Compare commits


17 Commits

Author SHA1 Message Date
Jérémie SALVI
5fb0c51777 flake update 2025-12-02 16:30:27 +01:00
Jérémie SALVI
91e8ccbb4f flake update 2025-12-02 16:25:57 +01:00
ff17f33531 Creating kvm test server 2025-11-22 13:05:42 +01:00
59b184cc2c before flake update 2025-11-21 10:17:59 +01:00
Jérémie SALVI
a925119154 flake update 2025-11-08 15:14:53 +01:00
Jérémie SALVI
e406793840 flake update 2025-11-08 15:10:23 +01:00
Jérémie SALVI
9c0bf5fabf add libvirt and virt manager 2025-10-29 21:27:18 +01:00
Jérémie SALVI
7fa9f95ce4 after flake update 2025-10-29 14:26:06 +01:00
Jérémie SALVI
e5e4fe04ea after flake update 2025-10-28 14:17:30 +01:00
73cc922bed Add aider 2025-10-20 12:51:18 +02:00
3e07666c13 after flake update 2025-10-20 11:36:11 +02:00
b4cd147221 add autosuggestions to zsh 2025-10-20 03:30:41 +02:00
4a65f5e537 use only nmcli with nmaplet 2025-10-16 00:29:12 +02:00
Jérémie SALVI
f16f941daf use only nmcli 2025-10-16 00:19:15 +02:00
Jérémie SALVI
24fa6a4700 some work improvments 2025-10-15 23:22:24 +02:00
3b74e79fed Change waybar colors 2025-10-13 20:29:02 +02:00
18cc8751c9 Improve waybar and custom scripts 2025-10-13 20:23:43 +02:00
31 changed files with 144 additions and 647 deletions


@@ -1,71 +0,0 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Overview
NixOS dotfiles repository using Nix Flakes for managing multiple machines. Configuration is in French (comments, docs).
## Build & Deploy Commands
```bash
# Rebuild and switch configuration (local)
sudo nixos-rebuild switch --flake .#<hostname>
# Rebuild on remote machine
nixos-rebuild switch --flake .#<hostname> --target-host beastie@<ip> --sudo
# Bootstrap new machine with nixos-anywhere
nixos-anywhere --flake .#generic --target-host root@<ip> \
--generate-hardware-config nixos-generate-config ./hosts/generic/hardware-configuration.nix
# Generate custom ISO
nixos-generate --format iso --configuration ./iso/customiso.nix -o ~/Downloads/nixos.iso
# Update flake inputs
nix flake update
# Update secrets after adding new host key
sops updatekeys secrets.yaml
nix flake update mysecrets
```
## Architecture
**Flake Inputs:**
- `nixpkgs-stable` (25.05) and `nixpkgs-unstable` channels
- `disko` for declarative disk partitioning
- `sops-nix` for encrypted secrets
- `mysecrets` - local git repo at `/home/beastie/nixos/secrets` (required dependency)
**Hosts:** `generic` (ISO), `test-kvm` (stable), `home-nix` (unstable), `work-nix` (unstable)
**Module Hierarchy:**
1. `modules/core/` - Applied to ALL hosts (grub, ssh, packages, users, tty, system)
2. `modules/optionnals/` - Selectively imported per host
3. `modules/optionnals/hosts/<hostname>.nix` - Host-specific networking, services
4. `modules/optionnals/desktop/` - Desktop environment modules (Hyprland, apps)
## Key Patterns
**Custom Options** (`modules/optionnals/options.nix`):
- `my.laninterface`, `my.ipv4address`, `my.ipv4netmask`, `my.ipv4gateway`, `my.wolipv6address`
**Special Args** passed to all modules via flake.nix:
- `hostname` and `username` - used for host/user-specific configuration
**Secrets (sops-nix):**
- Encrypted YAML in separate `mysecrets` repo
- Referenced via `config.sops.secrets.<name>.path` or `config.sops.templates`
- Age encryption with SSH host keys
**XDG Config Distribution:**
- Desktop configs (hyprland, waybar, kitty, rofi) use `environment.etc."xdg/<app>".source`
- Host-specific variants: `hyprland-${hostname}.conf`
## Important Considerations
- Test changes on `test-kvm` before deploying to production hosts
- `mysecrets` flake input must exist locally at `/home/beastie/nixos/secrets`
- Different hosts use different `stateVersion` (25.05 vs 25.11)
- Core module changes affect ALL machines

flake.lock generated

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1769524058,
"narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"lastModified": 1764627417,
"narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
"owner": "nix-community",
"repo": "disko",
"rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
"type": "github"
},
"original": {
@@ -23,11 +23,11 @@
"mysecrets": {
"flake": false,
"locked": {
"lastModified": 1769035388,
"narHash": "sha256-Uaih4r++akPmfACCTAUZ21tb5wKD6ms2dLtzqE8f304=",
"lastModified": 1763731770,
"narHash": "sha256-ThIVf8jtBOKV7JzShnL/gzHEm7axiLshPie8BYkMYAI=",
"ref": "refs/heads/main",
"rev": "d3c44cb624ae2c1a13a172346fb5422d27e59348",
"revCount": 20,
"rev": "07b3f415bd89a6b571f154278c1d9b6b5ca9e473",
"revCount": 16,
"type": "git",
"url": "file:///home/beastie/nixos/secrets"
},
@@ -38,11 +38,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1767313136,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
"lastModified": 1764560356,
"narHash": "sha256-M5aFEFPppI4UhdOxwdmceJ9bDJC4T6C6CzCK1E2FZyo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
"rev": "6c8f0cca84510cc79e09ea99a299c9bc17d03cb6",
"type": "github"
},
"original": {
@@ -54,11 +54,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1770115704,
"narHash": "sha256-KHFT9UWOF2yRPlAnSXQJh6uVcgNcWlFqqiAZ7OVlHNc=",
"lastModified": 1764517877,
"narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e6eae2ee2110f3d31110d5c222cd395303343b08",
"rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
"type": "github"
},
"original": {
@@ -84,11 +84,11 @@
]
},
"locked": {
"lastModified": 1770145881,
"narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
"lastModified": 1764483358,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github"
},
"original": {


@@ -37,69 +37,27 @@
subvolumes = {
"@" = {
mountpoint = "/";
mountOptions = [
"defaults"
"ssd"
"compress=zstd"
"autodefrag"
"noatime"
"nodiscard"
];
mountOptions = [ "defaults" "ssd" "compress=zstd" "autodefrag" "noatime" "nodiscard" ];
};
"@root" = {
mountpoint = "/root";
mountOptions = [
"defaults"
"ssd"
"compress=zstd"
"autodefrag"
"noatime"
"nodiscard"
];
mountOptions = [ "defaults" "ssd" "compress=zstd" "autodefrag" "noatime" "nodiscard" ];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"defaults"
"ssd"
"compress=zstd"
"autodefrag"
"noatime"
"nodiscard"
];
mountOptions = [ "defaults" "ssd" "compress=zstd" "autodefrag" "noatime" "nodiscard" ];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"defaults"
"ssd"
"compress=zstd"
"autodefrag"
"noatime"
"nodiscard"
];
mountOptions = [ "defaults" "ssd" "compress=zstd" "autodefrag" "noatime" "nodiscard" ];
};
"@var" = {
mountpoint = "/var";
mountOptions = [
"defaults"
"ssd"
"compress=zstd"
"autodefrag"
"noatime"
"nodiscard"
];
mountOptions = [ "defaults" "ssd" "compress=zstd" "autodefrag" "noatime" "nodiscard" ];
};
"@games" = {
mountpoint = "/games";
mountOptions = [
"defaults"
"ssd"
"compress=zstd"
"autodefrag"
"noatime"
"nodiscard"
];
mountOptions = [ "defaults" "ssd" "compress=zstd" "autodefrag" "noatime" "nodiscard" ];
};
};
};


@@ -1,47 +1,18 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
environment.etc."crypttab".text = ''
datafs UUID=5ca962a7-537f-46ce-ba50-9cc9cefd012b /etc/secrets/datafs.key luks
'';
fileSystems."/data" = {
device = "/dev/disk/by-uuid/a8ea6a7b-3733-40d8-bee8-45806aaacfe1";
fsType = "btrfs";
options = [
"defaults"
"compress=zstd"
"autodefrag"
"noatime"
"nofail"
];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -5,7 +5,6 @@
imports = [
./grub.nix
./packages.nix
./sops.nix
./ssh.nix
./system.nix
./tty.nix
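Review bot: Dropping `./sops.nix` from the core import list leaves `sops.defaultSopsFile` and the age key settings defined only in the desktop-side `sops-desktop.nix` further down in this compare, so any host that still references `config.sops.secrets.<name>` without importing that module fails evaluation on an undefined secret. The timestamps in the flake.lock section move backwards, which suggests this compare runs newer→older; if so the `-` side is the current state and this is historical, but the hosts outside this diff (the server and kvm profiles) are worth checking either way. The import list starts at line 304 and continues past the end of the hunk.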


@@ -15,7 +15,6 @@
pkgs.unzip
pkgs.sops
pkgs.ssh-to-age
pkgs.age
pkgs.nixos-anywhere
pkgs.nixos-generators
pkgs.efibootmgr
@@ -25,8 +24,6 @@
pkgs.bash
pkgs.fzf
pkgs.bc
pkgs.wakeonlan
pkgs.openssl
];
services = {
locate = {


@@ -1,19 +0,0 @@
{
inputs,
...
}:
let
secretsPath = builtins.toString inputs.mysecrets;
in
{
sops = {
defaultSopsFile = "${secretsPath}/secrets.yaml";
age = {
sshKeyPaths = [
"/etc/ssh/ssh_host_ed25519_key"
];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
}


@@ -5,11 +5,6 @@
...
}:
{
sops.secrets = {
"users_password/beastie" = {
neededForUsers = true;
};
};
users = {
users = {
${username} = {


@@ -4,16 +4,16 @@
}:
{
# Activer Ollama comme service
# services.ollama = {
# enable = true;
# acceleration = "cuda";
# environmentVariables = {
# OLLAMA_FLASH_ATTENTION = "1"; # ← Flash Attention
# OLLAMA_NUM_PARALLEL = "2"; # ← Requêtes parallèles
# OLLAMA_MAX_LOADED_MODELS = "1"; # ← Garder 2 modèles en VRAM
# OLLAMA_KEEP_ALIVE = "5m";
# };
# };
services.ollama = {
enable = true;
acceleration = "cuda";
environmentVariables = {
OLLAMA_FLASH_ATTENTION = "1"; # ← Flash Attention
OLLAMA_NUM_PARALLEL = "2"; # ← Requêtes parallèles
OLLAMA_MAX_LOADED_MODELS = "1"; # ← Garder 2 modèles en VRAM
OLLAMA_KEEP_ALIVE = "5m";
};
};
# services.open-webui = {
# enable = true;
# port = 8080; # Port par défaut
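Review bot: `OLLAMA_MAX_LOADED_MODELS = "1"` is annotated `Garder 2 modèles en VRAM`, so either the value or the comment is stale; if one resident model is the intent, change the trailing comment to `# keep a single model resident in VRAM`, otherwise set the value to `"2"`. The same mismatch is carried in the commented-out copy of the block above it, which can be deleted once the live block is settled rather than kept as a second copy to drift. The enclosing attribute set starts before this hunk, and the `open-webui` block that follows runs past its end.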


@@ -71,31 +71,27 @@ let
in
{
environment.systemPackages = [
# (pkgs.vscode-with-extensions.override {
# vscode = pkgs.vscodium;
# vscodeExtensions = [
# # pkgs.vscode-extensions.continue.continue
# pkgs.vscode-extensions.catppuccin.catppuccin-vsc
# pkgs.vscode-extensions.catppuccin.catppuccin-vsc-icons
# pkgs.vscode-extensions.jnoortheen.nix-ide
# pkgs.vscode-extensions.redhat.ansible
# pkgs.vscode-extensions.redhat.vscode-yaml
# pkgs.vscode-extensions.ms-azuretools.vscode-docker
# pkgs.vscode-extensions.mads-hartmann.bash-ide-vscode
# ]
# ++ [ open-remote-ssh ];
# })
pkgs.vscodium
(pkgs.vscode-with-extensions.override {
vscode = pkgs.vscodium;
vscodeExtensions = [
# pkgs.vscode-extensions.continue.continue
pkgs.vscode-extensions.catppuccin.catppuccin-vsc
pkgs.vscode-extensions.catppuccin.catppuccin-vsc-icons
pkgs.vscode-extensions.jnoortheen.nix-ide
pkgs.vscode-extensions.redhat.ansible
pkgs.vscode-extensions.redhat.vscode-yaml
pkgs.vscode-extensions.ms-azuretools.vscode-docker
pkgs.vscode-extensions.mads-hartmann.bash-ide-vscode
]
++ [ open-remote-ssh ];
})
pkgs.nodejs_24
pkgs.nodePackages.npm
pkgs.gcc
pkgs.gnumake
pkgs.nixd
pkgs.nixfmt
pkgs.nixfmt-rfc-style
pkgs.ansible
pkgs.python313
pkgs.claude-code
pkgs.nodejs
pkgs.php
];
}
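Review bot: `pkgs.nodejs_24` and `pkgs.nodejs` both appear in `environment.systemPackages`; if both land on the same side they each provide `bin/node` and `bin/npm` (as does `pkgs.nodePackages.npm`), and NixOS builds the system path with collisions ignored, so which `node` ends up first depends on list order rather than intent. Keep one — `pkgs.nodejs_24` if that major is wanted, dropping `pkgs.nodejs` and `pkgs.nodePackages.npm`, since npm ships inside the nodejs package — or add a comment stating why two are needed. The `let` binding that defines `open-remote-ssh` sits before this hunk, so where that extension is fetched from cannot be reviewed here.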


@@ -13,5 +13,3 @@ workspace = 5, monitor:HDMI-A-2
workspace = 6, monitor:HDMI-A-2
workspace = 7, monitor:HDMI-A-2
workspace = 8, monitor:HDMI-A-2
exec-once = nextcloud


@@ -22,6 +22,7 @@ $terminal = kitty
exec-once = hyprpaper
exec-once = waybar
#############################
### ENVIRONMENT VARIABLES ###
#############################
@@ -164,8 +165,8 @@ master {
# https://wiki.hyprland.org/Configuring/Variables/#misc
misc {
force_default_wallpaper = 1 # Set to 0 or 1 to disable the anime mascot wallpapers
disable_hyprland_logo = true # If true disables the random hyprland logo / anime girl background. :(
force_default_wallpaper = -1 # Set to 0 or 1 to disable the anime mascot wallpapers
disable_hyprland_logo = false # If true disables the random hyprland logo / anime girl background. :(
}
@@ -308,17 +309,15 @@ bindl = , XF86AudioPrev, exec, playerctl previous
# windowrule = float,class:^(kitty)$,title:^(kitty)$
# Ignore maximize requests from apps. You'll probably like this.
# windowrule = suppressevent maximize, class:.*
windowrule = suppressevent maximize, class:.*
# Fix some dragging issues with XWayland
# windowrule = nofocus,class:^$,title:^$,xwayland:1,floating:1,fullscreen:0,pinned:0
windowrule = nofocus,class:^$,title:^$,xwayland:1,floating:1,fullscreen:0,pinned:0
# Supprimer la transparence pour des applications spécifiques
# Opacity order : active, inactive, fullscreen
windowrule = match:class firefox, opacity 1.0 override 0.95 override 1.0 override
windowrule = match:class chromium, opacity 1.0 override 0.95 override 1.0 override
windowrule = match:class mpv, opacity 0.95 override 0.80 override 1.0 override
#windowrule = match:class mpv, fullscreen override
#windowrulev2 = fullscreen,class:^(mpv)$
windowrulev2 = opacity 1.0 override,class:firefox
windowrulev2 = opacity 1.0 override,class:^(chromium)$
windowrulev2 = opacity 1.0 override,class:^(mpv)$
windowrulev2 = opacity 1.0 override,class:^(mpv)$
windowrulev2 = fullscreen,class:^(mpv)$
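Review bot: `windowrulev2 = opacity 1.0 override,class:^(mpv)$` appears twice in a row near the end of the hunk, so one copy is dead and should be deleted. `class:firefox` on the line above is also the only pattern not anchored as `^(firefox)$`, which reads as an oversight next to the chromium and mpv rules. Which of the `windowrule = match:class …` and `windowrulev2 = …` families parses depends on the Hyprland version in the flake lock, and the page does not show which side is current; whichever it is, both families should not survive in one file, since the `match:class mpv, opacity 0.95 …` rule and the `windowrulev2 … class:^(mpv)$` rules disagree on the inactive opacity.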


@@ -1,7 +1,2 @@
wallpaper {
monitor =
path = ~/Downloads/wallpaper.jpeg
fit_mode = cover
}
splash = false
preload = ~/Downloads/wallpaper.jpeg
wallpaper = , ~/Downloads/wallpaper.jpeg


@@ -1,7 +1,7 @@
#!/usr/bin/env bash
_USER=beastie
_PASSWD=$(cat /run/secrets/ldap_unxiyourbrain/password)
_PASSWD='}q6658JD~{}{oiRWsb~Q{P@SV=Qsy,ae'
_SERVER=unixyourbrain.org
_FOLDER=Admin
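Review bot: The second `_PASSWD=` line stores a literal LDAP bind password in a script committed to the repository, while the other side of the hunk reads it from `/run/secrets/ldap_unxiyourbrain/password` via sops, which is the form to keep. Because the plaintext value is in git history regardless of which side is current, the credential should be treated as exposed and rotated on the directory server, and the old commits rewritten if the repository is shared. The secret is spelled `unxiyourbrain` while `_SERVER` is `unixyourbrain.org`; if that is a typo in the sops key it still works but will mislead the next reader. The script continues past the hunk.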


@@ -3,13 +3,13 @@
cd ~/nixos/dotfiles || exit
# Obtenir le hash actuel
current_hash=$(nix flake metadata --json 2>/dev/null | jq -r '.locks.nodes."nixpkgs-unstable".locked.rev')
current_hash=$(nix flake metadata --json 2>/dev/null | jq -r '.locks.nodes.nixpkgs.locked.rev')
# Obtenir le hash le plus récent
latest_hash=$(nix flake metadata github:NixOS/nixpkgs/nixos-unstable --json | jq -r '.locked.rev')
# Date du commit local
local_commit_date=$(nix flake metadata --json 2>/dev/null | jq -r '.locks.nodes."nixpkgs-unstable".locked.lastModified')
local_commit_date=$(nix flake metadata --json 2>/dev/null | jq -r '.locks.nodes.nixpkgs.locked.lastModified')
local_commit_date=$(date -d "@${local_commit_date}" "+%d/%m/%Y à %H:%M")
if [ "$current_hash" != "$latest_hash" ]; then
@@ -17,7 +17,7 @@ if [ "$current_hash" != "$latest_hash" ]; then
maj_count=$(curl -s "https://api.github.com/repos/NixOS/nixpkgs/compare/${current_hash}...${latest_hash}" | jq -r '.ahead_by // 0' 2>/dev/null || echo "?")
# Date du commit distant
remote_commit_date=$(curl -s https://api.github.com/repos/NixOS/nixpkgs/commits/${latest_hash} | jq -r '.commit.author.date')
remote_commit_date=$(curl -s https://api.github.com/repos/NixOS/nixpkgs/commits/c87b95e25065c028d31a94f06a62927d18763fdf | jq -r '.commit.author.date')
remote_commit_date=$(date -d "${remote_commit_date}" "+%d/%m/%Y à %H:%M")
printf '{"text": "%s ", "tooltip": "Commit distant : %s\\nCommit local : %s"}' "${maj_count}" "${remote_commit_date}" "${local_commit_date}"
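Review bot: `.locks.nodes.nixpkgs` does not exist in this repository's flake.lock — the lock section earlier in this compare only has `nixpkgs-stable` and `nixpkgs-unstable` nodes — so `current_hash` and `local_commit_date` become the string `null`, the comparison against `latest_hash` always reports an update, and `date -d "@null"` fails. The second `remote_commit_date=` line likewise queries a fixed commit id instead of `${latest_hash}`, so the tooltip shows a constant date; the other side of both changes is the correct form. Independently, the unquoted `${latest_hash}` in the `curl` URL and the missing `-f` mean a GitHub rate-limit response yields `null` silently; `curl -sf "https://api.github.com/repos/NixOS/nixpkgs/commits/${latest_hash}"` would surface that instead. The `if` block continues past the hunk.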
# Compter les commits entre les deux


@@ -1,18 +0,0 @@
{
pkgs,
...
}:
{
hardware.graphics.enable32Bit = true;
programs.steam.enable = true;
programs.steam.gamescopeSession.enable = true;
programs.gamemode.enable = true;
environment.systemPackages = with pkgs; [
vulkan-tools
lutris
wine-staging
winetricks
mangohud
protonup-ng
];
}


@@ -23,7 +23,7 @@
[[ "$TERM" == "xterm-kitty" ]] && export TERM="xterm-256color"
[[ -f ${pkgs.nitch}/bin/nitch ]] && nitch
if [[ -z $DISPLAY ]] && [[ $(tty) = /dev/tty1 ]]; then
start-hyprland -- --config /etc/xdg/hypr/hyprland.conf
hyprland --config /etc/xdg/hypr/hyprland.conf
fi
'';
};


@@ -1,12 +0,0 @@
{
pkgs,
...
}:
{
services.gnome.gnome-keyring.enable = true;
environment.systemPackages = [
pkgs.nextcloud-client
pkgs.seahorse
];
}


@@ -20,7 +20,5 @@
package = config.boot.kernelPackages.nvidiaPackages.latest;
};
};
environment.systemPackages = [
pkgs.nvtopPackages.full
];
environment.systemPackages = [ pkgs.nvtopPackages.full ];
}


@@ -6,11 +6,9 @@
environment.systemPackages = [
pkgs.remmina
pkgs.mpv
pkgs.jellyfin-mpv-shim
pkgs.yt-dlp
pkgs.chromium
pkgs.firefox
pkgs.thunderbird
pkgs.keepassxc
pkgs.nwg-look
pkgs.gimp
@@ -26,11 +24,6 @@
pkgs.catppuccin-cursors
pkgs.catppuccin-gtk
pkgs.postman
pkgs.samba
pkgs.openldap
pkgs.argocd
pkgs.talosctl
pkgs.talhelper
];
fonts.packages = [
pkgs.nerd-fonts.dejavu-sans-mono


@@ -1,8 +0,0 @@
{
username,
...
}:
{
virtualisation.docker.enable = true;
users.users.${username}.extraGroups = [ "docker" ];
}


@@ -5,25 +5,20 @@
}:
{
imports = [
#../ai.nix
../ai.nix
../autologin.nix
../docker.nix
../k8s.nix
../libvirt.nix
../openfortivpn.nix
../options.nix
../packages.nix
../sops-desktop.nix
../ssh.nix
../sudo-nopasswd.nix
../wakeonlan.nix
### Import GUI modules
../desktop/code.nix
../desktop/dunst.nix
../desktop/gaming.nix
../desktop/kitty.nix
../desktop/nextcloud.nix
../desktop/packages.nix
../desktop/pipewire.nix
../desktop/qwerty-fr.nix
@@ -36,11 +31,6 @@
../desktop/nvidia.nix
];
my.laninterface = "enp5s0";
my.ipv4address = "192.168.0.2";
my.ipv4netmask = 24;
my.ipv4gateway = "192.168.0.254";
sops = {
secrets = {
"wireguard_home/publickey" = { };
@@ -49,31 +39,25 @@
};
};
#services.resolved.enable = false;
networking = {
#useNetworkd = true;
#useHostResolvConf = false;
interfaces.${config.my.laninterface} = {
interfaces.enp5s0 = {
ipv4.addresses = [
{
address = config.my.ipv4address;
prefixLength = config.my.ipv4netmask;
address = "192.168.0.2";
prefixLength = 24;
}
];
};
defaultGateway = {
address = config.my.ipv4gateway;
interface = config.my.laninterface;
address = "192.168.0.254";
interface = "enp5s0";
};
nameservers = [
"10.0.0.1"
"9.9.9.9"
#"9.9.9.9"
"2001:41d0:303:20da::1"
"217.182.138.218"
];
extraHosts = ''
#172.18.229.240 test-mycarto.grandbesancon.fr
172.18.21.172 errorpages.grandbesancon.fr
#172.18.23.4 dozzle.grandbesancon.fr
#172.18.22.206 toto.grandbesancon.fr
@@ -81,8 +65,6 @@
#172.18.20.37 sso.grandbesancon.fr
#172.18.20.229 auth.grandbesancon.fr
#172.18.20.181 traefikauth.grandbesancon.fr
172.18.21.174 test-patchmon.grandbesancon.fr
172.18.229.240 test-mycarto-autonome.grandbesancon.fr
'';
wireguard = {
interfaces = {
@@ -110,29 +92,5 @@
};
};
};
sops.secrets."home-nix/myipv6address" = { };
systemd.services.ipv6-setup = {
description = "Configure IPv6";
after = [
"network.target"
"sops-nix.service"
];
wants = [ "sops-nix.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "setup-ipv6" ''
${pkgs.iproute2}/bin/ip -6 addr add $(cat ${
config.sops.secrets."home-nix/myipv6address".path
})/64 dev ${config.my.laninterface} || true
'';
};
};
environment.systemPackages = [
pkgs.tor-browser
];
environment.systemPackages = [ pkgs.tor-browser ];
}
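Review bot: `networking.extraHosts` carries a run of mostly commented-out `172.18.x.x` entries with what look like an employer's internal hostnames (`sso`, `auth`, `traefikauth`, `dozzle` under `grandbesancon.fr`), and a dotfiles repository publishes them to anyone who can read it; if the repository is shared, the live entries can be moved into the `mysecrets` input this file already consumes through `sops.secrets`/`sops.templates`, and the dead commented ones deleted. The `#services.resolved.enable`, `#useNetworkd` and `#useHostResolvConf` lines are the same kind of leftover and should either be removed or get a one-line comment saying why they are kept. The `wireguard` block that follows runs past the end of the hunk, so the peer configuration cannot be checked here.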


@@ -11,7 +11,6 @@
## Server
../server/starship.nix
../server/wireguard-ui.nix
];
## Enable virtualisation guest settings
@@ -25,52 +24,4 @@
pkgs.spice-gtk # Outils SPICE
pkgs.spice-protocol # Protocoles SPICE
];
systemd.network.links."10-eth0" = {
matchConfig.MACAddress = "52:54:00:a3:d7:56";
linkConfig.Name = "eth0";
};
systemd.network.netdevs."10-dummy0" = {
netdevConfig = {
Kind = "dummy";
Name = "dummy0";
};
};
networking = {
useNetworkd = true;
useDHCP = false;
interfaces = {
dummy0 = {
ipv4.addresses = [
{
address = "192.168.2.1";
prefixLength = 24;
}
];
};
eth0 = {
ipv4.addresses = [
{
address = "192.168.122.10";
prefixLength = 24;
}
];
};
};
defaultGateway = {
address = "192.168.122.1";
interface = "eth0";
};
nameservers = [
#"9.9.9.9"
"2001:41d0:303:20da::1"
"217.182.138.218"
];
extraHosts = ''
172.18.21.172 errorpages.grandbesancon.fr
'';
};
}


@@ -1,12 +1,10 @@
{
pkgs,
username,
...
}:
{
imports = [
../autologin.nix
../docker.nix
../k8s.nix
../libvirt.nix
../openfortivpn.nix
@@ -35,17 +33,11 @@
networking = {
networkmanager.enable = true;
extraHosts = ''
carto-interavtive 172.18.20.134
test-patchmon.grandbesancon.fr 172.18.21.174
test-crowdsec.grandbesancon.fr 172.18.21.67
test-syslog.grandbesancon.fr 172.18.21.67
carto-interavtive 172.18.20.134
'';
};
users.users.${username} = {
users.users.${username} = {
extraGroups = [ "networkmanager" ];
};
programs.nm-applet.enable = true;
environment.systemPackages = [
pkgs.wireguard-tools
];
}
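Review bot: The `extraHosts` entries are written `<hostname> <address>`, but the string is appended verbatim to /etc/hosts, which expects `<address> <hostname> [aliases…]`, so `test-patchmon.grandbesancon.fr 172.18.21.174` and the neighbouring lines never resolve; the same host in home-nix.nix in this compare is written correctly as `172.18.21.174 test-patchmon.grandbesancon.fr`. `carto-interavtive` also looks like a typo for `carto-interactive` and has no domain suffix, so it must match the exact name that is actually looked up. The imports at the top of this file are in the preceding hunk.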


@@ -4,24 +4,19 @@
...
}:
{
users.users.${username} = {
extraGroups = [ "libvirtd" ];
};
virtualisation = {
libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_full;
#package = pkgs.qemu;
# package = pkgs.qemu_full;
package = pkgs.qemu;
runAsRoot = true;
swtpm.enable = true;
vhostUserPackages = [
pkgs.virtiofsd
];
};
};
};
users.users.${username} = {
extraGroups = [ "libvirtd" ];
};
environment.systemPackages = with pkgs; [
virtiofsd
];
}
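Review bot: `runAsRoot = true` makes libvirtd launch every QEMU process as root, so a guest escape lands in a root process on the host; it is the NixOS default, but the least-privilege setting is `runAsRoot = false`, under which QEMU runs as the unprivileged `qemu-libvirtd` user and only needs attention for guests using raw devices or existing disk images with root-only permissions. If root is genuinely required here, a comment such as `# root required for <reason>` above the line records why. `virtiofsd` is also listed twice, once via `vhostUserPackages` and once in `environment.systemPackages`; the second copy is only needed if it is invoked by hand. The attribute set starts before the hunk.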


@@ -1,26 +0,0 @@
{
lib,
...
}:
{
options.my.laninterface = lib.mkOption {
type = lib.types.str;
default = "enp5s0";
};
options.my.ipv4address = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
};
options.my.ipv4netmask = lib.mkOption {
type = lib.types.int;
default = 8;
};
options.my.ipv4gateway = lib.mkOption {
type = lib.types.str;
default = "127.0.0.254";
};
options.my.wolipv6address = lib.mkOption {
type = lib.types.str;
default = "fc::0";
};
}


@@ -58,11 +58,6 @@
disabled = false;
};
fill = {
symbol = "";
style = "surface1";
};
kubernetes = {
disabled = false;
format = "[](fg:blue bg:base)[ ($namespace)/($cluster) ](fg:base bg:blue)[](bg:blue fg:mauve)";


@@ -1,97 +0,0 @@
{
pkgs,
...
}:
{
environment.systemPackages = [
pkgs.wireguard-tools
pkgs.wireguard-ui
];
users.users.wireguard-ui = {
isSystemUser = true;
group = "wireguard-ui";
home = "/var/lib/wireguard-ui";
createHome = true;
description = "WireGuard UI service user";
};
users.groups.wireguard-ui = { };
systemd = {
tmpfiles.rules = [
"d /etc/wireguard 0750 wireguard-ui wireguard-ui -"
"d /var/lib/wireguard-ui 0750 wireguard-ui wireguard-ui -"
];
services = {
wg-quick-wg0 = {
description = "WireGuard via wg-quick(8) for wg0";
after = [
"network-online.target"
"wireguard-ui.service"
];
wants = [ "network-online.target" ];
wantedBy = [
"multi-user.target"
"sshd.service"
];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.wireguard-tools}/bin/wg-quick up wg0";
ExecStop = "${pkgs.wireguard-tools}/bin/wg-quick down wg0";
ExecReload = "${pkgs.bash}/bin/bash -c 'exec ${pkgs.wireguard-tools}/bin/wg syncconf wg0 <(exec ${pkgs.wireguard-tools}/bin/wg-quick strip wg0)'";
Environment = [ "WG_ENDPOINT_RESOLUTION_RETRIES=infinity" ];
};
};
wireguard-ui = {
description = "WireGuard UI";
documentation = [ "https://github.com/ngoduykhanh/wireguard-ui" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.wireguard-ui}/bin/wireguard-ui";
Restart = "on-failure";
WorkingDirectory = "/var/lib/wireguard-ui";
StateDirectory = "wireguard-ui";
User = "wireguard-ui";
Group = "wireguard-ui";
ReadWritePaths = [
"/var/lib/wireguard-ui"
"/etc/wireguard"
];
Environment = [
# "WGUI_ENDPOINT_ADDRESS=${config.custom.wireguard-ui.endpointAddress}"
# "WGUI_DNS=${config.custom.wireguard-ui.dns}"
];
AmbientCapabilities = "CAP_NET_ADMIN";
};
};
wg-quick-wg0-reload = {
description = "Reload WireGuard config";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl reload wg-quick-wg0.service";
};
};
};
paths.wg-quick-wg0-reload = {
description = "Watch /etc/wireguard/wg0.conf for changes";
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathModified = "/etc/wireguard/wg0.conf";
};
};
};
networking.firewall.allowedTCPPorts = [ 5000 ];
networking.firewall.allowedUDPPorts = [ 51820 ];
}


@@ -1,61 +1,66 @@
{
inputs,
username,
...
}:
let
secretsPath = builtins.toString inputs.mysecrets;
in
{
sops.secrets = {
"users_password/beastie" = {
neededForUsers = true;
sops = {
defaultSopsFile = "${secretsPath}/secrets.yaml";
age = {
sshKeyPaths = [
"/etc/ssh/ssh_host_ed25519_key"
];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
"ssh_keys/default_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519.pub";
};
"ssh_keys/default_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519";
};
"ssh_keys/ansible_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_ansible.pub";
};
"ssh_keys/ansible_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_ansible";
};
"ssh_keys/beastie_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_beastie.pub";
};
"ssh_keys/beastie_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_beastie";
};
"ssh_keys/gitea_semaphore_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub";
};
"ssh_keys/gitea_semaphore_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore";
};
"ssh_keys/wol_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_wol";
};
"ssh_keys/wol_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_wol.priv";
secrets = {
"users_password/beastie" = {
neededForUsers = true;
};
"ssh_keys/default_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519.pub";
};
"ssh_keys/default_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519";
};
"ssh_keys/ansible_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_ansible.pub";
};
"ssh_keys/ansible_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_ansible";
};
"ssh_keys/beastie_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_beastie.pub";
};
"ssh_keys/beastie_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_beastie";
};
"ssh_keys/gitea_semaphore_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub";
};
"ssh_keys/gitea_semaphore_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore";
};
};
};
}
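Review bot: `"users_password/beastie"` hardcodes the user name while every other entry is keyed on `${username}`, so a host built with a different `username` would still pull beastie's password hash into whatever consumes it in users.nix, silently or with an evaluation error depending on that consumer; `"users_password/${username}"` keeps the two in step, assuming the secrets file is keyed that way. The nine `owner = "${username}";` lines can simply be `owner = username;` — the interpolation adds nothing. If sops-nix is what creates `/home/${username}/.ssh` on a fresh host when it installs these `path`s, confirm the directory's ownership and mode end up as OpenSSH expects before relying on the keys; the page does not show anything else creating it.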


@@ -1,47 +0,0 @@
{
config,
pkgs,
hostname,
...
}:
{
systemd.services."wol${config.my.laninterface}" = {
description = "Wake-on-LAN for ${config.my.laninterface}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.ethtool}/bin/ethtool -s ${config.my.laninterface} wol g";
RandomizedDelaySec = "30s";
};
};
environment.systemPackages = [ pkgs.ethtool ];
my.wolipv6address = "2a01:e0a:f5d:3400:6b2c:41d7:e9f5";
boot.initrd = {
network = {
enable = true;
ssh = {
enable = true;
port = 65234;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2+PXfG/37rsvcVr2RAHzXmGHMr8+8iBH//1YS+zWd3"
]; # ta clé publique
hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
postCommands = ''
ip -6 addr add ${config.my.wolipv6address}/64 dev ${config.my.laninterface}
ip -6 route add default via fe80::3a07:16ff:fe11:45a8 dev ${config.my.laninterface}
'';
};
availableKernelModules = [ "r8169" ];
};
boot = {
kernelParams = [
"ip=${config.my.ipv4address}::255.255.255.0:${config.my.ipv4gateway}:${hostname}:${config.my.laninterface}:off"
];
};
}