From c495445e91ab9255c4eba01949ca2e428b72ae85 Mon Sep 17 00:00:00 2001 From: DuN0z Date: Sun, 5 Oct 2025 08:20:57 +0200 Subject: [PATCH] CLEAN: nix develop --- flake.nix | 35 ++-- hm/common/browser.nix | 18 +- hm/common/git.nix | 2 +- hm/desktop/bspwm.nix | 273 +++++++++++++++------------ hosts/forbann/configuration.nix | 101 +++++----- hosts/pennsardin/configuration.nix | 70 ++++--- hosts/terre-neuvas/configuration.nix | 54 +++--- hosts/terre-neuvas/hardware.nix | 55 +++--- modules/common/fonts.nix | 2 +- modules/common/networking.nix | 4 +- modules/common/nix.nix | 4 +- modules/common/qemu.nix | 13 +- modules/desktop/xorg-bspwm.nix | 8 +- modules/roles/workstation.nix | 4 +- modules/services/forgejo.nix | 81 ++++---- modules/services/ftp.nix | 34 ++-- modules/services/goaccess.nix | 14 +- modules/services/pihole.nix | 4 +- modules/sites/levr.porzh.me.nix | 65 ++++--- modules/sites/porzh.me.nix | 9 +- profiles/server-selfhosted.nix | 6 +- profiles/workstation-bspwm.nix | 6 +- 22 files changed, 439 insertions(+), 423 deletions(-) diff --git a/flake.nix b/flake.nix index 7333bc4..37e242a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -22,29 +22,30 @@ home-manager, nur, ... - } @ inputs: let - mkUnstablePkgsWithNur = { system, config ? {} }: - import nixpkgs-unstable { - inherit system; - overlays = [ nur.overlays.default ]; - config = config ; - }; - in - - { + }: let + mkUnstablePkgsWithNur = { + system, + config ? {}, + }: + import nixpkgs-unstable { + inherit system; + overlays = [nur.overlays.default]; + inherit config; + }; + in { nixosConfigurations = { pennsardin = nixpkgs-unstable.lib.nixosSystem { system = "x86_64-linux"; - pkgs = mkUnstablePkgsWithNur { + pkgs = mkUnstablePkgsWithNur { system = "x86_64-linux"; config = { - allowUnfree = true ; - allowUnsupportedSystem = true ; + allowUnfree = true; + allowUnsupportedSystem = true; }; }; modules = [ ./hosts/pennsardin/configuration.nix - home-manager.nixosModules.home-manager + home-manager.nixosModules.home-manager ]; }; @@ -52,7 +53,7 @@ system = "x86_64-linux"; modules = [ ./hosts/terre-neuvas/configuration.nix - home-manager-stable.nixosModules.home-manager + home-manager-stable.nixosModules.home-manager ]; }; @@ -65,12 +66,12 @@ }; }; -# --- DevShell (x86_64 uniquement) --- + # --- DevShell (x86_64 uniquement) --- devShells.x86_64-linux.default = import ./devshell.nix { pkgs = import nixpkgs-stable {system = "x86_64-linux";}; }; -# --- Formatter (x86_64 uniquement) --- + # --- Formatter (x86_64 uniquement) --- formatter.x86_64-linux = (import nixpkgs-stable {system = "x86_64-linux";}).alejandra; }; diff --git a/hm/common/browser.nix b/hm/common/browser.nix index 9c8390b..51d867e 100644 --- a/hm/common/browser.nix +++ b/hm/common/browser.nix 
@@ -1,15 +1,19 @@ -{pkgs, nur, ... }: { +{ + pkgs, + nur, + ... +}: { programs.firefox = { enable = true; languagePacks = ["fr"]; profiles.default = { settings = { - "intl.locale.requested" = "fr" ; + "intl.locale.requested" = "fr"; "intl.accept_languages" = "fr, en-US, en"; - "layers.acceleration.disabled" = true ; - "gfx.webrender.all" = false ; - "privacy.trackingprotection.enabled" = true ; - "privacy.resistFingerprinting" = true ; + "layers.acceleration.disabled" = true; + "gfx.webrender.all" = false; + "privacy.trackingprotection.enabled" = true; + "privacy.resistFingerprinting" = true; "network.cookie.cookieBehavior" = 1; }; extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [ @@ -20,6 +24,6 @@ ]; }; }; - } +} # vim: set ts=2 sw=2 sts=2 et : diff --git a/hm/common/git.nix b/hm/common/git.nix index 5070d68..ec4c03b 100644 --- a/hm/common/git.nix +++ b/hm/common/git.nix @@ -1,7 +1,7 @@ _: { programs.git = { enable = true; - userName = "DuN0z" ; + userName = "DuN0z"; userEmail = "dun0z@porzh.me"; }; } diff --git a/hm/desktop/bspwm.nix b/hm/desktop/bspwm.nix index 8247da5..302d6b8 100644 --- a/hm/desktop/bspwm.nix +++ b/hm/desktop/bspwm.nix 
@@ -1,85 +1,143 @@ # hm/desktop/bspwm.nix -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: { imports = [ ../common/browser.nix ]; home.packages = with pkgs; [ - bspwm sxhkd xorg.xinit xterm alacritty rofi feh font-awesome - picom xorg.xset xidlehook betterlockscreen pywal16 imagemagick - pulsemixer ranger jq file highlight unzip mpv + bspwm + sxhkd + xorg.xinit + xterm + alacritty + rofi + feh + font-awesome + picom + xorg.xset + xidlehook + betterlockscreen + pywal16 + imagemagick + pulsemixer + ranger + jq + file + highlight + unzip + mpv protonvpn-gui ]; # Gère le ssh-agent proprement côté user services.ssh-agent.enable = true; - xsession.enable = true; - xsession.windowManager.bspwm = { + xsession = { enable = true; + xsession.windowManager.bspwm = { + enable = true; - # Démarrages au login X - startupPrograms = [ - "sxhkd -m 1" - "setxkbmap bepovim" - "xrandr --output DisplayPort-1 --rate 60 --pos 0x0" - "polybar main" - "bash ~/.fehbg" - ]; + # Démarrages au login X + startupPrograms = [ + "sxhkd -m 1" + "setxkbmap bepovim" + "xrandr --output DisplayPort-1 --rate 60 --pos 0x0" + "polybar main" + "bash ~/.fehbg" + ]; - extraConfigEarly = '' - bspc config borderless_monocle true - bspc config gapless_monocle true - bspc config single_monocle true - bspc monitor -d I II III IV V VI - ''; + extraConfigEarly = '' + bspc config borderless_monocle true + bspc config gapless_monocle true + bspc config single_monocle true + bspc monitor -d I II III IV V VI + ''; + }; }; -# xsession.initExtra = '' -# xset s 300 300 -# xset s on -# xset s noblank -# xset +dpms -# xset dpms 0 0 500 -# ''; + # xsession.initExtra = '' + # xset s 300 300 + # xset s on + # xset s noblank + # xset +dpms + # xset dpms 0 0 500 + # ''; - services.sxhkd = { - enable = true; - extraOptions = [ "-m" "1" ]; - keybindings = { - "super + Return" = "alacritty"; - "super + c" = "bspc node -c"; - "Menu" = "rofi -show drun"; - "super + space" = "rofi -show drun"; + services = { + sxhkd = { + enable = true; 
+ extraOptions = ["-m" "1"]; + keybindings = { + "super + Return" = "alacritty"; + "super + c" = "bspc node -c"; + "Menu" = "rofi -show drun"; + "super + space" = "rofi -show drun"; - "F1" = "bspc desktop -f ^1"; - "F2" = "bspc desktop -f ^2"; - "F3" = "bspc desktop -f ^3"; - "F4" = "bspc desktop -f ^4"; - "F5" = "bspc desktop -f ^5"; - "F6" = "bspc desktop -f ^6"; + "F1" = "bspc desktop -f ^1"; + "F2" = "bspc desktop -f ^2"; + "F3" = "bspc desktop -f ^3"; + "F4" = "bspc desktop -f ^4"; + "F5" = "bspc desktop -f ^5"; + "F6" = "bspc desktop -f ^6"; - "shift + F1" = "bspc node -d ^1 --follow"; - "shift + F2" = "bspc node -d ^2 --follow"; - "shift + F3" = "bspc node -d ^3 --follow"; - "shift + F4" = "bspc node -d ^4 --follow"; - "shift + F5" = "bspc node -d ^5 --follow"; - "shift + F6" = "bspc node -d ^6 --follow"; + "shift + F1" = "bspc node -d ^1 --follow"; + "shift + F2" = "bspc node -d ^2 --follow"; + "shift + F3" = "bspc node -d ^3 --follow"; + "shift + F4" = "bspc node -d ^4 --follow"; + "shift + F5" = "bspc node -d ^5 --follow"; + "shift + F6" = "bspc node -d ^6 --follow"; - "super + h" = "bspc node -f west"; - "super + j" = "bspc node -f south"; - "super + k" = "bspc node -f north"; - "super + l" = "bspc node -f east"; + "super + h" = "bspc node -f west"; + "super + j" = "bspc node -f south"; + "super + k" = "bspc node -f north"; + "super + l" = "bspc node -f east"; - "super + shift + h" = "bspc node -s west"; - "super + shift + j" = "bspc node -s south"; - "super + shift + k" = "bspc node -s north"; - "super + shift + l" = "bspc node -s east"; + "super + shift + h" = "bspc node -s west"; + "super + shift + j" = "bspc node -s south"; + "super + shift + k" = "bspc node -s north"; + "super + shift + l" = "bspc node -s east"; - "super + f" = "bspc node -t fullscreen"; - "super + s" = "bspc node -t floating"; - "super + shift + t" = "bspc node -t pseudo_tiled"; - "super + t" = "bspc node -t tiled"; + "super + f" = "bspc node -t fullscreen"; + "super + s" = "bspc 
node -t floating"; + "super + shift + t" = "bspc node -t pseudo_tiled"; + "super + t" = "bspc node -t tiled"; + }; + }; + polybar = { + enable = true; + script = "polybar main &"; + config = { + "bar/main" = { + width = "100%"; + height = "28"; + font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2"; + modules-left = "bspwm"; + modules-center = "date"; + modules-right = "pulseaudio memory cpu"; + }; + "module/bspwm" = { + type = "internal/bspwm"; + label-focused = "%name%"; + label-focused-foreground = "#e6e0de"; + label-focused-padding = 2; + label-occupied = "%name%"; + label-occupied-padding = 2; + label-urgent = "%name%"; + label-urgent-background = "#e42127"; + label-urgent-foreground = "#ffffff"; + label-empty = "%name%"; + label-empty-foreground = "#645d56"; + label-empty-padding = 2; + }; + "module/date" = { + type = "internal/date"; + interval = 60; + date = "%d-%m-%Y %H:%M"; + }; + }; }; }; 
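Review bot: The new nesting in the first hunk declares `xsession = { enable = true; xsession.windowManager.bspwm = { ... }; };`, which resolves to `xsession.xsession.windowManager.bspwm` — an option home-manager does not define, so evaluation should fail, or at best bspwm is left unconfigured while the old top-level `xsession.windowManager.bspwm` block is gone. The inner attribute should drop the repeated prefix: `windowManager.bspwm = {`. The rest of the reorganisation (sxhkd/polybar under `services`) looks equivalent to the old layout; the `services = {` set continues past the end of this hunk.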
@@ -96,74 +154,49 @@ ''; Restart = "always"; }; - Install.WantedBy = [ "graphical-session.target" ]; + Install.WantedBy = ["graphical-session.target"]; }; - # polybar (config intégrée pour démarrer simple) - services.polybar = { - enable = true; - script = "polybar main &"; - config = { - "bar/main" = { - width = "100%"; - height = "28"; - font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2"; - modules-left = "bspwm"; - modules-center = "date"; - modules-right = "pulseaudio memory cpu"; - }; - "module/bspwm" = { - type = "internal/bspwm"; - label-focused = "%name%"; - label-focused-foreground = "#e6e0de"; - label-focused-padding = 2; - label-occupied = "%name%"; - label-occupied-padding = 2; - label-urgent = "%name%"; - label-urgent-background = "#e42127"; - label-urgent-foreground = "#ffffff"; - label-empty = "%name%"; - label-empty-foreground = "#645d56"; - label-empty-padding = 2; - }; - "module/date" = { - type = "internal/date"; - interval = 60; - date = "%d-%m-%Y %H:%M"; + programs = { + alacritty = { + enable = true; + settings = { + general.import = ["~/.cache/wal/colors-alacritty.toml"]; + font = { + normal = { + family = lib.mkForce "Iosevka Nerd Font"; + style = "Regular"; + }; + bold = { + family = lib.mkForce "Iosevka Nerd Font"; + style = "Bold"; + }; + italic = { + family = lib.mkForce "Iosevka Nerd Font"; + style = "Italic"; + }; + size = lib.mkForce 9; + }; }; }; + + rtorrent = { + enable = true; + extraConfig = '' + directory = /srv/raid + port_range = 6881-6891 + max_peers = 150 + max_peers_seed = 100 + protocol.pex.set = true ; + schedule = watch_directory,5,5,load.start=~/Téléchargements/*.torrent + pieces.hash.on_completion.set = no + network.max_open_files.set = 8192 + session = /home/lomig/.cache/rtorrent/session + ''; + }; }; - # alacritty - programs.alacritty = { - enable = true; - settings = { - general.import = [ "~/.cache/wal/colors-alacritty.toml" ]; - font = { - normal = { family = lib.mkForce "Iosevka Nerd Font"; style = 
"Regular"; }; - bold = { family = lib.mkForce "Iosevka Nerd Font"; style = "Bold"; }; - italic = { family = lib.mkForce "Iosevka Nerd Font"; style = "Italic"; }; - size = lib.mkForce 9; - }; - }; - }; - - programs.rtorrent = { - enable = true ; - extraConfig = '' - directory = /srv/raid - port_range = 6881-6891 - max_peers = 150 - max_peers_seed = 100 - protocol.pex.set = true ; - schedule = watch_directory,5,5,load.start=~/Téléchargements/*.torrent - pieces.hash.on_completion.set = no - network.max_open_files.set = 8192 - session = /home/lomig/.cache/rtorrent/session -''; - }; home.activation.createRtorrentSessionDir = lib.hm.dag.entryAfter ["writeBoundary"] '' mkdir -p ~/.cache/rtorrent/session ''; } - diff --git a/hosts/forbann/configuration.nix b/hosts/forbann/configuration.nix index bc3b526..2eb7966 100644 --- a/hosts/forbann/configuration.nix +++ b/hosts/forbann/configuration.nix 
@@ -1,67 +1,70 @@ -{ config, pkgs, ...}: -{ - boot.loader.grub = { - enable = true ; - device = "/dev/vda"; - }; - - fileSystems."/" = { - device = "/dev/vda1" ; - fsType = "ext4" ; - }; - - fileSystems."/srv" = { - device = "shared0" ; - fsType = "9p" ; - options = [ "trans=virtio" "version=9p2000.L" "rw" ]; - neededForBoot = false ; - noCheck = true ; - }; - - systemd.services.mountShared = { - description = "Mount 9p shared folder" ; - after = [ "local-fs.target" "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot" ; - ExecStart = "${pkgs.util-linux}/bin/mount -t 9p -o trans=virtio,version=9p2000.L shared0 /srv"; - RemainAfterExit = true ; +{pkgs, ...}: { + boot = { + kernelPackages = pkgs.linuxPackages; + initrd.supportedFilesystems = ["ext4"]; + loader.grub = { + enable = true; + device = "/dev/vda"; }; }; - boot.kernelPackages = pkgs.linuxPackages ; - boot.initrd.supportedFilesystems = [ "ext4" ]; + fileSystems = { + "/" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; + "/srv" = { + device = "shared0"; + fsType = "9p"; + options = ["trans=virtio" "version=9p2000.L" "rw"]; + neededForBoot = false; + noCheck = true; + }; + }; networking = { useDHCP = true; - useNetworkd = true ; - hostName = "forbann" ; + useNetworkd = true; + hostName = "forbann"; }; - systemd.network = { - enable = true ; - networks."10-eth0" = { - matchConfig.Name = "eth0"; - networkConfig = { - Address = "192.168.1.10/24"; - Gateway = "192.168.0.254" ; - DNS = "192.168.0.254" ; + systemd = { + services.mountShared = { + description = "Mount 9p shared folder"; + after = ["local-fs.target" "network.target"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.util-linux}/bin/mount -t 9p -o trans=virtio,version=9p2000.L shared0 /srv"; + RemainAfterExit = true; + }; + }; + network = { + enable = true; + networks."10-eth0" = { + matchConfig.Name = "eth0"; + networkConfig = { + Address = 
"192.168.1.10/24"; + Gateway = "192.168.0.254"; + DNS = "192.168.0.254"; + }; }; }; }; - services.openssh.enable = true ; - - services.rtorrent = { - enable = true ; - dataDir = "/home/vmuser/torrents" ; + services = { + openssh.enable = true; + rtorrent = { + enable = true; + dataDir = "/home/vmuser/torrents"; + }; }; users.users.vmuser = { - isNormalUser = true ; - extraGroups = [ "wheel" ]; - password = "changeme" ; + isNormalUser = true; + extraGroups = ["wheel"]; + password = "changeme"; }; - system.stateVersion = "25.05" ; + system.stateVersion = "25.05"; } diff --git a/hosts/pennsardin/configuration.nix b/hosts/pennsardin/configuration.nix index 7753f8e..815166b 100644 --- a/hosts/pennsardin/configuration.nix +++ b/hosts/pennsardin/configuration.nix 
@@ -8,34 +8,31 @@ networking.hostName = "pennsardin"; boot.kernelPackages = pkgs.linuxPackages_latest; - boot.swraid.enable = true ; + boot.swraid.enable = true; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4"; - fsType = "ext4"; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4"; + fsType = "ext4"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/1DB2-7A0F"; + fsType = "vfat"; + options = ["fmask=0077" "dmask=0077"]; + }; + "/proc" = { + device = "proc"; + fsType = "proc"; + options = ["defaults" "hidepid=2"]; + neededForBoot = true; + }; + "/srv/raid" = { + device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b"; + fsType = "btrfs"; + }; }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/1DB2-7A0F"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - fileSystems."/proc" = - { - device = "proc" ; - fsType = "proc" ; - options = [ "defaults" "hidepid=2" ]; - neededForBoot = true ; - }; - - fileSystems."/srv/raid" = - { device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b"; - fsType = "btrfs"; - }; - - swapDevices = [ ]; + swapDevices = []; users.users.lomig = { isNormalUser = true; 
@@ -49,27 +46,27 @@ }; networking = { - useNetworkd = true ; - firewall.allowedTCPPorts = [ 22 80 5900 5901 5902 ]; - interfaces.enp11s0.useDHCP = false ; + useNetworkd = true; + firewall.allowedTCPPorts = [22 80 5900 5901 5902]; + interfaces.enp11s0.useDHCP = false; interfaces.br0 = { - useDHCP = false ; + useDHCP = false; ipv4.addresses = [ { address = "192.168.0.2"; - prefixLength = 24 ; + prefixLength = 24; } ]; }; defaultGateway = { - interface = "br0" ; - address = "192.168.0.254" ; + interface = "br0"; + address = "192.168.0.254"; }; - nameservers = [ "192.168.0.254" "1.1.1.1" ]; - bridges.br0.interfaces = [ "enp11s0" ]; + nameservers = ["192.168.0.254" "1.1.1.1"]; + bridges.br0.interfaces = ["enp11s0"]; }; systemd.network = { - enable = true ; + enable = true; netdevs."br0" = { netdevConfig = { Name = "br0"; @@ -77,7 +74,7 @@ }; }; networks."br0" = { - matchConfig.Name = "br0" ; + matchConfig.Name = "br0"; }; networks."enp11s0" = { matchConfig.Name = "enp11s0"; @@ -87,6 +84,5 @@ system.stateVersion = "25.05"; # pour éviter les hurlements inutiles } - # vim: set ts=2 sw=2 sts=2 et : diff --git a/hosts/terre-neuvas/configuration.nix b/hosts/terre-neuvas/configuration.nix index 86b0267..0a6c5c7 100644 --- a/hosts/terre-neuvas/configuration.nix +++ b/hosts/terre-neuvas/configuration.nix 
@@ -1,19 +1,19 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - { - - nix.settings.experimental-features = ["nix-command" "flakes" ]; - imports = - [ # Include the results of the hardware scan. - ./hardware.nix - ../../profiles/server-selfhosted.nix - ../../modules/services/ftp.nix - ../../modules/services/forgejo.nix - ]; + config, + pkgs, + ... +}: { + nix.settings.experimental-features = ["nix-command" "flakes"]; + imports = [ + # Include the results of the hardware scan. + ./hardware.nix + ../../profiles/server-selfhosted.nix + ../../modules/services/ftp.nix + ../../modules/services/forgejo.nix + ]; # Bootloader. boot.loader.systemd-boot.enable = true; @@ -32,7 +32,7 @@ users.users.lomig = { isNormalUser = true; - extraGroups = [ "lp" "wheel" "docker" ]; + extraGroups = ["lp" "wheel" "docker"]; shell = pkgs.zsh; }; 
@@ -44,32 +44,32 @@ nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ - neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - git - hugo + neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + git + hugo ]; networking = { - useNetworkd = true ; - firewall.allowedTCPPorts = [ 22 80 5900 5901 5902 ]; - interfaces.eno1.useDHCP = false ; + useNetworkd = true; + firewall.allowedTCPPorts = [22 80 5900 5901 5902]; + interfaces.eno1.useDHCP = false; interfaces.br0 = { - useDHCP = false ; + useDHCP = false; ipv4.addresses = [ { address = "192.168.0.3"; - prefixLength = 24 ; + prefixLength = 24; } ]; }; defaultGateway = { - interface = "br0" ; - address = "192.168.0.254" ; + interface = "br0"; + address = "192.168.0.254"; }; - nameservers = [ "192.168.0.254" "1.1.1.1" ]; - bridges.br0.interfaces = [ "eno1" ]; + nameservers = ["192.168.0.254" "1.1.1.1"]; + bridges.br0.interfaces = ["eno1"]; }; systemd.network = { - enable = true ; + enable = true; netdevs."br0" = { netdevConfig = { Name = "br0"; @@ -77,7 +77,7 @@ }; }; networks."br0" = { - matchConfig.Name = "br0" ; + matchConfig.Name = "br0"; }; networks."eno1" = { matchConfig.Name = "eno1"; diff --git a/hosts/terre-neuvas/hardware.nix b/hosts/terre-neuvas/hardware.nix index 8c1dc15..16831e6 100644 --- a/hosts/terre-neuvas/hardware.nix +++ b/hosts/terre-neuvas/hardware.nix 
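Review bot: `firewall.allowedTCPPorts = [22 80 5900 5901 5902]` opens three VNC displays (5900–5902) on `br0` for the whole LAN; nothing in this file shows VNC authentication or TLS, and libvirt/QEMU VNC listeners are unauthenticated by default. If these are VM consoles, keep them bound to `127.0.0.1` and reach them through the SSH forwarding that port 22 already provides, e.g. `firewall.allowedTCPPorts = [22 80];`. The same port list appears in `hosts/pennsardin/configuration.nix`; if it is copy-pasted, both hosts should be reviewed together. Presumably 443 is opened elsewhere (e.g. `modules/services/forgejo.nix`), since Caddy's ACME flow needs it on this host — worth confirming.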
@@ -1,45 +1,42 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = lib.mkAfter [ "kvm-intel" "tun" ]; - boot.extraModulePackages = [ ]; + boot = { + initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"]; + initrd.kernelModules = []; + kernelModules = lib.mkAfter ["kvm-intel" "tun"]; + extraModulePackages = []; + }; - fileSystems."/" = - { device = "/dev/disk/by-uuid/f37e4afb-1ee2-4f70-a93c-398461405181"; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/f37e4afb-1ee2-4f70-a93c-398461405181"; fsType = "ext4"; }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/111D-E5E8"; + "/boot" = { + device = "/dev/disk/by-uuid/111D-E5E8"; fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; + options = ["fmask=0077" "dmask=0077"]; }; - - fileSystems."/srv" = - { device = "/dev/disk/by-uuid/2ef442a9-0eab-4dc5-b17c-076e18a54873"; + "/srv" = { + device = "/dev/disk/by-uuid/2ef442a9-0eab-4dc5-b17c-076e18a54873"; fsType = "btrfs"; }; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/c3a69154-ead9-4fcc-a9b1-3b741a42ee97"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
- # networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + swapDevices = [ + {device = "/dev/disk/by-uuid/c3a69154-ead9-4fcc-a9b1-3b741a42ee97";} + ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/modules/common/fonts.nix b/modules/common/fonts.nix index c04d82d..7db1fe9 100644 --- a/modules/common/fonts.nix +++ b/modules/common/fonts.nix @@ -1,4 +1,4 @@ -{ pkgs, ...}: { +{pkgs, ...}: { fonts.packages = with pkgs; [ dejavu_fonts ]; diff --git a/modules/common/networking.nix b/modules/common/networking.nix index 17e8015..54957af 100644 --- a/modules/common/networking.nix +++ b/modules/common/networking.nix @@ -1,8 +1,8 @@ _: { networking = { nameservers = ["1.1.1.1" "8.8.8.8"]; -# dhcpcd.extraConfig = "nohook resolv.conf"; + # dhcpcd.extraConfig = "nohook resolv.conf"; firewall.enable = true; - interfaces.enp11s0.wakeOnLan.enable = true ; + interfaces.enp11s0.wakeOnLan.enable = true; }; } diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 458187f..f1f6fd4 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -5,7 +5,7 @@ }; nixpkgs.config = { -# allowUnfree = true; -# allowUnsupportedSystem = true; + # allowUnfree = true; + # allowUnsupportedSystem = true; }; } diff --git a/modules/common/qemu.nix b/modules/common/qemu.nix index b452c4a..ddb4ecf 100644 --- a/modules/common/qemu.nix +++ b/modules/common/qemu.nix @@ -1,7 +1,7 @@ { lib, pkgs, - config, + config, ... }: { boot.kernelModules = lib.mkAfter ["tun"]; 
@@ -22,21 +22,20 @@ virtualisation.libvirtd = { enable = true; - qemu = + qemu = if lib.versionOlder config.system.nixos.release "25.11" then { ovmf.enable = true; ovmf.packages = [pkgs.OVMFFull.fd]; runAsRoot = false; swtpm.enable = true; - } else { + } + else { runAsRoot = false; swtpm.enable = true; - }; + }; }; - - users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"]; environment.etc."qemu/bridge.conf".text = '' @@ -47,7 +46,7 @@ source = "${pkgs.qemu}/libexec/qemu-bridge-helper"; owner = "root"; group = "kvm"; - setuid = true ; + setuid = true; permissions = "u+rwx,g+rx,o+rx"; }; } diff --git a/modules/desktop/xorg-bspwm.nix b/modules/desktop/xorg-bspwm.nix index 8e3736a..8d3a1b0 100644 --- a/modules/desktop/xorg-bspwm.nix +++ b/modules/desktop/xorg-bspwm.nix @@ -1,15 +1,11 @@ -{ - config, - lib, - ... -}: { +{lib, ...}: { services = { xserver = { enable = true; displayManager = { lightdm.enable = true; }; - windowManager.bspwm.enable = true ; + windowManager.bspwm.enable = true; }; displayManager = { gdm.enable = lib.mkForce false; diff --git a/modules/roles/workstation.nix b/modules/roles/workstation.nix index 4732e83..0ccf5d6 100644 --- a/modules/roles/workstation.nix +++ b/modules/roles/workstation.nix @@ -11,8 +11,8 @@ ../virtual/vfio.nix # Dev -# ../dev/qemu.nix -# ../virtual/truenas.nix # seulement si tu l’utilises sur ce host + # ../dev/qemu.nix + # ../virtual/truenas.nix # seulement si tu l’utilises sur ce host ]; environment.systemPackages = with pkgs; [ diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index 4042456..14c4c94 100644 --- a/modules/services/forgejo.nix +++ b/modules/services/forgejo.nix @@ -1,6 +1,4 @@ -# NixOS module Forgejo avec SQLite, SSH et reverse proxy Caddy -{ config, pkgs, lib, ... }: { - +{pkgs, ...}: { # --- Utilisateur dédié --- users.users.git = { isSystemUser = true; 
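Review bot: In the `qemu-bridge-helper` wrapper, `setuid = true` combined with `permissions = "u+rwx,g+rx,o+rx"` makes a setuid-root binary executable by every local user, so `group = "kvm"` restricts nothing. Drop the world bits: `permissions = "u+rwx,g+rx";`, or replace setuid with `capabilities = "cap_net_admin+ep";` as the NixOS wrapper option supports. The `/etc/qemu/bridge.conf` ACL written just above still bounds which bridges can be attached, so the exposure is limited to bridge attachment, but the helper should not be reachable outside `kvm`. The `security.wrappers` definition opens outside this hunk.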
@@ -11,52 +9,51 @@ users.groups.git = {}; # --- Forgejo --- - services.forgejo = { - enable = true; - user = "git"; - group = "git"; - database = { - type = "sqlite3"; - path = "/var/lib/forgejo/data/gitea.db"; + services = { + forgejo = { + enable = true; + user = "git"; + group = "git"; + database = { + type = "sqlite3"; + path = "/var/lib/forgejo/data/gitea.db"; + }; + settings = { + server = { + DOMAIN = "govel.porzh.me"; + ROOT_URL = "https://govel.porzh.me/"; + SSH_DOMAIN = "govel.porzh.me"; + HTTP_PORT = 3000; + SSH_PORT = 22; + START_SSH_SERVER = false; + }; + service = { + DISABLE_REGISTRATION = true; + REGISTER_EMAIL_CONFIRM = false; + }; + repository = { + DEFAULT_BRANCH = "main"; + }; + }; }; - settings = { - server = { - DOMAIN = "govel.porzh.me"; - ROOT_URL = "https://govel.porzh.me/"; - SSH_DOMAIN = "govel.porzh.me"; - HTTP_PORT = 3000; - SSH_PORT = 22; - START_SSH_SERVER = false; - }; - service = { - DISABLE_REGISTRATION = true; - REGISTER_EMAIL_CONFIRM = false; - }; - repository = { - DEFAULT_BRANCH = "main"; + openssh.enable = true; + caddy = { + enable = true; + virtualHosts."govel.porzh.me" = { + extraConfig = '' + reverse_proxy localhost:3000 + ''; }; }; }; # --- Ouvrir les ports nécessaires --- - networking.firewall.allowedTCPPorts = [ 80 443 2222 ]; - - # --- Rediriger port SSH interne de Forgejo --- - services.openssh.enable = true; - networking.firewall.interfaces."eth0".allowedTCPPorts = [ 22 ]; # pour admin - - # --- Caddy pour govel.porzh.me --- - services.caddy = { - enable = true; - virtualHosts."govel.porzh.me" = { - extraConfig = '' - reverse_proxy localhost:3000 - ''; - }; + networking.firewall = { + allowedTCPPorts = [80 443 2222]; + interfaces."eth0".allowedTCPPorts = [22]; }; - # --- Pour que Forgejo génère les bonnes URLs Git --- -# networking.hostName = "git"; # non strictement obligatoire + # networking.hostName = "git"; # non strictement obligatoire # --- Optionnel : config DNS --- # git.lomig.me -> ton IP publique (ou IP 
locale si LAN) @@ -67,6 +64,4 @@ # --- Astuce : génère une paire de clés pour l’accès SSH Git --- # ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo # puis ajoute la clé publique dans ton compte Forgejo - } - diff --git a/modules/services/ftp.nix b/modules/services/ftp.nix index f1b3d89..d077278 100644 --- a/modules/services/ftp.nix +++ b/modules/services/ftp.nix @@ -1,14 +1,14 @@ -{ config, pkgs, lib, ... }: { +_: { # ------------------------------------------------- # 1️⃣ Création de l’utilisateur système dédié FTP # ------------------------------------------------- users.users.ftpuser = { - isSystemUser = true; # pas de login shell - description = "Compte FTP dédié"; - home = "/srv/ftp/ftpuser"; - createHome = true; - group = "ftpuser"; - shell = "/usr/bin/nologin"; + isSystemUser = true; # pas de login shell + description = "Compte FTP dédié"; + home = "/srv/ftp/ftpuser"; + createHome = true; + group = "ftpuser"; + shell = "/usr/bin/nologin"; }; users.groups.ftpuser = {}; @@ -16,11 +16,11 @@ extraConfig = '' Match User ftpuser ChrootDirectory /srv/ftp/ftpuser - ForceCommand internal-sftp - AllowTcpForwarding no + ForceCommand internal-sftp + AllowTcpForwarding no X11Forwarding no ''; - }; + }; # ------------------------------------------------- # 2️⃣ Permissions du répertoire home (méthode A) 
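Review bot: `networking.firewall.allowedTCPPorts = [80 443 2222]` opens 2222 although the Forgejo settings in the same hunk set `START_SSH_SERVER = false` and `SSH_PORT = 22`, so nothing listens there and the open port is just unnecessary exposure; `allowedTCPPorts = [80 443];` matches the configuration. `interfaces."eth0".allowedTCPPorts = [22]` is likely dead too: the hosts in this patch name their interfaces `eno1`/`br0`, and `hosts/terre-neuvas/configuration.nix` already opens 22 globally. Since Caddy proxies to `localhost:3000`, consider pinning `HTTP_ADDR = "127.0.0.1";` so the Forgejo listener is never reachable directly if the firewall is later widened.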
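Review bot: `shell = "/usr/bin/nologin"` points at a path that does not exist on NixOS; a `isSystemUser = true` account already gets a nologin shell by default, and the module signature is now `_:` so `pkgs.shadow` is not in scope for the correct path. Removing the `shell` line gives the intended no-login behaviour, presumably without side effects since the sftp `ForceCommand` below never invokes the shell — worth confirming after rebuild.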
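Review bot: `ChrootDirectory /srv/ftp/ftpuser` requires that directory (and every parent) to be root-owned and not group/world-writable, but the hunk above creates `ftpuser` with `home = "/srv/ftp/ftpuser"; createHome = true;`, which makes `ftpuser` the owner; sshd then rejects the session with "bad ownership or modes for chroot directory". The "Permissions du répertoire home (méthode A)" section that follows is outside this hunk and may already fix ownership — if it does, a comment on the `Match` block should say so; if not, chroot to the root-owned parent, `ChrootDirectory /srv/ftp`, and give the user a writable subdirectory inside it. The enclosing `services.openssh` block starts outside the hunk.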
@@ -48,22 +48,20 @@ # Chroot chaque utilisateur local dans son $HOME chrootlocalUser = true; - allowWriteableChroot = true ; - -extraConfig = '' - pasv_min_port=40000 - pasv_max_port=40004 - ''; + allowWriteableChroot = true; + extraConfig = '' + pasv_min_port=40000 + pasv_max_port=40004 + ''; }; # ------------------------------------------------- # 4️⃣ Ouverture des ports dans le firewall NixOS # ------------------------------------------------- networking.firewall = { - allowedTCPPorts = [ 21 40000 40001 40002 40003 40004 ]; + allowedTCPPorts = [21 40000 40001 40002 40003 40004]; # Si vous utilisez FTPS implicite (port 990) : # allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ]; }; } - diff --git a/modules/services/goaccess.nix b/modules/services/goaccess.nix index a7ae395..35e95f8 100644 --- a/modules/services/goaccess.nix +++ b/modules/services/goaccess.nix @@ -1,9 +1,9 @@ -{ pkgs, ... }: { +{pkgs, ...}: { environment.systemPackages = with pkgs; [ goaccess ]; -# Service pour générer le rapport statique GoAccess + # Service pour générer le rapport statique GoAccess systemd.services.goaccess-report = { description = "Generate GoAccess HTML report"; serviceConfig = { @@ -11,10 +11,10 @@ }; }; -# Timer pour régénérer le rapport toutes les heures + # Timer pour régénérer le rapport toutes les heures systemd.timers.goaccess-report = { description = "Hourly GoAccess report generation"; - wantedBy = [ "timers.target" ]; + wantedBy = ["timers.target"]; timerConfig = { OnCalendar = "hourly"; Persistent = true; @@ -28,10 +28,8 @@ file_server browse try_files {path} {path}/ /index.html - ''; + ''; }; }; }; - - } - +} diff --git a/modules/services/pihole.nix b/modules/services/pihole.nix index f3c7783..78e4dc4 100644 --- a/modules/services/pihole.nix +++ b/modules/services/pihole.nix 
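Review bot: The vsftpd block forces nothing over TLS, so with port 21 opened in `allowedTCPPorts` local logins send password and data in cleartext; `allowWriteableChroot = true` additionally disables vsftpd's refusal of writable chroot roots, which exists to block chroot escapes. If plain FTP is really needed, enforce TLS with `forceLocalLoginsSSL = true; forceLocalDataSSL = true;` plus `rsaCertFile`/`rsaKeyFile` pointing at a certificate outside the store (these options exist in the NixOS vsftpd module; confirm on this release), otherwise the SFTP chroot configured above already covers the use case and vsftpd can be dropped. The `services.vsftpd = {` opening is outside this hunk.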
@@ -11,7 +11,7 @@ environment = { TZ = "Europe/Paris"; - WEBPASSWORD = "changeme"; # Change à ta convenance + WEBPASSWORD = "changeme"; # Change à ta convenance PIHOLE_DNS_ = "1.1.1.1;1.0.0.1"; }; @@ -19,6 +19,6 @@ "/srv/pihole/etc-pihole:/etc/pihole" "/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d" ]; - extraOptions = [ "--cap-add=NET_ADMIN" ]; + extraOptions = ["--cap-add=NET_ADMIN"]; }; } diff --git a/modules/sites/levr.porzh.me.nix b/modules/sites/levr.porzh.me.nix index bd556c7..cc1d9ed 100644 --- a/modules/sites/levr.porzh.me.nix +++ b/modules/sites/levr.porzh.me.nix 
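Review bot: `WEBPASSWORD = "changeme"` passed through `environment` ends up in the generated container unit in the world-readable Nix store, so the Pi-hole admin password is visible to every local user and to anyone with a copy of the closure. Move it to a root-only file outside the store, e.g. `environmentFiles = [ "/srv/pihole/pihole.env" ];` with `WEBPASSWORD=...` inside, and drop the literal (the `environmentFiles` option is available on recent NixOS oci-containers; confirm for the stable channel this host tracks). The container definition starts outside this hunk.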
@@ -1,49 +1,48 @@ -{ config, pkgs, ... }: -{ -# ----------------------------------------------------------------- -# 1️⃣ Caddy (reverse‑proxy / serveur web statique) -# ----------------------------------------------------------------- +_: { + # ----------------------------------------------------------------- + # 1️⃣ Caddy (reverse‑proxy / serveur web statique) + # ----------------------------------------------------------------- services.caddy = { enable = true; -# Caddy démarre en tant qu’utilisateur « caddy ». -# On lui donne accès au répertoire du blog via les ACL créées plus haut. -# (Pas besoin de config supplémentaire côté OS.) + # Caddy démarre en tant qu’utilisateur « caddy ». + # On lui donne accès au répertoire du blog via les ACL créées plus haut. + # (Pas besoin de config supplémentaire côté OS.) -# ----------------------------------------------------------------- -# 2️⃣ Sites gérés par Caddy (Caddyfile intégré) -# ----------------------------------------------------------------- + # ----------------------------------------------------------------- + # 2️⃣ Sites gérés par Caddy (Caddyfile intégré) + # ----------------------------------------------------------------- virtualHosts = { "levr.porzh.me" = { -# Le domaine sera automatiquement provisionné avec TLS via ACME -# (Let's Encrypt) grâce à l’option `autoHTTPS = true` (défaut). -# Aucun certificat manuel n’est requis. + # Le domaine sera automatiquement provisionné avec TLS via ACME + # (Let's Encrypt) grâce à l’option `autoHTTPS = true` (défaut). + # Aucun certificat manuel n’est requis. -# Le répertoire contenant les fichiers générés par Hugo + # Le répertoire contenant les fichiers générés par Hugo -# (Optionnel) Rediriger HTTP → HTTPS – Caddy le fait déjà, -# mais on le rend explicite pour la clarté. + # (Optionnel) Rediriger HTTP → HTTPS – Caddy le fait déjà, + # mais on le rend explicite pour la clarté. 
extraConfig = '' - @http { - protocol http - } - redir @http https://{host}{uri} permanent - root * /srv/blog/public - file_server + @http { + protocol http + } + redir @http https://{host}{uri} permanent + root * /srv/blog/public + file_server - log { - output file /var/log/caddy/access-levr.porzh.me.log - } + log { + output file /var/log/caddy/access-levr.porzh.me.log + } ''; }; }; }; -# ----------------------------------------------------------------- -# 3️⃣ Ouverture du firewall (ports 80 et 443) -# ----------------------------------------------------------------- -# networking.firewall.allowedTCPPorts = [ -# 80 # HTTP (pour la redirection ACME) -# 443 # HTTPS (site final) -# ]; + # ----------------------------------------------------------------- + # 3️⃣ Ouverture du firewall (ports 80 et 443) + # ----------------------------------------------------------------- + # networking.firewall.allowedTCPPorts = [ + # 80 # HTTP (pour la redirection ACME) + # 443 # HTTPS (site final) + # ]; } diff --git a/modules/sites/porzh.me.nix b/modules/sites/porzh.me.nix index 4a39496..145e665 100644 --- a/modules/sites/porzh.me.nix +++ b/modules/sites/porzh.me.nix @@ -1,10 +1,8 @@ -{ config, pkgs, ... }: - -let +{pkgs, ...}: let porzhSite = pkgs.stdenv.mkDerivation { pname = "porzh-site"; version = "1.0"; - src = ./porzh.me; # le dossier avec ton index.html, image, etc. + src = ./porzh.me; # le dossier avec ton index.html, image, etc. installPhase = '' mkdir -p $out @@ -16,7 +14,7 @@ in { enable = true; virtualHosts = { "porzh.me" = { - serverAliases = [ "www.porzh.me" ]; + serverAliases = ["www.porzh.me"]; extraConfig = '' root * ${porzhSite} file_server @@ -25,4 +23,3 @@ in { }; }; } - diff --git a/profiles/server-selfhosted.nix b/profiles/server-selfhosted.nix index 123364a..c5cca16 100644 --- a/profiles/server-selfhosted.nix +++ b/profiles/server-selfhosted.nix 
@@ -12,9 +12,9 @@ services.openssh = { enable = true; settings = { - PasswordAuthentication = false ; - PubkeyAuthentication = true ; - }; + PasswordAuthentication = false; + PubkeyAuthentication = true; + }; }; environment.systemPackages = with pkgs; [ diff --git a/profiles/workstation-bspwm.nix b/profiles/workstation-bspwm.nix index 44f789a..9c9534e 100644 --- a/profiles/workstation-bspwm.nix +++ b/profiles/workstation-bspwm.nix @@ -20,10 +20,10 @@ services.openssh = { enable = true; settings = { - X11Forwarding = true ; - X11DisplayOffset = 10 ; + X11Forwarding = true; + X11DisplayOffset = 10; }; - }; + }; environment.systemPackages = with pkgs; [ btrfs-progs
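Review bot: `PasswordAuthentication = false` alone does not stop password prompts: OpenSSH still offers keyboard-interactive (PAM) authentication, which NixOS leaves enabled by default via `KbdInteractiveAuthentication`, so a password can still be tried against these self-hosted servers. Add `KbdInteractiveAuthentication = false;` beside the two existing settings, and consider making the root policy explicit with `PermitRootLogin = "no";` rather than relying on the distribution default. The `services.openssh` block is complete within the hunk.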