rpqt/flocon
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: rpqt:24e8d8e8239b053d9899a459256493ce9962734c
Branches Tags
rpqt:main rpqt:clan
...
compare: rpqt:main
Branches Tags
rpqt:main rpqt:clan

106 Commits
24e8d8e823 ... main

Author SHA1 Message Date
Romain Paquet
dce4057083 update readme 2026-01-31 14:57:10 +01:00
Romain Paquet
a0234b7b6f nextcloud: add calendar and contacts apps 2026-01-31 14:43:31 +01:00
Romain Paquet
59458a3ba1 haze: use lanzaboote 2026-01-31 14:43:31 +01:00
Romain Paquet
5bd14cffe9 alacritty: auto switch dark/light theme 2026-01-31 14:43:31 +01:00
Romain Paquet
0747388105 nixfmt-rfc-style -> nixfmt 2026-01-31 14:31:38 +01:00
Romain Paquet
240cb89fb7 update flake inputs 2026-01-31 14:31:27 +01:00
Romain Paquet
fc81d4ffc9 add forgejo 2026-01-31 14:31:15 +01:00
Romain Paquet
d0c9fdb625 infra: fix migadu generator 2026-01-31 14:30:05 +01:00
Romain Paquet
fb136061cf add lanzaboote 2026-01-31 14:28:44 +01:00
Romain Paquet
782ac7140d Update vars via generator forgejo-s3-storage for machine verbena 2026-01-23 13:31:31 +01:00
Romain Paquet
01f9ce7503 infra: add missing wireguard dns records 2026-01-20 15:52:31 +01:00
Romain Paquet
1ef49241b4 remove wofi-emoji 2026-01-20 15:32:04 +01:00
Romain Paquet
3d5695c9b3 helix: auto-format ocaml 2026-01-19 22:40:41 +01:00
Romain Paquet
de32fe0db0 migrate infra to terranix 2026-01-19 22:38:28 +01:00
Romain Paquet
32c4eeb2f8 add terranix 2026-01-19 22:37:34 +01:00
Romain Paquet
f1e06aaead Update secret hcloud-token 2026-01-19 15:49:10 +01:00
Romain Paquet
93b923c146 rename nixfmt-rfc-style -> nixfmt 2026-01-18 17:06:18 +01:00
Romain Paquet
123c3edb0e update flake inputs 2026-01-18 14:11:52 +01:00
Romain Paquet
6bb5625bc7 enable nix pipe-operators 2026-01-17 17:32:25 +01:00
Romain Paquet
65792b7ad4 add rage 2026-01-17 17:30:57 +01:00
Romain Paquet
8b9ab0b215 change default user shell to fish 2026-01-17 17:30:00 +01:00
Romain Paquet
f3d5f8e5d7 update flake inputs 2026-01-17 17:27:23 +01:00
Romain Paquet
a8d52b0473 update garage crocus hostname 2026-01-10 13:04:58 +01:00
Romain Paquet
a36f64cb93 add direnv-instant 2026-01-10 13:03:55 +01:00
Romain Paquet
1e8e04bf24 enable pcscd for yubikey 2026-01-06 15:51:35 +01:00
Romain Paquet
87e589e690 add .val search domain 2026-01-06 15:50:45 +01:00
Romain Paquet
c9953d269b remove gandi acme 2026-01-06 15:48:51 +01:00
Romain Paquet
d162591696 infra: allow more recent ovh versions 2026-01-06 15:47:03 +01:00
Romain Paquet
4ce5811615 update flake inputs 2026-01-06 15:46:21 +01:00
Romain Paquet
600e2c26c9 add vaultwarden 2026-01-06 15:46:18 +01:00
Romain Paquet
d3201fbca9 move coredns to port 53 to allow access on android 2026-01-06 15:43:40 +01:00
Romain Paquet
2063550f93 setup internal CA 2026-01-06 15:43:17 +01:00
Romain Paquet
dda8ca5d0f move services to internal clan tld 2026-01-06 15:43:17 +01:00
Romain Paquet
9e3d99231d infra: allow more recent version of ovh provider 2026-01-03 23:43:01 +01:00
Romain Paquet
c79df328de infra: fix terrible copypasta 2026-01-03 23:41:23 +01:00
Romain Paquet
7a8b12bba4 infra: remove gandi 2026-01-03 23:41:11 +01:00
Romain Paquet
caa0179f1d refactor nix module list 2026-01-03 22:57:19 +01:00
Romain Paquet
d2c624fe9c genepi: remove mpd 2026-01-03 22:26:56 +01:00
Romain Paquet
3a2dd0cc0b configure email for aerc 2026-01-03 22:24:11 +01:00
Romain Paquet
afb8dd50f4 niri: reserve first workspace for web 2026-01-03 22:21:52 +01:00
Romain Paquet
82a559e81a remove deleted vars 2026-01-03 22:21:28 +01:00
Romain Paquet
f8fb7a2480 add passage 2026-01-03 22:20:52 +01:00
Romain Paquet
410f63eb31 add jjui 2026-01-03 22:20:36 +01:00
Romain Paquet
2b2b5d30c7 migrate rpqt.fr domain to OVH 2026-01-03 22:17:25 +01:00
Romain Paquet
964b9b5b4e add age-plugin-yubikey for clan vars 2026-01-03 22:15:49 +01:00
Romain Paquet
010c53b6ad remove sway config and outdated dotfiles 2026-01-03 22:11:35 +01:00
Romain Paquet
e7ce8dba6d cleanup flake inputs 2026-01-03 22:11:35 +01:00
Romain Paquet
2d8bf05283 Add key(s) for user rpqt to secrets 2025-12-31 00:22:18 +01:00
Romain Paquet
3206d3f476 Add key(s) for user rpqt to secrets 2025-12-31 00:21:10 +01:00
Romain Paquet
7d34c5c7c0 add delta diff for nixpkgs-review 2025-12-27 18:23:45 +01:00
Romain Paquet
9c266bf1df remove taskwarrior 2025-12-27 18:23:30 +01:00
Romain Paquet
2eb70b7108 dms: use nixpkgs version 2025-12-18 17:43:03 +01:00
Romain Paquet
3dbb7e4a7e update flake inputs 2025-12-18 17:43:03 +01:00
Romain Paquet
e0ffd779f0 niri: use dms generated config files 2025-12-18 17:42:59 +01:00
Romain Paquet
421e978aa4 home-manager: set EDITOR explicitly 2025-12-18 16:46:06 +01:00
Romain Paquet
5356d3043f haze: remove deprecated nameservers 2025-12-12 23:24:00 +01:00
Romain Paquet
ae8d0f69e1 haze: add typst and anki 2025-12-12 23:23:00 +01:00
Romain Paquet
25189d72f2 niri: use dms to change display brightness 2025-12-12 23:21:53 +01:00
Romain Paquet
13b4a15aee vicinae: add config 2025-12-12 23:20:44 +01:00
Romain Paquet
8d328aecf3 garage: also listen on wireguard network 2025-12-12 23:16:29 +01:00
Romain Paquet
4f197b4319 vicinae: remove input and use home-manager option 2025-12-12 23:15:47 +01:00
Romain Paquet
3cc9ddccb6 update flake inputs 2025-12-12 19:34:58 +01:00
Romain Paquet
d92ea6d742 move radicle module 2025-12-12 19:34:58 +01:00
Romain Paquet
0096acaf81 radicle: add pinned repositories 2025-12-12 19:24:54 +01:00
Romain Paquet
299bf4ea85 genepi: add password for synchthing-gui 2025-12-01 23:43:40 +01:00
Romain Paquet
5d329ed845 update flake inputs 2025-12-01 23:41:11 +01:00
Romain Paquet
f970fc0623 Update vars via generator syncthing-gui for machine genepi 2025-11-29 14:06:57 +01:00
Romain Paquet
4474dbad90 remove ignis desktop 2025-11-27 16:08:18 +01:00
Romain Paquet
eb16cd96fa add atuin key as clan var 2025-11-27 16:07:36 +01:00
Romain Paquet
b917f503da Update vars via generator atuin for machine haze 2025-11-27 15:56:54 +01:00
Romain Paquet
f7700cadd5 add pixel-7a to wireguard network 
Hard-coded for now until clan-core/wireguard
supports external peers.
 2025-11-27 14:56:53 +01:00
Romain Paquet
b84078220c remove unbound dns auth-zone 
This was moved to coredns to avoid confusion
between the authoritative server and the local
resolver.
 2025-11-27 14:55:26 +01:00
Romain Paquet
09f57a1e6f clan: migrate internal DNS to coredns service 
Currently using a patched version of the upstream
coredns service, with hard-coded IPs until
wireguard exports are supported.

Zerotier connections were flaky and wireguard
seems more stable (although it seems to have a bit
less throughput).
 2025-11-27 14:52:45 +01:00
Romain Paquet
de99dad887 clan: add temporary patched coredns service 
Needed for IPv6 support, and to set the host names
in the auth zone.
 2025-11-27 14:50:44 +01:00
Romain Paquet
e1219f26c3 borg: accept new ssh host keys 2025-11-27 14:48:44 +01:00
Romain Paquet
26600f0647 ssh: add hostnames 2025-11-24 17:39:44 +01:00
Romain Paquet
33721c639c verbena: remove default acme email 2025-11-24 17:39:44 +01:00
Romain Paquet
680def4278 genepi: open web ports to wireguard network 2025-11-24 17:39:44 +01:00
Romain Paquet
18cb4dfc1c sq 2025-11-24 17:39:44 +01:00
Romain Paquet
a81d006e64 clan: use infra output IPs for internet connector 2025-11-24 17:19:27 +01:00
Romain Paquet
6e14a60047 genepi: add terminfo 2025-11-24 17:18:01 +01:00
Romain Paquet
7f80af6b0c set adwaita as default font 2025-11-24 17:17:25 +01:00
Romain Paquet
64c00fe618 vicinae: use nixpkgs package 2025-11-24 17:15:24 +01:00
Romain Paquet
d7243cc7c3 verbena: replace IP literals with infra ouputs 2025-11-24 17:13:57 +01:00
Romain Paquet
649f58d875 home-manager: add yazi 2025-11-24 17:13:13 +01:00
Romain Paquet
c9e10e4081 update flake inputs 2025-11-24 17:12:52 +01:00
Romain Paquet
5f6ba8e29d infra: add flake module and crocus exports 2025-11-24 17:12:29 +01:00
Romain Paquet
925cf3140c Update vars via generator step-intermediate-cert for machine verbena 2025-11-22 15:02:45 +01:00
Romain Paquet
bfe95b15ef Update vars via generator step-intermediate-key for machine verbena 2025-11-22 15:02:44 +01:00
Romain Paquet
0a232abe5f Update vars via generator step-ca for machine crocus 2025-11-22 15:02:44 +01:00
Romain Paquet
a0bec48175 nautilus: enable thumbnails for remote directories 2025-11-21 23:29:48 +01:00
Romain Paquet
080ec61675 genepi: remove taskchampion (unused) 2025-11-21 23:29:26 +01:00
Romain Paquet
3b9f67c0ff haze: add anytype 2025-11-21 23:27:34 +01:00
Romain Paquet
f99575598c nautilus: add "open in ghostty" menu 2025-11-21 23:26:57 +01:00
Romain Paquet
5ddfda7187 clan: set tld to .val 2025-11-21 23:25:53 +01:00
Romain Paquet
7256b7fbc3 clan: add wireguard 2025-11-21 23:25:29 +01:00
Romain Paquet
abaf429a38 verbena: configure IPv6 from tofu outputs 2025-11-21 23:24:22 +01:00
Romain Paquet
3834f215f0 Update vars via generator wireguard-network-wireguard for machine genepi 2025-11-21 17:53:26 +01:00
Romain Paquet
75b2307f82 Update vars via generator wireguard-keys-wireguard for machine genepi 2025-11-21 17:53:26 +01:00
Romain Paquet
98653cb2e6 Update vars via generator wireguard-network-wireguard for machine crocus 2025-11-21 17:53:25 +01:00
Romain Paquet
11c3e87132 Update vars via generator wireguard-keys-wireguard for machine crocus 2025-11-21 17:53:25 +01:00
Romain Paquet
08f14e8d9f Update vars via generator wireguard-network-wireguard for machine haze 2025-11-21 17:24:47 +01:00
Romain Paquet
e42cb7edd3 Update vars via generator wireguard-keys-wireguard for machine haze 2025-11-21 17:24:47 +01:00
Romain Paquet
575e78e473 Update vars via generator wireguard-network-wireguard for machine verbena 2025-11-21 16:59:22 +01:00
Romain Paquet
92e49d0c9c Update vars via generator wireguard-keys-wireguard for machine verbena 2025-11-21 16:59:22 +01:00
Romain Paquet
c048448b6a update flake inputs 2025-11-21 13:07:13 +01:00
222 changed files with 2732 additions and 1846 deletions
Expand all files Collapse all files

20
README.md
View File

@@ -1,15 +1,18 @@
# NixOS & Home Manager config # Flocon
This repository contains all my system configurations, mostly deployed using Nix and [Clan]. This repository contains all my system configurations, mostly deployed using Nix and [Clan].
## Structure ## Structure
- **home**: Dotfiles - **clan**: Clan configuration
- **machines**: Host-specific configs
- **infra**: Terraform/OpenTofu files
- **vars**: Encrypted secrets managed by clan
- **modules**: NixOS modules
- **clanServices**: Custom [Clan Services](https://docs.clan.lol/reference/clanServices) - **clanServices**: Custom [Clan Services](https://docs.clan.lol/reference/clanServices)
- **home**: Dotfiles
- **home-manager**: [Home Manager] modules
- **infra**: [Terranix] files (for Terraform/OpenTofu)
- **machines**: Per-host configurations
- **modules**: [NixOS] modules
- **packages**: Nix packages
- **vars**: Encrypted secrets managed by clan
## Dotfiles ## Dotfiles
@@ -19,4 +22,7 @@ This repository contains all my system configurations, mostly deployed using Nix
dotbot -c ./dotbot/windows.yaml -d home dotbot -c ./dotbot/windows.yaml -d home
``` ```
[Clan]: https//clan.lol [Clan]: https://clan.lol
[Home Manager]: https://home-manager.dev
[NixOS]: https://nixos.org
[Terranix]: https://terranix.org

7
clan/flake-module.nix
View File

@@ -7,6 +7,11 @@
]; ];
clan.meta.name = "blossom"; clan.meta.name = "blossom";
clan.meta.domain = "val";
clan.secrets.age.plugins = [
"age-plugin-yubikey"
];
clan.inventory.instances."rpqt-admin" = { clan.inventory.instances."rpqt-admin" = {
module.input = "clan-core"; module.input = "clan-core";
@@ -113,7 +118,7 @@
repo = "${user}@${host}:./borgbackup/${config.networking.hostName}"; repo = "${user}@${host}:./borgbackup/${config.networking.hostName}";
rsh = "ssh -oPort=23 -i ${ rsh = "ssh -oPort=23 -i ${
config.clan.core.vars.generators.borgbackup.files."borgbackup.ssh".path config.clan.core.vars.generators.borgbackup.files."borgbackup.ssh".path
} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"; } -oStrictHostKeyChecking=accept-new";
}; };
} }
); );

71
clan/network.nix
View File

@@ -1,3 +1,4 @@
{ self, ... }:
{ {
clan.inventory.instances.zerotier = { clan.inventory.instances.zerotier = {
roles.controller.machines.crocus = { }; roles.controller.machines.crocus = { };
@@ -13,8 +14,74 @@
}; };
clan.inventory.instances.internet = { clan.inventory.instances.internet = {
roles.default.machines.verbena = { roles.default.machines.verbena.settings.host = self.infra.machines.verbena.ipv4;
settings.host = "git.turifer.dev"; roles.default.machines.crocus.settings.host = self.infra.machines.crocus.ipv4;
};
clan.inventory.instances.wireguard = {
module.name = "wireguard";
module.input = "clan-core";
roles.controller = {
machines.verbena.settings = {
endpoint = "wg1.turifer.dev";
};
};
roles.peer.machines = {
haze = { };
crocus = { };
genepi = { };
};
};
clan.inventory.instances.certificates = {
module.name = "certificates";
module.input = "clan-core";
roles.ca.machines.verbena = {
settings.acmeEmail = "admin@rpqt.fr";
settings.tlds = [ "val" ];
};
roles.default.tags.all = { };
roles.default.settings.acmeEmail = "admin@rpqt.fr";
};
# Temporarily patched version of clan-core/coredns for AAAA records support
clan.inventory.instances.coredns = {
module.name = "@rpqt/coredns";
module.input = "self";
roles.default.tags.all = { };
roles.server.machines.verbena = {
settings.ip = "fd28:387a:90:c400::1";
settings.dnsPort = 53;
};
roles.server.machines.crocus = {
settings.ip = "fd28:387a:90:c400:6db2:dfc3:c376:9956";
};
roles.server.settings = {
tld = "val";
};
roles.default.machines.verbena.settings = {
ip = "fd28:387a:90:c400::1";
services = [
"ca"
"vaultwarden"
];
};
roles.default.machines.genepi.settings = {
ip = "fd28:387a:90:c400:ab23:3d38:a148:f539"; # FIXME: IPv4 expected (A record)
services = [
"actual"
"assistant"
"glance"
"grafana"
"images"
"lounge"
"pinchflat"
"rss"
];
}; };
}; };
} }

73
clanServices/coredns/README.md Normal file
View File

@@ -0,0 +1,73 @@
!!! Danger "Experimental"
This service is experimental and will change in the future.
This module enables hosting clan-internal services easily, which can be resolved
inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
and exposing endpoints from a machine to others, which will be
accessible under `http://<service>.clan` in your browser.
The service consists of two roles:
- A `server` role: This is the DNS-server that will be queried when trying to
resolve clan-internal services. It defines the top-level domain.
- A `default` role: This does two things. First, it sets up the nameservers so
that clan-internal queries are resolved via the `server` machine, while
external queries are resolved as normal via DHCP. Second, it allows exposing
services (see example below).
## Example Usage
Here the machine `dnsserver` is designated as internal DNS-server for the TLD
`.foo`. `server01` will host an application that shall be reachable at
`http://one.foo` and `server02` is going to be reachable at `http://two.foo`.
`client` is any other machine that is part of the clan but does not host any
services.
When `client` tries to resolve `http://one.foo`, the DNS query will be
routed to `dnsserver`, which will answer with `192.168.1.3`. If it tries to
resolve some external domain (e.g. `https://clan.lol`), the query will not be
routed to `dnsserver` but resolved as before, via the nameservers advertised by
DHCP.
```nix
inventory = {
machines = {
dnsserver = { }; # 192.168.1.2
server01 = { }; # 192.168.1.3
server02 = { }; # 192.168.1.4
client = { }; # 192.168.1.5
};
instances = {
coredns = {
module.name = "@clan/coredns";
module.input = "self";
# Add the default role to all machines, including `client`
roles.default.tags.all = { };
# DNS server queries to http://<name>.foo are resolved here
roles.server.machines."dnsserver".settings = {
ip = "192.168.1.2";
tld = "foo";
};
# First service
# Registers http://one.foo will resolve to 192.168.1.3
# underlying service runs on server01
roles.default.machines."server01".settings = {
ip = "192.168.1.3";
services = [ "one" ];
};
# Second service
roles.default.machines."server02".settings = {
ip = "192.168.1.4";
services = [ "two" ];
};
};
};
};
```

235
clanServices/coredns/default.nix Normal file
View File

@@ -0,0 +1,235 @@
{ ... }:
{
_class = "clan.service";
manifest.name = "coredns";
manifest.description = "Clan-internal DNS and service exposure";
manifest.categories = [ "Network" ];
manifest.readme = builtins.readFile ./README.md;
roles.server = {
description = "A DNS server that resolves services in the clan network.";
interface =
{ lib, ... }:
{
options.tld = lib.mkOption {
type = lib.types.str;
default = "clan";
description = ''
Top-level domain for this instance. All services below this will be
resolved internally.
'';
};
options.ip = lib.mkOption {
type = lib.types.str;
# TODO: Set a default
description = "IP for the DNS to listen on";
};
options.dnsPort = lib.mkOption {
type = lib.types.int;
default = 1053;
description = "Port of the clan-internal DNS server";
};
};
perInstance =
{
roles,
settings,
...
}:
{
nixosModule =
{
lib,
pkgs,
...
}:
let
hostServiceEntries =
host:
lib.strings.concatStringsSep "\n" (
map (
service:
let
ip = roles.default.machines.${host}.settings.ip;
isIPv4 = addr: (builtins.match "\\." addr) != null;
recordType = if (isIPv4 ip) then "A" else "AAAA";
in
"${service} IN ${recordType} ${ip} ; ${host}"
) roles.default.machines.${host}.settings.services
);
hostnameEntries = ''
crocus 10800 IN AAAA fd28:387a:90:c400:6db2:dfc3:c376:9956
genepi 10800 IN AAAA fd28:387a:90:c400:ab23:3d38:a148:f539
verbena 10800 IN AAAA fd28:387a:90:c400::1
haze 10800 IN AAAA fd28:387a:90:c400:840e:e9db:4c08:b920
'';
zonefile = builtins.toFile "${settings.tld}.zone" (
''
$TTL 3600 ; 1 Hour
$ORIGIN ${settings.tld}.
${settings.tld}. IN SOA ns1 admin.rpqt.fr. (
2025112300 ; serial
10800 ; refresh
3600 ; retry
604800 ; expire
300 ; minimum
)
${builtins.concatStringsSep "\n" (
lib.lists.imap1 (i: _m: "@ 1D IN NS ns${toString i}.${settings.tld}.") (
lib.attrNames roles.server.machines
)
)}
${builtins.concatStringsSep "\n" (
lib.lists.imap1 (i: m: "ns${toString i} 10800 IN CNAME ${m}.${settings.tld}.") (
lib.attrNames roles.server.machines
)
)}
''
+ hostnameEntries
+ "\n"
+ (lib.strings.concatStringsSep "\n" (
map (host: hostServiceEntries host) (lib.attrNames roles.default.machines)
))
);
in
{
networking.firewall.interfaces.wireguard = {
allowedTCPPorts = [ settings.dnsPort ];
allowedUDPPorts = [ settings.dnsPort ];
};
services.coredns = {
enable = true;
config =
let
dnsPort = builtins.toString settings.dnsPort;
in
''
.:${dnsPort} {
bind wireguard
forward . 1.1.1.1
cache 30
}
${settings.tld}:${dnsPort} {
bind wireguard
file ${zonefile}
}
'';
};
};
};
};
roles.default = {
description = "A machine that registers the 'server' role as resolver and registers services under the configured TLD in the resolver.";
interface =
{ lib, ... }:
{
options.services = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
Service endpoints this host exposes (without TLD). Each entry will
be resolved to <entry>.<tld> using the configured top-level domain.
'';
};
options.ip = lib.mkOption {
type = lib.types.str;
# TODO: Set a default
description = "IP on which the services will listen";
};
options.dnsPort = lib.mkOption {
type = lib.types.int;
default = 1053;
description = "Port of the clan-internal DNS server";
};
};
perInstance =
{ roles, settings, ... }:
{
nixosModule =
{ config, lib, ... }:
{
networking.nameservers = map (
m:
let
port = config.services.unbound.settings.server.port or 53;
in
"127.0.0.1:${toString port}#${roles.server.machines.${m}.settings.tld}"
) (lib.attrNames roles.server.machines);
services.resolved.domains = map (m: "~${roles.server.machines.${m}.settings.tld}") (
lib.attrNames roles.server.machines
);
services.unbound = {
enable = true;
# resolveLocalQueries = true;
checkconf = true;
settings = {
server = {
port = 5353;
verbosity = 2;
interface = [ "127.0.0.1" ];
access-control = [ "127.0.0.0/8 allow" ];
do-not-query-localhost = "no";
domain-insecure = map (m: "${roles.server.machines.${m}.settings.tld}.") (
lib.attrNames roles.server.machines
);
};
# Default: forward everything else to DHCP-provided resolvers
# forward-zone = [
# {
# name = ".";
# forward-addr = "127.0.0.53@53"; # Forward to systemd-resolved
# }
# ];
forward-zone = [
{
name = ".";
forward-tls-upstream = true;
forward-addr = [
"9.9.9.9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
"2606:4700:4700::1111@853#cloudflare-dns.com"
"2606:4700:4700::1001@853#cloudflare-dns.com"
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
"2001:4860:4860::8888#dns.google"
"2001:4860:4860::8844#dns.google"
];
}
];
stub-zone = {
name = "${roles.server.machines.${(lib.head (lib.attrNames roles.server.machines))}.settings.tld}.";
stub-addr = map (
m: "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}"
) (lib.attrNames roles.server.machines);
};
};
};
};
};
};
}

18
clanServices/coredns/flake-module.nix Normal file
View File

@@ -0,0 +1,18 @@
{ ... }:
let
module = ./default.nix;
in
{
clan.modules = {
"@rpqt/coredns" = module;
};
# perSystem =
# { ... }:
# {
# clan.nixosTests.coredns = {
# imports = [ ./tests/vm/default.nix ];
# clan.modules."@rpqt/coredns" = module;
# };
# };
}

1
clanServices/flake-module.nix
View File

@@ -1,6 +1,7 @@
{ {
imports = [ imports = [
./buildbot/flake-module.nix ./buildbot/flake-module.nix
./coredns/flake-module.nix
./prometheus/flake-module.nix ./prometheus/flake-module.nix
]; ];
} }

4
devShells/flake-module.nix
View File

@@ -11,7 +11,7 @@
inputs'.clan-core.packages.clan-cli inputs'.clan-core.packages.clan-cli
pkgs.garage pkgs.garage
pkgs.nil # Nix language server pkgs.nil # Nix language server
pkgs.nixfmt-rfc-style pkgs.nixfmt
pkgs.opentofu pkgs.opentofu
pkgs.terraform-ls pkgs.terraform-ls
pkgs.deploy-rs pkgs.deploy-rs
@@ -19,7 +19,7 @@
]; ];
shellHook = '' shellHook = ''
export GARAGE_RPC_SECRET=$(clan vars get crocus garage-shared/rpc_secret) export GARAGE_RPC_SECRET=$(clan vars get crocus garage-shared/rpc_secret)
export GARAGE_RPC_HOST=5d8249fe49264d36bc3532bd88400498bf9497b5cd4872245eb820d5d7797ed6@crocus.home.rpqt.fr:3901 export GARAGE_RPC_HOST=5d8249fe49264d36bc3532bd88400498bf9497b5cd4872245eb820d5d7797ed6@crocus.val:3901
''; '';
}; };
}; };

408
flake.lock generated
View File

@@ -10,11 +10,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1761641036, "lastModified": 1769313163,
"narHash": "sha256-WyoAA5qBHimmWj0tuJMnkIq4o8dB01st6smx3ZzI/L0=", "narHash": "sha256-pjYF+adGJBkMLgKFAhnMEMR0818OsCaZAZREYs/baPQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "buildbot-nix", "repo": "buildbot-nix",
"rev": "3cd0114c633815095fde7a3126e1dbd6ad2e673f", "rev": "6c0fbf1425279800fd8f02796fdb567599587b7b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -32,7 +32,6 @@
], ],
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-select": "nix-select", "nix-select": "nix-select",
"nixos-facter-modules": "nixos-facter-modules",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@@ -41,11 +40,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1762423941, "lastModified": 1769817905,
"narHash": "sha256-2mahDC4N9CiR/VQR8EqHg0TZhf+ix8u4y2gbPr6qJ6w=", "narHash": "sha256-/Ktjya8b3TfYeskDPY+67/BXyOwz0EpZnIW4QY9Qd94=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "9ddcda8f10c96c790fb83cf4004899d95fae891d", "rev": "49c69a0dd6750bbce8ebc698879e3cb48f32ae6b",
"revCount": 11011, "revCount": 12606,
"type": "git", "type": "git",
"url": "https://git.clan.lol/clan/clan-core" "url": "https://git.clan.lol/clan/clan-core"
}, },
@@ -54,25 +53,18 @@
"url": "https://git.clan.lol/clan/clan-core" "url": "https://git.clan.lol/clan/clan-core"
} }
}, },
"dankMaterialShell": { "crane": {
"inputs": {
"dgop": "dgop",
"dms-cli": "dms-cli",
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1762704668, "lastModified": 1765145449,
"narHash": "sha256-wrLa8ZoEpAhQjIt9uHcPb47LvVcceA8ok6S7BeUeaC4=", "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
"owner": "AvengeMedia", "owner": "ipetkov",
"repo": "DankMaterialShell", "repo": "crane",
"rev": "392a1c03c53ce916ec8d2ba61e852d34d2e1b9cb", "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "AvengeMedia", "owner": "ipetkov",
"repo": "DankMaterialShell", "repo": "crane",
"type": "github" "type": "github"
} }
}, },
@@ -92,35 +84,38 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760612273, "lastModified": 1769701076,
"narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", "narHash": "sha256-ZquoXeXZ8fwMQ54UVgcGRKjzdK0deRHzm0a2jVbw4uw=",
"rev": "0099739c78be750b215cbdefafc9ba1533609393", "rev": "21655e76e84749d5ce3c9b3aaf9d86ba4016ba08",
"type": "tarball", "type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/21655e76e84749d5ce3c9b3aaf9d86ba4016ba08.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz" "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz"
} }
}, },
"dgop": { "direnv-instant": {
"inputs": { "inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [ "nixpkgs": [
"dankMaterialShell",
"nixpkgs" "nixpkgs"
] ],
"treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1762435535, "lastModified": 1768707867,
"narHash": "sha256-QhzRn7pYN35IFpKjjxJAj3GPJECuC+VLhoGem3ezycc=", "narHash": "sha256-bNHBR07JIJUMjDGqd3/KwhPsI7e43JkAoeczO2cQ8h8=",
"owner": "AvengeMedia", "owner": "Mic92",
"repo": "dgop", "repo": "direnv-instant",
"rev": "6cf638dde818f9f8a2e26d0243179c43cb3458d7", "rev": "522eeea04ab1bc360464e51477963b0c3e18284a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "AvengeMedia", "owner": "Mic92",
"repo": "dgop", "repo": "direnv-instant",
"type": "github" "type": "github"
} }
}, },
@@ -132,11 +127,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762276996, "lastModified": 1769524058,
"narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "af087d076d3860760b3323f6b583f4d828c1ac17", "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -152,11 +147,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762276996, "lastModified": 1769524058,
"narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "af087d076d3860760b3323f6b583f4d828c1ac17", "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -165,24 +160,19 @@
"type": "github" "type": "github"
} }
}, },
"dms-cli": { "flake-compat": {
"inputs": { "flake": false,
"nixpkgs": [
"dankMaterialShell",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1762491516, "lastModified": 1761588595,
"narHash": "sha256-oGLH5Gje/p2Hc1kO3m8P5eAZ7JldBI30EmwzEET4cNU=", "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
"owner": "AvengeMedia", "owner": "edolstra",
"repo": "danklinux", "repo": "flake-compat",
"rev": "050cf28a2963a7698ed4759736fe5fe77eee7cc2", "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "AvengeMedia", "owner": "edolstra",
"repo": "danklinux", "repo": "flake-compat",
"type": "github" "type": "github"
} }
}, },
@@ -194,11 +184,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1756770412, "lastModified": 1768135262,
"narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "4524271976b625a4a605beefd893f270620fd751", "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -214,11 +204,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762440070, "lastModified": 1768135262,
"narHash": "sha256-xxdepIcb39UJ94+YydGP221rjnpkDZUlykKuF54PsqI=", "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "26d05891e14c88eb4a5d5bee659c0db5afb609d8", "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -227,21 +217,25 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": { "gitignore": {
"inputs": { "inputs": {
"systems": "systems_3" "nixpkgs": [
"lanzaboote",
"pre-commit",
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1709087332,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "numtide", "owner": "hercules-ci",
"repo": "flake-utils", "repo": "gitignore.nix",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "owner": "hercules-ci",
"repo": "flake-utils", "repo": "gitignore.nix",
"type": "github" "type": "github"
} }
}, },
@@ -257,11 +251,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758022363, "lastModified": 1768476106,
"narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=", "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "hercules-ci-effects", "repo": "hercules-ci-effects",
"rev": "1a3667d33e247ad35ca250698d63f49a5453d824", "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -277,11 +271,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762704774, "lastModified": 1769813945,
"narHash": "sha256-iodz4xQbULkHqetbPu5BCSWsVEzZiiNSv0/dzfH4XiE=", "narHash": "sha256-9ABv9Lo9t6MrFjlnRnU8Zw1C6LVj2+R8PipQ/rxGLHk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "be4a9233dd3f6104c9b0fdd3d56f953eb519a4c7", "rev": "475921375def3eb930e1f8883f619ff8609accb6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -290,81 +284,27 @@
"type": "github" "type": "github"
} }
}, },
"ignis": { "lanzaboote": {
"inputs": {
"ignis-gvc": "ignis-gvc",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1758101718,
"narHash": "sha256-qxY1q6ppBK5zWueAWVibiQLXUKbmot3/Zlb+J6q7RS0=",
"owner": "ignis-sh",
"repo": "ignis",
"rev": "57017f8fbde4c4c67bdd4fa69c72589358882928",
"type": "github"
},
"original": {
"owner": "ignis-sh",
"repo": "ignis",
"type": "github"
}
},
"ignis-gvc": {
"inputs": {
"nixpkgs": [
"ignis",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754064086,
"narHash": "sha256-ft5KvY2OYrWF+jEsfBL/Zx8Iuo2C10C6COk8wHwZw34=",
"owner": "ignis-sh",
"repo": "ignis-gvc",
"rev": "f2c9f10d8b49cc38106a2f07a51ea959c6aa4e63",
"type": "github"
},
"original": {
"owner": "ignis-sh",
"repo": "ignis-gvc",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"matugen": {
"inputs": { "inputs": {
"crane": "crane",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"systems": "systems_2" "pre-commit": "pre-commit",
"rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1762639445, "lastModified": 1765382359,
"narHash": "sha256-5E9exwTb7Tr4+SCJLJl/giiouHDmNGFb+pobScH1TkY=", "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
"owner": "InioX", "owner": "nix-community",
"repo": "Matugen", "repo": "lanzaboote",
"rev": "4c8c1dc6055853eb62b1f15be2920961194ef4cd", "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "InioX", "owner": "nix-community",
"repo": "Matugen", "ref": "v1.0.0",
"repo": "lanzaboote",
"type": "github" "type": "github"
} }
}, },
@@ -376,11 +316,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762304480, "lastModified": 1768764703,
"narHash": "sha256-ikVIPB/ea/BAODk6aksgkup9k2jQdrwr4+ZRXtBgmSs=", "narHash": "sha256-5ulSDyOG1U+1sJhkJHYsUOWEsmtLl97O0NTVMvgIVyc=",
"owner": "nix-darwin", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "b8c7ac030211f18bd1f41eae0b815571853db7a2", "rev": "0fc4e7ac670a0ed874abacf73c4b072a6a58064b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -391,11 +331,11 @@
}, },
"nix-select": { "nix-select": {
"locked": { "locked": {
"lastModified": 1755887746, "lastModified": 1763303120,
"narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", "narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=",
"rev": "92c2574c5e113281591be01e89bb9ddb31d19156", "rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9",
"type": "tarball", "type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -417,32 +357,17 @@
"type": "github" "type": "github"
} }
}, },
"nixos-facter-modules": {
"locked": {
"lastModified": 1762264948,
"narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=",
"owner": "nix-community",
"repo": "nixos-facter-modules",
"rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-facter-modules",
"type": "github"
}
},
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1751903740, "lastModified": 1769813415,
"narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "032decf9db65efed428afd2fa39d80f7089085eb", "rev": "8946737ff703382fda7623b9fab071d037e897d5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -453,11 +378,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1762463231, "lastModified": 1769302137,
"narHash": "sha256-hv1mG5j5PTbnWbtHHomzTus77pIxsc4x8VrMjc7+/YE=", "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "52113c4f5cfd1e823001310e56d9c8d0699a6226", "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -485,11 +410,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1762596750, "lastModified": 1769461804,
"narHash": "sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV+3DSADBX7/9YQ=", "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b6a8526db03f735b89dd5ff348f53f752e7ddc8e", "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -499,22 +424,64 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765016596,
"narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"buildbot-nix": "buildbot-nix", "buildbot-nix": "buildbot-nix",
"clan-core": "clan-core", "clan-core": "clan-core",
"dankMaterialShell": "dankMaterialShell", "direnv-instant": "direnv-instant",
"disko": "disko_2", "disko": "disko_2",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"home-manager": "home-manager", "home-manager": "home-manager",
"ignis": "ignis", "lanzaboote": "lanzaboote",
"impermanence": "impermanence",
"matugen": "matugen",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"srvos": "srvos", "srvos": "srvos",
"vicinae": "vicinae" "terranix": "terranix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765075567,
"narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
} }
}, },
"sops-nix": { "sops-nix": {
@@ -525,11 +492,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760998189, "lastModified": 1769469829,
"narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -545,11 +512,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762630873, "lastModified": 1769681123,
"narHash": "sha256-3oBDTcYuTFk2e5xINUvXkmGy/NCosajTeFFZIgyrpZE=", "narHash": "sha256-i29n0IDa5nR8O9w7QsajWNy/dfgfnGF7/nJY+/OdjEY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "srvos", "repo": "srvos",
"rev": "84e1e515d32e2d92098ed2a8d102d71ac58676e5", "rev": "861710611463c47190345f09f6959c9230def555",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -574,21 +541,6 @@
} }
}, },
"systems_2": { "systems_2": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_3": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -603,6 +555,30 @@
"type": "github" "type": "github"
} }
}, },
"terranix": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_2"
},
"locked": {
"lastModified": 1762472226,
"narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=",
"owner": "terranix",
"repo": "terranix",
"rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix",
"type": "github"
}
},
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -611,11 +587,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758728421, "lastModified": 1768158989,
"narHash": "sha256-ySNJ008muQAds2JemiyrWYbwbG+V7S5wg3ZVKGHSFu8=", "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "5eda4ee8121f97b218f7cc73f5172098d458f1d1", "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -632,11 +608,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762366246, "lastModified": 1769691507,
"narHash": "sha256-3xc/f/ZNb5ma9Fc9knIzEwygXotA+0BZFQ5V5XovSOQ=", "narHash": "sha256-8aAYwyVzSSwIhP2glDhw/G0i5+wOrren3v6WmxkVonM=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "a82c779ca992190109e431d7d680860e6723e048", "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -645,24 +621,24 @@
"type": "github" "type": "github"
} }
}, },
"vicinae": { "treefmt-nix_3": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"direnv-instant",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1762684504, "lastModified": 1768158989,
"narHash": "sha256-mpZcCsX2DyRtPiSRdYQBXuZQ+exguXRtXzdUgh+h+Pk=", "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
"owner": "vicinaehq", "owner": "numtide",
"repo": "vicinae", "repo": "treefmt-nix",
"rev": "184387ffd4087de7313e7d1dca7477c7cfa61756", "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "vicinaehq", "owner": "numtide",
"repo": "vicinae", "repo": "treefmt-nix",
"type": "github" "type": "github"
} }
} }

31
flake.nix
View File

@@ -6,19 +6,17 @@
nixpkgs, nixpkgs,
clan-core, clan-core,
flake-parts, flake-parts,
home-manager,
impermanence,
nixos-hardware,
self,
... ...
}: }:
flake-parts.lib.mkFlake { inherit inputs; } ({ flake-parts.lib.mkFlake { inherit inputs; } ({
imports = [ imports = [
inputs.clan-core.flakeModules.default clan-core.flakeModules.default
inputs.terranix.flakeModule
./clan/flake-module.nix ./clan/flake-module.nix
./clanServices/flake-module.nix ./clanServices/flake-module.nix
./devShells/flake-module.nix ./devShells/flake-module.nix
./home-manager/flake-module.nix ./home-manager/flake-module.nix
./infra/flake-module.nix
./modules/flake-module.nix ./modules/flake-module.nix
./packages/flake-module.nix ./packages/flake-module.nix
]; ];
@@ -38,8 +36,6 @@
home-manager.url = "github:nix-community/home-manager"; home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
impermanence.url = "github:nix-community/impermanence";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixos-generators.url = "github:nix-community/nixos-generators"; nixos-generators.url = "github:nix-community/nixos-generators";
@@ -48,25 +44,24 @@
clan-core.inputs.nixpkgs.follows = "nixpkgs"; clan-core.inputs.nixpkgs.follows = "nixpkgs";
clan-core.inputs.flake-parts.follows = "flake-parts"; clan-core.inputs.flake-parts.follows = "flake-parts";
ignis.url = "github:ignis-sh/ignis";
ignis.inputs.nixpkgs.follows = "nixpkgs";
matugen.url = "github:InioX/Matugen";
matugen.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
srvos.url = "github:nix-community/srvos"; srvos.url = "github:nix-community/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs"; srvos.inputs.nixpkgs.follows = "nixpkgs";
vicinae.url = "github:vicinaehq/vicinae";
vicinae.inputs.nixpkgs.follows = "nixpkgs";
buildbot-nix.url = "github:nix-community/buildbot-nix"; buildbot-nix.url = "github:nix-community/buildbot-nix";
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs"; buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
dankMaterialShell.url = "github:AvengeMedia/DankMaterialShell"; direnv-instant.url = "github:Mic92/direnv-instant";
dankMaterialShell.inputs.nixpkgs.follows = "nixpkgs"; direnv-instant.inputs.nixpkgs.follows = "nixpkgs";
direnv-instant.inputs.flake-parts.follows = "flake-parts";
terranix.url = "github:terranix/terranix";
terranix.inputs.nixpkgs.follows = "nixpkgs";
terranix.inputs.flake-parts.follows = "flake-parts";
lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
}; };
} }

83
home-manager/cli.nix
View File

@@ -1,42 +1,11 @@
{ {
self, self,
config, config,
osConfig,
pkgs, pkgs,
... ...
}: }:
{ let
imports = [
self.homeManagerModules.dotfiles
];
home.packages = with pkgs; [
bottom
btop
comma
difftastic
doggo
duf
eza
fd
glow
lazygit
nh
ripgrep
skim
taskwarrior3
tealdeer
vivid
zoxide
];
programs.zoxide.enable = true;
programs.starship.enable = true;
programs.atuin.enable = true;
programs.bat.enable = true;
programs.zsh = {
enable = true;
syntaxHighlighting.enable = true;
shellAliases = { shellAliases = {
ls = "eza"; ls = "eza";
lsa = "ls -A"; lsa = "ls -A";
@@ -49,6 +18,54 @@
".." = "cd .."; ".." = "cd ..";
"..." = "cd ../.."; "..." = "cd ../..";
}; };
in
{
imports = [
self.homeManagerModules.dotfiles
];
home.packages = with pkgs; [
age
age-plugin-yubikey
bottom
btop
comma
difftastic
doggo
duf
eza
fd
glow
jjui
lazygit
nh
passage
rage
ripgrep
skim
tealdeer
vivid
yazi
zoxide
];
programs.zoxide.enable = true;
programs.starship.enable = true;
programs.bat.enable = true;
programs.atuin.enable = true;
xdg.dataFile."atuin/key".source =
config.lib.file.mkOutOfStoreSymlink osConfig.clan.core.vars.generators.atuin.files.key.path;
programs.zsh = {
enable = true;
syntaxHighlighting.enable = true;
inherit shellAliases;
};
programs.fish = {
enable = true;
inherit shellAliases;
}; };
xdg.configFile."git".source = "${config.dotfiles.path}/.config/git"; xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";

8
home-manager/desktop/dank.nix
View File

@@ -1,8 +0,0 @@
{ inputs, ... }:
{
imports = [
inputs.dankMaterialShell.homeModules.dankMaterialShell.default
];
programs.dankMaterialShell.enable = true;
}

1
home-manager/desktop/default.nix
View File

@@ -10,7 +10,6 @@
home.packages = with pkgs; [ home.packages = with pkgs; [
discord discord
seahorse seahorse
wofi-emoji
]; ];
home.pointerCursor = { home.pointerCursor = {

4
home-manager/desktop/fonts.nix
View File

@@ -6,4 +6,8 @@
]; ];
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
fonts.fontconfig.defaultFonts = {
sansSerif = [ "Adwaita Sans" ];
monospace = [ "Adwaita Mono" ];
};
} }

6
home-manager/desktop/gnome.nix
View File

@@ -4,4 +4,10 @@
blur-my-shell blur-my-shell
paperwm paperwm
]; ];
dconf.settings = {
"org/gnome/nautilus/preferences" = {
show-image-thumbnails = "always";
};
};
} }

38
home-manager/desktop/ignis.nix
View File

@@ -1,38 +0,0 @@
{
self,
config,
inputs,
pkgs,
...
}:
{
imports = [
self.homeManagerModules.dotfiles
inputs.ignis.homeManagerModules.default
];
home.packages = [
pkgs.brightnessctl
pkgs.swaybg
pkgs.swaylock
pkgs.tofi
pkgs.wl-gammarelay-rs
inputs.matugen.packages.${pkgs.system}.default
];
programs.ignis = {
enable = true;
addToPythonEnv = false;
sass.enable = true;
sass.useDartSass = true;
services.bluetooth.enable = true;
services.audio.enable = true;
services.network.enable = true;
};
xdg.configFile."ignis".source =
config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/rep/heath";
}

32
home-manager/desktop/sway.nix
View File

@@ -1,32 +0,0 @@
{
self,
config,
pkgs,
...
}:
{
imports = [
self.homeManagerModules.dotfiles
./wayland.nix
];
home.packages = with pkgs; [
tofi
i3status-rust
wlsunset
kanshi
grim
slurp
playerctl
swaybg
];
xdg.configFile = {
"sway".source = "${config.dotfiles.path}/.config/sway";
"swaylock".source = "${config.dotfiles.path}/.config/swaylock";
"swayidle".source = "${config.dotfiles.path}/.config/swayidle";
"kanshi".source = "${config.dotfiles.path}/.config/kanshi";
"i3status-rust".source = "${config.dotfiles.path}/.config/i3status-rust";
"tofi/config".source = "${config.dotfiles.path}/.config/tofi/config";
};
}

3
home-manager/desktop/terminal.nix
View File

@@ -15,8 +15,7 @@
]; ];
programs.alacritty.enable = true; programs.alacritty.enable = true;
xdg.configFile."alacritty/alacritty.toml".source = xdg.configFile."alacritty".source = "${config.dotfiles.path}/.config/alacritty";
"${config.dotfiles.path}/.config/alacritty/alacritty.toml";
xdg.configFile."ghostty/config".source = "${config.dotfiles.path}/.config/ghostty/config"; xdg.configFile."ghostty/config".source = "${config.dotfiles.path}/.config/ghostty/config";
} }

10
home-manager/desktop/vicinae.nix
View File

@@ -1,17 +1,13 @@
{ {
config, config,
inputs,
lib, lib,
... ...
}: }:
{ {
imports = [ programs.vicinae = {
inputs.vicinae.homeManagerModules.default
];
services.vicinae = {
enable = true; enable = true;
autoStart = true; systemd.enable = true;
systemd.autoStart = true;
}; };
xdg.configFile."vicinae/vicinae.json".source = xdg.configFile."vicinae/vicinae.json".source =

6
home-manager/dev.nix
View File

@@ -9,9 +9,11 @@
./cli.nix ./cli.nix
./helix.nix ./helix.nix
self.homeManagerModules.dotfiles self.homeManagerModules.dotfiles
self.inputs.direnv-instant.homeModules.direnv-instant
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
delta
direnv direnv
gh gh
hut hut
@@ -23,7 +25,7 @@
radicle-tui radicle-tui
typescript-language-server typescript-language-server
nil # Nix language server nil # Nix language server
nixfmt-rfc-style nixfmt
nixpkgs-review nixpkgs-review
]; ];
@@ -33,6 +35,8 @@
nix-direnv.enable = true; nix-direnv.enable = true;
}; };
programs.direnv-instant.enable = true;
xdg.configFile."hut/config".source = "${config.dotfiles.path}/.config/hut/config"; xdg.configFile."hut/config".source = "${config.dotfiles.path}/.config/hut/config";
home.file.".ssh/config".source = "${config.dotfiles.path}/.ssh/config"; home.file.".ssh/config".source = "${config.dotfiles.path}/.ssh/config";
} }

2
home-manager/helix.nix
View File

@@ -16,6 +16,8 @@
defaultEditor = true; defaultEditor = true;
}; };
home.sessionVariables.EDITOR = "hx";
xdg.configFile."helix/config.toml".source = "${config.dotfiles.path}/.config/helix/config.toml"; xdg.configFile."helix/config.toml".source = "${config.dotfiles.path}/.config/helix/config.toml";
xdg.configFile."helix/languages.toml".source = xdg.configFile."helix/languages.toml".source =
"${config.dotfiles.path}/.config/helix/languages.toml"; "${config.dotfiles.path}/.config/helix/languages.toml";

43
home-manager/mail/default.nix
View File

@@ -1,4 +1,7 @@
{ config, ... }: { config, ... }:
let
pass = "passage";
in
{ {
programs.thunderbird = { programs.thunderbird = {
enable = true; enable = true;
@@ -9,24 +12,44 @@
}; };
}; };
programs.aerc = {
enable = true;
# safe since the accounts file just contains commands for retrieving passwords and is readonly in the nix store
extraConfig.general.unsafe-accounts-conf = true;
};
accounts.email.accounts = { accounts.email.accounts = {
"rpqt@rpqt.fr" = { "rpqt@rpqt.fr" = rec {
address = "rpqt@rpqt.fr"; address = "rpqt@rpqt.fr";
realName = "Romain Paquet"; realName = "Romain Paquet";
primary = true; primary = true;
flavor = "migadu.com"; flavor = "migadu.com";
thunderbird.enable = config.programs.thunderbird.enable; thunderbird.enable = config.programs.thunderbird.enable;
aerc.enable = config.programs.aerc.enable;
passwordCommand = [
pass
"show"
"mail/${address}"
];
folders.inbox = "INBOX";
}; };
"admin@rpqt.fr" = { "admin@rpqt.fr" = rec {
address = "admin@rpqt.fr"; address = "admin@rpqt.fr";
aliases = [ "postmaster@rpqt.fr" ]; aliases = [ "postmaster@rpqt.fr" ];
realName = "Postmaster"; realName = "Postmaster";
flavor = "migadu.com"; flavor = "migadu.com";
thunderbird.enable = config.programs.thunderbird.enable; thunderbird.enable = config.programs.thunderbird.enable;
aerc.enable = config.programs.aerc.enable;
passwordCommand = [
pass
"show"
"mail/${address}"
];
folders.inbox = "INBOX";
}; };
"romain.paquet@grenoble-inp.org" = { "romain.paquet@grenoble-inp.org" = rec {
address = "romain.paquet@grenoble-inp.org"; address = "romain.paquet@grenoble-inp.org";
realName = "Romain Paquet"; realName = "Romain Paquet";
userName = "romain.paquet@grenoble-inp.org"; userName = "romain.paquet@grenoble-inp.org";
@@ -39,14 +62,26 @@
port = 465; port = 465;
}; };
thunderbird.enable = config.programs.thunderbird.enable; thunderbird.enable = config.programs.thunderbird.enable;
aerc.enable = config.programs.aerc.enable;
passwordCommand = [
pass
"show"
"mail/${address}"
];
folders.inbox = "INBOX";
}; };
"admin@turifer.dev" = { "admin@turifer.dev" = rec {
address = "admin@turifer.dev"; address = "admin@turifer.dev";
aliases = [ "postmaster@turifer.dev" ]; aliases = [ "postmaster@turifer.dev" ];
realName = "Postmaster"; realName = "Postmaster";
flavor = "migadu.com"; flavor = "migadu.com";
thunderbird.enable = config.programs.thunderbird.enable; thunderbird.enable = config.programs.thunderbird.enable;
aerc.enable = config.programs.aerc.enable;
passwordCommand = [
pass
"mail/${address}"
];
}; };
"romain@student.agh.edu.pl" = { "romain@student.agh.edu.pl" = {

4
home/.config/alacritty/alacritty.toml
View File

@@ -1,6 +1,6 @@
[general] [general]
live_config_reload = false live_config_reload = true
import = ["~/.config/alacritty/themes/kanagawa_wave.toml"] import = ["~/.config/alacritty/themes/default_light.toml"]
[font] [font]
size = 14 size = 14

33
home/.config/alacritty/themes/default_light.toml Normal file
View File

@@ -0,0 +1,33 @@
# Colors (Builtin Light)
[colors.bright]
black = '#555555'
blue = '#5555ff'
cyan = '#22cccc'
green = '#2fd92f'
magenta = '#ff55ff'
red = '#ff5555'
white = '#ffffff'
yellow = '#bfbf15'
[colors.cursor]
cursor = '#000000'
text = '#ffffff'
[colors.normal]
black = '#000000'
blue = '#0000bb'
cyan = '#00bbbb'
green = '#00bb00'
magenta = '#bb00bb'
red = '#bb0000'
white = '#bbbbbb'
yellow = '#bbbb00'
[colors.primary]
background = '#ffffff'
foreground = '#000000'
[colors.selection]
background = '#b5d5ff'
text = '#000000'

29
home/.config/dotfiles/clone.sh
View File

@@ -1,29 +0,0 @@
#!/bin/sh
DOTFILES_GIT_URL='git@git.sr.ht:~rpqt/dotfiles'
# The first argument can be the destination folder
if [ $# -eq 1 ]; then
DOTFILES_DIR="$1"
else
DOTFILES_DIR="$HOME/.dotfiles"
fi
echo "$DOTFILES_DIR" >> "$HOME/.gitignore"
git clone --bare "$DOTFILES_GIT_URL" "$DOTFILES_DIR"
alias dotfiles='/usr/bin/git --git-dir=$DOTFILES_DIR --work-tree=$HOME'
dotfiles config --local status.showUntrackedFiles no
dotfiles checkout
tee "$HOME/.config/git/config" >/dev/null <<EOT
[include]
path = ~/.config/git/common.gitconfig
path = ~/.config/git/local.gitconfig
EOT
unset DOTFILES_DIR
unset DOTFILES_GIT_URL

4
home/.config/helix/languages.toml
View File

@@ -58,3 +58,7 @@ auto-format = true
[[language]] [[language]]
name = "vento" name = "vento"
indent = { tab-width = 2, unit = "\t" } indent = { tab-width = 2, unit = "\t" }
[[language]]
name = "ocaml"
auto-format = true

6
home/.config/i3bar-river/bottom-config.toml
View File

@@ -1,6 +0,0 @@
font = "JetBrains Mono NF Bold 12"
height = 24
background = "#000000"
command = "i3status-rs ~/.config/i3status-rust/bottom-config.toml"
position = "bottom"
show_tags = false

10
home/.config/i3bar-river/config.toml
View File

@@ -1,10 +0,0 @@
font = "JetBrains Mono NF Bold 12"
height = 24
background = "#000000"
command = "i3status-rs"
tags_margin = 0.0
tags_padding = 8.0
tag_fg = "#727169"
tag_bg = "#000000"
tag_focused_fg = "#dcd7ba"
tag_focused_bg = "#000000"

5
home/.config/kanshi/config
View File

@@ -1,5 +0,0 @@
profile mirror-hdmi {
output eDP-1 enable mode 1920x1080 position 0,0
output HDMI-A-1 enable mode 1920x1080 position 1920,0
exec wl-present mirror eDP-1 --fullscreen-output HDMI-A-1 --fullscreen
}

1
home/.config/niri/.gitignore vendored
View File

@@ -1 +0,0 @@
dms

69
home/.config/niri/config.kdl
View File

@@ -1,3 +1,9 @@
include "dms/alttab.kdl"
include "dms/binds.kdl"
include "dms/colors.kdl"
include "dms/layout.kdl"
include "dms/wpblur.kdl"
input { input {
keyboard { keyboard {
xkb { xkb {
@@ -19,6 +25,9 @@ input {
focus-follows-mouse max-scroll-amount="0%" focus-follows-mouse max-scroll-amount="0%"
} }
workspace "browser" {
}
output "eDP-1" { output "eDP-1" {
mode "1920x1080@60.049" mode "1920x1080@60.049"
scale 1 scale 1
@@ -55,39 +64,6 @@ layout {
// You can change the default width of the new windows. // You can change the default width of the new windows.
default-column-width { proportion 0.5; } default-column-width { proportion 0.5; }
// If you leave the brackets empty, the windows themselves will decide their initial width. // If you leave the brackets empty, the windows themselves will decide their initial width.
// You can change how the focus ring looks.
focus-ring {
off
// How many logical pixels the ring extends out from the windows.
width 3
// Color of the ring on the active monitor.
active-color "#101010"
// Color of the ring on inactive monitors.
inactive-color "#505050"
}
border {
width 2
// Color of the ring on the active monitor.
// active-color "#3d5f77"
active-color "#101010"
// Color of the ring on inactive monitors.
inactive-color "#101010"
}
shadow {
// on
softness 10
spread 5
offset x=0 y=0
draw-behind-window true
color "#00000070"
}
} }
prefer-no-csd prefer-no-csd
@@ -99,6 +75,7 @@ cursor {
window-rule { window-rule {
match app-id=r#"^firefox$"# match app-id=r#"^firefox$"#
open-maximized true open-maximized true
open-on-workspace "browser"
focus-ring { focus-ring {
off off
} }
@@ -121,12 +98,6 @@ window-rule {
open-floating true open-floating true
} }
// Enable rounded corners for all windows.
window-rule {
geometry-corner-radius 10
clip-to-geometry true
}
binds { binds {
// Keys consist of modifiers separated by + signs, followed by an XKB key name // Keys consist of modifiers separated by + signs, followed by an XKB key name
// in the end. To find an XKB name for a particular key, you may use a program // in the end. To find an XKB name for a particular key, you may use a program
@@ -147,20 +118,6 @@ binds {
Mod+D { spawn "vicinae" "toggle"; } Mod+D { spawn "vicinae" "toggle"; }
Super+Alt+L hotkey-overlay-title="Lock session" { spawn "loginctl" "lock-session"; } Super+Alt+L hotkey-overlay-title="Lock session" { spawn "loginctl" "lock-session"; }
XF86AudioRaiseVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.05+"; }
XF86AudioLowerVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.05-"; }
XF86AudioMute allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SINK@" "toggle"; }
XF86AudioMicMute allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SOURCE@" "toggle"; }
XF86MonBrightnessDown { spawn "brightnessctl" "set" "5%-"; }
XF86MonBrightnessUp { spawn "brightnessctl" "set" "+5%"; }
// XF86MonBrightnessUp allow-when-locked=true {
// spawn "dms" "ipc" "call" "brightness" "increment" "5" "";
// }
// XF86MonBrightnessDown allow-when-locked=true {
// spawn "dms" "ipc" "call" "brightness" "decrement" "5" "";
// }
XF86AudioPlay { spawn "playerctl" "play-pause"; } XF86AudioPlay { spawn "playerctl" "play-pause"; }
XF86AudioNext { spawn "playerctl" "next"; } XF86AudioNext { spawn "playerctl" "next"; }
XF86AudioPrev { spawn "playerctl" "previous"; } XF86AudioPrev { spawn "playerctl" "previous"; }
@@ -342,7 +299,6 @@ binds {
screenshot-path "~/Pictures/Screenshots/Screenshot from %Y-%m-%d %H-%M-%S.png" screenshot-path "~/Pictures/Screenshots/Screenshot from %Y-%m-%d %H-%M-%S.png"
spawn-at-startup "dms" "run"
spawn-at-startup "kdeconnect-indicator" spawn-at-startup "kdeconnect-indicator"
spawn-at-startup "~/rep/flocon/home/bin/monitor-dark-mode.sh" spawn-at-startup "~/rep/flocon/home/bin/monitor-dark-mode.sh"
@@ -354,8 +310,3 @@ environment {
hotkey-overlay { hotkey-overlay {
skip-at-startup skip-at-startup
} }
layer-rule {
match namespace="dms:blurwallpaper"
place-within-backdrop true
}

5
home/.config/niri/dms/alttab.kdl Normal file
View File

@@ -0,0 +1,5 @@
recent-windows {
highlight {
corner-radius 12
}
}

55
home/.config/niri/dms/binds.kdl Normal file
View File

@@ -0,0 +1,55 @@
binds {
Mod+Shift+D hotkey-overlay-title="Application Launcher" {
spawn "dms" "ipc" "call" "spotlight" "toggle";
}
Mod+V hotkey-overlay-title="Clipboard Manager" {
spawn "dms" "ipc" "call" "clipboard" "toggle";
}
Mod+M hotkey-overlay-title="Task Manager" {
spawn "dms" "ipc" "call" "processlist" "toggle";
}
Mod+Comma hotkey-overlay-title="Settings" {
spawn "dms" "ipc" "call" "settings" "toggle";
}
Mod+N hotkey-overlay-title="Notification Center" {
spawn "dms" "ipc" "call" "notifications" "toggle";
}
Mod+Shift+N hotkey-overlay-title="Notepad" {
spawn "dms" "ipc" "call" "notepad" "toggle";
}
Mod+Alt+L hotkey-overlay-title="Lock Screen" {
spawn "dms" "ipc" "call" "lock" "lock";
}
Ctrl+Alt+Delete hotkey-overlay-title="Task Manager" {
spawn "dms" "ipc" "call" "processlist" "toggle";
}
// Audio
XF86AudioRaiseVolume allow-when-locked=true {
spawn "dms" "ipc" "call" "audio" "increment" "3";
}
XF86AudioLowerVolume allow-when-locked=true {
spawn "dms" "ipc" "call" "audio" "decrement" "3";
}
XF86AudioMute allow-when-locked=true {
spawn "dms" "ipc" "call" "audio" "mute";
}
XF86AudioMicMute allow-when-locked=true {
spawn "dms" "ipc" "call" "audio" "micmute";
}
// BL
XF86MonBrightnessUp allow-when-locked=true {
spawn "dms" "ipc" "call" "brightness" "increment" "5" "";
}
XF86MonBrightnessDown allow-when-locked=true {
spawn "dms" "ipc" "call" "brightness" "decrement" "5" "";
}
}

36
home/.config/niri/dms/colors.kdl Normal file
View File

@@ -0,0 +1,36 @@
layout {
background-color "transparent"
focus-ring {
active-color "#5c5891"
inactive-color "#787680"
urgent-color "#ba1a1a"
}
border {
active-color "#5c5891"
inactive-color "#787680"
urgent-color "#ba1a1a"
}
shadow {
color "#00000070"
}
tab-indicator {
active-color "#5c5891"
inactive-color "#787680"
urgent-color "#ba1a1a"
}
insert-hint {
color "#5c589180"
}
}
recent-windows {
highlight {
active-color "#444078"
urgent-color "#ba1a1a"
}
}

17
home/.config/niri/dms/layout.kdl Normal file
View File

@@ -0,0 +1,17 @@
layout {
gaps 4
border {
width 2
}
focus-ring {
width 2
}
}
window-rule {
geometry-corner-radius 12
clip-to-geometry true
tiled-state true
draw-border-with-background false
}

4
home/.config/niri/dms/wpblur.kdl Normal file
View File

@@ -0,0 +1,4 @@
layer-rule {
match namespace="dms:blurwallpaper"
place-within-backdrop true
}

2
home/.config/sway/config
View File

@@ -1,2 +0,0 @@
include ~/.config/sway/config.d/*
include /etc/sway/config.d/*

37
home/.config/sway/config.d/bar
View File

@@ -1,37 +0,0 @@
include ~/.config/sway/kanagawa.sway
set $font "JetBrains Mono NF Bold 12"
set $background #000000
bar {
id top_bar
status_command i3status-rs
position top
height 24
font $font
workspace_min_width 20
status_padding 0
status_edge_padding 0
colors {
background $background
focused_workspace #000000 #000000 $fujiWhite
active_workspace #000000 #000000 $fujiGray
inactive_workspace #000000 #000000 $fujiGray
}
}
bar {
id bottom_bar
status_command i3status-rs ~/.config/i3status-rust/bottom-config.toml
position bottom
height 24
font $font
workspace_buttons no
binding_mode_indicator no
tray_output none
colors {
background $background
}
}
# vim:ft=swayconfig

169
home/.config/sway/config.d/bindings
View File

@@ -1,169 +0,0 @@
set $mod Mod4
set $left h
set $down j
set $up k
set $right l
set $term alacritty msg create-window || alacritty
set $launcher tofi-drun | xargs swaymsg exec --
set $lock swaylock
set $screenshots $HOME/Pictures/Screenshots
floating_modifier $mod normal
bindsym {
# Start a terminal
$mod+Return exec $term
# Kill focused window
$mod+Shift+q kill
$mod+w kill
# Application launcher
$mod+d exec $launcher
# Reload the configuration file
$mod+Shift+c reload
# Exit sway / log out
$mod+Shift+e exec swaynag \
-t warning \
-m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' \
-B 'Yes, exit sway' 'swaymsg exit' \
--dismiss-button 'Cancel'
# Move focus
$mod+$left focus left
$mod+$down focus down
$mod+$up focus up
$mod+$right focus right
$mod+Left focus left
$mod+Down focus down
$mod+Up focus up
$mod+Right focus right
# Move the focused window
$mod+Shift+$left move left
$mod+Shift+$down move down
$mod+Shift+$up move up
$mod+Shift+$right move right
$mod+Shift+Left move left
$mod+Shift+Down move down
$mod+Shift+Up move up
$mod+Shift+Right move right
--to-code {
# Switch to workspace
$mod+ampersand workspace number 1
$mod+eacute workspace number 2
$mod+quotedbl workspace number 3
$mod+apostrophe workspace number 4
$mod+parenleft workspace number 5
$mod+minus workspace number 6
$mod+egrave workspace number 7
$mod+underscore workspace number 8
$mod+ccedilla workspace number 9
$mod+agrave workspace number 10
}
# Move focused container to workspace
$mod+1 move container to workspace number 1
$mod+2 move container to workspace number 2
$mod+3 move container to workspace number 3
$mod+4 move container to workspace number 4
$mod+5 move container to workspace number 5
$mod+6 move container to workspace number 6
$mod+7 move container to workspace number 7
$mod+8 move container to workspace number 8
$mod+9 move container to workspace number 9
$mod+0 move container to workspace number 10
$mod+Shift+1 move container to workspace number 1
$mod+Shift+2 move container to workspace number 2
$mod+Shift+3 move container to workspace number 3
$mod+Shift+4 move container to workspace number 4
$mod+Shift+5 move container to workspace number 5
$mod+Shift+6 move container to workspace number 6
$mod+Shift+7 move container to workspace number 7
$mod+Shift+8 move container to workspace number 8
$mod+Shift+9 move container to workspace number 9
$mod+Shift+0 move container to workspace number 10
# Split
$mod+b splith
$mod+v splitv
# Switch the current container between different layout styles
$mod+s layout stacking
$mod+t layout tabbed
$mod+m layout toggle split
# Toggle fullscreen on the current focus
$mod+f fullscreen
# Toggle floating mode for current container
$mod+Shift+f floating toggle
# Move focus to the parent container
$mod+a focus parent
# Move the focused window to the scratchpad
$mod+Shift+equal move scratchpad
# Cycle through scratchpad windows
$mod+equal scratchpad show
# Volume
XF86AudioRaiseVolume exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+ -l 1.0
XF86AudioLowerVolume exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%- -l 1.0
XF86AudioMute exec wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle
XF86AudioMicMute exec wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle
# Media
XF86AudioPlay exec playerctl play-pause
XF86AudioNext exec playerctl next
XF86AudioPrev exec playerctl previous
XF86Search exec $launcher
# Brightness
--locked {
XF86MonBrightnessDown exec brightnessctl set 5%-
XF86MonBrightnessUp exec brightnessctl set +5%
}
# Lock
Ctrl+Mod4+L exec $lock
# Screenshot
## Full screen capture
Print exec grim "$screenshots/$(date +\"Screenshot from %Y-%m-%d %H-%M-%S.png\")"
## Select a zone and save
$mod+Shift+s exec grim -g "$(slurp -d)" "$screenshots/$(date +\"Screenshot from %Y-%m-%d %H-%M-%S.png\")"
## Select a zone and copy to clipboard
$mod+Shift+Ctrl+s exec grim -g "$(slurp -d)" - | wl-copy
}
mode "resize" bindsym {
# Shrink or grow the container
$left resize shrink width 10px
$down resize grow height 10px
$up resize shrink height 10px
$right resize grow width 10px
# Same with arrow keys
Left resize shrink width 10px
Down resize grow height 10px
Up resize shrink height 10px
Right resize grow width 10px
# Return to default mode
Return mode "default"
Escape mode "default"
}
bindsym $mod+r mode "resize"

17
home/.config/sway/config.d/input
View File

@@ -1,17 +0,0 @@
input "1267:12613:ASUE140C:00_04F3:3145_Keyboard" {
xkb_layout "fr,us(colemak_dh),us"
xkb_options grp:win_space_toggle
}
input "1:1:AT_Translated_Set_2_keyboard" {
xkb_layout "fr,us(colemak_dh),us"
xkb_options grp:win_space_toggle
}
input type:touchpad {
tap enabled
natural_scroll enabled
}
bindgesture swipe:right workspace prev
bindgesture swipe:left workspace next

16
home/.config/sway/config.d/programs
View File

@@ -1,16 +0,0 @@
# Directory for received taildrop files
set $taildrop_inbox $HOME/Downloads
# Screen temperature
exec wlsunset -l 45 -L 6
# Notifications
exec mako
# Output management
exec kanshi
# Auto receive taildrop files
exec tailscale file get --loop --conflict=rename $taildrop_inbox
exec swayidle -w

22
home/.config/sway/config.d/theme
View File

@@ -1,22 +0,0 @@
include ~/.config/sway/kanagawa.sway
default_border pixel 3
smart_borders on
titlebar_border_thickness 2
font "JetBrains Mono NF 11"
gaps outer 0
gaps inner 0
set $waveBlue3 #3D5F77
set $waveBlue4 #6D8FA7
# class border background text indicator child_border
client.focused_inactive $sumiInk2 $sumiInk1 $fujiWhite $sumiInk2 $sumiInk2
client.unfocused $sumiInk2 $sumiInk1 $fujiWhite $sumiInk2 $sumiInk2
client.focused $waveBlue3 $waveBlue2 $fujiWhite $waveBlue4 $waveBlue2
client.focused_tab_title $waveBlue2 $waveBlue2 $fujiWhite
for_window [app_id="firefox"] border none
output * bg ~/.local/state/wallpaper fill

110
home/.config/sway/kanagawa.sway
View File

@@ -1,110 +0,0 @@
# Default foreground
set $fujiWhite #DCD7BA
# Dark foreground (statuslines)
set $oldWhite #C8C093
# Dark background (statuslines and floating windows)
set $sumiInk0 #16161D
# Default background
set $sumiInk1 #1F1F28
# Lighter background (colorcolumn, folds)
set $sumiInk2 #2A2A37
# Lighter background (cursorline)
set $sumiInk3 #363646
# Darker foreground (line numbers, fold column, non-text characters), float borders
set $sumiInk4 #54546D
# Popup background, visual selection background
set $waveBlue1 #223249
# Popup selection background, search background
set $waveBlue2 #2D4F67
# Diff Add (background)
set $winterGreen #2B3328
# Diff Change (background)
set $winterYellow #49443C
# Diff Deleted (background)
set $winterRed #43242B
# Diff Line (background)
set $winterBlue #252535
# Git Add
set $autumnGreen #76946A
# Git Delete
set $autumnRed #C34043
# Git Change
set $autumnYellow #DCA561
# Diagnostic Error
set $samuraiRed #E82424
# Diagnostic Warning
set $roninYellow #FF9E3B
# Diagnostic Info
set $waveAqua1 #6A9589
# Diagnostic Hint
set $dragonBlue #658594
# Comments
set $fujiGray #727169
# Light foreground
set $springViolet1 #938AA9
# Statements and Keywords
set $oniViolet #957FB8
# Functions and Titles
set $crystalBlue #7E9CD8
# Brackets and punctuation
set $springViolet2 #9CABCA
# Specials and builtin functions
set $springBlue #7FB4CA
# Not used
set $lightBlue #A3D4D5
# Types
set $waveAqua2 #7AA89F
# Strings
set $springGreen #98BB6C
# Not used
set $boatYellow1 #938056
# Operators, RegEx
set $boatYellow2 #C0A36E
# Identifiers
set $carpYellow #E6C384
# Numbers
set $sakuraPink #D27E99
# Standout specials 1 (builtin variables)
set $waveRed #E46876
# Standout specials 2 (exception handling, return)
set $peachRed #FF5D62
# Constants, imports, booleans
set $surimiOrange #FFA066
# Deprecated
set $katanaGray #717C7C

10
home/.config/swayidle/config
View File

@@ -1,10 +0,0 @@
# This will lock the screen after 300 seconds of inactivity.
timeout 300 "swaylock -f"
# Turn off all displays after another 300 seconds.
# and turn them back on when resumed.
timeout 600 "swaymsg 'output * dpms off'" resume "swaymsg 'output * dpms on'"
# Lock the screen before the computer goes to sleep.
before-sleep "playerctl pause"
before-sleep "swaylock -f"

29
home/.config/swaylock/config
View File

@@ -1,29 +0,0 @@
daemonize
font=JetBrains Mono NF
font-size=22
image=~/.local/state/wallpaper
ring-color=FFFFFF55
ring-clear-color=FFFFFF55
ring-ver-color=1885d4
ring-wrong-color=FF0000
key-hl-color=FFFFFF
inside-color=00000000
inside-clear-color=00000000
inside-ver-color=00000000
inside-wrong-color=00000000
line-uses-inside
separator-color=00000000
layout-bg-color=00000000
layout-text-color=FFFFFF
text-color=FFFFFF
text-clear-color=FFFFFF
text-ver-color=FFFFFF
text-wrong-color=FFFFFF
indicator-radius=100

4
home/.config/task/taskrc
View File

@@ -1,4 +0,0 @@
data.location=~/.local/share/task
hooks.location=~/.config/task/hooks
include ~/.config/task/sync

176
home/.config/tofi/config
View File

@@ -1,176 +0,0 @@
#
### Fonts
#
# Font to use, either a path to a font file or a name.
#
# If a path is given, tofi will startup much quicker, but any
# characters not in the chosen font will fail to render.
#
# Otherwise, fonts are interpreted in Pango format.
font = "JetBrainsMono NF"
# Point size of text.
font-size = 15
# Perform font hinting. Only applies when a path to a font has been
# specified via `font`. Disabling font hinting speeds up text
# rendering appreciably, but will likely look poor at small font pixel
# sizes.
hint-font = true
#
### Colors
#
# Window background
background-color = #111111DD
# Border outlines
outline-color = #080800
# Border
border-color = #0981E3
# Default text
text-color = #C5C9C7
# Selection text
selection-color = #0981E3
# Matching portion of selection text
selection-match-color = #44BBFF
# Selection background
selection-background = #00000000
#
### Text layout
#
# Prompt to display.
prompt-text = "run: "
# Extra horizontal padding between prompt and input.
prompt-padding = 0
# Maximum number of results to display.
# If 0, tofi will draw as many results as it can fit in the window.
num-results = 0
# Spacing between results in pixels. Can be negative.
result-spacing = 8
# List results horizontally.
horizontal = false
# Minimum width of input in horizontal mode.
min-input-width = 0
# Extra horizontal padding of the selection background in pixels.
selection-background-padding = 0
#
### Window layout
#
# Width and height of the window. Can be pixels or a percentage.
width = 100%
height = 100%
# Width of the border outlines in pixels.
outline-width = 0
# Width of the border in pixels.
border-width = 0
# Radius of window corners in pixels.
corner-radius = 0
# Padding between borders and text. Can be pixels or a percentage.
padding-top = 200
padding-bottom = 0
padding-left = 35%
padding-right = 0
# Whether to scale the window by the output's scale factor.
scale = true
#
### Window positioning
#
# The name of the output to appear on. An empty string will use the
# default output chosen by the compositor.
output = ""
# Location on screen to anchor the window to.
#
# Supported values: top-left, top, top-right, right, bottom-right,
# bottom, bottom-left, left, center.
anchor = center
# Set the size of the exclusive zone.
#
# A value of -1 means ignore exclusive zones completely.
# A value of 0 will move tofi out of the way of other windows' zones.
# A value greater than 0 will set that much space as an exclusive zone.
#
# Values greater than 0 are only meaningful when tofi is anchored to a
# single edge.
exclusive-zone = -1
# Window offset from edge of screen. Only has an effect when anchored
# to the relevant edge. Can be pixels or a percentage.
margin-top = 0
margin-bottom = 0
margin-left = 0
margin-right = 0
#
### Behaviour
#
# Hide the cursor.
hide-cursor = false
# Sort results by number of usages in run and drun modes.
history = true
# Use fuzzy matching for searches.
fuzzy-match = false
# If true, require a match to allow a selection to be made. If false,
# making a selection with no matches will print input to stdout.
# In drun mode, this is always true.
require-match = true
# If true, typed input will be hidden, and what is displayed (if
# anything) is determined by the hidden-character option.
hide-input = false
# Replace displayed input characters with a character. If the empty
# string is given, input will be completely hidden.
# This option only has an effect when hide-input is set to true.
hidden-character = "*"
# If true, directly launch applications on selection when in drun mode.
# Otherwise, just print the command line to stdout.
drun-launch = false
# The terminal to run terminal programs in when in drun mode.
# This option has no effect if drun-launch is set to true.
# Defaults to the value of the TERMINAL environment variable.
# terminal = foot
# Delay keyboard initialisation until after the first draw to screen.
# This option is experimental, and will cause tofi to miss keypresses
# for a short time after launch. The only reason to use this option is
# performance on slow systems.
late-keyboard-init = false
# If true, allow multiple simultaneous processes.
# If false, create a lock file on startup to prevent multiple instances
# from running simultaneously.
multi-instance = false
#
### Inclusion
#
# Configs can be split between multiple files, and then included
# within each other.
# include = /path/to/config

23
home/.config/vicinae/vicinae.json Normal file
View File

@@ -0,0 +1,23 @@
{
"closeOnFocusLoss": false,
"considerPreedit": false,
"faviconService": "twenty",
"font": {
"size": 12
},
"keybinding": "default",
"keybinds": {
},
"popToRootOnClose": true,
"rootSearch": {
"searchFiles": true
},
"theme": {
"name": "matugen"
},
"window": {
"csd": true,
"opacity": 1,
"rounding": 10
}
}

3
home/.ssh/config
View File

@@ -1,8 +1,11 @@
Host crocus Host crocus
HostName crocus.val
User root User root
Host verbena Host verbena
HostName verbena.val
User root User root
Host genepi Host genepi
HostName genepi.val
User root User root

18
home/bin/switch-helix-theme.sh
View File

@@ -6,10 +6,24 @@ HELIX_CONFIG_PATH=$(readlink -f "${HOME}/.config/helix/config.toml")
HELIX_THEME_LIGHT="zed_onelight" HELIX_THEME_LIGHT="zed_onelight"
HELIX_THEME_DARK="kanagawa" HELIX_THEME_DARK="kanagawa"
ALACRITTY_CONFIG_PATH=$(readlink -f "${HOME}/.config/alacritty/alacritty.toml")
ALACRITTY_THEME_LIGHT="default_light"
ALACRITTY_THEME_DARK="kanagawa_wave"
set_helix_theme() {
sed -i "s/^theme .*/theme = \"$1\"/" "$HELIX_CONFIG_PATH"
}
set_alacritty_theme() {
sed -i "s/^import .*/import = \[\"\~\/\.config\/alacritty\/themes\/$1\.toml\"\]/" "$ALACRITTY_CONFIG_PATH"
}
if [[ "$2" == "prefer-dark" ]]; then if [[ "$2" == "prefer-dark" ]]; then
sed -i "s/^theme .*/theme = \"$HELIX_THEME_DARK\"/" "$HELIX_CONFIG_PATH" set_helix_theme "$HELIX_THEME_DARK"
sey_alacritty_theme "$HELIX_THEME_DARK"
else else
sed -i "s/^theme .*/theme = \"$HELIX_THEME_LIGHT\"/" "$HELIX_CONFIG_PATH" set_helix_theme "$HELIX_THEME_LIGHT"
set_alacritty_theme "$HELIX_THEME_LIGHT"
fi fi
pkill -USR1 hx || true pkill -USR1 hx || true

77
infra/.terraform.lock.hcl generated
View File

@@ -1,83 +1,16 @@
# This file is maintained automatically by "tofu init". # This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates. # Manual edits may be lost in future updates.
provider "registry.opentofu.org/go-gandi/gandi" { provider "registry.opentofu.org/hashicorp/external" {
version = "2.3.0" version = "2.3.5"
constraints = "2.3.0"
hashes = [ hashes = [
"h1:9kqWL+eFk/ogrQSltL9zVqjMcOqbvs3EgIJEeyNPb8U=", "h1:en/2hMK/W/2hKtsEkbxGiiYwi/pSPS/UoGDILHIHjmw=",
"zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9",
"zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b",
"zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252",
"zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd",
"zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408",
"zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d",
"zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5",
"zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698",
"zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28",
"zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf",
"zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804",
"zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663",
]
}
provider "registry.opentofu.org/hashicorp/assert" {
version = "0.16.0"
hashes = [
"h1:2jeV46S9jN2rk0GXOa+HGNlVvyWzaB3wz0T65elbjOc=",
"zh:3c04d08d1bb4ae810b7972a219c8dd42a8ab901a9bc25197b250c38f3fa57033",
"zh:46119bcc47b545809c0ee873a72d44f4f875cca4d7228605f5c7a8956a5e7d55",
"zh:511949ee8a6ac8ff7296b4c9778deb2aec2783f5b85c4f27382a3b623fc50a4a",
"zh:b4ebb8b832bae26443880d2e17493f754495db2d6c3f02c6d0070cbf5ae21598",
"zh:bebed6c1873871eb824103f08e72055c077f01b10a40944760d19ffdd721d9ab",
"zh:e412855fd2fd81e0a847e45308bdbac99995315c503fdddf262ee59e1b7c5263",
"zh:ed47c4fe28c6f148f11fa4098516abea008c49fa670c3cedd2ff94596cac0831",
"zh:edee914b1d12ac6db241a1fecaa5186c47f361f4ceb2deb23ad45d67bf95c7b1",
"zh:eff5b2e1c2128217bdbc600eda4fe011831e5c655bf4acd84b6495fc20d128d3",
"zh:ff64424784171a3361b1ea95d8cef334ec1c4a395812edd0a77a1ed6b4119b0f",
] ]
} }
provider "registry.opentofu.org/hetznercloud/hcloud" { provider "registry.opentofu.org/hetznercloud/hcloud" {
version = "1.52.0" version = "1.58.0"
constraints = "~> 1.45"
hashes = [ hashes = [
"h1:LTjrLuC+4F1Kv4TxS9e7LVVkG8/S4QQ7X4ORblvKTbc=", "h1:6C2LNEvCyGPyWgALDAFTNbRp+5Iuikd4Ju1Xejh+aeg=",
"zh:1e9bb6b6a2ea5f441638dbae2d60fbe04ff455f58a18c740b8b7913e2197d875",
"zh:29c122e404ba331cfbadacc7f1294de5a31c9dfd60bdfe3e1b402271fc8e419c",
"zh:2bd0ae2f0bb9f16b7753f59a08e57ac7230f9c471278d7882f81406b9426c8c7",
"zh:4383206971873f6b5d81580a9a36e0158924f5816ebb6206b0cf2430e4e6a609",
"zh:47e2ca1cfa18500e4952ab51dc357a0450d00a92da9ea03e452f1f3efe6bbf75",
"zh:8e9fe90e3cea29bb7892b64da737642fc22b0106402df76c228a3cbe99663278",
"zh:a2d69350a69c471ddb63bcc74e105e585319a0fc0f4d1b7f70569f6d2ece5824",
"zh:a97abcc254e21c294e2d6b0fc9068acfd63614b097dda365f1c56ea8b0fd5f6b",
"zh:aba8d72d4fe2e89c922d5446d329e5c23d00b28227b4666e6486ba18ea2ec278",
"zh:ad36c333978c2d9e4bc43dcadcbff42fe771a8c5ef53d028bcacec8287bf78a7",
"zh:cdb1e6903b9d2f0ad8845d4eb390fbe724ee2435fb045baeab38d4319e637682",
"zh:df77b08757f3f36b8aadb33d73362320174047044414325c56a87983f48b5186",
"zh:e07513d5ad387247092b5ae1c87e21a387fc51873b3f38eee616187e38b090a7",
"zh:e2be02bdc59343ff4b9e26c3b93db7680aaf3e6ed13c8c4c4b144c74c2689915",
]
}
provider "registry.opentofu.org/ovh/ovh" {
version = "2.5.0"
constraints = "2.5.0"
hashes = [
"h1:CrmFEWjczVhLWc2qzOktKSu8Q0U78uV8fnSHo54lMQg=",
"zh:1a11c3bc191c3417b41af5c56a66ac7071980f7babb390096b43aab3ac60fe7c",
"zh:1d46fa7c37468becb01d117463838f694a093e58a9b7d28347db2c377933db76",
"zh:22b83b15e878a9627477fe49e03dada3f4cd4357cb91cdb621394da690238542",
"zh:316541fc8bbf2fe14f4a484d878c63e4b949bd21a352e0ebf60d4848c96a338e",
"zh:50e72847a4b1d532e7abd5669408832ac1b49dcfda266378b8e2419d97f0f49a",
"zh:7582c8630edb3e83642e7a4b06fababeaf4833ce622c71220c38724d0e0231af",
"zh:a26714d6bd8e04acbbc94c708b151405c4b6fc20dc7060e0daef8395f1bb9ce0",
"zh:aa8be95462c5ca909c923cc3d44636eccc71cb25b51572fe7e2f68bc93c57612",
"zh:b520c0661c514586b2aa3105c4345eda4d34ef08b62fda2cc20a2bcb8cb88ab2",
"zh:be8125f1b6bc8aa93441ec9dd96db5f49d21b4dcc100c13028404b461da545c9",
"zh:c6aab9b6b04fa8483aa10c194eaab8e4a1fbffc64ad495f5027d496e5b2da214",
"zh:d537d85afc71c51d86b1031586c619c503df9462e0240d94984bc32273a03df2",
"zh:eaa9f41d33fa7731c4a937e80554a1b6b2042d273705e4c8fc983ba251193206",
"zh:f0d085065a0ada787ad080ddd6e7c646b8ca3a351712961de735d18c9d59af7c",
] ]
} }

5
infra/README.md
View File

@@ -19,3 +19,8 @@ tofu import hcloud_firewall.hcloud_firewall YYY
``` ```
For Hetzner Cloud, the resource IDs can be found in the URL of the admin console. For Hetzner Cloud, the resource IDs can be found in the URL of the admin console.
## Outputs
The nix configuration reads some values from the `outputs.json` file.
When modifying these, the file should be regenerated with `tofu output -json > outputs.json`.

24
infra/base.nix Normal file
View File

@@ -0,0 +1,24 @@
{
config,
lib,
pkgs,
...
}:
{
terraform.required_providers.hcloud.source = "hetznercloud/hcloud";
data.external.hcloud-token = {
program = [
(lib.getExe (
pkgs.writeShellApplication {
name = "get-clan-secret";
text = ''
jq -n --arg secret "$(clan secrets get hcloud-token)" '{"secret":$secret}'
'';
}
))
];
};
provider.hcloud.token = config.data.external.hcloud-token "result.secret";
}

64
infra/crocus.tf
View File

@@ -1,64 +0,0 @@
resource "hcloud_server" "crocus_server" {
name = "crocus"
server_type = "cx22"
datacenter = "nbg1-dc3"
image = "ubuntu-20.04"
firewall_ids = [hcloud_firewall.crocus_firewall.id]
public_net {
ipv4 = hcloud_primary_ip.crocus_ipv4.id
}
}
resource "hcloud_primary_ip" "crocus_ipv4" {
name = "crocus_ipv4"
type = "ipv4"
datacenter = "nbg1-dc3"
assignee_type = "server"
auto_delete = true
}
resource "hcloud_firewall" "crocus_firewall" {
name = "crocus-firewall"
rule {
direction = "in"
protocol = "icmp"
source_ips = ["0.0.0.0/0", "::/0"]
}
rule {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = ["0.0.0.0/0", "::/0"]
}
rule {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = ["0.0.0.0/0", "::/0"]
}
rule {
direction = "in"
protocol = "tcp"
port = "80"
source_ips = ["0.0.0.0/0", "::/0"]
}
rule {
direction = "in"
protocol = "tcp"
port = "443"
source_ips = ["0.0.0.0/0", "::/0"]
}
# radicle-node
rule {
direction = "in"
protocol = "tcp"
port = "8776"
source_ips = ["0.0.0.0/0", "::/0"]
}
}

20
infra/dns.nix Normal file
View File

@@ -0,0 +1,20 @@
{ config, ... }:
{
resource.hcloud_zone.rpqt_fr = {
name = "rpqt.fr";
mode = "primary";
};
resource.hcloud_zone.turifer_dev = {
name = "turifer.dev";
mode = "primary";
};
output.rpqt_fr_zone_name = {
value = config.resource.hcloud_zone.rpqt_fr "name";
};
output.turifer_dev_zone_name = {
value = config.resource.hcloud_zone.turifer_dev "name";
};
}

66
infra/dns.tf
View File

@@ -1,66 +0,0 @@
data "gandi_livedns_domain" "rpqt_fr" {
name = "rpqt.fr"
}
resource "gandi_livedns_record" "rpqt_fr_radicle_a" {
zone = data.gandi_livedns_domain.rpqt_fr.id
name = "radicle"
type = "A"
ttl = 10800
values = [
hcloud_server.crocus_server.ipv4_address,
]
}
resource "gandi_livedns_record" "rpqt_fr_radicle_aaaa" {
zone = data.gandi_livedns_domain.rpqt_fr.id
name = "radicle"
type = "AAAA"
ttl = 10800
values = [
hcloud_server.crocus_server.ipv6_address,
]
}
resource "gandi_livedns_record" "rpqt_fr_cloud_a" {
zone = data.gandi_livedns_domain.rpqt_fr.id
name = "cloud"
type = "A"
ttl = 10800
values = local.verbena_ipv4_addresses
}
resource "gandi_livedns_record" "rpqt_fr_cloud_aaaa" {
zone = data.gandi_livedns_domain.rpqt_fr.id
name = "cloud"
type = "AAAA"
ttl = 10800
values = local.verbena_ipv6_addresses
}
data "ovh_vps" "verbena_vps" {
service_name = "vps-7e78bac2.vps.ovh.net"
}
data "ovh_domain_zone" "turifer_dev" {
name = "turifer.dev"
}
resource "ovh_domain_zone_import" "turifer_dev_import" {
zone_name = "turifer.dev"
zone_file = local.turifer_dev_zone_file
}
locals {
verbena_ipv4_addresses = [for ip in data.ovh_vps.verbena_vps.ips : ip if provider::assert::ipv4(ip)]
verbena_ipv6_addresses = [for ip in data.ovh_vps.verbena_vps.ips : ip if provider::assert::ipv6(ip)]
turifer_dev_zone_file = templatefile("./templates/turifer.dev.zone", {
crocus_ipv4_address = hcloud_server.crocus_server.ipv4_address
crocus_ipv6_address = hcloud_server.crocus_server.ipv6_address
verbena_ipv4_addresses = local.verbena_ipv4_addresses
verbena_ipv6_addresses = local.verbena_ipv6_addresses
})
}

40
infra/flake-module.nix Normal file
View File

@@ -0,0 +1,40 @@
{ self, ... }:
{
perSystem =
{ pkgs, ... }:
{
terranix.terranixConfigurations.infra = {
terraformWrapper.package = pkgs.opentofu.withPlugins (p: [
p.hashicorp_external
p.hetznercloud_hcloud
]);
extraArgs = { inherit (self) infra; };
modules = [
./base.nix
./dns.nix
./mail.nix
./radicle.nix
./web.nix
];
};
};
flake.infra =
let
tf_outputs = builtins.fromJSON (builtins.readFile ./outputs.json);
in
{
machines = {
verbena = {
ipv4 = tf_outputs.verbena_ipv4.value;
ipv6 = tf_outputs.verbena_ipv6.value;
gateway6 = tf_outputs.verbena_gateway6.value;
};
crocus = {
ipv4 = tf_outputs.crocus_ipv4.value;
ipv6 = "2a01:4f8:1c1e:e415::1";
};
};
};
}

88
infra/lib.nix Normal file
View File

@@ -0,0 +1,88 @@
{ lib, ... }:
let
mkMigaduDkim = zone: name: {
inherit zone;
name = "${name}._domainkey";
type = "CNAME";
records = [
{ value = "${name}.${zone}._domainkey.migadu.com."; }
];
};
in
{
mkMigadu_hcloud_zone_rrset = zone: hostedEmailVerify: {
dkim_1 = mkMigaduDkim zone "key1";
dkim_2 = mkMigaduDkim zone "key2";
dkim_3 = mkMigaduDkim zone "key3";
spf = {
inherit zone;
name = "@";
type = "TXT";
records = [
{
value = lib.tf.ref ''provider::hcloud::txt_record("v=spf1 include:spf.migadu.com -all")'';
}
{
value = lib.tf.ref ''provider::hcloud::txt_record("hosted-email-verify=${hostedEmailVerify}")'';
}
];
};
dmarc = {
inherit zone;
name = "_dmarc";
type = "TXT";
records = [
{
value = lib.tf.ref ''provider::hcloud::txt_record("v=DMARC1; p=quarantine;")'';
}
];
};
mx = {
inherit zone;
name = "@";
type = "MX";
records = [
{ value = "10 aspmx1.migadu.com."; }
{ value = "20 aspmx2.migadu.com."; }
];
};
autoconfig = {
inherit zone;
name = "autoconfig";
type = "CNAME";
records = [ { value = "autoconfig.migadu.com."; } ];
};
autodiscover = {
inherit zone;
name = "_autodiscover._tcp";
type = "SRV";
records = [ { value = "0 1 443 autodiscover.migadu.com."; } ];
};
submissions = {
inherit zone;
name = "_submissions._tcp";
type = "SRV";
records = [ { value = "0 1 465 smtp.migadu.com."; } ];
};
imaps = {
inherit zone;
name = "_imaps._tcp";
type = "SRV";
records = [ { value = "0 1 993 imap.migadu.com."; } ];
};
pop3s = {
inherit zone;
name = "_pop3s._tcp";
type = "SRV";
records = [ { value = "0 1 995 pop.migadu.com."; } ];
};
};
}

15
infra/mail.nix Normal file
View File

@@ -0,0 +1,15 @@
{ config, lib, ... }:
let
inherit (import ./lib.nix { inherit lib; })
mkMigadu_hcloud_zone_rrset
;
rpqt_fr = mkMigadu_hcloud_zone_rrset (config.resource.hcloud_zone.rpqt_fr "name") "pgeaq3bp";
# Prefix resource names with zone name to avoid collision
turifer_dev = lib.mapAttrs' (name: value: lib.nameValuePair "turifer_dev_${name}" value) (
mkMigadu_hcloud_zone_rrset (config.resource.hcloud_zone.turifer_dev "name") "k5z4lcfc"
);
in
{
resource.hcloud_zone_rrset = rpqt_fr // turifer_dev;
}

19
infra/main.tf
View File

@@ -1,19 +0,0 @@
terraform {
required_providers {
gandi = {
source = "go-gandi/gandi"
version = "2.3.0"
}
hcloud = {
source = "hetznercloud/hcloud"
version = "~> 1.45"
}
ovh = {
source = "ovh/ovh"
version = "2.5.0"
}
assert = {
source = "hashicorp/assert"
}
}
}

22
infra/outputs.json Normal file
View File

@@ -0,0 +1,22 @@
{
"crocus_ipv4": {
"sensitive": false,
"type": "string",
"value": "116.203.18.122"
},
"verbena_gateway6": {
"sensitive": false,
"type": "string",
"value": "2001:41d0:305:2100::1"
},
"verbena_ipv4": {
"sensitive": false,
"type": "string",
"value": "51.68.122.153"
},
"verbena_ipv6": {
"sensitive": false,
"type": "string",
"value": "2001:41d0:305:2100::271e"
}
}

13
infra/providers.tf
View File

@@ -1,13 +0,0 @@
provider "gandi" {
personal_access_token = var.gandi_token
}
provider "hcloud" {
token = var.hcloud_token
}
provider "ovh" {
endpoint = "ovh-eu"
client_id = var.ovh_client_id
client_secret = var.ovh_client_secret
}

52
infra/radicle.nix Normal file
View File

@@ -0,0 +1,52 @@
{
config,
infra,
lib,
...
}:
{
resource.hcloud_zone_rrset =
let
zone = config.resource.hcloud_zone.rpqt_fr "name";
in
{
radicle_a = {
inherit zone;
name = "radicle";
type = "A";
records = [ { value = infra.machines.crocus.ipv4; } ];
};
radicle_aaaa = {
inherit zone;
name = "radicle";
type = "AAAA";
records = [ { value = infra.machines.crocus.ipv6; } ];
};
radicles_srv = {
inherit zone;
name = "seed._radicle-node._tcp";
type = "SRV";
records = [ { value = "32767 32767 58776 radicle.rpqt.fr."; } ];
};
radicles_nid = {
inherit zone;
name = "seed._radicle-node._tcp";
type = "TXT";
records = [
{
value = lib.tf.ref ''provider::hcloud::txt_record("nid=z6MkuivFHDPg6Bd25v4bEWm7T7qLUYMWk1eVTE7exvum5Rvd")'';
}
];
};
radicle_ptr = {
inherit zone;
name = "_radicle-node._tcp";
type = "PTR";
records = [ { value = "seed._radicle-node._tcp.radicle.rpqt.fr."; } ];
};
};
}

32
infra/templates/turifer.dev.zone
View File

@@ -1,32 +0,0 @@
$TTL 3600
@ IN SOA dns100.ovh.net. tech.ovh.net. (2025071505 86400 3600 3600000 60)
IN NS dns100.ovh.net.
IN NS ns100.ovh.net.
turifer.dev. 3000 IN TXT "hosted-email-verify=k5z4lcfc"
turifer.dev. 3000 IN MX 10 aspmx1.migadu.com.
turifer.dev. 3000 IN MX 20 aspmx2.migadu.com.
turifer.dev. 3000 IN TXT "v=spf1 include:spf.migadu.com -all"
key1._domainkey.turifer.dev. 3000 IN CNAME key1.turifer.dev._domainkey.migadu.com.
key2._domainkey.turifer.dev. 3000 IN CNAME key2.turifer.dev._domainkey.migadu.com.
key3._domainkey.turifer.dev. 3000 IN CNAME key3.turifer.dev._domainkey.migadu.com.
_dmarc.turifer.dev. 3000 IN TXT "v=DMARC1; p=quarantine;"
autoconfig.turifer.dev. 3000 IN CNAME autoconfig.migadu.com.
_autodiscover._tcp.turifer.dev. 3000 IN SRV 0 1 443 autodiscover.migadu.com.
_submissions._tcp.turifer.dev. 3000 IN SRV 0 1 465 smtp.migadu.com.
_imaps._tcp.turifer.dev. 3000 IN SRV 0 1 993 imap.migadu.com.
_pop3s._tcp.turifer.dev. 3000 IN SRV 0 1 995 pop.migadu.com.
%{ for addr in verbena_ipv4_addresses ~}
git.turifer.dev. 10800 IN A ${addr}
%{ endfor ~}
%{ for addr in verbena_ipv6_addresses ~}
git.turifer.dev. 10800 IN AAAA ${addr}
%{ endfor ~}
%{ for addr in verbena_ipv4_addresses ~}
buildbot.turifer.dev. 10800 IN A ${addr}
%{ endfor ~}
%{ for addr in verbena_ipv6_addresses ~}
buildbot.turifer.dev. 10800 IN AAAA ${addr}
%{ endfor ~}

15
infra/variables.tf
View File

@@ -1,15 +0,0 @@
variable "gandi_token" {
sensitive = true
}
variable "hcloud_token" {
sensitive = true
}
variable "ovh_client_id" {
sensitive = true
}
variable "ovh_client_secret" {
sensitive = true
}

96
infra/web.nix Normal file
View File

@@ -0,0 +1,96 @@
{ config, infra, ... }:
{
resource.hcloud_zone_rrset =
let
sourcehut_pages = {
ipv4 = "46.23.81.157";
ipv6 = "2a03:6000:1813:1337::157";
};
zone = config.resource.hcloud_zone.rpqt_fr "name";
in
{
a = {
inherit zone;
name = "@";
type = "A";
records = [ { value = sourcehut_pages.ipv4; } ];
};
aaaa = {
inherit zone;
name = "@";
type = "AAAA";
records = [ { value = sourcehut_pages.ipv6; } ];
};
cloud_a = {
inherit zone;
name = "cloud";
type = "A";
records = [ { value = infra.machines.verbena.ipv4; } ];
};
cloud_aaaa = {
inherit zone;
name = "cloud";
type = "AAAA";
records = [ { value = infra.machines.verbena.ipv6; } ];
};
git_turifer_dev_a = {
zone = config.resource.hcloud_zone.turifer_dev "name";
name = "git";
type = "A";
records = [ { value = infra.machines.verbena.ipv4; } ];
};
git_turifer_dev_aaaa = {
zone = config.resource.hcloud_zone.turifer_dev "name";
name = "git";
type = "AAAA";
records = [ { value = infra.machines.verbena.ipv6; } ];
};
git_rpqt_fr_a = {
zone = config.resource.hcloud_zone.rpqt_fr "name";
name = "git";
type = "A";
records = [ { value = infra.machines.verbena.ipv4; } ];
};
git_rpqt_fr_aaaa = {
zone = config.resource.hcloud_zone.rpqt_fr "name";
name = "git";
type = "AAAA";
records = [ { value = infra.machines.verbena.ipv6; } ];
};
buildbot_turifer_dev_a = {
zone = config.resource.hcloud_zone.turifer_dev "name";
name = "buildbot";
type = "A";
records = [ { value = infra.machines.verbena.ipv4; } ];
};
buildbot_turifer_dev_aaaa = {
zone = config.resource.hcloud_zone.turifer_dev "name";
name = "buildbot";
type = "AAAA";
records = [ { value = infra.machines.verbena.ipv6; } ];
};
wg1_turifer_dev_a = {
zone = config.resource.hcloud_zone.turifer_dev "name";
name = "wg1";
type = "A";
records = [ { value = infra.machines.verbena.ipv4; } ];
};
wg1_turifer_dev_aaaa = {
zone = config.resource.hcloud_zone.turifer_dev "name";
name = "wg1";
type = "AAAA";
records = [ { value = infra.machines.verbena.ipv6; } ];
};
};
}

4
machines/crocus/configuration.nix
View File

@@ -4,11 +4,9 @@
}: }:
{ {
imports = [ imports = [
./radicle.nix self.nixosModules.radicle
self.nixosModules.nix-defaults self.nixosModules.nix-defaults
../../modules/remote-builder.nix ../../modules/remote-builder.nix
../../modules/unbound.nix
../../modules/unbound-auth.nix
self.inputs.srvos.nixosModules.server self.inputs.srvos.nixosModules.server
self.inputs.srvos.nixosModules.hardware-hetzner-cloud self.inputs.srvos.nixosModules.hardware-hetzner-cloud
]; ];

11
machines/genepi/actual.nix
View File

@@ -1,4 +1,7 @@
{ config, ... }: { config, ... }:
let
domain = "actual.val";
in
{ {
services.actual = { services.actual = {
enable = true; enable = true;
@@ -8,12 +11,14 @@
}; };
}; };
services.nginx.virtualHosts."actual.home.rpqt.fr" = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "home.rpqt.fr"; enableACME = true;
locations."/".proxyPass = locations."/".proxyPass =
"http://127.0.0.1:${builtins.toString config.services.actual.settings.port}"; "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
}; };
clan.core.state.acutal.folders = [ "/var/lib/actual" ]; security.acme.certs.${domain}.server = "https://ca.val/acme/acme/directory";
clan.core.state.actual.folders = [ "/var/lib/actual" ];
} }

6
machines/genepi/configuration.nix
View File

@@ -12,20 +12,18 @@
./homeassistant.nix ./homeassistant.nix
./immich.nix ./immich.nix
./monitoring ./monitoring
./mpd.nix
./network.nix ./network.nix
./nginx.nix ./nginx.nix
./pinchflat.nix ./pinchflat.nix
./syncthing.nix ./syncthing.nix
./taskchampion.nix
../../modules/acme-home.nix ../../modules/acme-home.nix
../../modules/lounge.nix ../../modules/lounge.nix
../../modules/unbound.nix
../../modules/unbound-auth.nix
self.nixosModules.nix-defaults self.nixosModules.nix-defaults
self.nixosModules.user-rpqt self.nixosModules.user-rpqt
self.inputs.srvos.nixosModules.mixins-terminfo
]; ];
networking.hostName = "genepi"; networking.hostName = "genepi";

12
machines/genepi/freshrss.nix
View File

@@ -1,13 +1,13 @@
{ config, ... }: { config, ... }:
let let
domain = "home.rpqt.fr"; tld = "val";
subdomain = "rss.${domain}"; domain = "rss.${tld}";
in in
{ {
services.freshrss = { services.freshrss = {
enable = true; enable = true;
baseUrl = "https://${subdomain}"; baseUrl = "https://${domain}";
virtualHost = "${subdomain}"; virtualHost = "${domain}";
defaultUser = "rpqt"; defaultUser = "rpqt";
passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path; passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
@@ -15,9 +15,11 @@ in
services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = { services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; enableACME = true;
}; };
security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
clan.core.vars.generators.freshrss = { clan.core.vars.generators.freshrss = {
prompts.freshrss-password = { prompts.freshrss-password = {
description = "freshrss default user password"; description = "freshrss default user password";

26
machines/genepi/glance-config.nix
View File

@@ -1,3 +1,4 @@
{ tld }:
{ {
theme = { theme = {
light = true; light = true;
@@ -41,22 +42,22 @@
sites = [ sites = [
{ {
title = "Immich"; title = "Immich";
url = "https://images.home.rpqt.fr"; url = "https://images.${tld}";
icon = "sh:immich"; icon = "sh:immich";
} }
{ {
title = "FreshRSS"; title = "FreshRSS";
url = "https://rss.home.rpqt.fr"; url = "https://rss.${tld}";
icon = "sh:freshrss"; icon = "sh:freshrss";
} }
{ {
title = "Syncthing"; title = "Syncthing";
url = "https://genepi.home.rpqt.fr/syncthing"; url = "https://genepi.${tld}/syncthing";
icon = "sh:syncthing"; icon = "sh:syncthing";
} }
{ {
title = "Actual Budget"; title = "Actual Budget";
url = "https://actual.home.rpqt.fr"; url = "https://actual.${tld}";
icon = "sh:actual-budget"; icon = "sh:actual-budget";
} }
{ {
@@ -64,14 +65,19 @@
url = "https://git.turifer.dev"; url = "https://git.turifer.dev";
icon = "sh:gitea"; icon = "sh:gitea";
} }
{
title = "Forgejo";
url = "https://git.rpqt.fr";
icon = "sh:forgejo";
}
{ {
title = "Pinchflat"; title = "Pinchflat";
url = "https://pinchflat.home.rpqt.fr"; url = "https://pinchflat.${tld}";
icon = "https://cdn.jsdelivr.net/gh/selfhst/icons/png/pinchflat.png"; icon = "https://cdn.jsdelivr.net/gh/selfhst/icons/png/pinchflat.png";
} }
{ {
title = "Home Assistant"; title = "Home Assistant";
url = "https://assistant.home.rpqt.fr"; url = "https://assistant.${tld}";
icon = "sh:home-assistant"; icon = "sh:home-assistant";
} }
{ {
@@ -98,12 +104,12 @@
sites = [ sites = [
{ {
title = "Grafana"; title = "Grafana";
url = "https://grafana.home.rpqt.fr"; url = "https://grafana.${tld}";
icon = "sh:grafana"; icon = "sh:grafana";
} }
{ {
title = "Prometheus"; title = "Prometheus";
url = "http://genepi.home.rpqt.fr:9090"; url = "http://genepi.${tld}:9090";
icon = "sh:prometheus"; icon = "sh:prometheus";
} }
]; ];
@@ -115,7 +121,7 @@
sites = [ sites = [
{ {
title = "Lounge"; title = "Lounge";
url = "https://lounge.home.rpqt.fr"; url = "https://lounge.${tld}";
icon = "si:html5"; icon = "si:html5";
} }
{ {
@@ -178,7 +184,7 @@
cache = "12h"; cache = "12h";
feeds = [ feeds = [
{ {
url = "https://rss.home.rpqt.fr/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss"; url = "https://rss.${tld}/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
} }
]; ];
} }

12
machines/genepi/glance.nix
View File

@@ -1,18 +1,20 @@
{ config, ... }: { config, ... }:
let let
domain = "home.rpqt.fr"; tld = "val";
subdomain = "glance.${domain}"; domain = "glance.${tld}";
in in
{ {
services.glance = { services.glance = {
enable = true; enable = true;
settings = ./glance-config.nix; settings = (import ./glance-config.nix) { inherit tld; };
}; };
services.nginx.virtualHosts.${subdomain} = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; enableACME = true;
locations."/".proxyPass = locations."/".proxyPass =
"http://127.0.0.1:${toString config.services.glance.settings.server.port}"; "http://127.0.0.1:${toString config.services.glance.settings.server.port}";
}; };
security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
} }

10
machines/genepi/homeassistant.nix
View File

@@ -1,7 +1,7 @@
{ config, ... }: { config, ... }:
let let
domain = "home.rpqt.fr"; tld = "val";
subdomain = "assistant.${domain}"; domain = "assistant.${tld}";
in in
{ {
services.home-assistant = { services.home-assistant = {
@@ -26,9 +26,9 @@ in
}; };
}; };
services.nginx.virtualHosts.${subdomain} = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; enableACME = true;
extraConfig = '' extraConfig = ''
proxy_buffering off; proxy_buffering off;
''; '';
@@ -37,4 +37,6 @@ in
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
} }

12
machines/genepi/immich.nix
View File

@@ -1,19 +1,19 @@
{ config, ... }: { config, ... }:
let let
domain = "home.rpqt.fr"; tld = "val";
subdomain = "images.${domain}"; domain = "images.${tld}";
in in
{ {
services.immich = { services.immich = {
enable = true; enable = true;
settings = { settings = {
server.externalDomain = "https://${subdomain}"; server.externalDomain = "https://${domain}";
}; };
}; };
services.nginx.virtualHosts.${subdomain} = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://${toString config.services.immich.host}:${toString config.services.immich.port}"; proxyPass = "http://${toString config.services.immich.host}:${toString config.services.immich.port}";
proxyWebsockets = true; proxyWebsockets = true;
@@ -26,5 +26,7 @@ in
}; };
}; };
security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
clan.core.state.immich.folders = [ "/var/lib/immich" ]; clan.core.state.immich.folders = [ "/var/lib/immich" ];
} }

9
machines/genepi/monitoring/grafana.nix
View File

@@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
let let
domain = "home.rpqt.fr"; tld = "val";
in in
{ {
services.grafana = { services.grafana = {
@@ -8,7 +8,7 @@ in
settings = { settings = {
server = { server = {
http_port = 3000; http_port = 3000;
domain = "grafana.${domain}"; domain = "grafana.${tld}";
}; };
}; };
provision = { provision = {
@@ -31,10 +31,13 @@ in
services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = { services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
security.acme.certs.${config.services.grafana.settings.server.domain}.server =
"https://ca.${tld}/acme/acme/directory";
} }

27
machines/genepi/mpd.nix
View File

@@ -1,27 +0,0 @@
{ config, ... }:
{
services.mpd = {
enable = true;
musicDirectory = "/home/rpqt/Media/Music";
extraConfig = ''
audio_output {
type "pulse"
name "Pulse Audio"
}
'';
network.listenAddress = "any";
};
services.pulseaudio.enable = true;
# Workaround: run PulseAudio system-wide so that the mpd user can access it
services.pulseaudio.systemWide = true;
# Fixes the stutter when changing volume (found this randomly)
services.pulseaudio.daemon.config.flat-volumes = "no";
users.users.${config.services.mpd.user}.extraGroups = [ "pulse-access" ];
users.users.rpqt.homeMode = "755";
}

4
machines/genepi/nginx.nix
View File

@@ -6,4 +6,8 @@
}; };
networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = [ 443 ]; networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = [ 443 ];
networking.firewall.interfaces."wireguard".allowedTCPPorts = [
80
443
];
} }

10
machines/genepi/pinchflat.nix
View File

@@ -3,6 +3,10 @@
pkgs, pkgs,
... ...
}: }:
let
tld = "val";
domain = "pinchflat.${tld}";
in
{ {
services.pinchflat = { services.pinchflat = {
enable = true; enable = true;
@@ -23,9 +27,11 @@
clan.core.state.pinchflat.folders = [ "/var/lib/pinchflat" ]; clan.core.state.pinchflat.folders = [ "/var/lib/pinchflat" ];
services.nginx.virtualHosts."pinchflat.home.rpqt.fr" = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "home.rpqt.fr"; enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.pinchflat.port}"; locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.pinchflat.port}";
}; };
security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
} }

32
machines/genepi/syncthing.nix
View File

@@ -1,21 +1,26 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
user = "rpqt"; user = "rpqt";
home = config.users.users.${user}.home; home = config.users.users.${user}.home;
domain = "home.rpqt.fr"; tld = "val";
subdomain = "genepi.${domain}"; domain = "genepi.${tld}";
in in
{ {
services.nginx.virtualHosts.${subdomain} = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; enableACME = true;
locations."/syncthing".proxyPass = "http://${config.services.syncthing.guiAddress}"; locations."/syncthing" = {
proxyPass = "http://${config.services.syncthing.guiAddress}";
}; };
};
security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
services.syncthing = { services.syncthing = {
enable = true; enable = true;
@@ -23,5 +28,22 @@ in
group = lib.mkForce "users"; group = lib.mkForce "users";
dataDir = home; dataDir = home;
configDir = lib.mkForce "${home}/.config/syncthing"; configDir = lib.mkForce "${home}/.config/syncthing";
guiAddress = "0.0.0.0:8384";
guiPasswordFile = config.clan.core.vars.generators.syncthing-gui.files.password.path;
};
networking.firewall.interfaces.wireguard = {
allowedTCPPorts = [ 8384 ];
};
clan.core.vars.generators.syncthing-gui = {
files.password = {
secret = true;
owner = user;
};
runtimeInputs = [ pkgs.xkcdpass ];
script = ''
xkcdpass -n 7 > $out/password
'';
}; };
} }

15
machines/genepi/taskchampion.nix
View File

@@ -1,15 +0,0 @@
{ config, ... }:
let
domain = "home.rpqt.fr";
subdomain = "tw.${domain}";
in
{
services.taskchampion-sync-server.enable = true;
services.nginx.virtualHosts.${subdomain} = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyPass =
"http://127.0.0.1:${toString config.services.taskchampion-sync-server.port}";
};
}

13
machines/haze/configuration.nix
View File

@@ -17,6 +17,8 @@
./syncthing.nix ./syncthing.nix
self.nixosModules.desktop self.nixosModules.desktop
self.nixosModules.dev
self.nixosModules.lanzaboote
self.nixosModules.nix-defaults self.nixosModules.nix-defaults
self.inputs.home-manager.nixosModules.home-manager self.inputs.home-manager.nixosModules.home-manager
@@ -35,7 +37,8 @@
clan.core.networking.targetHost = "rpqt@haze.local"; clan.core.networking.targetHost = "rpqt@haze.local";
networking.search = [ networking.search = [
"home.rpqt.fr" "val"
"wireguard"
]; ];
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
@@ -44,15 +47,13 @@
clan.core.settings.state-version.enable = true; clan.core.settings.state-version.enable = true;
networking.nameservers = [
self.nixosConfigurations.genepi.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
self.nixosConfigurations.crocus.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
];
environment.systemPackages = [ environment.systemPackages = [
self.inputs.clan-core.packages.x86_64-linux.clan-app self.inputs.clan-core.packages.x86_64-linux.clan-app
pkgs.aseprite pkgs.aseprite
pkgs.linux-wifi-hotspot pkgs.linux-wifi-hotspot
pkgs.anytype
pkgs.typst
pkgs.anki
]; ];
programs.kdeconnect.enable = true; programs.kdeconnect.enable = true;

1
machines/haze/home.nix
View File

@@ -9,7 +9,6 @@
../../home-manager/minecraft.nix ../../home-manager/minecraft.nix
../../home-manager/desktop ../../home-manager/desktop
../../home-manager/desktop/gnome.nix ../../home-manager/desktop/gnome.nix
../../home-manager/desktop/dank.nix
../../home-manager/desktop/niri.nix ../../home-manager/desktop/niri.nix
../../home-manager/desktop/vicinae.nix ../../home-manager/desktop/vicinae.nix
]; ];

2
machines/haze/niri.nix
View File

@@ -11,4 +11,6 @@
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
environment.sessionVariables.NIXOS_OZONE_WL = "1"; environment.sessionVariables.NIXOS_OZONE_WL = "1";
programs.dms-shell.enable = true;
} }

11
machines/haze/sway.nix
View File

@@ -1,11 +0,0 @@
{
services.gnome.gnome-keyring.enable = true;
programs.sway = {
enable = true;
wrapperFeatures.gtk = true;
};
users.users."rpqt".extraGroups = [ "video" ];
programs.light.enable = true;
}

40
machines/verbena/configuration.nix
View File

@@ -2,12 +2,30 @@
{ {
imports = [ imports = [
self.nixosModules.nix-defaults self.nixosModules.nix-defaults
../../modules/unbound.nix
../../modules/unbound-auth.nix
self.nixosModules.nextcloud self.nixosModules.nextcloud
self.nixosModules.gitea self.nixosModules.gitea
self.nixosModules.forgejo
self.nixosModules.vaultwarden
self.inputs.srvos.nixosModules.server self.inputs.srvos.nixosModules.server
{
# Add Pixel-7a as external device for clan wireguard network
networking.wireguard.interfaces.wireguard = {
ips = [ "100.42.42.1/32" ];
peers = [
{
publicKey = "BVgDQM18SfNofQsWs7m6fblaTB04Gk74VxR/zK8AKQ4=";
allowedIPs =
let
suffix = "cafe:cafe";
in
[ "fd28:387a:90:c400:${suffix}::/96" ];
persistentKeepalive = 25;
}
];
};
}
]; ];
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
@@ -16,6 +34,19 @@
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
networking.defaultGateway6 = {
address = self.infra.machines.verbena.gateway6;
interface = "ens3";
};
networking.interfaces."ens3" = {
ipv6.addresses = [
{
address = self.infra.machines.verbena.ipv6;
prefixLength = 64;
}
];
};
clan.core.settings.state-version.enable = true; clan.core.settings.state-version.enable = true;
services.nginx = { services.nginx = {
@@ -29,8 +60,5 @@
443 443
]; ];
security.acme = { security.acme.acceptTerms = true;
acceptTerms = true;
defaults.email = "admin@turifer.dev";
};
} }

44
modules/acme-home.nix
View File

@@ -1,26 +1,34 @@
{ config, lib, ... }:
{ {
imports = [ config,
./gandi.nix lib,
]; pkgs,
...
}:
{
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = lib.mkDefault "admin@rpqt.fr"; defaults.email = lib.mkDefault "admin@rpqt.fr";
}; };
security.acme = { # security.acme = {
certs."home.rpqt.fr" = { # certs."home.rpqt.fr" = {
group = config.services.nginx.group; # group = config.services.nginx.group;
domain = "home.rpqt.fr"; # domain = "home.rpqt.fr";
extraDomainNames = [ "*.home.rpqt.fr" ]; # extraDomainNames = [ "*.home.rpqt.fr" ];
dnsProvider = "gandiv5"; # dnsProvider = "rfc2136";
dnsPropagationCheck = true; # dnsPropagationCheck = true;
environmentFile = config.clan.core.vars.generators.gandi.files.gandi-env.path; # credentialFiles = {
email = "admin@rpqt.fr"; # RFC2136_TSIG_SECRET_FILE = config.clan.core.vars.generators.coredns.files.tsig-key.path;
dnsResolver = "1.1.1.1:53"; # };
}; # environmentFile = pkgs.writeFile ''
}; # RFC2136_NAMESERVER=fd28:387a:90:c400::1
# '';
# email = "admin@rpqt.fr";
# dnsResolver = "1.1.1.1:53";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # TODO: use production api
# };
# };
clan.core.vars.generators.gandi.files.gandi-env.owner = "acme"; # clan.core.vars.generators.coredns.files.tsig-key.group = "acme";
# clan.core.vars.generators.coredns.files.tsig-key.mode = "0440";
} }

10
modules/desktop.nix
View File

@@ -1,4 +1,4 @@
{ self, pkgs, ... }: { pkgs, ... }:
{ {
environment.systemPackages = [ environment.systemPackages = [
pkgs.mpv # video player pkgs.mpv # video player
@@ -6,6 +6,7 @@
pkgs.alacritty pkgs.alacritty
pkgs.ghostty pkgs.ghostty
pkgs.libreoffice pkgs.libreoffice
pkgs.nautilus
]; ];
programs.firefox = { programs.firefox = {
@@ -14,4 +15,11 @@
}; };
programs.thunderbird.enable = true; programs.thunderbird.enable = true;
programs.nautilus-open-any-terminal = {
enable = true;
terminal = "ghostty";
};
services.pcscd.enable = true;
} }

6
modules/dev.nix Normal file
View File

@@ -0,0 +1,6 @@
{
clan.core.vars.generators.atuin = {
prompts.key.persist = true;
files.key.owner = "rpqt";
};
}

29
modules/flake-module.nix
View File

@@ -1,20 +1,19 @@
{ lib, ... }: { lib, ... }:
{ {
flake.nixosModules = { flake.nixosModules =
gitea.imports = [ (
./gitea.nix (builtins.readDir ./.)
]; |> lib.filterAttrs (path: type: type == "regular" && (lib.hasSuffix ".nix" path))
|> lib.mapAttrs' (
desktop.imports = [ path: _: {
./desktop.nix name = lib.removeSuffix ".nix" path;
]; value = {
imports = [ ./${path} ];
nix-defaults.imports = [ ./nix-defaults.nix ]; };
tailscale.imports = [ ./tailscale.nix ]; }
user-rpqt.imports = [ ./user-rpqt.nix ]; )
hardened-ssh-server.imports = [ ./hardened-ssh-server.nix ]; )
nextcloud.imports = [ ./nextcloud.nix ]; // {
server.imports = [ server.imports = [
./motd.nix ./motd.nix
]; ];

75
modules/forgejo.nix Normal file
View File

@@ -0,0 +1,75 @@
{ config, lib, ... }:
let
cfg = config.services.forgejo;
in
{
services.forgejo = {
enable = true;
lfs.enable = true;
settings = {
# storage = {
# };
server = {
ROOT_URL = "https://${cfg.settings.server.DOMAIN}";
DOMAIN = "git.rpqt.fr";
HTTP_PORT = 3001;
};
session.PROVIDER = "db";
session.COOKIE_SECURE = true;
service.DISABLE_REGISTRATION = true;
# Create a repository by pushing to it
repository.ENABLE_PUSH_CREATE_USER = true;
};
};
systemd.services.forgejo.environment = {
FORGEJO__storage__STORAGE_TYPE = "minio";
FORGEJO__storage__MINIO_ENDPOINT = "localhost:3900";
FORGEJO__storage__MINIO_BUCKET = "forgejo";
FORGEJO__storage__MINIO_LOCATION = "garage";
FORGEJO__storage__MINIO_USE_SSL = "false";
};
systemd.services.forgejo.serviceConfig = {
LoadCredential = [
"minio_access_key_id:${config.clan.core.vars.generators.forgejo-s3-storage.files.access-key-id.path}"
"minio_secret_access_key:${config.clan.core.vars.generators.forgejo-s3-storage.files.access-key-secret.path}"
];
Environment = [
"FORGEJO__storage__MINIO_ACCESS_KEY_ID__FILE=%d/minio_access_key_id"
"FORGEJO__storage__MINIO_SECRET_ACCESS_KEY__FILE=%d/minio_secret_access_key"
];
};
clan.core.vars.generators.forgejo-s3-storage = {
prompts.access-key-id = {
description = "s3 access key id";
type = "line";
persist = true;
};
prompts.access-key-secret = {
description = "s3 access key secret";
type = "hidden";
persist = true;
};
};
clan.core.state.forgejo.folders = [ config.services.forgejo.stateDir ];
services.nginx.virtualHosts."git.rpqt.fr" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${builtins.toString (cfg.settings.server.HTTP_PORT)}";
};
};
security.acme.certs."git.rpqt.fr" = {
email = "admin@rpqt.fr";
};
}

15
modules/gandi.nix
View File

@@ -1,15 +0,0 @@
{
clan.core.vars.generators.gandi = {
prompts.gandi-token = {
description = "gandi access token";
type = "hidden";
};
files.gandi-env = {
secret = true;
};
script = ''
printf %s "GANDIV5_PERSONAL_ACCESS_TOKEN=" >> $out/gandi-env
cat $prompts/gandi-token >> $out/gandi-env
'';
};
}

13
modules/garage.nix
View File

@@ -25,10 +25,10 @@ in
replication_factor = 3; replication_factor = 3;
rpc_bind_addr = "[::]:${toString rpc_port}"; rpc_bind_addr = "[::]:${toString rpc_port}";
rpc_public_addr = "[${zerotier_ip}]:${toString rpc_port}"; rpc_public_addr = "[::]:${toString rpc_port}";
s3_api = { s3_api = {
api_bind_addr = "[${zerotier_ip}]:${toString s3_port}"; api_bind_addr = "[::]:${toString s3_port}";
s3_region = "garage"; s3_region = "garage";
root_domain = ".s3.garage.home.rpqt.fr"; root_domain = ".s3.garage.home.rpqt.fr";
}; };
@@ -39,17 +39,22 @@ in
}; };
admin = { admin = {
api_bind_addr = "[${zerotier_ip}]:${toString admin_port}"; api_bind_addr = "[::]:${toString admin_port}";
# TODO: use metrics_token # TODO: use metrics_token
}; };
}; };
}; };
networking.firewall.interfaces.${zerotier_interface} = { networking.firewall.interfaces =
let
allowedTCPPorts = [ allowedTCPPorts = [
s3_port s3_port
rpc_port rpc_port
admin_port admin_port
]; ];
in
{
${zerotier_interface} = { inherit allowedTCPPorts; };
wireguard = { inherit allowedTCPPorts; };
}; };
} }

23
modules/lanzaboote.nix Normal file
View File

@@ -0,0 +1,23 @@
{
self,
lib,
pkgs,
...
}:
{
imports = [
self.inputs.lanzaboote.nixosModules.lanzaboote
];
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
}

10
modules/lounge.nix
View File

@@ -1,7 +1,13 @@
let
tld = "val";
domain = "lounge.${tld}";
in
{ {
services.nginx.virtualHosts."lounge.home.rpqt.fr" = { services.nginx.virtualHosts.${domain} = {
useACMEHost = "home.rpqt.fr"; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/var/www/lounge"; root = "/var/www/lounge";
}; };
security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
} }

2
modules/nextcloud.nix
View File

@@ -34,7 +34,7 @@ in
}; };
extraAppsEnable = true; extraAppsEnable = true;
extraApps = { extraApps = {
# inherit (pkgs.nextcloud32Packages.apps) tasks; inherit (config.services.nextcloud.package.packages.apps) tasks contacts calendar;
}; };
}; };

1
modules/nix-defaults.nix
View File

@@ -9,6 +9,7 @@
experimental-features = [ experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
"pipe-operators"
]; ];
trusted-users = [ trusted-users = [

9
machines/crocus/radicle.nix → modules/radicle.nix
View File

@@ -21,8 +21,13 @@
}; };
settings = { settings = {
# FIXME: activation fails with rad saying the config is invalid # FIXME: activation fails with rad saying the config is invalid
# web.avatarUrl = "https://rpqt.fr/favicon.svg"; web.avatarUrl = "https://rpqt.fr/favicon.svg";
# web.description = "rpqt's radicle node"; web.description = "rpqt's radicle node";
web.pinned.repositories = [
"rad:z2DH9K384tPCrM5HJcpiKEoZZdftY" # lila
"rad:z29gVX1f6HC1XGx755RL1m1hhMp6x" # corner
"rad:z36HRN3Soay4wMXBSiR4aW7Hg9rT7" # flocon
];
}; };
}; };

35
modules/unbound-auth.nix
View File

@@ -1,35 +0,0 @@
{
services.unbound = {
settings = {
auth-zone = [
{
name = "home.rpqt.fr.";
zonefile = builtins.toFile "home.rpqt.fr.zone" ''
$TTL 3600 ; 1 Hour
$ORIGIN home.rpqt.fr.
home.rpqt.fr. IN SOA ns1 admin.rpqt.fr. (
2025063000 ; serial
10800 ; refresh
3600 ; retry
604800 ; expire
300 ; minimum
)
@ 1D IN NS ns1.home.rpqt.fr.
@ 1D IN NS ns2.home.rpqt.fr.
@ 1D IN NS ns3.home.rpqt.fr.
ns1 10800 IN CNAME crocus.home.rpqt.fr.
ns2 10800 IN CNAME genepi.home.rpqt.fr.
ns3 10800 IN CNAME verbena.home.rpqt.fr.
crocus 10800 IN AAAA fd80:150d:17cc:2ae:6999:9380:150d:17cc
genepi 10800 IN AAAA fd80:150d:17cc:2ae:6999:9358:3e0e:d738
verbena 10800 IN AAAA fd80:150d:17cc:2ae:6999:9306:9a0e:c197
haze 10800 IN AAAA fd80:150d:17cc:2ae:6999:935a:e8:b04d
'';
}
];
};
};
}

109
modules/unbound.nix
View File

@@ -1,109 +0,0 @@
{
self,
config,
lib,
...
}:
let
domain = "home.rpqt.fr";
machines = {
genepi = {
subdomains = [
"actual"
"assistant"
"glance"
"grafana"
"images"
"lounge"
"pinchflat"
"rss"
"tw"
];
};
crocus = {
subdomains = [
"cloud"
];
};
};
zerotierInterface = "zts7mq7onf";
machinesZerotierIpRecords =
lib.map
(
host:
''"${host}.infra.rpqt.fr. 10800 IN AAAA ${
self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
}"''
)
[
"crocus"
"genepi"
];
in
{
services.resolved.enable = false;
networking.firewall.interfaces.${zerotierInterface} = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services.unbound = {
enable = true;
resolveLocalQueries = true;
checkconf = true;
settings = {
server = {
interface = [
"127.0.0.1"
"::1"
"::0"
];
access-control = [
"127.0.0.1 allow"
"${config.clan.core.networking.zerotier.subnet} allow"
];
local-zone = [
''"*.home.rpqt.fr." redirect''
];
local-data =
# machinesZerotierIpRecords ++
lib.concatMap (
host:
lib.map (
subdomain:
''"${subdomain}.${domain}. 10800 IN AAAA ${
self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
}"''
) machines.${host}.subdomains
) (lib.attrNames machines);
private-address = [
"127.0.0.1/8"
"${config.clan.core.networking.zerotier.subnet}"
];
private-domain = [
"home.rpqt.fr"
];
};
forward-zone = [
{
name = ".";
forward-tls-upstream = true;
forward-addr = [
"9.9.9.9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
"2606:4700:4700::1111@853#cloudflare-dns.com"
"2606:4700:4700::1001@853#cloudflare-dns.com"
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
"2001:4860:4860::8888#dns.google"
"2001:4860:4860::8844#dns.google"
];
}
];
};
};
}

4
modules/user-rpqt.nix
View File

@@ -8,7 +8,7 @@
description = "Romain Paquet"; description = "Romain Paquet";
shell = pkgs.zsh; shell = pkgs.fish;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"
@@ -17,5 +17,5 @@
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
}; };
programs.zsh.enable = true; programs.fish.enable = true;
} }

Some files were not shown because too many files have changed in this diff Show More