feat: format via 'ls **/*.nix | each { |it| nixfmt $it.name }'

Ryan Yin
2025-07-30 12:17:24 +08:00
parent d10b30b06b
commit 13bb77108c
219 changed files with 2103 additions and 1728 deletions


@@ -24,7 +24,10 @@ in
boot.loader.efi.efiSysMountPoint = "/boot";
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["x86_64-linux" "riscv64-linux"];
boot.binfmt.emulatedSystems = [
"x86_64-linux"
"riscv64-linux"
];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = lib.mkForce [
"ext4"
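Review bot: The comment above `boot.binfmt.emulatedSystems` names aarch64-linux, but the list it describes registers `x86_64-linux` and `riscv64-linux`; it looks copied from a host of a different architecture. I would change it to `# Enable binfmt emulation of x86_64-linux and riscv64-linux, this is required for cross compilation.` binfmt registration lets foreign-architecture binaries run transparently on the machine, so the comment should name exactly what is enabled for anyone auditing the host. The enclosing attribute set starts and ends outside this hunk.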


@@ -6,7 +6,8 @@ _:
#############################################################
let
hostname = "fern";
in {
in
{
networking.hostName = hostname;
networking.computerName = hostname;
system.defaults.smb.NetBIOSName = hostname;


@@ -1,5 +1,8 @@
{config, ...}: let
{ config, ... }:
let
hostName = "fern";
in {
programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}";
in
{
programs.ssh.matchBlocks."github.com".identityFile =
"${config.home.homeDirectory}/.ssh/${hostName}";
}


@@ -6,7 +6,8 @@ _:
#############################################################
let
hostname = "frieren";
in {
in
{
networking.hostName = hostname;
networking.computerName = hostname;
system.defaults.smb.NetBIOSName = hostname;


@@ -1,5 +1,8 @@
{config, ...}: let
{ config, ... }:
let
hostName = "frieren";
in {
programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}";
in
{
programs.ssh.matchBlocks."github.com".identityFile =
"${config.home.homeDirectory}/.ssh/${hostName}";
}


@@ -1,3 +1,4 @@
{mylib, ...}: {
{ mylib, ... }:
{
imports = mylib.scanPaths ./.;
}


@@ -2,13 +2,15 @@
pkgs,
nixpkgs-ollama,
...
}: let
}:
let
pkgs-ollama = import nixpkgs-ollama {
inherit (pkgs) system;
# To use cuda, we need to allow the installation of non-free software
config.allowUnfree = true;
};
in {
in
{
services.ollama = rec {
enable = true;
package = pkgs-ollama.ollama;


@@ -1,4 +1,4 @@
{myvars, ...}:
{ myvars, ... }:
#############################################################
#
# Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -11,7 +11,8 @@ let
inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4 ipv6;
ipv4WithMask = "${ipv4}/24";
ipv6WithMask = "${ipv6}/64";
in {
in
{
imports = [
./netdev-mount.nix
# Include the results of the hardware scan.
@@ -35,9 +36,12 @@ in {
systemd.network.enable = true;
systemd.network.networks."10-${iface}" = {
matchConfig.Name = [iface];
matchConfig.Name = [ iface ];
networkConfig = {
Address = [ipv4WithMask ipv6WithMask];
Address = [
ipv4WithMask
ipv6WithMask
];
DNS = nameservers;
DHCP = "ipv6"; # enable DHCPv6 only, so we can get a GUA.
IPv6AcceptRA = true; # for Stateless IPv6 Autoconfiguraton (SLAAC)


@@ -1,3 +1,4 @@
{mylib, ...}: {
{ mylib, ... }:
{
imports = mylib.scanPaths ./.;
}


@@ -5,7 +5,8 @@
nix-gaming,
lib,
...
}: let
}:
let
programs = lib.makeBinPath [
config.programs.hyprland.package
pkgs.coreutils
@@ -25,7 +26,8 @@
hyprctl --batch 'keyword decoration:blur 1 ; keyword animations:enabled 1 ; keyword misc:vfr 1'
powerprofilesctl set power-saver
'';
in {
in
{
# Optimise Linux system performance on demand
# https://github.com/FeralInteractive/GameMode
# https://wiki.archlinux.org/title/Gamemode


@@ -1,5 +1,6 @@
# https://github.com/fufexan/dotfiles/blob/483680e/system/programs/steam.nix
{pkgs, ...}: {
{ pkgs, ... }:
{
# https://wiki.archlinux.org/title/steam
# Games installed by Steam works fine on NixOS, no other configuration needed.
programs.steam = {
@@ -15,8 +16,8 @@
# fix gamescope inside steam
package = pkgs.steam.override {
extraPkgs = pkgs:
with pkgs; [
extraPkgs =
pkgs: with pkgs; [
xorg.libXcursor
xorg.libXi
xorg.libXinerama


@@ -7,7 +7,8 @@
pkgs,
modulesPath,
...
}: {
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
@@ -21,16 +22,26 @@
boot.kernelPackages = pkgs.linuxPackages_latest;
# boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"]; # kvm virtualization support
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; # kvm virtualization support
boot.extraModprobeConfig = "options kvm_intel nested=1"; # for intel cpu
boot.extraModulePackages = [];
boot.extraModulePackages = [ ];
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"riscv64-linux"
];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
@@ -67,7 +78,7 @@
fsType = "btrfs";
# btrfs's top-level subvolume, internally has an id 5
# we can access all other subvolumes from this subvolume.
options = ["subvolid=5"];
options = [ "subvolid=5" ];
};
# equal to `mount -t tmpfs tmpfs /`
@@ -76,26 +87,40 @@
fsType = "tmpfs";
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
# relatime: Update inode access times relative to modify or change time.
options = ["relatime" "mode=755"];
options = [
"relatime"
"mode=755"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@nix" "noatime" "compress-force=zstd:1"];
options = [
"subvol=@nix"
"noatime"
"compress-force=zstd:1"
];
};
# for guix store, which use `/gnu/store` as its store directory.
fileSystems."/gnu" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@guix" "noatime" "compress-force=zstd:1"];
options = [
"subvol=@guix"
"noatime"
"compress-force=zstd:1"
];
};
fileSystems."/persistent" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@persistent" "compress-force=zstd:1"];
options = [
"subvol=@persistent"
"compress-force=zstd:1"
];
# preservation's data is required for booting.
neededForBoot = true;
};
@@ -103,30 +128,42 @@
fileSystems."/snapshots" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@snapshots" "compress-force=zstd:1"];
options = [
"subvol=@snapshots"
"compress-force=zstd:1"
];
};
fileSystems."/tmp" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@tmp" "compress-force=zstd:1"];
options = [
"subvol=@tmp"
"compress-force=zstd:1"
];
};
# mount swap subvolume in readonly mode.
fileSystems."/swap" = {
device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
fsType = "btrfs";
options = ["subvol=@swap" "ro"];
options = [
"subvol=@swap"
"ro"
];
};
# remount swapfile in read-write mode
fileSystems."/swap/swapfile" = {
# the swapfile is located in /swap subvolume, so we need to mount /swap first.
depends = ["/swap"];
depends = [ "/swap" ];
device = "/swap/swapfile";
fsType = "none";
options = ["bind" "rw"];
options = [
"bind"
"rw"
];
};
fileSystems."/boot" = {
@@ -135,7 +172,7 @@
};
swapDevices = [
{device = "/swap/swapfile";}
{ device = "/swap/swapfile"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@@ -1,4 +1,5 @@
{config, ...}: {
{ config, ... }:
{
modules.desktop = {
hyprland = {
nvidia = true;


@@ -2,7 +2,8 @@
config,
myvars,
...
}: {
}:
{
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
# "cifs"


@@ -1,4 +1,5 @@
{config, ...}: {
{ config, ... }:
{
# ===============================================================================================
# for Nvidia GPU
# https://wiki.nixos.org/wiki/NVIDIA
@@ -10,7 +11,7 @@
# enabling it is required to make Wayland compositors function properly.
"nvidia-drm.fbdev=1"
];
services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
services.xserver.videoDrivers = [ "nvidia" ]; # will install nvidia-vaapi-driver by default
hardware.nvidia = {
# Open-source kernel modules are preferred over and planned to steadily replace proprietary modules
open = true;


@@ -3,9 +3,11 @@
pkgs,
myvars,
...
}: let
}:
let
inherit (myvars) username;
in {
in
{
imports = [
preservation.nixosModules.default
];
@@ -330,27 +332,29 @@ in {
# Note that immediate parent directories of persisted files can also be
# configured with ownership and permissions from the `parent` settings if
# `configureParent = true` is set for the file.
systemd.tmpfiles.settings.preservation = let
permission = {
user = username;
group = "users";
mode = "0755";
systemd.tmpfiles.settings.preservation =
let
permission = {
user = username;
group = "users";
mode = "0755";
};
in
{
"/home/${username}/.config".d = permission;
"/home/${username}/.cache".d = permission;
"/home/${username}/.local".d = permission;
"/home/${username}/.local/share".d = permission;
"/home/${username}/.local/state".d = permission;
"/home/${username}/.local/state/nix".d = permission;
"/home/${username}/.terraform.d".d = permission;
};
in {
"/home/${username}/.config".d = permission;
"/home/${username}/.cache".d = permission;
"/home/${username}/.local".d = permission;
"/home/${username}/.local/share".d = permission;
"/home/${username}/.local/state".d = permission;
"/home/${username}/.local/state/nix".d = permission;
"/home/${username}/.terraform.d".d = permission;
};
# systemd-machine-id-commit.service would fail but it is not relevant
# in this specific setup for a persistent machine-id so we disable it
#
# see the firstboot example below for an alternative approach
systemd.suppressedSystemUnits = ["systemd-machine-id-commit.service"];
systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];
# let the service commit the transient ID to the persistent volume
systemd.services.systemd-machine-id-commit = {
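Review bot: The `permission` set in the `systemd.tmpfiles.settings.preservation` block uses `mode = "0755"`, which leaves `~/.config`, `~/.local/share`, `~/.local/state` and `~/.terraform.d` listable and traversable by every local account. Those directories commonly hold tool configuration and tokens, so unless another user or service needs to read them, `mode = "0700";` would be the safer default. Whether the home directory itself is already restricted is not visible here, so treat this as something to confirm. The same `permission` set appears in the second preservation section further down the page (the one without `.cache`).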


@@ -3,7 +3,8 @@
lib,
lanzaboote,
...
}: {
}:
{
# How to enter setup mode - msi motherboard
## 1. enter BIOS via [Del] Key
## 2. <Advance mode> => <Settings> => <Security> => <Secure Boot>


@@ -3,7 +3,8 @@
config,
wallpapers,
...
}: let
}:
let
hostCommonConfig = ''
encode zstd gzip
tls ${../../certs/ecc-server.crt} ${config.age.secrets."caddy-ecc-server.key".path} {
@@ -11,7 +12,8 @@
curves x25519 secp384r1 secp521r1
}
'';
in {
in
{
services.caddy = {
enable = true;
# Reload Caddy instead of restarting it when configuration file changes.
@@ -124,7 +126,10 @@ in {
# reverse_proxy http://localhost:9090
# '';
};
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedTCPPorts = [
80
443
];
# Create Directories
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type


@@ -17,12 +17,11 @@ let
inherit (myvars.networking) defaultGateway defaultGateway6 nameservers;
inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4;
ipv4WithMask = "${ipv4}/24";
in {
imports =
(mylib.scanPaths ./.)
++ [
disko.nixosModules.default
];
in
{
imports = (mylib.scanPaths ./.) ++ [
disko.nixosModules.default
];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
@@ -42,7 +41,7 @@ in {
zramSwap.memoryPercent = lib.mkForce 100;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = ["kvm-amd"];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
@@ -57,9 +56,9 @@ in {
systemd.network.enable = true;
systemd.network.networks."10-${iface}" = {
matchConfig.Name = [iface];
matchConfig.Name = [ iface ];
networkConfig = {
Address = [ipv4WithMask];
Address = [ ipv4WithMask ];
DNS = nameservers;
DHCP = "ipv6"; # enable DHCPv6 only, so we can get a GUA.
IPv6AcceptRA = true; # for Stateless IPv6 Autoconfiguraton (SLAAC)


@@ -3,8 +3,9 @@
let
cryptKeyFile = "/etc/agenix/hdd-luks-crypt-key";
unlockDisk = "data-encrypted";
in {
fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];
in
{
fileSystems."/data/fileshare/public".depends = [ "/data/fileshare" ];
# By adding this crypttab entry, the disk will be unlocked by systemd-cryptsetup@xxx.service at boot time.
# This systemd service is running after agenix, so that the keyfile is already available.
@@ -59,7 +60,7 @@ in {
];
content = {
type = "btrfs";
extraArgs = ["-f"]; # Force override existing partition
extraArgs = [ "-f" ]; # Force override existing partition
subvolumes = {
"@apps" = {
mountpoint = "/data/apps";
@@ -71,15 +72,27 @@ in {
};
"@fileshare" = {
mountpoint = "/data/fileshare";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
mountOptions = [
"compress-force=zstd:1"
"noatime"
"nofail"
];
};
"@backups" = {
mountpoint = "/data/backups";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
mountOptions = [
"compress-force=zstd:1"
"noatime"
"nofail"
];
};
"@snapshots" = {
mountpoint = "/data/apps-snapshots";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
mountOptions = [
"compress-force=zstd:1"
"noatime"
"nofail"
];
};
};
};
@@ -101,7 +114,10 @@ in {
subvolumes = {
"@persistent" = {
mountpoint = "/data/fileshare/public";
mountOptions = ["compress-force=zstd:1" "nofail"];
mountOptions = [
"compress-force=zstd:1"
"nofail"
];
};
};
};


@@ -1,3 +1,4 @@
{mylib, ...}: {
{ mylib, ... }:
{
imports = mylib.scanPaths ./.;
}


@@ -1,4 +1,5 @@
{pkgs, ...}: {
{ pkgs, ... }:
{
# https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/misc/gitea.nix
services.gitea = {
enable = true;


@@ -2,7 +2,8 @@
config,
myvars,
...
}: {
}:
{
services.grafana = {
enable = true;
dataDir = "/data/apps/grafana";


@@ -1,7 +1,9 @@
{config, ...}: let
dataDir = ["/data/apps/minio/data"];
{ config, ... }:
let
dataDir = [ "/data/apps/minio/data" ];
configDir = "/data/apps/minio/config";
in {
in
{
# https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/web-servers/minio.nix
services.minio = {
enable = true;


@@ -1,4 +1,5 @@
{config, ...}: {
{ config, ... }:
{
services.prometheus.alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
@@ -22,7 +23,7 @@
receiver = "default";
routes = [
{
group_by = ["host"];
group_by = [ "host" ];
group_wait = "5m";
group_interval = "5m";
repeat_interval = "4h";


@@ -1,4 +1,5 @@
{mylib, ...}: {
{ mylib, ... }:
{
imports = [
./victoriametrics.nix
./alertmanager.nix


@@ -2,10 +2,11 @@
lib,
myvars,
...
}: {
}:
{
# Since victoriametrics use DynamicUser, the user & group do not exists before the service starts.
# this group is used as a supplementary Unix group for the service to access our data dir(/data/apps/xxx)
users.groups.victoriametrics-data = {};
users.groups.victoriametrics-data = { };
# Workaround for victoriametrics to store data in another place
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type
@@ -16,8 +17,8 @@
# Symlinks do not work with DynamicUser, so we should use bind mount here.
# https://github.com/systemd/systemd/issues/25097#issuecomment-1929074961
systemd.services.victoriametrics.serviceConfig = {
SupplementaryGroups = ["victoriametrics-data"];
BindPaths = ["/data/apps/victoriametrics:/var/lib/victoriametrics:rbind"];
SupplementaryGroups = [ "victoriametrics-data" ];
BindPaths = [ "/data/apps/victoriametrics:/var/lib/victoriametrics:rbind" ];
};
# https://victoriametrics.io/docs/victoriametrics/latest/configuration/configuration/
@@ -36,87 +37,83 @@
# specifies a set of targets and parameters describing how to scrape metrics from them.
# https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
prometheusConfig = {
scrape_configs =
[
# --- Homelab Applications --- #
scrape_configs = [
# --- Homelab Applications --- #
{
job_name = "dnsmasq-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
labels.type = "app";
labels.app = "dnsmasq";
labels.host = "suzi";
}
];
}
{
job_name = "dnsmasq-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = [ "${myvars.networking.hostsAddr.suzi.ipv4}:9153" ];
labels.type = "app";
labels.app = "dnsmasq";
labels.host = "suzi";
}
];
}
{
job_name = "v2ray-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = [ "${myvars.networking.hostsAddr.aquamarine.ipv4}:9153" ];
labels.type = "app";
labels.app = "v2ray";
labels.host = "aquamarine";
}
];
}
{
job_name = "postgres-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = [ "${myvars.networking.hostsAddr.aquamarine.ipv4}:9187" ];
labels.type = "app";
labels.app = "postgresql";
labels.host = "aquamarine";
}
];
}
{
job_name = "sftpgo-embedded-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = [ "${myvars.networking.hostsAddr.aquamarine.ipv4}:10000" ];
labels.type = "app";
labels.app = "sftpgo";
labels.host = "aquamarine";
}
];
}
]
# --- Hosts --- #
++ (lib.attrsets.foldlAttrs (
acc: hostname: addr:
acc
++ [
{
job_name = "v2ray-exporter";
job_name = "node-exporter-${hostname}";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9153"];
labels.type = "app";
labels.app = "v2ray";
labels.host = "aquamarine";
}
];
}
{
job_name = "postgres-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9187"];
labels.type = "app";
labels.app = "postgresql";
labels.host = "aquamarine";
}
];
}
{
job_name = "sftpgo-embedded-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:10000"];
labels.type = "app";
labels.app = "sftpgo";
labels.host = "aquamarine";
# All my NixOS hosts.
targets = [ "${addr.ipv4}:9100" ];
labels.type = "node";
labels.host = hostname;
}
];
}
]
# --- Hosts --- #
++ (
lib.attrsets.foldlAttrs
(acc: hostname: addr:
acc
++ [
{
job_name = "node-exporter-${hostname}";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
# All my NixOS hosts.
targets = ["${addr.ipv4}:9100"];
labels.type = "node";
labels.host = hostname;
}
];
}
])
[]
myvars.networking.hostsAddr
);
) [ ] myvars.networking.hostsAddr);
};
};
@@ -124,7 +121,7 @@
enable = true;
settings = {
"datasource.url" = "http://localhost:9090";
"notifier.url" = ["http://localhost:9093"]; # alertmanager's api
"notifier.url" = [ "http://localhost:9093" ]; # alertmanager's api
# Whether to disable long-lived connections to the datasource.
"datasource.disableKeepAlive" = true;
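Review bot: In the `scrape_configs` hunk the per-host jobs are still built with `lib.attrsets.foldlAttrs` and `acc ++ [ … ]`, a fold that only appends one element per attribute; `lib.mapAttrsToList` says that directly and drops the accumulator. The tail of the list would read `++ (lib.mapAttrsToList (hostname: addr: { job_name = "node-exporter-${hostname}"; … }) myvars.networking.hostsAddr);` with the job body unchanged. Because every entry in `myvars.networking.hostsAddr` becomes a scrape target on port 9100, I would also extend the `# --- Hosts --- #` comment to say that adding a host there enrols it in monitoring.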


@@ -2,7 +2,8 @@
lib,
mylib,
...
}: {
}:
{
imports = mylib.scanPaths ./.;
virtualisation = {
@@ -17,7 +18,7 @@
autoPrune = {
enable = true;
dates = "weekly";
flags = ["--all"];
flags = [ "--all" ];
};
};


@@ -2,11 +2,13 @@
config,
pkgs,
...
}: let
}:
let
user = "homepage";
configDir = "/data/apps/homepage-dashboard";
in {
users.groups.${user} = {};
in
{
users.groups.${user} = { };
users.users.${user} = {
group = user;
home = configDir;
@@ -26,7 +28,7 @@ in {
homepage = {
hostname = "homepage";
image = "ghcr.io/gethomepage/homepage:latest";
ports = ["127.0.0.1:54401:3000"];
ports = [ "127.0.0.1:54401:3000" ];
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
environment = {
# "PUID" = config.users.users.${user}.uid;
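Review bot: `image = "ghcr.io/gethomepage/homepage:latest"` in the second hunk tracks a mutable tag, so the container content can change on any pull without a change in this repository. Pinning a release tag, ideally with a digest (`image = "ghcr.io/gethomepage/homepage:<VERSION>@sha256:<DIGEST>";`, both placeholders), would make image updates reviewable like the rest of the configuration. The comment link above `environment` points at the uptime-kuma wiki and looks copied from the uptime-kuma module; it should reference the homepage documentation instead. The container definition continues past the end of this hunk.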


@@ -1,8 +1,10 @@
{config, ...}: let
{ config, ... }:
let
user = "kuma";
dataDir = "/data/apps/uptime-kuma";
in {
users.groups.${user} = {};
in
{
users.groups.${user} = { };
users.users.${user} = {
group = user;
home = dataDir;
@@ -21,7 +23,7 @@ in {
uptime-kuma = {
hostname = "uptime-kuma";
image = "louislam/uptime-kuma:1";
ports = ["127.0.0.1:53350:3001"];
ports = [ "127.0.0.1:53350:3001" ];
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
environment = {
# "PUID" = config.users.users.${user}.uid;


@@ -4,13 +4,15 @@
lib,
myvars,
...
}: let
}:
let
inherit (myvars) username;
user = "postgres"; # postgresql's default system user
package = pkgs.postgresql_16;
dataDir = "/data/apps/postgresql/${package.psqlSchema}";
in {
in
{
# Create Directories
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type
systemd.tmpfiles.rules = [
@@ -58,8 +60,8 @@ in {
"--allow-group-access"
];
extraPlugins = ps:
with ps; [
extraPlugins =
ps: with ps; [
# postgis
# pg_repack
];


@@ -5,7 +5,7 @@
enable = true;
config = {
# for monitoring
"stats" = {};
"stats" = { };
"api" = {
"tag" = "api";
"services" = [


@@ -1,8 +1,10 @@
{pkgs, ...}: let
{ pkgs, ... }:
let
passwordFile = "/etc/agenix/restic-password";
sshKeyPath = "/etc/agenix/ssh-key-for-restic-backup";
rcloneConfigFile = "/etc/agenix/rclone-conf-for-restic-backup";
in {
in
{
# https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/backup/restic.nix
services.restic.backups = {
homelab-backup = {
@@ -29,7 +31,7 @@ in {
# Patterns to exclude when backing up. See
# https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
# for details on syntax.
exclude = [];
exclude = [ ];
# A script that must run before starting the backup process.
backupPrepareCommand = ''


@@ -1,7 +1,9 @@
{config, ...}: let
{ config, ... }:
let
user = "sftpgo";
dataDir = "/data/apps/sftpgo";
in {
in
{
# Read SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD from a file
systemd.services.sftpgo.serviceConfig.EnvironmentFile = config.age.secrets."sftpgo.env".path;


@@ -2,10 +2,12 @@
config,
myvars,
...
}: let
}:
let
dataDir = "/data/fileshare/public/transmission";
name = "transmission";
in {
in
{
# the headless Transmission BitTorrent daemon
# https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/torrent/transmission.nix
# https://wiki.archlinux.org/title/transmission


@@ -14,7 +14,8 @@ let
inherit (myvars.networking) defaultGateway defaultGateway6 nameservers;
inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4;
ipv4WithMask = "${ipv4}/24";
in {
in
{
imports = mylib.scanPaths ./.;
# supported file systems, so we can mount any removable disks with these filesystems
@@ -29,7 +30,7 @@ in {
"exfat"
];
boot.kernelModules = ["kvm-amd"];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
@@ -44,9 +45,9 @@ in {
systemd.network.enable = true;
systemd.network.networks."10-${iface}" = {
matchConfig.Name = [iface];
matchConfig.Name = [ iface ];
networkConfig = {
Address = [ipv4WithMask];
Address = [ ipv4WithMask ];
DNS = nameservers;
DHCP = "ipv6"; # enable DHCPv6 only, so we can get a GUA.
IPv6AcceptRA = true; # for Stateless IPv6 Autoconfiguraton (SLAAC)


@@ -14,11 +14,15 @@ let
inherit (myvars.networking) defaultGateway defaultGateway6 nameservers;
inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4;
ipv4WithMask = "${ipv4}/24";
in {
in
{
imports = mylib.scanPaths ./.;
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"riscv64-linux"
];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
@@ -31,7 +35,7 @@ in {
"exfat"
];
boot.kernelModules = ["kvm-amd"];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
@@ -46,9 +50,9 @@ in {
systemd.network.enable = true;
systemd.network.networks."10-${iface}" = {
matchConfig.Name = [iface];
matchConfig.Name = [ iface ];
networkConfig = {
Address = [ipv4WithMask];
Address = [ ipv4WithMask ];
DNS = nameservers;
DHCP = "ipv6"; # enable DHCPv6 only, so we can get a GUA.
IPv6AcceptRA = true; # for Stateless IPv6 Autoconfiguraton (SLAAC)


@@ -6,7 +6,7 @@
fileSystems."/run/media/nixos_k3s" = {
device = "/dev/disk/by-label/NIXOS_K3S";
fsType = "vfat";
options = ["ro"];
options = [ "ro" ];
};
disko.devices = {
@@ -76,7 +76,7 @@
];
content = {
type = "btrfs";
extraArgs = ["-f"]; # Force override existing partition
extraArgs = [ "-f" ]; # Force override existing partition
subvolumes = {
# mount the top-level subvolume at /btr_pool
# it will be used by btrbk to create snapshots
@@ -84,23 +84,35 @@
mountpoint = "/btr_pool";
# btrfs's top-level subvolume, internally has an id 5
# we can access all other subvolumes from this subvolume.
mountOptions = ["subvolid=5"];
mountOptions = [ "subvolid=5" ];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = ["compress-force=zstd:1" "noatime"];
mountOptions = [
"compress-force=zstd:1"
"noatime"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = ["compress-force=zstd:1" "noatime"];
mountOptions = [
"compress-force=zstd:1"
"noatime"
];
};
"@tmp" = {
mountpoint = "/tmp";
mountOptions = ["compress-force=zstd:1" "noatime"];
mountOptions = [
"compress-force=zstd:1"
"noatime"
];
};
"@snapshots" = {
mountpoint = "/snapshots";
mountOptions = ["compress-force=zstd:1" "noatime"];
mountOptions = [
"compress-force=zstd:1"
"noatime"
];
};
"@swap" = {
mountpoint = "/swap";


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-prod-1-master-1"; # Define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -28,11 +29,10 @@
# "--service-cidr=172.21.0.0/16,fdfd:cafe:00:8003::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-prod-1-master-2"; # define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -27,11 +28,10 @@
# "--service-cidr=172.21.0.0/16,fdfd:cafe:00:8003::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-prod-1-master-3"; # define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -27,11 +28,10 @@
# "--service-cidr=172.21.0.0/16,fdfd:cafe:00:8003::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-prod-1-worker-1"; # define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -26,11 +27,10 @@
# "--service-cidr=172.21.0.0/16,fdfd:cafe:00:8003::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-prod-1-worker-2"; # define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -26,11 +27,10 @@
# "--service-cidr=172.21.0.0/16,fdfd:cafe:00:8003::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-prod-1-worker-3"; # define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -26,11 +27,10 @@
# "--service-cidr=172.21.0.0/16,fdfd:cafe:00:8003::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-test-1-master-1"; # Define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -29,11 +30,10 @@
# "--service-cidr=172.19.0.0/16,fdfd:cafe:00:8002::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-test-1-master-2"; # define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -27,11 +28,10 @@
# "--service-cidr=172.19.0.0/16,fdfd:cafe:00:8002::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -4,7 +4,8 @@
myvars,
mylib,
...
}: let
}:
let
hostName = "k3s-test-1-master-3"; # define your hostname.
coreModule = mylib.genKubeVirtGuestModule {
@@ -27,11 +28,10 @@
# "--service-cidr=172.19.0.0/16,fdfd:cafe:00:8002::/112"
# ];
};
in {
imports =
(mylib.scanPaths ./.)
++ [
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
coreModule
k3sModule
];
}


@@ -5,7 +5,8 @@
myvars,
disko,
...
}: let
}:
let
# MoreFine - S500Plus
hostName = "kubevirt-shoryu"; # Define your hostname.
@@ -45,17 +46,16 @@
# so we should not disable flannel here.
disableFlannel = false;
};
in {
imports =
(mylib.scanPaths ./.)
++ [
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
./hardware-configuration.nix
./preservation.nix
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
./hardware-configuration.nix
./preservation.nix
coreModule
k3sModule
];
boot.kernelParams = [
# disable transparent hugepage(allocate hugepages dynamically)


@@ -4,7 +4,8 @@
pkgs,
modulesPath,
...
}: {
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
@@ -18,12 +19,25 @@
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
boot.kernelModules = ["kvm-amd" "vfio-pci"];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.kernelModules = [
"kvm-amd"
"vfio-pci"
];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"riscv64-linux"
];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"


@@ -3,9 +3,11 @@
pkgs,
myvars,
...
}: let
}:
let
inherit (myvars) username;
in {
in
{
imports = [
preservation.nixosModules.default
];
@@ -68,25 +70,27 @@ in {
# Note that immediate parent directories of persisted files can also be
# configured with ownership and permissions from the `parent` settings if
# `configureParent = true` is set for the file.
systemd.tmpfiles.settings.preservation = let
permission = {
user = username;
group = "users";
mode = "0755";
systemd.tmpfiles.settings.preservation =
let
permission = {
user = username;
group = "users";
mode = "0755";
};
in
{
"/home/${username}/.config".d = permission;
"/home/${username}/.local".d = permission;
"/home/${username}/.local/share".d = permission;
"/home/${username}/.local/state".d = permission;
"/home/${username}/.terraform.d".d = permission;
};
in {
"/home/${username}/.config".d = permission;
"/home/${username}/.local".d = permission;
"/home/${username}/.local/share".d = permission;
"/home/${username}/.local/state".d = permission;
"/home/${username}/.terraform.d".d = permission;
};
# systemd-machine-id-commit.service would fail but it is not relevant
# in this specific setup for a persistent machine-id so we disable it
#
# see the firstboot example below for an alternative approach
systemd.suppressedSystemUnits = ["systemd-machine-id-commit.service"];
systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];
# let the service commit the transient ID to the persistent volume
systemd.services.systemd-machine-id-commit = {


@@ -5,7 +5,8 @@
myvars,
disko,
...
}: let
}:
let
hostName = "kubevirt-shushou"; # Define your hostname.
coreModule = mylib.genKubeVirtHostModule {
@@ -39,17 +40,16 @@
];
disableFlannel = false;
};
in {
imports =
(mylib.scanPaths ./.)
++ [
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
../kubevirt-shoryu/hardware-configuration.nix
../kubevirt-shoryu/preservation.nix
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
../kubevirt-shoryu/hardware-configuration.nix
../kubevirt-shoryu/preservation.nix
coreModule
k3sModule
];
boot.kernelParams = [
# disable transparent hugepage(allocate hugepages dynamically)


@@ -5,7 +5,8 @@
myvars,
disko,
...
}: let
}:
let
hostName = "kubevirt-youko"; # Define your hostname.
coreModule = mylib.genKubeVirtHostModule {
@@ -39,17 +40,16 @@
];
disableFlannel = false;
};
in {
imports =
(mylib.scanPaths ./.)
++ [
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
../kubevirt-shoryu/hardware-configuration.nix
../kubevirt-shoryu/preservation.nix
coreModule
k3sModule
];
in
{
imports = (mylib.scanPaths ./.) ++ [
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
../kubevirt-shoryu/hardware-configuration.nix
../kubevirt-shoryu/preservation.nix
coreModule
k3sModule
];
boot.kernelParams = [
# disable transparent hugepage(allocate hugepages dynamically)