA inhxQU5+jlt6A2Ahn7xif+Ncv2SGSRusySaiGSRC/Cg
mUIduBibBHSQKf+3gyFxU4HRA1Hrb4dVA5grE/vO2Mc
-> ssh-ed25519 9JjquQ qnjvC1aSVNonnVKwEgSPwpbWmalSI2rL99XnGCFMr0I
lbLq+anGxBDIZ5JLxv0AuW33wRqzgU/TQ8yT5m5rHJg
--- 28LhE362umkY5DWiBzAiT32Zm6AvBQRiVLjJ9EALRkA
p­¡~Rt°‰R†žÔÈ ù°‰Û$}ÂJúâóÌ@³X$MÅcé»ÿþ>ºÀî Þ<Ãì<¤[¨ª&Ëd©…·£ØÔÌ3<C38C>£ÞÆÿ8…àcm•~Èál¡

12
secrets/services/paperless/password.age Normal file
View File

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA uCUIywKJrUQhqYI8uhhxNIsXoTcRBbZSRVfUJPCp2wM
2p1OvwRBUMJTXvhp2PdGBCwxKU/rFPBHKZaKJ38HvAo
-> ssh-ed25519 K8TEKA d4DDO/774I+lhafaKbrERWsl6NqeqpdkbmZy0FA6Dws
ObQGhn0BmzqE5pSg+vPSVdx3rLng9h3wPfoFx2umVAI
-> ssh-ed25519 7+Zv5Q M1P+teBvn1p4zbFNIVvGremZC5hViNswi9q24mCxCEg
zR1sV/5t8nI3jky5Ou9Ud7IYC8E8nkQnvRIW9lG7nbA
-> ssh-ed25519 9JjquQ P5F2UqVRXkySbbI4OHM6rChELU0wpx6Stpvz78Ie1yY
uWOhkO0vx0anNHA5EWuLmDmTQvoY/c1iSzlVl2xldC4
--- BARoI30iwdy5g5hWJoHpVlA6Hlhu4SBpGhxrTPvG8ok
´•µãØÄ;”Ö&ß_xIúXÛRŸøóÏ£ÂĴ螞ܾ]¹9ÅÏ'La§1ø÷¡Q )ê@
°WMeÎ%€3¼K

11
secrets/services/vaultwarden/password.age Normal file
View File

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 XInHQA aQ/88prWa3Tx1JdSIgSGZPhF+DAMtQllm4KRhUlDDg8
31xawF9XFf83zxx7SdHYLul12Pb8wk+5DBjbT236FD4
-> ssh-ed25519 K8TEKA 75kXFnNq76OsX+aRQp5BN0q4mw1cdGIeBVdYUcly2wg
9LFm33M8FTRYRJtAwGrwspSFJmcpMGIrq36wYs3Zz8g
-> ssh-ed25519 7+Zv5Q yTsGVm9Q1IWiuEd57JzOjqkLpVwfnFdkz5RnwCsLxB0
TfiDbFF/yI8ZQBCaz8QmL5dWkQlDSPHLXvPnaeNMAQs
-> ssh-ed25519 9JjquQ 4ksLVKkaDvsg7c5tK/PUELN+NOJUmC0ajD3aliuvkhY
8Swc8sjfpjP+yvIuZkucC121ei7cvHV9CRsi5Kdm98E
--- 4K9ZIqe95VA4ewxLh8OELKCywAs2NKhPdVzaYzmzAjI
-F¾ØŒÖ(Ë3ŽóC¾ù¡¹\LÇ  /]ª×Ü¡Év¥.®C#Uð ©ÇnruMGÿ2*ó…‘á‡>Ä6Ó`ƒ~H ¢EË]Šˆá½´`õ­Œß>;Ô¶¿<0F>ßñHÒ8Ë\Q4ÎYç!§i¢iÑÖtg†ÌW À>å„£P€<ˆé0c˼˜|MP_)¿ø«á³—%õYÞE2؃oµ“v

111
systems/x86_64-linux/bicboye/default.nix Normal file
View File

@ -0,0 +1,111 @@
{
lib,
pkgs,
userdata,
...
}: {
imports = [./hardware.nix];
hardware.cpu.intel.updateMicrocode = true;
hardware.enableRedistributableFirmware = true;
networking = {
hostName = "bicboye";
useDHCP = lib.mkDefault false;
interfaces.enp6s0 = {
useDHCP = lib.mkDefault true;
wakeOnLan.enable = true;
};
firewall.allowedTCPPorts = [
80
443
];
};
# Enable weekly btrfs auto-scrub.
services.btrfs.autoScrub = {
enable = true;
interval = "weekly";
fileSystems = ["/"];
};
# Power management, enable powertop and thermald.
powerManagement.powertop.enable = true;
services.thermald.enable = true;
# TODO: move to module
security.acme.defaults.email = "chinmaydpai@gmail.com";
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
};
snowflake = {
stateVersion = "24.05";
core.docker.enable = true;
core.docker.storageDriver = "btrfs";
core.security.sysctl.enable = lib.mkForce false;
networking.networkManager.enable = true;
hardware.initrd-luks = {
enable = true;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
];
availableKernelModules = ["r8169"];
};
services = {
gitea = {
enable = true;
domain = "git.deku.moe";
sshDomain = "git-ssh.deku.moe";
dbPasswordFile = userdata.secrets.services.gitea.password;
};
miniflux = {
enable = true;
domain = "flux.deku.moe";
adminTokenFile = userdata.secrets.services.miniflux.password;
};
paperless = {
enable = true;
domain = "docs.deku.moe";
passwordFile = userdata.secrets.services.paperless.password;
adminUser = "chinmay";
};
vaultwarden = {
enable = true;
domain = "bw.deku.moe";
adminTokenFile = userdata.secrets.services.vaultwarden.password;
};
static-site = {
enable = true;
package = pkgs.maych-in;
domain = "maych.in";
};
unifi-controller.enable = true;
};
user = {
enable = true;
username = "server";
description = "Bicboye Server";
userPasswordAgeModule = userdata.secrets.machines.bicboye.password;
rootPasswordAgeModule = userdata.secrets.machines.bicboye.root-password;
extraAuthorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
];
};
};
}

122
systems/x86_64-linux/bicboye/hardware-intel.nix Normal file
View File

@ -0,0 +1,122 @@
_: {
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"ehci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
luks.devices."cryptroot".device = "/dev/disk/by-uuid/e570c2be-65df-4208-9cac-a03de08a6209";
};
kernelModules = ["kvm-intel"];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@"
];
neededForBoot = true; # required
};
"/home" = {
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@home"
];
};
"/.snapshots" = {
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@snapshots"
];
};
"/var/log" = {
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@log"
];
};
"/etc/nixos" = {
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@nixos-config"
];
};
"/var/cache" = {
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@cache"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/B731-09A3";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
# "/storage/immich" = {
# device = "/dev/disk/by-uuid/bae65b7a-4f08-4b0d-963c-72e71bfcff46";
# fsType = "btrfs";
# options = [
# "defaults"
# "compress-force=zstd"
# "noatime"
# "user"
# ];
# };
# TODO: delete btrfs subvolume
# "/storage/syncthing" = {
# device = "/dev/disk/by-uuid/e3a4c251-a3e2-4b5e-a63b-70f53b51836a";
# fsType = "btrfs";
# options = [
# "defaults"
# "compress-force=zstd"
# "noatime"
# "user"
# ];
# };
};
swapDevices = [];
}

121
systems/x86_64-linux/bicboye/hardware.nix Normal file
View File

@ -0,0 +1,121 @@
_: {
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"ehci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
luks.devices."root".device = "/dev/disk/by-uuid/e70bfc3c-1147-4af7-9bae-69f70146953f";
};
kernelModules = ["kvm-intel"];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@"
];
neededForBoot = true; # required
};
"/home" = {
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@home"
];
};
"/.snapshots" = {
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@snapshots"
];
};
"/var/log" = {
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@log"
];
};
"/etc/nixos" = {
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@nixos-config"
];
};
"/var/cache" = {
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@cache"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/1C6C-122C";
fsType = "vfat";
};
"/storage/immich" = {
device = "/dev/disk/by-uuid/bae65b7a-4f08-4b0d-963c-72e71bfcff46";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"user"
];
};
# TODO: delete btrfs subvolume
"/storage/syncthing" = {
device = "/dev/disk/by-uuid/e3a4c251-a3e2-4b5e-a63b-70f53b51836a";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"user"
];
};
};
swapDevices = [];
}

73
systems/x86_64-linux/thonkpad/default.nix Normal file
View File

@ -0,0 +1,73 @@
{
lib,
pkgs,
userdata,
...
}: {
imports = [./hardware.nix];
hardware.cpu.intel.updateMicrocode = true;
hardware.enableRedistributableFirmware = true;
networking.hostName = "thonkpad";
networking.interfaces.wlan0.useDHCP = lib.mkDefault false;
networking.useNetworkd = true;
# Enable weekly btrfs auto-scrub.
services.btrfs.autoScrub = {
enable = true;
interval = "weekly";
fileSystems = ["/"];
};
services.system76-scheduler.enable = true;
services.system76-scheduler.settings.cfsProfiles.enable = true;
# Power management, enable powertop and thermald.
powerManagement.powertop.enable = true;
powerManagement.cpuFreqGovernor = lib.mkDefault "schedutil";
services.thermald.enable = true;
# TODO: remove, temporary for mongoDB build
systemd.services.nix-daemon.environment.TMPDIR = "/var/tmp/nix-daemon";
services.ratbagd.enable = true;
snowflake = {
stateVersion = "24.05";
extraPackages = with pkgs; [
easyeffects
glibc
logseq
obsidian
piper
# terraform
terraform-ls
];
core.lanzaboote.enable = true;
core.docker.enable = true;
core.docker.storageDriver = "btrfs";
desktop.enable = true;
desktop.kde.enable = true;
gaming.steam.enable = true;
hardware.bluetooth.enable = true;
hardware.yubico.enable = true;
networking.firewall.enable = true;
networking.networkManager.enable = true;
networking.iwd.enable = true;
networking.resolved.enable = true;
networking.netbird.enable = true;
user.enable = true;
user.username = "chnmy";
user.description = "Chinmay D. Pai";
user.extraGroups = ["video"];
user.userPasswordAgeModule = userdata.secrets.machines.thonkpad.password;
user.rootPasswordAgeModule = userdata.secrets.machines.thonkpad.root-password;
};
}

1
systems/x86_64-linux/thonkpad/disk-config.nix Normal file
View File

@ -0,0 +1 @@
{ }

141
systems/x86_64-linux/thonkpad/hardware.nix Normal file
View File

@ -0,0 +1,141 @@
_: {
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"xhci_hcd"
"nvme"
"usb_storage"
"sd_mod"
];
luks.devices."cryptroot".device = "/dev/disk/by-uuid/312b4d84-64dc-4721-9be3-bb0148199b16";
luks.devices."cryptroot".preLVM = true;
};
kernelModules = [
"kvm-intel"
"thinkpad_acpi"
"iwlwifi"
"i915"
];
blacklistedKernelModules = [
"iTCO_wdt"
];
kernelParams = ["resume_offset=2465529" "intel_pstate=active" "i915.enable_gvt=1" "i915.enable_guc=3" "thinkpad_acpi.fan_control=1"];
resumeDevice = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
supportedFilesystems = ["btrfs"];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"defaults"
# "autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@"
"discard=async"
];
neededForBoot = true;
};
"/home" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"defaults"
# "autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@home"
"discard=async"
];
};
"/.snapshots" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@snapshots"
"discard=async"
];
};
"/var/log" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"defaults"
# "autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@log"
"discard=async"
];
};
"/var/cache" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"defaults"
# "autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@cache"
"discard=async"
];
};
"/etc/nixos" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@nix-config"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"defaults"
# "autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@nix-store"
"discard=async"
];
};
# ref: https://sawyershepherd.org/post/hibernating-to-an-encrypted-swapfile-on-btrfs-with-nixos/
"/swap" = {
device = "/dev/disk/by-uuid/d5c21883-f0e6-4e7a-b9a5-ee0bf4780ec5";
fsType = "btrfs";
options = [
"subvol=@swap"
"noatime"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/90A5-35FF";
fsType = "vfat";
};
};
swapDevices = [{device = "/swap/swapfile";}];
}

136
systems/x86_64-linux/thonkpad/thonkpad-12.nix Normal file
View File

@ -0,0 +1,136 @@
_: {
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usb_storage"
"sd_mod"
];
luks.devices."cryptroot".device = "/dev/disk/by-uuid/9de352ea-128f-4d56-a720-36d81dfd9b92";
};
kernelModules = [
"kvm-intel"
# "thinkpad_acpi"
"iwlwifi"
"xe"
];
kernelParams = [
"xe.force_probe=7d45"
# "resume_offset=2465529"
# "intel_pstate=active"
# "thinkpad_acpi.fan_control=1"
];
# resumeDevice = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
fsType = "btrfs";
options = [
"defaults"
"autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@"
];
neededForBoot = true;
};
"/home" = {
device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
fsType = "btrfs";
options = [
"defaults"
"autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@home"
];
};
"/.snapshots" = {
device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@snapshots"
];
};
"/var/log" = {
device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
fsType = "btrfs";
options = [
"defaults"
"autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@log"
];
};
"/var/cache" = {
device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
fsType = "btrfs";
options = [
"defaults"
"autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@cache"
];
};
"/etc/nixos" = {
device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
fsType = "btrfs";
options = [
"defaults"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@nix-config"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
fsType = "btrfs";
options = [
"defaults"
"autodefrag"
"compress-force=zstd"
"noatime"
"ssd"
"subvol=@nix-store"
];
};
# ref: https://sawyershepherd.org/post/hibernating-to-an-encrypted-swapfile-on-btrfs-with-nixos/
# "/swap" = {
# device = "/dev/disk/by-uuid/870fde90-a91a-4554-8b1c-d5702c789f4d";
# fsType = "btrfs";
# options = [
# "subvol=@swap"
# "noatime"
# ];
# };
"/boot" = {
device = "/dev/disk/by-uuid/B9A2-7AA6";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
};
swapDevices = [];
}