diff --git a/home/modules/baseline.nix b/home/modules/baseline.nix index 70f0e83..fd61864 100644 --- a/home/modules/baseline.nix +++ b/home/modules/baseline.nix @@ -13,17 +13,6 @@ in { config = mkIf cfg.enable { xdg = { enable = true; - mimeApps = { - enable = true; - defaultApplications = {}; - }; - portal = { - # this shouldnt be on baseline, as servers have no GUI - enable = true; - xdgOpenUsePortal = true; - extraPortals = with pkgs; [xdg-desktop-portal-gtk]; #wtf is this - configPackages = with pkgs; [xdg-desktop-portal-gtk]; #wtf is this - }; }; home = { diff --git a/home/modules/default.nix b/home/modules/default.nix index 31109a9..fb90319 100644 --- a/home/modules/default.nix +++ b/home/modules/default.nix @@ -8,7 +8,7 @@ ./terminal ./neovim.nix ./baseline.nix - ./gaming + ./gaming.nix ./yubikey.nix ./browsers.nix ./gui diff --git a/home/modules/defaultDesktopPack.nix b/home/modules/defaultDesktopPack.nix index 436a05e..29fbf7a 100644 --- a/home/modules/defaultDesktopPack.nix +++ b/home/modules/defaultDesktopPack.nix @@ -28,7 +28,6 @@ in { vpsfree-client vscodium-fhs zola - zoom-us ]; }; } diff --git a/home/modules/gaming/default.nix b/home/modules/gaming.nix similarity index 64% rename from home/modules/gaming/default.nix rename to home/modules/gaming.nix index 5be0efd..5048854 100644 --- a/home/modules/gaming/default.nix +++ b/home/modules/gaming.nix @@ -12,11 +12,6 @@ in { }; config = mkIf cfg.enable { home.packages = [ - # Steam. todo: move to the steam module later - (pkgs.callPackage ./package.nix {}) - pkgs.protonup - pkgs.winetricks - pkgs.protontricks pkgs.lutris pkgs.openrct2 pkgs.prismlauncher diff --git a/home/modules/gaming/package.nix b/home/modules/gaming/package.nix deleted file mode 100644 index 19f241f..0000000 --- a/home/modules/gaming/package.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ - writeShellScriptBin, - steam-run, - steam, - ... -}: -writeShellScriptBin "steam" '' - exec ${steam-run}/bin/steam-run ${steam}/bin/steam -console -'' 
diff --git a/home/modules/gui/default.nix b/home/modules/gui/default.nix index 54bf1bb..bca09e9 100644 --- a/home/modules/gui/default.nix +++ b/home/modules/gui/default.nix @@ -81,8 +81,9 @@ in { ./fonts.nix ./i3.nix ./polybar.nix - ./startx.nix # move to ly once 24.11 comes out :( + ./startx.nix ./picom.nix + ./theme.nix ]; config = let @@ -113,45 +114,16 @@ in { picom.enable = true; }; - gtk = { + xdg = { enable = true; - - iconTheme = { - name = "Papirus-Dark"; - package = pkgs.papirus-icon-theme; + mimeApps = { + enable = true; + defaultApplications = { + "application/pdf" = with pkgs; ["qpdfview"]; + "text/uri-list" = with pkgs; ["firefox"]; + "x-scheme-handler/file" = with pkgs; ["kitty"]; + }; }; - theme = { - package = pkgs.materia-theme; - name = "Materia-dark"; - }; - - gtk2.extraConfig = '' - gtk-toolbar-style=GTK_TOOLBAR_BOTH_HORIZ - gtk-menu-images=1 - gtk-button-images=1 - ''; - - gtk3.extraConfig = { - gtk-application-prefer-dark-theme = 1; - }; - gtk4.extraConfig = { - gtk-application-prefer-dark-theme = 1; - }; - }; - - #qt = { mentioning qt makes qt applications not work, I should probably check how to fix this - # enable = true; - # style.name = "bb10dark"; - #}; - - home.sessionVariables = { - # Use gtk in jvm apps - _JAVA_OPTIONS = concatStringsSep " " [ - "-Dawt.useSystemAAFontSettings=on" - "-Dswing.aatext=true" - "-Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel" - "-Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel" - ]; }; }; } diff --git a/home/modules/gui/theme.nix b/home/modules/gui/theme.nix new file mode 100644 index 0000000..fa1e098 --- /dev/null +++ b/home/modules/gui/theme.nix 
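Review bot: The new `defaultApplications` values are package names wrapped in string lists, but entries in mimeapps.list are desktop entry ids, so `["qpdfview"]` is written out as `application/pdf=qpdfview;` and will not resolve to a desktop file; `["qpdfview.desktop"]`, `["firefox.desktop"]` and `["kitty.desktop"]` are the forms xdg-open looks up. The `with pkgs;` in front of each list is a no-op because the lists hold string literals rather than package attributes, and can be dropped. The enclosing `config = let … in { … }` starts outside this hunk, so whether these settings are gated on the gui module's enable flag is not visible here.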
@@ -0,0 +1,43 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; { + gtk = { + enable = true; + + iconTheme = { + name = "Papirus-Dark"; + package = pkgs.papirus-icon-theme; + }; + theme = { + package = pkgs.materia-theme; + name = "Materia-dark"; + }; + + gtk2.extraConfig = '' + gtk-toolbar-style=GTK_TOOLBAR_BOTH_HORIZ + gtk-menu-images=1 + gtk-button-images=1 + ''; + + gtk3.extraConfig = { + gtk-application-prefer-dark-theme = 1; + }; + gtk4.extraConfig = { + gtk-application-prefer-dark-theme = 1; + }; + }; + + home.sessionVariables = { + # Use gtk in jvm apps + _JAVA_OPTIONS = concatStringsSep " " [ + "-Dawt.useSystemAAFontSettings=on" + "-Dswing.aatext=true" + "-Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel" + "-Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel" + ]; + }; +} diff --git a/pkgs/config/unfree.nix b/pkgs/config/unfree.nix index 5028b08..9f6ff13 100644 --- a/pkgs/config/unfree.nix +++ b/pkgs/config/unfree.nix @@ -8,5 +8,4 @@ with lib; "steam-original" "steam-unwrapped" "steam-run" - "zoom" ] diff --git a/sys/modules/default.nix b/sys/modules/default.nix index 2f2bccf..27d719e 100644 --- a/sys/modules/default.nix +++ b/sys/modules/default.nix @@ -13,5 +13,7 @@ ./android.nix ./users.nix ./bluetooth.nix + ./net.nix + ./steam.nix ]; } diff --git a/sys/modules/net.nix b/sys/modules/net.nix new file mode 100644 index 0000000..7ff7721 --- /dev/null +++ b/sys/modules/net.nix 
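Review bot: theme.nix takes `config` in its argument set but never uses it, and the gtk/session-variable block that previously sat under gui/default.nix's `config` attribute is now a bare module body, so any gating that attribute applied no longer covers it. If the theme should only apply when the gui module is enabled, wrap the body as `config = mkIf <gui enable condition> { … };` like the place it was moved from; otherwise drop `config` from the arguments. A short header comment such as `# GTK theme, icons and JVM look-and-feel for the GUI profiles` would also help, since the file declares no option of its own.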
@@ -0,0 +1,186 @@ +{ + config, + lib, + ... +}: +with lib; { + options.local.sys.nets = with lib.types; + mkOption { + readOnly = true; + + type = attrsOf (submodule ({config, ...}: { + options = let + v4config = config.v4; + v6config = config.v6; + in { + hosts = mkOption { + default = {}; + + type = attrsOf (submodule { + options = { + v4 = mkOption { + default = null; + + type = nullOr (submodule ({config, ...}: { + options = { + suffix = mkOption { + type = str; + }; + + address = mkOption { + type = str; + readOnly = true; + }; + + cidr = mkOption { + type = str; + readOnly = true; + }; + + single = mkOption { + type = str; + readOnly = true; + }; + }; + + config = { + address = + if v4config.bits == 0 + then config.suffix + else if v4config.bits == 32 + then v4config.subnet + else "${v4config.prefix}.${config.suffix}"; + + cidr = "${config.address}/${toString v4config.bits}"; + single = "${config.address}/32"; + }; + })); + }; + + v6 = mkOption { + default = null; + + type = nullOr (submodule ({config, ...}: { + options = { + suffix = mkOption { + type = str; + }; + + address = mkOption { + type = str; + readOnly = true; + }; + + cidr = mkOption { + type = str; + readOnly = true; + }; + + single = mkOption { + type = str; + readOnly = true; + }; + }; + + config = { + address = let + hextets = fragment: length (splitString ":" fragment); + separator = + if doubleColon + then "::" + else ":"; + doubleColon = hextets v6config.prefix + hextets config.suffix < 8; + + joined = + if v6config.bits == 128 + then v6config.prefix + else if v6config.bits == 0 + then config.suffix + else "${v6config.prefix}${separator}${config.suffix}"; + in + joined; + + cidr = "${config.address}/${toString v6config.bits}"; + single = "${config.address}/128"; + }; + })); + }; + }; + }); + }; + + v4 = mkOption { + default = null; + + type = nullOr (submodule ({config, ...}: { + options = { + bits = mkOption { + type = enum [0 8 16 24 32]; + }; + + prefix = mkOption { + type = str; + }; + 
+ subnet = mkOption { + type = str; + readOnly = true; + }; + + cidr = mkOption { + type = str; + readOnly = true; + }; + }; + + config = { + cidr = "${config.subnet}/${toString config.bits}"; + subnet = + if config.bits != 0 + then config.prefix + strings.replicate (4 - config.bits / 8) ".0" + else "0.0.0.0"; + }; + })); + }; + + v6 = mkOption { + default = null; + + type = nullOr (submodule ({config, ...}: { + options = { + bits = mkOption { + type = + addCheck (ints.between 0 128) (b: mod b 4 == 0) + // { + description = "IPv6 subnet bits at nibble boundary"; + }; + }; + + prefix = mkOption { + type = str; + }; + + subnet = mkOption { + type = str; + readOnly = true; + }; + + cidr = mkOption { + type = str; + readOnly = true; + }; + }; + + config = { + cidr = "${config.subnet}/${toString config.bits}"; + subnet = + if config.bits == 128 || length (splitString "::" config.prefix) > 1 + then config.prefix + else "${config.prefix}::"; + }; + })); + }; + }; + })); + }; +} diff --git a/sys/modules/steam.nix b/sys/modules/steam.nix new file mode 100644 index 0000000..a6cd543 --- /dev/null +++ b/sys/modules/steam.nix @@ -0,0 +1,31 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.local.sys.steam; +in { + options.local.sys.steam = { + enable = mkEnableOption "steam settings"; + }; + config = mkIf cfg.enable { + programs.steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + localNetworkGameTransfers.openFirewall = true; + }; + + environment = { + systemPackages = with pkgs; + [ + protontricks + protonup + protonup-ng + winetricks + ]; + }; + }; +} diff --git a/sys/platforms/posixlycorrect/default.nix b/sys/platforms/posixlycorrect/default.nix index 23409ac..b4caa87 100644 --- a/sys/platforms/posixlycorrect/default.nix +++ b/sys/platforms/posixlycorrect/default.nix 
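Review bot: The per-host `v4`/`v6` submodules dereference the enclosing net's `v4config.bits` and `v6config.prefix` without checking that the net actually defines that family, so a host entry on a net whose `v4` or `v6` is `null` fails with an attribute-on-null error from deep inside the option type instead of a message naming the net. An `assert assertMsg (v4config != null) "<net> has hosts with v4 but no v4 block";` at the top of the `address` expression (and the v6 twin) would make the misconfiguration obvious. The `hextets` helper splits on `:` only, so a prefix that already contains `::` counts an empty hextet and `doubleColon` may come out wrong — presumably prefixes are expected without `::`, which deserves a comment or an explicit check. A file-level comment sketching the option tree (`nets.<n>.{v4,v6}.{bits,prefix,subnet,cidr}` and `hosts.<h>.{v4,v6}.{suffix,address,cidr,single}`) would help, since none of the options carry a `description`.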
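Review bot: Enabling `local.sys.steam` opens three firewall port groups at once (`remotePlay`, `dedicatedServer`, `localNetworkGameTransfers`), so every host that sets it exposes listeners for features it may never use. Exposing each as a sub-option that defaults to false, e.g. `remotePlay.openFirewall = cfg.openFirewall.remotePlay;`, keeps the firewall surface tied to what a given host actually does. The `environment = { systemPackages = …; }` nesting can be flattened to `environment.systemPackages = with pkgs; [ … ];` to match the `programs.steam` style just above it.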
@@ -19,6 +19,7 @@ graphics.enable = true; virtualisation.enable = true; androidSupport.enable = true; + steam.enable = true; users = { fabian = { diff --git a/sys/platforms/vps/default.nix b/sys/platforms/vps/default.nix index b949d4c..9801183 100644 --- a/sys/platforms/vps/default.nix +++ b/sys/platforms/vps/default.nix @@ -13,6 +13,7 @@ with lib; { flakes.impermanence.nixosModule ./hardware-configuration.nix ./srv + ./networkMap.nix ]; local.sys = { @@ -50,9 +51,67 @@ with lib; { }; }; - systemd.extraConfig = '' - DefaultTimeoutStartSec=900s - ''; + networking.firewall.allowedUDPPorts = [51820]; #TODO + + systemd = { + extraConfig = '' + DefaultTimeoutStartSec=900s + ''; + + network = let + inherit (config.local.sys) nets; + in { + enable = true; + + netdevs = { + wg-vpn = { + netdevConfig = { + Name = "wg-vpn"; + Kind = "wireguard"; + }; + + wireguardConfig = { + PrivateKeyFile = "/var/trust/wg/vpn/key.priv"; + ListenPort = "51820"; + }; + + wireguardPeers = [ + { + PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU="; + PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk"; + AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"]; + } + { + PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks="; + PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk"; + AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"]; + } + ]; + }; + }; + + networks = { + wg-vpn = { + name = "wg-vpn"; + + networkConfig = { + Address = [ + nets.vpn-vps.hosts.vps.v6.cidr + ]; + }; + + routes = [ + { + Destination = nets.vpn.v6.cidr; + } + { + Source = nets.vpn.v6.cidr; + } + ]; + }; + }; + }; + }; time.timeZone = "Europe/Amsterdam"; } diff --git a/sys/platforms/vps/networkMap.nix b/sys/platforms/vps/networkMap.nix new file mode 100644 index 0000000..473815e --- /dev/null +++ b/sys/platforms/vps/networkMap.nix 
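Review bot: The WireGuard port appears twice, as the integer in `networking.firewall.allowedUDPPorts = [51820]` and as the string in `ListenPort = "51820"`, and the firewall line carries only `#TODO`; binding it once with `let wgPort = 51820; in`, then `allowedUDPPorts = [wgPort];` and `ListenPort = toString wgPort;`, keeps the two from drifting, and the TODO should say what is still pending. `PrivateKeyFile` and the `PresharedKeyFile`s under /var/trust/wg/vpn are opened by systemd-networkd, which runs as the `systemd-network` user, so those files must be readable by it (for example owned root:systemd-network, mode 0640) or the netdev fails to come up — a comment stating that expectation next to the paths would save a debugging round. The route `{ Source = nets.vpn.v6.cidr; }` has no `Destination`, which looks unusual; if a source-policy route is intended, a comment saying so would help. The `"${nets.vpn-posixlycorrect.v6.cidr}"` interpolations are redundant, `[nets.vpn-posixlycorrect.v6.cidr]` is equivalent.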
@@ -0,0 +1,78 @@ +{ + config, + pkgs, + lib, + flakes, + ... +}: +with lib; { + local.sys.nets = { + default = { + v4 = { + bits = 32; + prefix = "37.205.12.34"; + }; + + v6 = { + bits = 64; + prefix = "2a03:3b40:fe:102"; + }; + + hosts = { + vps.v6.suffix = "1"; + vps.v4.suffix = ""; + }; + }; + + vpn = { + v6 = { + bits = 48; + prefix = "2a03:3b40:2b"; + }; + }; + + vpn-vps = { + v6 = { + bits = 64; + prefix = "2a03:3b40:2b:1000"; + }; + + hosts = { + vps.v6.suffix = "1"; + }; + }; + + vpn-posixlycorrect = { + v6 = { + bits = 64; + prefix = "2a03:3b40:2b:1001"; + }; + + hosts = { + posixlycorrect.v6.suffix = "1"; + }; + }; + + vpn-pixel8 = { + v6 = { + bits = 64; + prefix = "2a03:3b40:2b:1002"; + }; + + hosts = { + pixel8.v6.suffix = "1"; + }; + }; + + vpn-t14 = { + v6 = { + bits = 64; + prefix = "2a03:3b40:2b:1003"; + }; + + hosts = { + t14.v6.suffix = "1"; + }; + }; + }; +} diff --git a/sys/platforms/vps/srv/immich.nix b/sys/platforms/vps/srv/immich.nix index 9aadc3d..1fb0fc8 100644 --- a/sys/platforms/vps/srv/immich.nix +++ b/sys/platforms/vps/srv/immich.nix @@ -28,6 +28,46 @@ with lib; { environment = { IMMICH_TELEMETRY_EXCLUDE = "host,api,io,repo,job"; }; + settings = { + machineLearning = { + enabled = false; + }; + job = { + backgroundTask = { + concurrency = 1; + }; + smartSearch = { + concurrency = 1; + }; + metadataExtraction = { + concurrency = 1; + }; + faceDetection = { + concurrency = 1; + }; + search = { + concurrency = 1; + }; + sidecar = { + concurrency = 1; + }; + library = { + concurrency = 1; + }; + migration = { + concurrency = 1; + }; + thumbnailGeneration = { + concurrency = 1; + }; + videoConversion = { + concurrency = 1; + }; + notifications = { + concurrency = 1; + }; + }; + }; }; }; } diff --git a/sys/platforms/vps/srv/net.nix b/sys/platforms/vps/srv/net.nix index fdd3dd8..fc97444 100644 --- a/sys/platforms/vps/srv/net.nix +++ b/sys/platforms/vps/srv/net.nix 
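Review bot: networkMap.nix declares `config`, `pkgs` and `flakes` in its argument set but uses none of them, and `with lib;` brings in nothing the body needs either; trimming the header to `{ ... }:` makes it clear the file is pure data. `vpn-t14` is defined here but no peer for it appears in the wg-vpn netdev in vps/default.nix — presumably a placeholder, but a comment saying so would stop a reader assuming the link exists. A header comment naming what `default` versus the `vpn-*` entries represent (public addressing versus the per-peer /64s carved from the vpn /48) would help readers of this map.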
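Review bot: Every entry under `settings.job` sets the same `concurrency = 1`, eleven times over; with `lib` already in scope via `with lib;` this collapses to `job = genAttrs ["backgroundTask" "smartSearch" "metadataExtraction" "faceDetection" "search" "sidecar" "library" "migration" "thumbnailGeneration" "videoConversion" "notifications"] (_: { concurrency = 1; });`, which also makes the uniform single-worker limit explicit. A one-line comment on why machine learning is disabled and concurrency is capped (host resource limits, presumably) would help, since these read as tuning rather than defaults. The enclosing `services.immich` block starts before this hunk.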
@@ -3,9 +3,11 @@ pkgs, ... }: -with lib; { +with lib; let + inherit (config.local.sys) nets; +in { networking = { - nftables.enable = true; + nftables.enable = false; # learn how to use this later firewall = { enable = true; allowedTCPPorts = [80 443]; @@ -52,7 +54,11 @@ with lib; { fail2ban = { enable = true; bantime = "10m"; - ignoreIP = ["37.205.12.34"]; # Never ban the server's own IP + ignoreIP = [ + nets.default.hosts.vps.v6.cidr + nets.default.hosts.vps.v4.address + nets.vpn.v6.cidr + ]; bantime-increment = { enable = true; formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; diff --git a/sys/platforms/vps/srv/syncthing.nix b/sys/platforms/vps/srv/syncthing.nix index cdcbb41..0d4f9e8 100644 --- a/sys/platforms/vps/srv/syncthing.nix +++ b/sys/platforms/vps/srv/syncthing.nix @@ -13,6 +13,7 @@ with lib; { openDefaultPorts = true; guiAddress = "127.0.0.1:8384"; settings.options.urAccepted = -1; + dataDir = "/mnt/export2179/syncthing"; relay = { enable = true; pools = [];
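Review bot: Switching `nftables.enable` from true to false changes which backend the NixOS firewall and fail2ban use, so after deploy it is worth confirming that fail2ban's bans now land in iptables (the NixOS fail2ban module derives its default `banaction` from this setting) and that no nft-only rules elsewhere in the config were silently dropped. The comment `# learn how to use this later` does not say why the backend was reverted; `# reverted to iptables: <reason>` with the actual cause would help the next reader. The `inherit (config.local.sys) nets;` added to the let-binding is only consumed by the second hunk in this file.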
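Review bot: The new `ignoreIP` list widens the exemption from the server's own address to the whole `hosts.vps.v6.cidr` (which carries the net's /64, not a /128) and to the entire VPN /48, so every VPN peer is exempt from bans; if only the host itself should be exempt, `nets.default.hosts.vps.v6.single` is the matching attribute, and the v4 entry already uses the bare `.address`. The previous `# Never ban the server's own IP` comment was dropped; a comment per entry, e.g. `# own v6 /64, own v4, trusted VPN peers`, would record why each range is trusted. Whether a /64 with host bits set is normalised by fail2ban is not visible here, so `.single` or the net-level `nets.default.v6.cidr` is the safer spelling.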
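Review bot: `dataDir` now points under `/mnt/export2179`, but nothing in the hunk orders the syncthing service after that mount; if syncthing starts before the filesystem is mounted it may create and populate the path on the root filesystem, and the real data would then be shadowed once the mount appears. Adding `systemd.services.syncthing.unitConfig.RequiresMountsFor = "/mnt/export2179/syncthing";` (assuming the unit is the default `syncthing.service`) ties startup to the mount. The enclosing `services.syncthing` block starts before this hunk.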