

4 commits

Patrick 7b756ebaac
update and preliminary hostapd 2024-12-16 23:27:40 +01:00
Patrick 3d39955759
feat: vlans 2024-12-16 21:28:08 +01:00
Patrick d4e2805a87
feat: nucnix 2024-12-14 21:45:46 +01:00
Patrick 1d2e32b8b0
feat: topology 2024-12-12 20:12:36 +01:00
30 changed files with 1020 additions and 499 deletions


@ -5,6 +5,7 @@
}: }:
{ {
networking = { networking = {
search = [ "local" ];
useNetworkd = true; useNetworkd = true;
dhcpcd.enable = false; dhcpcd.enable = false;
useDHCP = false; useDHCP = false;
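Review bot: The added `search = [ "local" ];` uses the domain that RFC 6762 reserves for mDNS, and the other hunks in this change set keep `MulticastDNS = true` on the LAN networks, so a bare single-label name expanded through this search list becomes a `.local` query whose handling depends on how systemd-resolved routes that domain (multicast, where any host on the segment may answer, versus the unicast resolver). If reaching mDNS hosts by bare name is the intent, say so next to the line, `# "local" is the mDNS domain (RFC 6762): bare names resolve via multicast, not the unicast resolver`; if a unicast zone is intended, a non-reserved domain avoids the overlap. The enclosing file is not named in this view.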

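--- /dev/null
+++ b/config/support/server.nix
+{
+environment = {
+# Print the URL instead on servers
+variables.BROWSER = "echo";
+# Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2
+# stubs. Server users should know what they are doing.
+stub-ld.enable = false;
+};
+documentation.nixos.enable = false;
+# No need for fonts on a server
+fonts.fontconfig.enable = false;
+programs.command-not-found.enable = false;
+# freedesktop xdg files
+xdg.autostart.enable = false;
+xdg.icons.enable = false;
+xdg.menus.enable = false;
+xdg.mime.enable = false;
+xdg.sounds.enable = false;
+systemd = {
+# For more detail, see:
+# https://0pointer.de/blog/projects/watchdog.html
+watchdog = {
+# systemd will send a signal to the hardware watchdog at half
+# the interval defined here, so every 7.5s.
+# If the hardware watchdog does not get a signal for 15s,
+# it will forcefully reboot the system.
+runtimeTime = "15s";
+# Forcefully reboot if the final stage of the reboot
+# hangs without progress for more than 30s.
+# For more info, see:
+# https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+rebootTime = "30s";
+# Forcefully reboot when a host hangs after kexec.
+# This may be the case when the firmware does not support kexec.
+kexecTime = "1m";
+};
+};
+}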
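Review bot: The shared server profile does not carry over the emergency-mode settings that the host hunk in this same change set deletes when it switches to importing this file (`boot.initrd.systemd.suppressedUnits` for `emergency.service`/`emergency.target`, and `systemd.enableEmergencyMode = false`), so that host will again stop in the emergency shell on a boot failure. On a headless machine that is an unattended hang and, depending on the root-password setup, a console root shell; the original comment explained exactly why it was disabled. If leaving it out is deliberate it needs a comment here, otherwise the lines below restore it in this profile.
```nix
# … unchanged: environment, documentation, fonts, xdg …
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
boot.initrd.systemd.suppressedUnits = [
  "emergency.service"
  "emergency.target"
];
systemd.enableEmergencyMode = false;
# … unchanged: systemd.watchdog …
```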


@ -36,11 +36,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1732704340, "lastModified": 1734208773,
"narHash": "sha256-zcX8QIaaJJ5Us53vaWMPH2LNkZBCSwTH7pI+FgXCg+0=", "narHash": "sha256-K2ugS2XJSyF3lYCrT5SCJtSAqndn/c5OwPkC5Nl18BU=",
"owner": "oddlama", "owner": "oddlama",
"repo": "agenix-rekey", "repo": "agenix-rekey",
"rev": "662522cf89fde332157e527b4322d614598631d9", "rev": "1472730015a2b3da0de09d9f1538bab3a816f618",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -134,17 +134,29 @@
}, },
"crane_2": { "crane_2": {
"inputs": { "inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"lanzaboote", "lanzaboote",
"nixpkgs" "nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
] ]
}, },
"locked": { "locked": {
"lastModified": 1707363508, "lastModified": 1681177078,
"narHash": "sha256-Cu5Mwktod5hcxxSpHl0FCeZ9la7v4KO5Tfrrs59AAJg=", "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "f2926e34a1599837f3256c701739529d772e36e7", "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -367,11 +379,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733168902, "lastModified": 1734343412,
"narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=", "narHash": "sha256-b7G8oFp0Nj01BYUJ6ENC9Qf/HsYAIZvN9k/p0Kg/PFU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "785c1e02c7e465375df971949b8dcbde9ec362e5", "rev": "a08bfe06b39e94eec98dd089a2c1b18af01fef19",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -477,11 +489,11 @@
"flake-compat_12": { "flake-compat_12": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1732722421, "lastModified": 1733328505,
"narHash": "sha256-HRJ/18p+WoXpWJkcdsk9St5ZiukCqSDgbOGFa8Okehg=", "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9ed2ac151eada2306ca8c418ebd97807bb08f6ac", "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -656,11 +668,11 @@
"nixpkgs-lib": "nixpkgs-lib_2" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1730504689, "lastModified": 1733312601,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90", "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -756,11 +768,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730504689, "lastModified": 1733312601,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90", "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -792,11 +804,11 @@
"systems": "systems_3" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1731533236,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -931,11 +943,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732021966, "lastModified": 1734279981,
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1143,11 +1155,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733175814, "lastModified": 1734344598,
"narHash": "sha256-zFOtOaqjzZfPMsm1mwu98syv3y+jziAq5DfWygaMtLg=", "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "bf23fe41082aa0289c209169302afd3397092f22", "rev": "83ecd50915a09dca928971139d3a102377a8d242",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1164,11 +1176,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733175814, "lastModified": 1734093295,
"narHash": "sha256-zFOtOaqjzZfPMsm1mwu98syv3y+jziAq5DfWygaMtLg=", "narHash": "sha256-hSwgGpcZtdDsk1dnzA0xj5cNaHgN9A99hRF/mxMtwS4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "bf23fe41082aa0289c209169302afd3397092f22", "rev": "66c5d8b62818ec4c1edb3e941f55ef78df8141a8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1225,11 +1237,11 @@
}, },
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1731242966, "lastModified": 1734200366,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "narHash": "sha256-0NursoP4BUdnc+wy+Mq3icHkXu/RgP1Sjo0MJxV2+Dw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "rev": "c6323585fa0035d780e3d8906eb1b24b65d19a48",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1299,11 +1311,11 @@
"nixpkgs-lib": "nixpkgs-lib_5" "nixpkgs-lib": "nixpkgs-lib_5"
}, },
"locked": { "locked": {
"lastModified": 1733055216, "lastModified": 1734264809,
"narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", "narHash": "sha256-94fu5E0gM8aMY0bX/ix7BWGf/e/OfGjoCtNrJfwL0dM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "lib-aggregate", "repo": "lib-aggregate",
"rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", "rev": "46bedda9e45f2735f41ec3c01cba2b8ce7ba9808",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1334,11 +1346,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1733265436, "lastModified": 1734041466,
"narHash": "sha256-zxBh56jKE6AXhiUoktY6cOHPUTyqXWbI/Pyh5sSC5B4=", "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
"owner": "patrickdag", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "799370e27eb8643e860a5df5cd168da72219a684", "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1438,11 +1450,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733105089, "lastModified": 1733570843,
"narHash": "sha256-Qs3YmoLYUJ8g4RkFj2rMrzrP91e4ShAioC9s+vG6ENM=", "narHash": "sha256-sQJAxY1TYWD1UyibN/FnN97paTFuwBw3Vp3DNCyKsMk=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "c6b65d946097baf3915dd51373251de98199280d", "rev": "a35b08d09efda83625bef267eb24347b446c80b8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1459,11 +1471,11 @@
"treefmt-nix": "treefmt-nix_4" "treefmt-nix": "treefmt-nix_4"
}, },
"locked": { "locked": {
"lastModified": 1732631228, "lastModified": 1733909753,
"narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", "narHash": "sha256-5GChR6LKh6EwGXLfR3HLW2Z0AWoyce4Hyp3VB5C4FCk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-eval-jobs", "repo": "nix-eval-jobs",
"rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", "rev": "b1f94fed4af8e7f30665a3bf8b369dc3b8a95884",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1501,11 +1513,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733024876, "lastModified": 1734234111,
"narHash": "sha256-vy9Q41hBE7Zg0yakF79neVgb3i3PQMSMR7uHPpPywFE=", "narHash": "sha256-icEMqBt4HtGH52PU5FHidgBrNJvOfXH6VQKNtnD1aw8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "6e0b7f81367069589a480b91603a10bcf71f3103", "rev": "311d6cf3ad3f56cb051ffab1f480b2909b3f754d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1522,11 +1534,11 @@
"pre-commit-hooks": "pre-commit-hooks_3" "pre-commit-hooks": "pre-commit-hooks_3"
}, },
"locked": { "locked": {
"lastModified": 1732192922, "lastModified": 1734266385,
"narHash": "sha256-xQO/3I99TFdiXTN5VoS28NpbNlCQWQUvxmPQHlfkzmU=", "narHash": "sha256-k9P9Sa6jw/Xre8UDp7Ukk75h4Tcq8ZrK+nz6A2MC1IM=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nix-topology", "repo": "nix-topology",
"rev": "2b107e98bbde932a363874e0ef5b1739a932bbc5", "rev": "ba6f61e594a85eabebf1c8f373923b59b3b07448",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1537,11 +1549,11 @@
}, },
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1733015484, "lastModified": 1734224914,
"narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1561,11 +1573,11 @@
"pre-commit-hooks": "pre-commit-hooks_4" "pre-commit-hooks": "pre-commit-hooks_4"
}, },
"locked": { "locked": {
"lastModified": 1732216602, "lastModified": 1734380654,
"narHash": "sha256-svG11P+vsHYKoDj1nWSGHoep4f+rzbRM/fdWPSVE/Uk=", "narHash": "sha256-YrJ4vz6fbz5Sz7H6mdFsqaqEkLVOJUnrUi6swiYbmc4=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nixos-extra-modules", "repo": "nixos-extra-modules",
"rev": "6841242d5f7c32fc8a214014f1c97ae935ef8b8e", "rev": "da6945497bb3e6a2baf3d783c12d780ea8c4b5ea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1582,11 +1594,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733101779, "lastModified": 1734311693,
"narHash": "sha256-Qqnfnb/RFxBbD25UYJ/yibvl9kIZNK5WkyLsUcb2byk=", "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "a471acc460d4c238936a5116c8cc48a3c431dd66", "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1597,11 +1609,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1733217105, "lastModified": 1734352517,
"narHash": "sha256-fc6jTzIwCIVWTX50FtW6AZpuukuQWSEbPiyg6ZRGWFY=", "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "cceee0a31d2f01bcc98b2fbd591327c06a4ea4f9", "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1641,11 +1653,11 @@
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1733348844, "lastModified": 1734374811,
"narHash": "sha256-glufwHZDCoXjPrfvYSw8PrwQLyFVsg933gt/Gg4hlLE=", "narHash": "sha256-+an6TysKwyWWeC7MeWGoHcULR9gc7TeXyszMAzvwRRo=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "3052ba7b255b8e3c333fcb318e79ce15c88dd2a7", "rev": "85a6a4df38b05ed2d70e530d43de9820b3231e4a",
"revCount": 22, "revCount": 25,
"type": "git", "type": "git",
"url": "https://forge.lel.lol/patrick/nixp-meta.git" "url": "https://forge.lel.lol/patrick/nixp-meta.git"
}, },
@ -1684,14 +1696,14 @@
}, },
"nixpkgs-lib_2": { "nixpkgs-lib_2": {
"locked": { "locked": {
"lastModified": 1730504152, "lastModified": 1733096140,
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
} }
}, },
"nixpkgs-lib_3": { "nixpkgs-lib_3": {
@ -1720,11 +1732,11 @@
}, },
"nixpkgs-lib_5": { "nixpkgs-lib_5": {
"locked": { "locked": {
"lastModified": 1733015484, "lastModified": 1734224914,
"narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1839,11 +1851,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733251568, "lastModified": 1734366874,
"narHash": "sha256-o0CA0AeQWEKSJpaPst6aMJq4NU6+ccgNKBmo8GD3WJ8=", "narHash": "sha256-DBB1cTb+gmjUpcR3Ki+qQbdQsHwBjW7FB7iOp39WF0g=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs-wayland", "repo": "nixpkgs-wayland",
"rev": "baa85eb4c456e649f340c7daef3bf9398dc2f2d7", "rev": "7c76738f71e0d4a0365ad95ab3a09e236a655f30",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1918,11 +1930,11 @@
}, },
"nixpkgs_6": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1733212471, "lastModified": 1734119587,
"narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1979,11 +1991,11 @@
"treefmt-nix": "treefmt-nix_5" "treefmt-nix": "treefmt-nix_5"
}, },
"locked": { "locked": {
"lastModified": 1733220378, "lastModified": 1734368549,
"narHash": "sha256-tWCskBne7LigfeXRWnUFJKKTLOYmmdqiwdqom2Sml1s=", "narHash": "sha256-D8LYUU+IWbpmyjOAKEnKVOhd7Qfe7q+DvUNZTYoitKY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "78bfbf7b7eb7a1b6cf42e199547de55a55ba2cea", "rev": "6c30476a4d5f761149945a65e74179f4492b1ea6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2002,11 +2014,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733006402, "lastModified": 1733773348,
"narHash": "sha256-BC1CecAQISV5Q4LZK72Gx0+faemOwaChiD9rMVfDPoA=", "narHash": "sha256-Y47y+LesOCkJaLvj+dI/Oa6FAKj/T9sKVKDXLNsViPw=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "search", "repo": "search",
"rev": "16307548b7a1247291c84ae6a12c0aacb07dfba2", "rev": "3051be7f403bff1d1d380e4612f0c70675b44fc9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2224,11 +2236,11 @@
"nixpkgs-stable": "nixpkgs-stable_6" "nixpkgs-stable": "nixpkgs-stable_6"
}, },
"locked": { "locked": {
"lastModified": 1732021966, "lastModified": 1734379367,
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "narHash": "sha256-Keu8z5VgT5gnCF4pmB+g7XZFftHpfl4qOn7nqBcywdE=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "rev": "0bb4be58f21ff38fc3cdbd6c778eb67db97f0b99",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2470,11 +2482,11 @@
"spectrum": { "spectrum": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1729945407, "lastModified": 1733308308,
"narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=", "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "f1d94ee7029af18637dbd5fdf4749621533693fa", "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
"revCount": 764, "revCount": 792,
"type": "git", "type": "git",
"url": "https://spectrum-os.org/git/spectrum" "url": "https://spectrum-os.org/git/spectrum"
}, },
@ -2491,11 +2503,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733199390, "lastModified": 1734322624,
"narHash": "sha256-kPEbVBeCL1Y/Q46G/fbHFpTxS0IVUMj69Es5abaoXN8=", "narHash": "sha256-9G6h+hHM8RyUvan2qojZwHlRoJ3gkLwZQLsW7bXyNrE=",
"owner": "Gerg-l", "owner": "Gerg-l",
"repo": "spicetify-nix", "repo": "spicetify-nix",
"rev": "7d1d92636fda6098600770ba559daba909312595", "rev": "f8289a4668187d3866caa7940dfd8ff680e41d0d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2861,11 +2873,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732894027, "lastModified": 1733761991,
"narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=", "narHash": "sha256-s4DalCDepD22jtKL5Nw6f4LP5UwoMcPzPZgHWjAfqbQ=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "6209c381904cab55796c5d7350e89681d3b2a8ef", "rev": "0ce9d149d99bc383d1f2d85f31f6ebd146e46085",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -69,4 +69,5 @@
programs.streamcontroller.enable = true; programs.streamcontroller.enable = true;
hardware.opentabletdriver.enable = true; hardware.opentabletdriver.enable = true;
topology.self.icon = "devices.desktop";
} }


@ -16,6 +16,7 @@
../../config/support/initrd-ssh.nix ../../config/support/initrd-ssh.nix
../../config/support/physical.nix ../../config/support/physical.nix
../../config/support/secureboot.nix ../../config/support/secureboot.nix
../../config/support/server.nix
../../config/support/zfs.nix ../../config/support/zfs.nix
./net.nix ./net.nix
@ -28,57 +29,5 @@
}; };
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
# Given that our systems are headless, emergency mode is useless. topology.self.interfaces.lan.network = "home";
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
boot.initrd.systemd.suppressedUnits = [
"emergency.service"
"emergency.target"
];
environment = {
# Print the URL instead on servers
variables.BROWSER = "echo";
# Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2
# stubs. Server users should know what they are doing.
stub-ld.enable = false;
};
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
systemd.enableEmergencyMode = false;
documentation.nixos.enable = false;
# No need for fonts on a server
fonts.fontconfig.enable = false;
programs.command-not-found.enable = false;
# freedesktop xdg files
xdg.autostart.enable = false;
xdg.icons.enable = false;
xdg.menus.enable = false;
xdg.mime.enable = false;
xdg.sounds.enable = false;
systemd = {
# For more detail, see:
# https://0pointer.de/blog/projects/watchdog.html
watchdog = {
# systemd will send a signal to the hardware watchdog at half
# the interval defined here, so every 7.5s.
# If the hardware watchdog does not get a signal for 15s,
# it will forcefully reboot the system.
runtimeTime = "15s";
# Forcefully reboot if the final stage of the reboot
# hangs without progress for more than 30s.
# For more info, see:
# https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
rebootTime = "30s";
# Forcefully reboot when a host hangs after kexec.
# This may be the case when the firmware does not support kexec.
kexecTime = "1m";
};
};
} }


@ -27,20 +27,13 @@ let
actual = "actual"; actual = "actual";
firefly = "money"; firefly = "money";
homebox = "homebox"; homebox = "homebox";
octoprint = "print";
invidious = "yt"; invidious = "yt";
blog = "blog"; blog = "blog";
}; };
in in
"${domains.${hostName}}.${config.secrets.secrets.global.domains.web}"; "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
# TODO hard coded elisabeth nicht so schön # TODO hard coded elisabeth nicht so schön
ipOf = ipOf = hostName: nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;
hostName:
if hostName == "octoprint" then
#nodes.testienix.config.wireguard.elisabeth.ipv4
"0.0.0.0"
else
nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;
in in
{ {
services.netbird.server.proxy = services.netbird.server.proxy =
@ -66,6 +59,7 @@ in
port ? 3000, port ? 3000,
upstream ? hostName, upstream ? hostName,
protocol ? "http", protocol ? "http",
...
}: }:
{ {
upstreams.${hostName} = { upstreams.${hostName} = {
@ -91,7 +85,11 @@ in
}; };
}; };
proxyProtect = proxyProtect =
hostName: cfg: allowedGroup: hostName:
{
allowedGroup ? true,
...
}@cfg:
lib.mkMerge [ lib.mkMerge [
(blockOf hostName cfg) (blockOf hostName cfg)
{ {
@ -152,17 +150,16 @@ in
proxy_request_buffering off; proxy_request_buffering off;
''; '';
}) })
(proxyProtect "adguardhome" { } true) (proxyProtect "adguardhome" { })
(proxyProtect "oauth2-proxy" { } false) (proxyProtect "oauth2-proxy" { allowedGroup = false; })
(blockOf "paperless" { maxBodySize = "5G"; }) (blockOf "paperless" { maxBodySize = "5G"; })
(proxyProtect "ttrss" { port = 80; } true) (proxyProtect "ttrss" { port = 80; })
(proxyProtect "invidious" { } true) (proxyProtect "invidious" { })
(blockOf "yourspotify" { port = 80; }) (blockOf "yourspotify" { port = 80; })
(blockOf "blog" { port = 80; }) (blockOf "blog" { port = 80; })
(blockOf "homebox" { }) (blockOf "homebox" { })
(proxyProtect "ollama" { } true) (proxyProtect "ollama" { })
(proxyProtect "octoprint" { } true) (proxyProtect "firefly" { port = 80; })
(proxyProtect "firefly" { port = 80; } true)
(blockOf "apispotify" { (blockOf "apispotify" {
port = 3000; port = 3000;
upstream = "yourspotify"; upstream = "yourspotify";


@ -20,14 +20,6 @@
MulticastDNS = true; MulticastDNS = true;
}; };
}; };
"40-lan01" = {
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false;
networkConfig = {
MulticastDNS = true;
};
};
}; };
boot.initrd.systemd.network = { boot.initrd.systemd.network = {
enable = true; enable = true;


@ -16,4 +16,5 @@
"virtio_blk" "virtio_blk"
]; ];
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
topology.self.icon = "devices.cloud-server";
} }


@ -33,4 +33,5 @@
createHome = false; createHome = false;
}; };
users.groups.nix-build = { }; users.groups.nix-build = { };
topology.self.icon = "devices.cloud-server";
} }

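--- /dev/null
+++ b/hosts/nucnix/default.nix
+{
+inputs,
+minimal,
+lib,
+...
+}:
+{
+imports = [
+inputs.nixos-hardware.nixosModules.common-pc
+inputs.nixos-hardware.nixosModules.common-pc-ssd
+inputs.nixos-hardware.nixosModules.common-cpu-intel
+../../config/basic
+../../config/support/initrd-ssh.nix
+../../config/support/physical.nix
+../../config/support/zfs.nix
+../../config/support/server.nix
+./net.nix
+./fs.nix
+] ++ lib.lists.optionals (!minimal) [ ./guests.nix ];
+services.xserver = {
+xkb = {
+layout = "de";
+};
+};
+nixpkgs.hostPlatform = "x86_64-linux";
+topology.self.interfaces.lan.network = "home";
+}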
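Review bot: The import list pulls in `initrd-ssh.nix`, `zfs.nix` and `server.nix` but, unlike the sibling host in this change set that imports `../../config/support/secureboot.nix` next to the same modules, not `secureboot.nix`. With `partLuksZfs` in `fs.nix` the LUKS passphrase is typed (over initrd SSH) into an initrd that nothing verifies, so a swapped boot partition can capture it. If the NUC cannot do Secure Boot or this is intentionally deferred, a one-line comment in the import list, `# no secureboot.nix: <reason>`, keeps the next reader from assuming it was forgotten.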

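--- /dev/null
+++ b/hosts/nucnix/fs.nix
+{
+config,
+lib,
+...
+}:
+{
+disko.devices = {
+disk = {
+ssd = rec {
+type = "disk";
+device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.nvme}";
+content = with lib.disko.gpt; {
+type = "gpt";
+partitions = {
+boot = (partEfi "1G") // {
+device = "${device}-part1";
+};
+rpool = (partLuksZfs "ssd" "rpool" "100%") // {
+device = "${device}-part2";
+};
+};
+};
+};
+};
+zpool = with lib.disko.zfs; {
+rpool = mkZpool { datasets = impermanenceZfsDatasets; };
+};
+};
+boot.kernel.sysctl."fs.inotify.max_user_instances" = 1024;
+services.zrepl = {
+enable = true;
+settings = {
+global = {
+logging = [
+{
+type = "syslog";
+level = "info";
+format = "human";
+}
+];
+# TODO Monitoring
+};
+jobs = [
+#{
+# type = "push";
+# name = "push-to-remote";
+#}
+{
+type = "snap";
+name = "mach-schnipp-schusss";
+filesystems = {
+"rpool/local/state<" = true;
+"rpool/local/guests<" = true;
+"rpool/safe<" = true;
+};
+snapshotting = {
+type = "periodic";
+prefix = "zrepl-";
+interval = "10m";
+timestamp_format = "iso-8601";
+};
+pruning = {
+keep = [
+{
+type = "regex";
+regex = "^zrepl-.*$";
+negate = true;
+}
+{
+type = "grid";
+grid = lib.concatStringsSep " | " [
+"1x1d(keep=all)"
+"142x1h(keep=2)"
+"90x1d(keep=2)"
+"500x7d"
+];
+regex = "^zrepl-.*$";
+}
+];
+};
+}
+];
+};
+};
+fileSystems."/state".neededForBoot = true;
+fileSystems."/persist".neededForBoot = true;
+}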
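Review bot: The zrepl configuration snapshots `rpool/local/state`, `rpool/local/guests` and `rpool/safe` every 10 minutes, but the only job is `type = "snap"`; the `push-to-remote` job is commented out and `# TODO Monitoring` is open, so no copy ever leaves this pool. Same-pool snapshots cover accidental deletion, not disk loss or a root-level compromise that can `zfs destroy` them, and the `safe/` naming suggests off-host replication is expected for that tree. Until the push job exists, a note beside the commented job, `# Snapshot-only: nothing is replicated off-host yet, rpool/safe is NOT backed up until push-to-remote is enabled`, makes the gap visible to whoever relies on it.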

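--- /dev/null
+++ b/hosts/nucnix/guests.nix
+{
+config,
+stateVersion,
+inputs,
+lib,
+minimal,
+nodes,
+...
+}:
+let
+domainOf =
+hostName:
+let
+domains =
+{
+};
+in
+"${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
+# TODO hard coded elisabeth nicht so schön
+ipOf = hostName: nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;
+in
+{
+services.nginx =
+let
+blockOf =
+hostName:
+{
+virtualHostExtraConfig ? "",
+maxBodySize ? "500M",
+port ? 3000,
+upstream ? hostName,
+protocol ? "http",
+...
+}:
+{
+upstreams.${hostName} = {
+servers."${ipOf upstream}:${toString port}" = { };
+extraConfig = ''
+zone ${hostName} 64k ;
+keepalive 5 ;
+'';
+};
+virtualHosts.${domainOf hostName} = {
+forceSSL = true;
+useACMEHost = "web";
+locations."/" = {
+proxyPass = "${protocol}://${hostName}";
+proxyWebsockets = true;
+X-Frame-Options = "SAMEORIGIN";
+};
+extraConfig =
+''
+client_max_body_size ${maxBodySize} ;
+''
++ virtualHostExtraConfig;
+};
+};
+proxyProtect =
+hostName:
+{
+allowedGroup ? true,
+...
+}@cfg:
+lib.mkMerge [
+(blockOf hostName cfg)
+{
+virtualHosts.${domainOf hostName} = {
+locations."/".extraConfig = ''
+auth_request /oauth2/auth;
+error_page 401 = /oauth2/sign_in;
+# pass information via X-User and X-Email headers to backend,
+# requires running with --set-xauthrequest flag
+auth_request_set $user $upstream_http_x_auth_request_preferred_username;
+# Set the email to our own domain in case user change their mail
+auth_request_set $email "''${upstream_http_x_auth_request_preferred_username}@${config.secrets.secrets.global.domains.web}";
+proxy_set_header X-User $user;
+proxy_set_header X-Email $email;
+# if you enabled --cookie-refresh, this is needed for it to work with auth_request
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $auth_cookie;
+'';
+locations."/oauth2/" = {
+proxyPass = "http://oauth2-proxy";
+extraConfig = ''
+proxy_set_header X-Scheme $scheme;
+proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+'';
+};
+locations."= /oauth2/auth" = {
+proxyPass =
+"http://oauth2-proxy/oauth2/auth"
++ lib.optionalString allowedGroup "?allowed_groups=${hostName}_access";
+extraConfig = ''
+internal;
+proxy_set_header X-Scheme $scheme;
+# nginx auth_request includes headers but not body
+proxy_set_header Content-Length "";
+proxy_pass_request_body off;
+'';
+};
+};
+}
+];
+in
+lib.mkMerge [
+{
+enable = false;
+recommendedSetup = true;
+}
+];
+guests =
+let
+mkGuest = guestName: {
+autostart = true;
+zfs."/state" = {
+pool = "rpool";
+dataset = "local/guests/${guestName}";
+};
+zfs."/persist" = {
+pool = "rpool";
+dataset = "safe/guests/${guestName}";
+};
+modules = [
+../../config/basic
+../../config/services/${guestName}.nix
+{
+node.secretsDir = config.node.secretsDir + "/${guestName}";
+networking.nftables.firewall.zones.untrusted.interfaces = [
+config.guests.${guestName}.networking.mainLinkName
+];
+systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
+DHCP = lib.mkForce "no";
+address = [
+(lib.net.cidr.hostCidr
+config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
+config.secrets.secrets.global.net.privateSubnetv4
+)
+(lib.net.cidr.hostCidr
+config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
+config.secrets.secrets.global.net.privateSubnetv6
+)
+];
+gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
+};
+}
+];
+};
+mkMicrovm = guestName: cfg: {
+${guestName} = mkGuest guestName cfg // {
+backend = "microvm";
+microvm = {
+system = "x86_64-linux";
+macvtap = "lan";
+baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+};
+extraSpecialArgs = {
+inherit (inputs.self) nodes;
+inherit (inputs.self.pkgs.x86_64-linux) lib;
+inherit inputs minimal stateVersion;
+};
+};
+};
+mkContainer = guestName: cfg: {
+${guestName} = mkGuest guestName cfg // {
+backend = "container";
+container.macvlan = "lan";
+extraSpecialArgs = {
+inherit
+lib
+nodes
+inputs
+minimal
+stateVersion
+;
+};
+};
+};
+in
+{ };
+}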
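Review bot: Both `mkMicrovm` (`macvtap = "lan"`) and `mkContainer` (`container.macvlan = "lan"`) attach guests to `lan`, which `net.nix` in this change set defines as a macvlan on `vlan-home` (VLAN 10), while the `vlan-services`, `vlan-iot` and `vlan-guests` netdevs created there are not referenced here, so every guest shares the segment the host's own address sits on and the per-guest `untrusted` firewall zone is the only separation. If that is the intended interim state, a comment on `mkGuest`, `# all guests currently sit on vlan-home; move service guests to vlan-services once the VLAN uplink is wired`, records it. Separately, the `services.nginx` block is dead scaffolding as written: `enable = false`, `domains = { }` makes `domainOf` throw for any name, and `ipOf` still looks up `elisabeth-${hostName}` nodes, so switching `enable` on without reworking it would proxy to the other host's WireGuard addresses rather than anything on nucnix.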

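--- /dev/null
+++ b/hosts/nucnix/hostapd.nix
+{ config, ... }:
+let
+cfg = name: {
+countryCode = "DE";
+# wifi4.capabilities = [
+# "LDPC"
+# "HT40+"
+# "HT40-"
+# "GF"
+# "SHORT-GI-20"
+# "SHORT-GI-40"
+# "TX-STBC"
+# "RX-STBC1"
+# ];
+wifi6.enable = true;
+wifi7.enable = true;
+networks."${name}" = {
+inherit (config.secrets.secrets.global.hostapd) ssid;
+apIsolate = true;
+authentication = {
+saePasswords = [
+{
+password = "lol";
+vlanid = 10;
+}
+];
+enableRecommendedPairwiseCiphers = true;
+};
+bssid = "02:c0:ca:b1:4f:9f";
+};
+};
+in
+{
+hardware.wirelessRegulatoryDatabase = true;
+services.hostapd = {
+enable = true;
+radios.wlan1 = {
+band = "2g";
+} // cfg "wlan1";
+radios.wlan2 = {
+band = "5g";
+} // cfg "wlan2";
+};
+}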
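Review bot: `password = "lol"` is a hard-coded, trivially guessable WPA3-SAE passphrase committed in plain text and, via `saePasswords`, rendered into the hostapd config in the world-readable Nix store, while the SSID right above it is already taken from `config.secrets.secrets.global.hostapd`; the commit message calls this preliminary, but `enable = true` makes it live on the next deploy, and `vlanid = 10` puts anyone who guesses it on the same home VLAN that `net.nix` uses for the host's own address. Source it the same way as the SSID (e.g. `password = config.secrets.secrets.global.hostapd.password;` with a matching secret), or, if the pinned nixpkgs has it, point `authentication.saePasswordsFile` at an agenix-managed file so the passphrase never enters the store. Also, `cfg` is applied to both radios, so `wlan1` and `wlan2` advertise the identical `bssid = "02:c0:ca:b1:4f:9f"`; each BSS should carry its own BSSID, so set it per radio or derive it from `name`.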

hosts/nucnix/net.nix Normal file

@ -0,0 +1,130 @@
{ config, lib, ... }:
{
imports = [ ./hostapd.nix ];
networking = {
inherit (config.secrets.secrets.local.networking) hostId;
};
systemd.network = {
networks = {
"10-lan01" = {
address = [
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
config.secrets.secrets.global.net.privateSubnetv4
)
];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
#matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
matchConfig.Name = "lan";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false;
networkConfig = {
MulticastDNS = true;
};
};
};
netdevs."40-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
Kind = "vlan";
};
vlanConfig.Id = 10;
};
netdevs."40-vlan-services" = {
netdevConfig = {
Name = "vlan-services";
Kind = "vlan";
};
vlanConfig.Id = 20;
};
netdevs."40-vlan-devices" = {
netdevConfig = {
Name = "vlan-devices";
Kind = "vlan";
};
vlanConfig.Id = 30;
};
netdevs."40-vlan-iot" = {
netdevConfig = {
Name = "vlan-iot";
Kind = "vlan";
};
vlanConfig.Id = 40;
};
netdevs."40-vlan-guests" = {
netdevConfig = {
Name = "vlan-guests";
Kind = "vlan";
};
vlanConfig.Id = 50;
};
networks."40-vlans" = {
matchConfig.Name = "lan01";
vlan = [
"vlan-home"
"vlan-services"
"vlan-devices"
"vlan-iot"
"vlan-guests"
];
};
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
# To be able to ping containers from the host, it is necessary
# to create a macvlan on the host on the VLAN 1 network.
networking.macvlans.lan = {
interface = "vlan-home";
mode = "bridge";
};
boot.initrd = {
availableKernelModules = [
"8021q"
];
systemd.network = {
enable = true;
networks = {
# redo the network cause the livesystem has macvlans
"10-lan01" = {
address = [
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
config.secrets.secrets.global.net.privateSubnetv4
)
];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
matchConfig.Name = "vlan-home";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
};
};
netdevs."10-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
Kind = "vlan";
};
vlanConfig.Id = 10;
};
networks."40-vlans" = {
matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
vlan = [
"vlan-home"
];
};
};
};
}
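Review bot: Only the `lan` macvlan is placed in a firewall zone at `networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];`, while the `lan01` trunk and the four tagged netdevs vlan-services/devices/iot/guests are created and attached in `40-vlans` but get neither a `systemd.network.networks` entry nor a zone, so any traffic arriving on them is handled by whatever the firewall module's defaults are — either list them explicitly or add a comment stating that they are trunk-only and intentionally unaddressed. The comment above `networking.macvlans.lan` talks about "the VLAN 1 network" but the macvlan is bound to `vlan-home` (ID 10); suggest `# to create a macvlan on the host on the home VLAN (vlan-home, ID 10).` `40-vlans` matches by `Name = "lan01"` in the main system but by MAC address in initrd, so the VLANs only attach if the link is really renamed to lan01 there — presumably done by a link file elsewhere, but matching on `config.secrets.secrets.local.networking.interfaces.lan01.mac` in both places would remove the dependency. `IPv6PrivacyExtensions = "yes"` is likewise set only in the initrd network and not in the main `10-lan01`.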


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDS0gxZD8aIAAKBtt7gyMHZ2KloQPlHxS+LsQY/62SzE

Binary file not shown.


@ -44,4 +44,5 @@
"kvm" "kvm"
"nixos-test" "nixos-test"
]; ];
topology.self.icon = "devices.laptop";
} }


@ -21,6 +21,7 @@ in
name = "Home-manager options for the main user"; name = "Home-manager options for the main user";
merge = _loc: defs: (map (x: x.value) defs); merge = _loc: defs: (map (x: x.value) defs);
}; };
default = { };
}; };
hm-all = mkOption { hm-all = mkOption {
description = "Home-manager options for the primary User and root."; description = "Home-manager options for the primary User and root.";
@ -28,6 +29,7 @@ in
name = "Home-manager options for the all users"; name = "Home-manager options for the all users";
merge = _loc: defs: (map (x: x.value) defs); merge = _loc: defs: (map (x: x.value) defs);
}; };
default = { };
}; };
}; };
config.home-manager.users = mkMerge [ config.home-manager.users = mkMerge [


@ -1,154 +0,0 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib)
getExe
mkEnableOption
mkIf
mkOption
mkPackageOption
types
;
cfg = config.services.actual;
configFile = formatType.generate "config.json" cfg.settings;
dataDir = "/var/lib/actual";
formatType = pkgs.formats.json { };
in
{
options.services.actual = {
enable = mkEnableOption "actual, a privacy focused app for managing your finances";
package = mkPackageOption pkgs "actual-server" { };
user = mkOption {
type = types.str;
default = "actual";
description = ''
User to run actual as.
::: {.note}
If left as the default value this user will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the user exists.
:::
'';
};
group = mkOption {
type = types.str;
default = "actual";
description = ''
Group under which to run.
::: {.note}
If left as the default value this group will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the user exists.
:::
'';
};
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
settings = mkOption {
default = { };
description = "Server settings, refer to (the documentation)[https://actualbudget.org/docs/config/] for available options.";
type = types.submodule {
freeformType = formatType.type;
options = {
hostname = mkOption {
type = types.str;
description = "The address to listen on";
default = "::";
};
port = mkOption {
type = types.port;
description = "The port to listen on";
default = 3000;
};
};
config = {
serverFiles = "${dataDir}/server-files";
userFiles = "${dataDir}/user-files";
inherit dataDir;
};
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.port ];
users.groups = mkIf (cfg.group == "actual") {
${cfg.group} = { };
};
users.users = mkIf (cfg.user == "actual") {
${cfg.user} = {
isSystemUser = true;
inherit (cfg) group;
home = dataDir;
};
};
systemd.services.actual = {
description = "Actual server, a local-first personal finance app";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.ACTUAL_CONFIG_PATH = configFile;
serviceConfig = {
ExecStart = getExe cfg.package;
User = cfg.user;
Group = cfg.group;
StateDirectory = "actual";
WorkingDirectory = dataDir;
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
#MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
UMask = "0077";
};
};
};
}


@ -1 +1,183 @@
{ } { config, ... }:
let
inherit (config.lib.topology)
mkInternet
mkRouter
mkConnection
mkSwitch
mkDevice
;
in
{
networks = {
home = {
name = "Heimnetz";
cidrv4 = "192.168.178.0/24";
};
};
nodes = {
internet = mkInternet {
connections = [
(mkConnection "fritzbox" "wan1")
(mkConnection "mailnix" "lan01")
(mkConnection "maddy" "lan01")
];
};
fritzbox = mkRouter "FritzBox" {
info = "FRITZ!Box 7520";
interfaceGroups = [
[
"wan1"
]
[
"eth1"
"eth2"
"eth3"
]
];
interfaces.eth1 = {
addresses = [ "192.168.178.1" ];
network = "home";
};
connections.eth1 = mkConnection "switch-ganzoben" "eth1";
};
switch-ganzoben = mkSwitch "Switch Ganzoben" {
info = "TPLink 16 Port";
interfaceGroups = [
[
"eth1"
"eth2"
"eth3"
"eth4"
"eth5"
"eth6"
"eth7"
"eth8"
"eth9"
"eth10"
"eth11"
"eth12"
"eth13"
"eth14"
"eth15"
"eth16"
]
];
connections = {
eth2 = mkConnection "switch-waschkueche" "eth1";
eth3 = mkConnection "switch-patrick" "eth5";
eth4 = mkConnection "docking-station-ganzoben" "lan";
eth5 = mkConnection "desktop-ganzoben" "lan";
eth6 = mkConnection "nucnix" "lan01";
eth9 = mkConnection "drucker" "lan";
eth10 = mkConnection "homematic" "lan";
eth11 = mkConnection "raspberry-pi" "lan";
eth12 = mkConnection "fernseher" "lan";
eth16 = mkConnection "devolo" "lan";
};
};
switch-waschkueche = mkSwitch "Switch Waschküche" {
info = "TPLink 8 Port";
interfaceGroups = [
[
"eth1"
"eth2"
"eth3"
"eth4"
"eth5"
"eth6"
"eth7"
"eth8"
]
];
connections = {
eth2 = mkConnection "switch-server" "eth1";
eth3 = mkConnection "desktop-david" "lan";
eth7 = mkConnection "solar-anlage" "lan";
eth8 = mkConnection "solar-anlage" "lan";
};
};
switch-server = mkSwitch "Switch Server" {
info = "TPLink 5 Port";
interfaceGroups = [
[
"eth1"
"eth2"
"eth3"
"eth4"
"eth5"
]
];
connections = {
eth2 = mkConnection "elisabeth" "lan01";
eth3 = mkConnection "homematic-ip" "lan";
eth4 = mkConnection "dect" "lan";
eth5 = mkConnection "docking-station-keller" "lan";
};
};
switch-patrick = mkSwitch "Switch Patrick" {
info = "5 Port";
interfaceGroups = [
[
"eth1"
"eth2"
"eth3"
"eth4"
"eth5"
]
];
connections = {
eth4 = mkConnection "desktopnix" "lan01";
eth3 = mkConnection "patricknix" "lan01";
};
};
docking-station-ganzoben = mkDevice "Docking Station Ganzoben" {
info = "Docking Station";
interfaces.lan = { };
};
desktop-ganzoben = mkDevice "Desktop Ganzoben" {
info = "Desktop";
interfaces.lan = { };
};
drucker = mkDevice "Drucker" {
info = "HP Drucker";
interfaces.lan = { };
};
homematic = mkDevice "homematic" {
info = "Homematic zentrale";
interfaces.lan = { };
};
raspberry-pi = mkDevice "RaspberryPi" {
info = "Raspberry-Pi 5";
interfaces.lan = { };
};
fernseher = mkDevice "fernseher" {
info = "LG? Fernseher";
interfaces.lan = { };
};
devolo = mkDevice "devolo" {
info = "devolo";
interfaces.lan = { };
};
solar-anlage = mkDevice "solar" {
info = "solar anlage+batterie";
interfaces.lan = { };
};
desktop-david = mkDevice "desktop-david" {
info = "Desktop";
interfaces.lan = { };
};
homematic-ip = mkDevice "homematic-ip" {
info = "homematic-ip point";
interfaces.lan = { };
};
dect = mkDevice "dect" {
info = "Teflon";
interfaces.lan = { };
};
docking-station-keller = mkDevice "Docking-station Keller" {
info = "Für die kellerarbeiter";
interfaces.lan = { };
};
};
}
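Review bot: `solar-anlage` is wired to two ports of switch-waschkueche, `eth7 = mkConnection "solar-anlage" "lan";` and `eth8 = mkConnection "solar-anlage" "lan";`, but the node declares only a single `interfaces.lan = { };`, so one interface ends up with two connections; if the device really has two ports, declare a second interface (e.g. `interfaces.lan2 = { };`) and point eth8 at it, otherwise drop one of the lines. `mailnix` and `maddy` are referenced from the `internet` node but not defined in this file — presumably they come from the per-host topology modules, worth confirming so the graph does not dangle. `info = "Teflon"` on the `dect` node looks like a typo for `Telefon`.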


@ -1,3 +1,47 @@
diff --git a/nixos/doc/manual/redirects.json b/nixos/doc/manual/redirects.json
index f792750a1ea4d..a4da736ad3191 100644
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -821,6 +821,12 @@
"module-services-netbird-multiple-connections": [
"index.html#module-services-netbird-multiple-connections"
],
+ "module-services-netbird-firewall": [
+ "index.html#module-services-netbird-firewall"
+ ],
+ "module-services-netbird-customization": [
+ "index.html#module-services-netbird-customization"
+ ],
"module-services-mosquitto": [
"index.html#module-services-mosquitto"
],
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index aee8b80727990..a4be58e5b2005 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -711,7 +711,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
and `services.kavita.settings.IpAddresses`. The file at `services.kavita.tokenKeyFile` now needs to contain a secret with
512+ bits instead of 128+ bits.
-- `services.netbird` now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels).
+- `services.netbird` now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.clients).
- `services.nginx.virtualHosts` using `forceSSL` or
`globalRedirect` can now have redirect codes other than 301 through `redirectCode`.
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 10236562d78b1..10c1f4bd44f11 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -135,6 +135,9 @@
- `zf` was updated to 0.10.2, which includes breaking changes from the [0.10.0 release](https://github.com/natecraddock/zf/releases/tag/0.10.0).
`zf` no longer does Unicode normalization of the input and no longer supports terminal escape sequences in the `ZF_PROMPT` environment variable.
+- `services.netbird.tunnels` was renamed to [`services.netbird.clients`](#opt-services.netbird.clients),
+ hardened (using dedicated less-privileged users) and significantly extended.
+
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Other Notable Changes {#sec-release-25.05-notable-changes}
diff --git a/nixos/modules/services/networking/netbird.md b/nixos/modules/services/networking/netbird.md diff --git a/nixos/modules/services/networking/netbird.md b/nixos/modules/services/networking/netbird.md
index e1f6753cbd30c..876c27cb0d22e 100644 index e1f6753cbd30c..876c27cb0d22e 100644
--- a/nixos/modules/services/networking/netbird.md --- a/nixos/modules/services/networking/netbird.md
@ -112,7 +156,7 @@ index e1f6753cbd30c..876c27cb0d22e 100644
+through environment variables, but special care needs to be taken for overriding config location and +through environment variables, but special care needs to be taken for overriding config location and
+daemon address due [hardened](#opt-services.netbird.clients._name_.hardened) option. +daemon address due [hardened](#opt-services.netbird.clients._name_.hardened) option.
diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix
index d39c373dbc94c..c9a2251437c6a 100644 index 9771503e14e28..c9a2251437c6a 100644
--- a/nixos/modules/services/networking/netbird.nix --- a/nixos/modules/services/networking/netbird.nix
+++ b/nixos/modules/services/networking/netbird.nix +++ b/nixos/modules/services/networking/netbird.nix
@@ -7,64 +7,179 @@ @@ -7,64 +7,179 @@
@ -245,27 +289,27 @@ index d39c373dbc94c..c9a2251437c6a 100644
+ name = mkOption { + name = mkOption {
+ type = str; + type = str;
+ default = name; + default = name;
+ description = '' description = ''
- Port for the ${name} netbird interface.
+ Primary name for use (as a suffix) in: + Primary name for use (as a suffix) in:
+ - systemd service name, + - systemd service name,
+ - hardened user name and group, + - hardened user name and group,
+ - [systemd `*Directory=`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RuntimeDirectory=) names, + - [systemd `*Directory=`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RuntimeDirectory=) names,
+ - desktop application identification, + - desktop application identification,
+ ''; '';
+ }; };
+
+ dns-resolver.address = mkOption { + dns-resolver.address = mkOption {
+ type = nullOr str; + type = nullOr str;
+ default = null; + default = null;
+ example = "127.0.0.123"; + example = "127.0.0.123";
description = '' + description = ''
- Port for the ${name} netbird interface.
+ An explicit address that Netbird will serve `*.netbird.cloud.` (usually) entries on. + An explicit address that Netbird will serve `*.netbird.cloud.` (usually) entries on.
+ +
+ Netbird serves DNS on it's own (dynamic) client address by default. + Netbird serves DNS on it's own (dynamic) client address by default.
''; + '';
}; + };
+
+ dns-resolver.port = mkOption { + dns-resolver.port = mkOption {
+ type = port; + type = port;
+ default = 53; + default = 53;
@ -308,7 +352,7 @@ index d39c373dbc94c..c9a2251437c6a 100644
} }
''; '';
description = '' description = ''
@@ -72,97 +187,416 @@ in @@ -72,64 +187,269 @@ in
''; '';
}; };
@ -324,16 +368,9 @@ index d39c373dbc94c..c9a2251437c6a 100644
+ +
+ As of 2024-02-13 it is not possible to start a Netbird client daemon without immediately + As of 2024-02-13 it is not possible to start a Netbird client daemon without immediately
+ connecting to the network, but it is [planned for a near future](https://github.com/netbirdio/netbird/projects/2#card-91718018). + connecting to the network, but it is [planned for a near future](https://github.com/netbirdio/netbird/projects/2#card-91718018).
''; + '';
}; + };
- }; +
- config.environment = builtins.mapAttrs (_: mkDefault) {
- NB_CONFIG = "/var/lib/${config.stateDir}/config.json";
- NB_LOG_FILE = "console";
- NB_WIREGUARD_PORT = builtins.toString config.port;
- NB_INTERFACE_NAME = name;
- NB_DAEMON_ADDR = "unix:///var/run/${config.stateDir}/sock";
+ openFirewall = mkOption { + openFirewall = mkOption {
+ type = bool; + type = bool;
+ default = true; + default = true;
@ -385,9 +422,16 @@ index d39c373dbc94c..c9a2251437c6a 100644
+ defaultText = literalExpression ''client.ui.enable''; + defaultText = literalExpression ''client.ui.enable'';
+ description = '' + description = ''
+ Controls presence of `netbird-ui` wrapper for this Netbird client. + Controls presence of `netbird-ui` wrapper for this Netbird client.
+ ''; '';
+ }; };
+ - };
- config.environment = builtins.mapAttrs (_: mkDefault) {
- NB_CONFIG = "/var/lib/${config.stateDir}/config.json";
- NB_LOG_FILE = "console";
- NB_WIREGUARD_PORT = builtins.toString config.port;
- NB_INTERFACE_NAME = name;
- NB_DAEMON_ADDR = "unix:///var/run/${config.stateDir}/sock";
+ wrapper = mkOption { + wrapper = mkOption {
+ type = package; + type = package;
+ internal = true; + internal = true;
@ -533,7 +577,9 @@ index d39c373dbc94c..c9a2251437c6a 100644
+ interface = mkDefault "wt0"; + interface = mkDefault "wt0";
+ hardened = mkDefault false; + hardened = mkDefault false;
+ }; + };
+
- (mkIf (cfg.tunnels != { }) {
- boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
+ environment.systemPackages = [ + environment.systemPackages = [
+ (lib.hiPrio ( + (lib.hiPrio (
+ pkgs.runCommand "${client.name}-as-default" { } '' + pkgs.runCommand "${client.name}-as-default" { } ''
@ -551,8 +597,7 @@ index d39c373dbc94c..c9a2251437c6a 100644
+ cfg.clients != { } && (versionOlder kernel.version "5.6") + cfg.clients != { } && (versionOlder kernel.version "5.6")
+ ) kernelPackages.wireguard; + ) kernelPackages.wireguard;
- (mkIf (cfg.tunnels != { }) { - environment.systemPackages = [ cfg.package ];
- boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
+ environment.systemPackages = toClientList (client: client.wrapper) + environment.systemPackages = toClientList (client: client.wrapper)
+ # omitted due to https://github.com/netbirdio/netbird/issues/1562 + # omitted due to https://github.com/netbirdio/netbird/issues/1562
+ #++ optional (cfg.clients != { }) cfg.package + #++ optional (cfg.clients != { }) cfg.package
@ -560,51 +605,38 @@ index d39c373dbc94c..c9a2251437c6a 100644
+ #++ optional (cfg.clients != { } && cfg.ui.enable) cfg.ui.package + #++ optional (cfg.clients != { } && cfg.ui.enable) cfg.ui.package
+ ; + ;
- environment.systemPackages = [ cfg.package ]; - networking.dhcpcd.denyInterfaces = attrNames cfg.tunnels;
+ networking.dhcpcd.denyInterfaces = toClientList (client: client.interface); + networking.dhcpcd.denyInterfaces = toClientList (client: client.interface);
+ networking.networkmanager.unmanaged = toClientList (client: "interface-name:${client.interface}"); + networking.networkmanager.unmanaged = toClientList (client: "interface-name:${client.interface}");
+
- networking.dhcpcd.denyInterfaces = attrNames cfg.tunnels;
+ networking.firewall.allowedUDPPorts = concatLists ( + networking.firewall.allowedUDPPorts = concatLists (
+ toClientList (client: optional client.openFirewall client.port) + toClientList (client: optional client.openFirewall client.port)
+ ); + );
systemd.network.networks = mkIf config.networking.useNetworkd ( systemd.network.networks = mkIf config.networking.useNetworkd (
- mapAttrs' - mapAttrs' (
- ( - name: _:
- name: _: - nameValuePair "50-netbird-${name}" {
- nameValuePair "50-netbird-${name}" {
- matchConfig = {
- Name = name;
- };
- linkConfig = {
- Unmanaged = true;
- ActivationPolicy = "manual";
- };
- }
- )
- cfg.tunnels
+ toClientAttrs ( + toClientAttrs (
+ client: + client:
+ nameValuePair "50-netbird-${client.interface}" { + nameValuePair "50-netbird-${client.interface}" {
+ matchConfig = { matchConfig = {
- Name = name;
+ Name = client.interface; + Name = client.interface;
+ }; };
+ linkConfig = { linkConfig = {
+ Unmanaged = true; Unmanaged = true;
+ ActivationPolicy = "manual"; ActivationPolicy = "manual";
+ }; };
+ } }
- ) cfg.tunnels
+ ) + )
); );
- systemd.services = - systemd.services = mapAttrs' (
- mapAttrs' - name:
- ( - { environment, stateDir, ... }:
- name: - nameValuePair "netbird-${name}" {
- { environment, stateDir, ... }:
- nameValuePair "netbird-${name}" {
- description = "A WireGuard-based mesh network that connects your devices into a single private network";
+ environment.etc = toClientAttrs ( + environment.etc = toClientAttrs (
+ client: + client:
+ nameValuePair "netbird-${client.name}/config.d/50-nixos.json" { + nameValuePair "netbird-${client.name}/config.d/50-nixos.json" {
@ -612,60 +644,45 @@ index d39c373dbc94c..c9a2251437c6a 100644
+ mode = "0444"; + mode = "0444";
+ } + }
+ ); + );
+
- documentation = [ "https://netbird.io/docs/" ];
+ systemd.services = toClientAttrs ( + systemd.services = toClientAttrs (
+ client: + client:
+ nameValuePair "netbird-${client.name}" { + nameValuePair "netbird-${client.name}" {
+ description = "A WireGuard-based mesh network that connects your devices into a single private network"; description = "A WireGuard-based mesh network that connects your devices into a single private network";
- after = [ "network.target" ]; documentation = [ "https://netbird.io/docs/" ];
- wantedBy = [ "multi-user.target" ]; @@ -137,17 +457,19 @@ in
+ documentation = [ "https://netbird.io/docs/" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- path = with pkgs; [ openresolv ]; - path = with pkgs; [ openresolv ];
+ after = [ "network.target" ]; -
+ wantedBy = [ "multi-user.target" ]; - inherit environment;
- inherit environment;
+ path = optional (!config.services.resolved.enable) pkgs.openresolv; + path = optional (!config.services.resolved.enable) pkgs.openresolv;
- serviceConfig = { serviceConfig = {
- ExecStart = "${getExe cfg.package} service run"; - ExecStart = "${getExe cfg.package} service run";
- Restart = "always";
- RuntimeDirectory = stateDir;
- StateDirectory = stateDir;
- StateDirectoryMode = "0700";
- WorkingDirectory = "/var/lib/${stateDir}";
- };
+ serviceConfig = {
+ ExecStart = "${getExe client.wrapper} service run"; + ExecStart = "${getExe client.wrapper} service run";
+ Restart = "always"; Restart = "always";
- RuntimeDirectory = stateDir;
- unitConfig = { - StateDirectory = stateDir;
- StartLimitInterval = 5; +
- StartLimitBurst = 10;
- };
+ RuntimeDirectory = "netbird-${client.name}"; + RuntimeDirectory = "netbird-${client.name}";
+ RuntimeDirectoryMode = mkDefault "0755"; + RuntimeDirectoryMode = mkDefault "0755";
+ ConfigurationDirectory = "netbird-${client.name}"; + ConfigurationDirectory = "netbird-${client.name}";
+ StateDirectory = "netbird-${client.name}"; + StateDirectory = "netbird-${client.name}";
+ StateDirectoryMode = "0700"; StateDirectoryMode = "0700";
- WorkingDirectory = "/var/lib/${stateDir}";
- stopIfChanged = false; +
- }
- )
- cfg.tunnels;
+ WorkingDirectory = "/var/lib/netbird-${client.name}"; + WorkingDirectory = "/var/lib/netbird-${client.name}";
+ }; };
+
+ unitConfig = { unitConfig = {
+ StartLimitInterval = 5; @@ -157,7 +479,124 @@ in
+ StartLimitBurst = 10;
+ }; stopIfChanged = false;
+ }
+ stopIfChanged = false; - ) cfg.tunnels;
+ }
+ ); + );
+ } + }
+ # Hardening section + # Hardening section


@ -1,10 +1,10 @@
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 10645d55e8389..e4ffb75742580 100644 index 595b6af0e339d..72f5dbff1c2f4 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md --- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -40,6 +40,10 @@ @@ -175,6 +175,10 @@
add `vimPlugins.notmuch-vim` to your (Neo)vim configuration if you want the - `zf` was updated to 0.10.2, which includes breaking changes from the [0.10.0 release](https://github.com/natecraddock/zf/releases/tag/0.10.0).
vim plugin. `zf` no longer does Unicode normalization of the input and no longer supports terminal escape sequences in the `ZF_PROMPT` environment variable.
+- The `octoprint` service has gained an `enableRaspberryPi` option, which will +- The `octoprint` service has gained an `enableRaspberryPi` option, which will
+ be disabled for state versions following 25.05. Users running on Raspberry Pi + be disabled for state versions following 25.05. Users running on Raspberry Pi
@ -14,17 +14,11 @@ index 10645d55e8389..e4ffb75742580 100644
## Other Notable Changes {#sec-release-25.05-notable-changes} ## Other Notable Changes {#sec-release-25.05-notable-changes}
diff --git a/nixos/modules/services/misc/octoprint.nix b/nixos/modules/services/misc/octoprint.nix diff --git a/nixos/modules/services/misc/octoprint.nix b/nixos/modules/services/misc/octoprint.nix
index d8e4c9c302b38..6ab48ee10e3c7 100644 index 193e4222a37e7..6ab48ee10e3c7 100644
--- a/nixos/modules/services/misc/octoprint.nix --- a/nixos/modules/services/misc/octoprint.nix
+++ b/nixos/modules/services/misc/octoprint.nix +++ b/nixos/modules/services/misc/octoprint.nix
@@ -1,17 +1,27 @@ @@ -6,17 +6,22 @@
-{ config, lib, pkgs, ... }: }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let let
- cfg = config.services.octoprint; - cfg = config.services.octoprint;
@ -43,7 +37,7 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
- plugins.curalegacy.cura_engine = "${pkgs.curaengine_stable}/bin/CuraEngine"; - plugins.curalegacy.cura_engine = "${pkgs.curaengine_stable}/bin/CuraEngine";
- server.port = cfg.port; - server.port = cfg.port;
- webcam.ffmpeg = "${pkgs.ffmpeg.bin}/bin/ffmpeg"; - webcam.ffmpeg = "${pkgs.ffmpeg.bin}/bin/ffmpeg";
- } // lib.optionalAttrs (cfg.host != null) {server.host = cfg.host;}; - } // lib.optionalAttrs (cfg.host != null) { server.host = cfg.host; };
+ cfg = config.services.octoprint; + cfg = config.services.octoprint;
- fullConfig = lib.recursiveUpdate cfg.extraConfig baseConfig; - fullConfig = lib.recursiveUpdate cfg.extraConfig baseConfig;
@ -54,7 +48,7 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
pluginsEnv = package.python.withPackages (ps: [ ps.octoprint ] ++ (cfg.plugins ps)); pluginsEnv = package.python.withPackages (ps: [ ps.octoprint ] ++ (cfg.plugins ps));
@@ -67,18 +77,32 @@ in @@ -72,18 +77,32 @@ in
description = "State directory of the daemon."; description = "State directory of the daemon.";
}; };
@ -95,7 +89,7 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
}; };
}; };
@@ -86,6 +110,20 @@ in @@ -91,6 +110,20 @@ in
}; };
##### implementation ##### implementation
@ -116,7 +110,7 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@@ -100,12 +138,13 @@ in @@ -105,12 +138,13 @@ in
octoprint.gid = config.ids.gids.octoprint; octoprint.gid = config.ids.gids.octoprint;
}; };
@ -136,7 +130,7 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
systemd.services.octoprint = { systemd.services.octoprint = {
description = "OctoPrint, web interface for 3D printers"; description = "OctoPrint, web interface for 3D printers";
@@ -115,10 +154,10 @@ in @@ -120,10 +154,10 @@ in
preStart = '' preStart = ''
if [ -e "${cfg.stateDir}/config.yaml" ]; then if [ -e "${cfg.stateDir}/config.yaml" ]; then
@ -149,7 +143,7 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
chmod 600 "${cfg.stateDir}/config.yaml" chmod 600 "${cfg.stateDir}/config.yaml"
fi fi
''; '';
@@ -127,12 +166,42 @@ in @@ -132,12 +166,42 @@ in
ExecStart = "${pluginsEnv}/bin/octoprint serve -b ${cfg.stateDir}"; ExecStart = "${pluginsEnv}/bin/octoprint serve -b ${cfg.stateDir}";
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
@ -176,14 +170,14 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
+ "AF_INET" + "AF_INET"
+ "AF_INET6" + "AF_INET6"
+ "AF_NETLINK" + "AF_NETLINK"
]; + ];
+ RestrictNamespaces = true; + RestrictNamespaces = true;
+ RestrictRealtime = true; + RestrictRealtime = true;
+ SystemCallArchitectures = "native"; + SystemCallArchitectures = "native";
+ SystemCallFilter = [ + SystemCallFilter = [
+ "@system-service" + "@system-service"
+ "@pkey" + "@pkey"
+ ]; ];
+ ReadWritePaths = [ cfg.stateDir ]; + ReadWritePaths = [ cfg.stateDir ];
+ UMask = "0077"; + UMask = "0077";
+ +
@ -195,29 +189,31 @@ index d8e4c9c302b38..6ab48ee10e3c7 100644
+ meta.maintainers = with lib.maintainers; [ patrickdag ]; + meta.maintainers = with lib.maintainers; [ patrickdag ];
} }
diff --git a/nixos/tests/octoprint.nix b/nixos/tests/octoprint.nix diff --git a/nixos/tests/octoprint.nix b/nixos/tests/octoprint.nix
index 15a2d677d4cf8..dc60b10813311 100644 index 9473797d50475..12fb94e0eaf90 100644
--- a/nixos/tests/octoprint.nix --- a/nixos/tests/octoprint.nix
+++ b/nixos/tests/octoprint.nix +++ b/nixos/tests/octoprint.nix
@@ -11,7 +11,7 @@ in @@ -54,16 +54,22 @@ import ./make-test-python.nix (
environment.systemPackages = with pkgs; [ jq ]; curl_cmd = "curl --retry-all-errors --connect-timeout 5 --max-time 10 --retry 5 --retry-delay 0 \
services.octoprint = { --retry-max-time 40 -X GET --header 'X-API-Key: ${apikey}' "
enable = true;
- extraConfig = { - # used to fail early, in case octoprint first starts and then crashes
+ settings = { - with octoprint_running: # type: ignore[union-attr]
server = { - with subtest("Check for web interface"):
firstRun = false; - machine.wait_until_succeeds("curl -s localhost:5000")
}; + # used to fail early, in case octoprint first starts and then crashes
@@ -50,11 +50,18 @@ in + with octoprint_running: # type: ignore[union-attr]
# used to fail early, in case octoprint first starts and then crashes + with subtest("Check for web interface"):
with octoprint_running: # type: ignore[union-attr]
with subtest("Check for web interface"):
- machine.wait_until_succeeds("curl -s localhost:5000")
+ machine.wait_until_succeeds("curl -s -4 localhost:5000") + machine.wait_until_succeeds("curl -s -4 localhost:5000")
+ machine.wait_until_succeeds("curl -s -6 localhost:5000") + machine.wait_until_succeeds("curl -s -6 localhost:5000")
- with subtest("Check API"): - with subtest("Check API"):
- version = json.loads(machine.succeed(curl_cmd + "localhost:5000/api/version")) - version = json.loads(machine.succeed(curl_cmd + "localhost:5000/api/version"))
- server = json.loads(machine.succeed(curl_cmd + "localhost:5000/api/server")) - server = json.loads(machine.succeed(curl_cmd + "localhost:5000/api/server"))
- assert version["server"] == str("${pkgs.octoprint.version}")
- assert server["safemode"] == None
- '';
- }
-)
+ with subtest("Check API IPv4"): + with subtest("Check API IPv4"):
+ version = json.loads(machine.succeed(curl_cmd + "-4 localhost:5000/api/version")) + version = json.loads(machine.succeed(curl_cmd + "-4 localhost:5000/api/version"))
+ server = json.loads(machine.succeed(curl_cmd + "-4 localhost:5000/api/server")) + server = json.loads(machine.succeed(curl_cmd + "-4 localhost:5000/api/server"))
@ -227,9 +223,10 @@ index 15a2d677d4cf8..dc60b10813311 100644
+ with subtest("Check API IPv6"): + with subtest("Check API IPv6"):
+ version = json.loads(machine.succeed(curl_cmd + "-6 localhost:5000/api/version")) + version = json.loads(machine.succeed(curl_cmd + "-6 localhost:5000/api/version"))
+ server = json.loads(machine.succeed(curl_cmd + "-6 localhost:5000/api/server")) + server = json.loads(machine.succeed(curl_cmd + "-6 localhost:5000/api/server"))
assert version["server"] == str("${pkgs.octoprint.version}") + assert version["server"] == str("${pkgs.octoprint.version}")
assert server["safemode"] == None + assert server["safemode"] == None
''; + '';
+})
diff --git a/pkgs/by-name/oc/octoprint/ffmpeg-path.patch b/pkgs/by-name/oc/octoprint/ffmpeg-path.patch diff --git a/pkgs/by-name/oc/octoprint/ffmpeg-path.patch b/pkgs/by-name/oc/octoprint/ffmpeg-path.patch
deleted file mode 100644 deleted file mode 100644
index 2e7c7dbe06428..0000000000000 index 2e7c7dbe06428..0000000000000
@ -259,7 +256,7 @@ index 2e7c7dbe06428..0000000000000
- commandline = data["webcam"]["ffmpegCommandline"] - commandline = data["webcam"]["ffmpegCommandline"]
- if not all( - if not all(
diff --git a/pkgs/by-name/oc/octoprint/package.nix b/pkgs/by-name/oc/octoprint/package.nix diff --git a/pkgs/by-name/oc/octoprint/package.nix b/pkgs/by-name/oc/octoprint/package.nix
index a4b437ac6d1c7..3042f7d6dd643 100644 index 4d2ab61ecf855..66422e93d1b5c 100644
--- a/pkgs/by-name/oc/octoprint/package.nix --- a/pkgs/by-name/oc/octoprint/package.nix
+++ b/pkgs/by-name/oc/octoprint/package.nix +++ b/pkgs/by-name/oc/octoprint/package.nix
@@ -1,5 +1,4 @@ @@ -1,5 +1,4 @@


@ -1,5 +1,5 @@
diff --git a/pkgs/by-name/be/beatsabermodmanager/deps.nix b/pkgs/by-name/be/beatsabermodmanager/deps.nix diff --git a/pkgs/by-name/be/beatsabermodmanager/deps.nix b/pkgs/by-name/be/beatsabermodmanager/deps.nix
index 9fc703773a8e5..14f21eb5e6d5e 100644 index 9fc703773a8e5..547872d25303a 100644
--- a/pkgs/by-name/be/beatsabermodmanager/deps.nix --- a/pkgs/by-name/be/beatsabermodmanager/deps.nix
+++ b/pkgs/by-name/be/beatsabermodmanager/deps.nix +++ b/pkgs/by-name/be/beatsabermodmanager/deps.nix
@@ -2,110 +2,120 @@ @@ -2,110 +2,120 @@
@ -136,20 +136,20 @@ index 9fc703773a8e5..14f21eb5e6d5e 100644
+ (fetchNuGet { pname = "HarfBuzzSharp.NativeAssets.WebAssembly"; version = "2.8.2.3"; hash = "sha256-ZsiBGpXfODHUHPgU/50k9QR/j6Klo7rsB0SUt8zYcBA="; }) + (fetchNuGet { pname = "HarfBuzzSharp.NativeAssets.WebAssembly"; version = "2.8.2.3"; hash = "sha256-ZsiBGpXfODHUHPgU/50k9QR/j6Klo7rsB0SUt8zYcBA="; })
+ (fetchNuGet { pname = "HarfBuzzSharp.NativeAssets.Win32"; version = "2.8.2.3"; hash = "sha256-5GSzM5IUoOwK+zJg0d74WlT3n1VZly8pKlyjiqVocCI="; }) + (fetchNuGet { pname = "HarfBuzzSharp.NativeAssets.Win32"; version = "2.8.2.3"; hash = "sha256-5GSzM5IUoOwK+zJg0d74WlT3n1VZly8pKlyjiqVocCI="; })
+ (fetchNuGet { pname = "MicroCom.Runtime"; version = "0.11.0"; hash = "sha256-VdwpP5fsclvNqJuppaOvwEwv2ofnAI5ZSz2V+UEdLF0="; }) + (fetchNuGet { pname = "MicroCom.Runtime"; version = "0.11.0"; hash = "sha256-VdwpP5fsclvNqJuppaOvwEwv2ofnAI5ZSz2V+UEdLF0="; })
+ (fetchNuGet { pname = "Microsoft.AspNetCore.App.Ref"; version = "6.0.35"; hash = "sha256-BxvIeZIaBdC0wyDQqKW0E5axSRSrtQk3oEPsT287014="; }) + (fetchNuGet { pname = "Microsoft.AspNetCore.App.Ref"; version = "6.0.36"; hash = "sha256-9jDkWbjw/nd8yqdzVTagCuqr6owJ/DUMi4BlUZT4hWU="; })
+ (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm64"; version = "6.0.35"; hash = "sha256-jM/HzLumZvI939DrNb8LHnEr/in1Lws0j/FAfdXSzbk="; }) + (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm64"; version = "6.0.36"; hash = "sha256-JQULJyF0ivLoUU1JaFfK/HHg+/qzpN7V2RR2Cc+WlQ4="; })
+ (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "6.0.35"; hash = "sha256-2eUqoTcqTU3ebv53IV6yvN9EhkOqnyBRd2tz74HuSsE="; }) + (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "6.0.36"; hash = "sha256-zUsVIpV481vMLAXaLEEUpEMA9/f1HGOnvaQnaWdzlyY="; })
+ (fetchNuGet { pname = "Microsoft.CodeAnalysis.Analyzers"; version = "3.0.0"; hash = "sha256-KDbCfsBWSJ5ohEXUKp1s1LX9xA2NPvXE/xVzj68EdC0="; }) + (fetchNuGet { pname = "Microsoft.CodeAnalysis.Analyzers"; version = "3.0.0"; hash = "sha256-KDbCfsBWSJ5ohEXUKp1s1LX9xA2NPvXE/xVzj68EdC0="; })
+ (fetchNuGet { pname = "Microsoft.CodeAnalysis.Common"; version = "3.8.0"; hash = "sha256-3G9vSc/gHH7FWgOySLTut1+eEaf3H66qcPOvNPLOx4o="; }) + (fetchNuGet { pname = "Microsoft.CodeAnalysis.Common"; version = "3.8.0"; hash = "sha256-3G9vSc/gHH7FWgOySLTut1+eEaf3H66qcPOvNPLOx4o="; })
+ (fetchNuGet { pname = "Microsoft.CodeAnalysis.CSharp"; version = "3.8.0"; hash = "sha256-i/r3V/No/VzqmJlWxpGoirvlbJDbBPa/ONZtzYrxuc4="; }) + (fetchNuGet { pname = "Microsoft.CodeAnalysis.CSharp"; version = "3.8.0"; hash = "sha256-i/r3V/No/VzqmJlWxpGoirvlbJDbBPa/ONZtzYrxuc4="; })
+ (fetchNuGet { pname = "Microsoft.CodeAnalysis.CSharp.Scripting"; version = "3.8.0"; hash = "sha256-fA9Qu+vTyMZ9REzxJ4aMg/SHCDRk4q9k4ZGUdynoHnA="; }) + (fetchNuGet { pname = "Microsoft.CodeAnalysis.CSharp.Scripting"; version = "3.8.0"; hash = "sha256-fA9Qu+vTyMZ9REzxJ4aMg/SHCDRk4q9k4ZGUdynoHnA="; })
+ (fetchNuGet { pname = "Microsoft.CodeAnalysis.Scripting.Common"; version = "3.8.0"; hash = "sha256-866jMHp8kbc1FYpKuUWnd7ViU6kGJTAxPcL/IjXrT0I="; }) + (fetchNuGet { pname = "Microsoft.CodeAnalysis.Scripting.Common"; version = "3.8.0"; hash = "sha256-866jMHp8kbc1FYpKuUWnd7ViU6kGJTAxPcL/IjXrT0I="; })
+ (fetchNuGet { pname = "Microsoft.CSharp"; version = "4.3.0"; hash = "sha256-a3dAiPaVuky0wpcHmpTVtAQJNGZ2v91/oArA+dpJgj8="; }) + (fetchNuGet { pname = "Microsoft.CSharp"; version = "4.3.0"; hash = "sha256-a3dAiPaVuky0wpcHmpTVtAQJNGZ2v91/oArA+dpJgj8="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm64"; version = "6.0.35"; hash = "sha256-yrtPCYD8skaWnfIoaUdQ1dns0YrypxDocskS2WGxF6g="; }) + (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm64"; version = "6.0.36"; hash = "sha256-9lC/LYnthYhjkWWz2kkFCvlA5LJOv11jdt59SDnpdy0="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-x64"; version = "6.0.35"; hash = "sha256-maNzxJQ5oCd86VI4ROzl4RqOV1RNXn3qWjrAfBjr2Y0="; }) + (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-x64"; version = "6.0.36"; hash = "sha256-VFRDzx7LJuvI5yzKdGmw/31NYVbwHWPKQvueQt5xc10="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.App.Ref"; version = "6.0.35"; hash = "sha256-IcpSbsSHgYBbNVvbcXfmRRM9bdx3pogLncO4RuXEab0="; }) + (fetchNuGet { pname = "Microsoft.NETCore.App.Ref"; version = "6.0.36"; hash = "sha256-9LZgVoIFF8qNyUu8kdJrYGLutMF/cL2K82HN2ywwlx8="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm64"; version = "6.0.35"; hash = "sha256-jPUhSrzqnH1GNi/c7dSnZSQhFNVGdmlAQkDLdXVWBBc="; }) + (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm64"; version = "6.0.36"; hash = "sha256-k3rxvUhCEU0pVH8KgEMtkPiSOibn+nBh+0zT2xIfId8="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "6.0.35"; hash = "sha256-Gf3e0EdBEgq8GcZttTHbKGupFlDyB80nhYpBN0X9Kro="; }) + (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "6.0.36"; hash = "sha256-U8wJ2snSDFqeAgDVLXjnniidC7Cr5aJ1/h/BMSlyu0c="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "1.1.0"; hash = "sha256-FeM40ktcObQJk4nMYShB61H/E8B7tIKfl9ObJ0IOcCM="; }) + (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "1.1.0"; hash = "sha256-FeM40ktcObQJk4nMYShB61H/E8B7tIKfl9ObJ0IOcCM="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "2.1.2"; hash = "sha256-gYQQO7zsqG+OtN4ywYQyfsiggS2zmxw4+cPXlK+FB5Q="; }) + (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "2.1.2"; hash = "sha256-gYQQO7zsqG+OtN4ywYQyfsiggS2zmxw4+cPXlK+FB5Q="; })
+ (fetchNuGet { pname = "Microsoft.NETCore.Targets"; version = "1.1.0"; hash = "sha256-0AqQ2gMS8iNlYkrD+BxtIg7cXMnr9xZHtKAuN4bjfaQ="; }) + (fetchNuGet { pname = "Microsoft.NETCore.Targets"; version = "1.1.0"; hash = "sha256-0AqQ2gMS8iNlYkrD+BxtIg7cXMnr9xZHtKAuN4bjfaQ="; })
@ -238,7 +238,7 @@ index 42e1f738e470f..6ebea28bb187b 100644
}: }:
-buildDotnetModule rec { -buildDotnetModule rec {
+buildDotnetModule rec { +buildDotnetModule {
pname = "beatsabermodmanager"; pname = "beatsabermodmanager";
- version = "0.0.5"; - version = "0.0.5";
+ version = "0.0.7"; + version = "0.0.7";

Binary file not shown.


@ -28,7 +28,7 @@ lib.optionalAttrs (!minimal) {
services.libinput = { services.libinput = {
enable = true; enable = true;
mouse = { mouse = {
accelSpeed = "0.5"; accelSpeed = "0.3";
accelProfile = "flat"; accelProfile = "flat";
middleEmulation = false; middleEmulation = false;
}; };


@ -32,6 +32,8 @@
".config/gh" ".config/gh"
".config/qmk"
".local/share/osu" ".local/share/osu"
".local/share/monado" ".local/share/monado"


@ -41,6 +41,7 @@
yt-dlp yt-dlp
zathura zathura
zotero zotero
qmk
]; ];
}; };
hm.programs.bat.enable = true; hm.programs.bat.enable = true;
@ -60,4 +61,5 @@
DOWN add volume -2 DOWN add volume -2
''; '';
}; };
services.udev.packages = [ pkgs.qmk-udev-rules ];
} }
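Review bot: The `services.udev.packages = [ pkgs.qmk-udev-rules ];` line added in the second hunk of this section should carry a comment stating what it grants, because it is a deliberate widening of device access rather than a plain package addition. As far as I recall, the QMK rules tag the supported keyboard bootloaders and USB devices with `uaccess`, so the logged-in seat user can write to them without root; that is what makes unprivileged flashing work, and it is the thing a later audit of udev rules will want explained in place. A one-liner such as `# Let the seat user flash QMK keyboards without root (uaccess on supported bootloaders)` above the line is enough. The first hunk only adds `qmk` to the package list and needs nothing.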


@ -2,6 +2,7 @@
hm.programs.direnv = { hm.programs.direnv = {
enable = true; enable = true;
nix-direnv.enable = true; nix-direnv.enable = true;
config.warn_timout = "1m";
}; };
hm.home.persistence."/state".directories = [ hm.home.persistence."/state".directories = [
".local/share/direnv" ".local/share/direnv"
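Review bot: The new option on the fourth line of this hunk misspells the direnv key: `config.warn_timout = "1m";` should be `config.warn_timeout = "1m";`. `programs.direnv.config` is serialized to direnv.toml as given, so the misspelled key is emitted but has no effect and the default warning threshold stays in force, which is easy to miss because nothing fails at build time. The enclosing attribute set starts before the hunk.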


@ -26,16 +26,6 @@
user = "root"; user = "root";
}; };
"testienix" = {
hostname = "testienix.local";
user = "root";
};
"patricknix" = {
hostname = "patricknix.local";
user = "root";
};
"maddy" = { "maddy" = {
hostname = config.secrets.secrets.global.user.hetzner_ip; hostname = config.secrets.secrets.global.user.hetzner_ip;
user = "root"; user = "root";
@ -45,10 +35,6 @@
user = "root"; user = "root";
}; };
"desktopnix" = {
hostname = "desktopnix.local";
user = "root";
};
"*" = { "*" = {
user = "root"; user = "root";
identitiesOnly = true; identitiesOnly = true;