CLEAN: nix develop

DuN0z 2025-10-05 08:20:57 +02:00
parent daeb15f821
commit c495445e91
22 changed files with 439 additions and 423 deletions


@ -22,29 +22,30 @@
home-manager, home-manager,
nur, nur,
... ...
} @ inputs: let }: let
mkUnstablePkgsWithNur = { system, config ? {} }: mkUnstablePkgsWithNur = {
import nixpkgs-unstable { system,
inherit system; config ? {},
overlays = [ nur.overlays.default ]; }:
config = config ; import nixpkgs-unstable {
}; inherit system;
in overlays = [nur.overlays.default];
inherit config;
{ };
in {
nixosConfigurations = { nixosConfigurations = {
pennsardin = nixpkgs-unstable.lib.nixosSystem { pennsardin = nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = mkUnstablePkgsWithNur { pkgs = mkUnstablePkgsWithNur {
system = "x86_64-linux"; system = "x86_64-linux";
config = { config = {
allowUnfree = true ; allowUnfree = true;
allowUnsupportedSystem = true ; allowUnsupportedSystem = true;
}; };
}; };
modules = [ modules = [
./hosts/pennsardin/configuration.nix ./hosts/pennsardin/configuration.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
]; ];
}; };
@ -52,7 +53,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/terre-neuvas/configuration.nix ./hosts/terre-neuvas/configuration.nix
home-manager-stable.nixosModules.home-manager home-manager-stable.nixosModules.home-manager
]; ];
}; };
@ -65,12 +66,12 @@
}; };
}; };
# --- DevShell (x86_64 uniquement) --- # --- DevShell (x86_64 uniquement) ---
devShells.x86_64-linux.default = import ./devshell.nix { devShells.x86_64-linux.default = import ./devshell.nix {
pkgs = import nixpkgs-stable {system = "x86_64-linux";}; pkgs = import nixpkgs-stable {system = "x86_64-linux";};
}; };
# --- Formatter (x86_64 uniquement) --- # --- Formatter (x86_64 uniquement) ---
formatter.x86_64-linux = formatter.x86_64-linux =
(import nixpkgs-stable {system = "x86_64-linux";}).alejandra; (import nixpkgs-stable {system = "x86_64-linux";}).alejandra;
}; };


@ -1,15 +1,19 @@
{pkgs, nur, ... }: { {
pkgs,
nur,
...
}: {
programs.firefox = { programs.firefox = {
enable = true; enable = true;
languagePacks = ["fr"]; languagePacks = ["fr"];
profiles.default = { profiles.default = {
settings = { settings = {
"intl.locale.requested" = "fr" ; "intl.locale.requested" = "fr";
"intl.accept_languages" = "fr, en-US, en"; "intl.accept_languages" = "fr, en-US, en";
"layers.acceleration.disabled" = true ; "layers.acceleration.disabled" = true;
"gfx.webrender.all" = false ; "gfx.webrender.all" = false;
"privacy.trackingprotection.enabled" = true ; "privacy.trackingprotection.enabled" = true;
"privacy.resistFingerprinting" = true ; "privacy.resistFingerprinting" = true;
"network.cookie.cookieBehavior" = 1; "network.cookie.cookieBehavior" = 1;
}; };
extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [ extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [
@ -20,6 +24,6 @@
]; ];
}; };
}; };
} }
# vim: set ts=2 sw=2 sts=2 et : # vim: set ts=2 sw=2 sts=2 et :


@ -1,7 +1,7 @@
_: { _: {
programs.git = { programs.git = {
enable = true; enable = true;
userName = "DuN0z" ; userName = "DuN0z";
userEmail = "dun0z@porzh.me"; userEmail = "dun0z@porzh.me";
}; };
} }


@ -1,85 +1,143 @@
# hm/desktop/bspwm.nix # hm/desktop/bspwm.nix
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
...
}: {
imports = [ imports = [
../common/browser.nix ../common/browser.nix
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
bspwm sxhkd xorg.xinit xterm alacritty rofi feh font-awesome bspwm
picom xorg.xset xidlehook betterlockscreen pywal16 imagemagick sxhkd
pulsemixer ranger jq file highlight unzip mpv xorg.xinit
xterm
alacritty
rofi
feh
font-awesome
picom
xorg.xset
xidlehook
betterlockscreen
pywal16
imagemagick
pulsemixer
ranger
jq
file
highlight
unzip
mpv
protonvpn-gui protonvpn-gui
]; ];
# Gère le ssh-agent proprement côté user # Gère le ssh-agent proprement côté user
services.ssh-agent.enable = true; services.ssh-agent.enable = true;
xsession.enable = true; xsession = {
xsession.windowManager.bspwm = {
enable = true; enable = true;
xsession.windowManager.bspwm = {
enable = true;
# Démarrages au login X # Démarrages au login X
startupPrograms = [ startupPrograms = [
"sxhkd -m 1" "sxhkd -m 1"
"setxkbmap bepovim" "setxkbmap bepovim"
"xrandr --output DisplayPort-1 --rate 60 --pos 0x0" "xrandr --output DisplayPort-1 --rate 60 --pos 0x0"
"polybar main" "polybar main"
"bash ~/.fehbg" "bash ~/.fehbg"
]; ];
extraConfigEarly = '' extraConfigEarly = ''
bspc config borderless_monocle true bspc config borderless_monocle true
bspc config gapless_monocle true bspc config gapless_monocle true
bspc config single_monocle true bspc config single_monocle true
bspc monitor -d I II III IV V VI bspc monitor -d I II III IV V VI
''; '';
};
}; };
# xsession.initExtra = '' # xsession.initExtra = ''
# xset s 300 300 # xset s 300 300
# xset s on # xset s on
# xset s noblank # xset s noblank
# xset +dpms # xset +dpms
# xset dpms 0 0 500 # xset dpms 0 0 500
# ''; # '';
services.sxhkd = { services = {
enable = true; sxhkd = {
extraOptions = [ "-m" "1" ]; enable = true;
keybindings = { extraOptions = ["-m" "1"];
"super + Return" = "alacritty"; keybindings = {
"super + c" = "bspc node -c"; "super + Return" = "alacritty";
"Menu" = "rofi -show drun"; "super + c" = "bspc node -c";
"super + space" = "rofi -show drun"; "Menu" = "rofi -show drun";
"super + space" = "rofi -show drun";
"F1" = "bspc desktop -f ^1"; "F1" = "bspc desktop -f ^1";
"F2" = "bspc desktop -f ^2"; "F2" = "bspc desktop -f ^2";
"F3" = "bspc desktop -f ^3"; "F3" = "bspc desktop -f ^3";
"F4" = "bspc desktop -f ^4"; "F4" = "bspc desktop -f ^4";
"F5" = "bspc desktop -f ^5"; "F5" = "bspc desktop -f ^5";
"F6" = "bspc desktop -f ^6"; "F6" = "bspc desktop -f ^6";
"shift + F1" = "bspc node -d ^1 --follow"; "shift + F1" = "bspc node -d ^1 --follow";
"shift + F2" = "bspc node -d ^2 --follow"; "shift + F2" = "bspc node -d ^2 --follow";
"shift + F3" = "bspc node -d ^3 --follow"; "shift + F3" = "bspc node -d ^3 --follow";
"shift + F4" = "bspc node -d ^4 --follow"; "shift + F4" = "bspc node -d ^4 --follow";
"shift + F5" = "bspc node -d ^5 --follow"; "shift + F5" = "bspc node -d ^5 --follow";
"shift + F6" = "bspc node -d ^6 --follow"; "shift + F6" = "bspc node -d ^6 --follow";
"super + h" = "bspc node -f west"; "super + h" = "bspc node -f west";
"super + j" = "bspc node -f south"; "super + j" = "bspc node -f south";
"super + k" = "bspc node -f north"; "super + k" = "bspc node -f north";
"super + l" = "bspc node -f east"; "super + l" = "bspc node -f east";
"super + shift + h" = "bspc node -s west"; "super + shift + h" = "bspc node -s west";
"super + shift + j" = "bspc node -s south"; "super + shift + j" = "bspc node -s south";
"super + shift + k" = "bspc node -s north"; "super + shift + k" = "bspc node -s north";
"super + shift + l" = "bspc node -s east"; "super + shift + l" = "bspc node -s east";
"super + f" = "bspc node -t fullscreen"; "super + f" = "bspc node -t fullscreen";
"super + s" = "bspc node -t floating"; "super + s" = "bspc node -t floating";
"super + shift + t" = "bspc node -t pseudo_tiled"; "super + shift + t" = "bspc node -t pseudo_tiled";
"super + t" = "bspc node -t tiled"; "super + t" = "bspc node -t tiled";
};
};
polybar = {
enable = true;
script = "polybar main &";
config = {
"bar/main" = {
width = "100%";
height = "28";
font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2";
modules-left = "bspwm";
modules-center = "date";
modules-right = "pulseaudio memory cpu";
};
"module/bspwm" = {
type = "internal/bspwm";
label-focused = "%name%";
label-focused-foreground = "#e6e0de";
label-focused-padding = 2;
label-occupied = "%name%";
label-occupied-padding = 2;
label-urgent = "%name%";
label-urgent-background = "#e42127";
label-urgent-foreground = "#ffffff";
label-empty = "%name%";
label-empty-foreground = "#645d56";
label-empty-padding = 2;
};
"module/date" = {
type = "internal/date";
interval = 60;
date = "%d-%m-%Y %H:%M";
};
};
}; };
}; };
@ -96,74 +154,49 @@
''; '';
Restart = "always"; Restart = "always";
}; };
Install.WantedBy = [ "graphical-session.target" ]; Install.WantedBy = ["graphical-session.target"];
}; };
# polybar (config intégrée pour démarrer simple) programs = {
services.polybar = { alacritty = {
enable = true; enable = true;
script = "polybar main &"; settings = {
config = { general.import = ["~/.cache/wal/colors-alacritty.toml"];
"bar/main" = { font = {
width = "100%"; normal = {
height = "28"; family = lib.mkForce "Iosevka Nerd Font";
font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2"; style = "Regular";
modules-left = "bspwm"; };
modules-center = "date"; bold = {
modules-right = "pulseaudio memory cpu"; family = lib.mkForce "Iosevka Nerd Font";
}; style = "Bold";
"module/bspwm" = { };
type = "internal/bspwm"; italic = {
label-focused = "%name%"; family = lib.mkForce "Iosevka Nerd Font";
label-focused-foreground = "#e6e0de"; style = "Italic";
label-focused-padding = 2; };
label-occupied = "%name%"; size = lib.mkForce 9;
label-occupied-padding = 2; };
label-urgent = "%name%";
label-urgent-background = "#e42127";
label-urgent-foreground = "#ffffff";
label-empty = "%name%";
label-empty-foreground = "#645d56";
label-empty-padding = 2;
};
"module/date" = {
type = "internal/date";
interval = 60;
date = "%d-%m-%Y %H:%M";
}; };
}; };
rtorrent = {
enable = true;
extraConfig = ''
directory = /srv/raid
port_range = 6881-6891
max_peers = 150
max_peers_seed = 100
protocol.pex.set = true ;
schedule = watch_directory,5,5,load.start=~/Téléchargements/*.torrent
pieces.hash.on_completion.set = no
network.max_open_files.set = 8192
session = /home/lomig/.cache/rtorrent/session
'';
};
}; };
# alacritty
programs.alacritty = {
enable = true;
settings = {
general.import = [ "~/.cache/wal/colors-alacritty.toml" ];
font = {
normal = { family = lib.mkForce "Iosevka Nerd Font"; style = "Regular"; };
bold = { family = lib.mkForce "Iosevka Nerd Font"; style = "Bold"; };
italic = { family = lib.mkForce "Iosevka Nerd Font"; style = "Italic"; };
size = lib.mkForce 9;
};
};
};
programs.rtorrent = {
enable = true ;
extraConfig = ''
directory = /srv/raid
port_range = 6881-6891
max_peers = 150
max_peers_seed = 100
protocol.pex.set = true ;
schedule = watch_directory,5,5,load.start=~/Téléchargements/*.torrent
pieces.hash.on_completion.set = no
network.max_open_files.set = 8192
session = /home/lomig/.cache/rtorrent/session
'';
};
home.activation.createRtorrentSessionDir = lib.hm.dag.entryAfter ["writeBoundary"] '' home.activation.createRtorrentSessionDir = lib.hm.dag.entryAfter ["writeBoundary"] ''
mkdir -p ~/.cache/rtorrent/session mkdir -p ~/.cache/rtorrent/session
''; '';
} }
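Review bot: The new `xsession = { … }` wrapper still contains the full path `xsession.windowManager.bspwm = {`, so on the new side the window-manager settings appear to land under `xsession.xsession.windowManager.bspwm`, which is not a Home Manager option and should fail evaluation. Inside the wrapper the attribute should be relative: `windowManager.bspwm = {`. The side-by-side rendering has lost its +/- markers, so this is read from the line order around the `xsession` block and is worth confirming by evaluating the configuration (for example with `nix flake check`).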


@ -1,67 +1,70 @@
{ config, pkgs, ...}: {pkgs, ...}: {
{ boot = {
boot.loader.grub = { kernelPackages = pkgs.linuxPackages;
enable = true ; initrd.supportedFilesystems = ["ext4"];
device = "/dev/vda"; loader.grub = {
}; enable = true;
device = "/dev/vda";
fileSystems."/" = {
device = "/dev/vda1" ;
fsType = "ext4" ;
};
fileSystems."/srv" = {
device = "shared0" ;
fsType = "9p" ;
options = [ "trans=virtio" "version=9p2000.L" "rw" ];
neededForBoot = false ;
noCheck = true ;
};
systemd.services.mountShared = {
description = "Mount 9p shared folder" ;
after = [ "local-fs.target" "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot" ;
ExecStart = "${pkgs.util-linux}/bin/mount -t 9p -o trans=virtio,version=9p2000.L shared0 /srv";
RemainAfterExit = true ;
}; };
}; };
boot.kernelPackages = pkgs.linuxPackages ; fileSystems = {
boot.initrd.supportedFilesystems = [ "ext4" ]; "/" = {
device = "/dev/vda1";
fsType = "ext4";
};
"/srv" = {
device = "shared0";
fsType = "9p";
options = ["trans=virtio" "version=9p2000.L" "rw"];
neededForBoot = false;
noCheck = true;
};
};
networking = { networking = {
useDHCP = true; useDHCP = true;
useNetworkd = true ; useNetworkd = true;
hostName = "forbann" ; hostName = "forbann";
}; };
systemd.network = { systemd = {
enable = true ; services.mountShared = {
networks."10-eth0" = { description = "Mount 9p shared folder";
matchConfig.Name = "eth0"; after = ["local-fs.target" "network.target"];
networkConfig = { wantedBy = ["multi-user.target"];
Address = "192.168.1.10/24"; serviceConfig = {
Gateway = "192.168.0.254" ; Type = "oneshot";
DNS = "192.168.0.254" ; ExecStart = "${pkgs.util-linux}/bin/mount -t 9p -o trans=virtio,version=9p2000.L shared0 /srv";
RemainAfterExit = true;
};
};
network = {
enable = true;
networks."10-eth0" = {
matchConfig.Name = "eth0";
networkConfig = {
Address = "192.168.1.10/24";
Gateway = "192.168.0.254";
DNS = "192.168.0.254";
};
}; };
}; };
}; };
services.openssh.enable = true ; services = {
openssh.enable = true;
services.rtorrent = { rtorrent = {
enable = true ; enable = true;
dataDir = "/home/vmuser/torrents" ; dataDir = "/home/vmuser/torrents";
};
}; };
users.users.vmuser = { users.users.vmuser = {
isNormalUser = true ; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
password = "changeme" ; password = "changeme";
}; };
system.stateVersion = "25.05" ; system.stateVersion = "25.05";
} }
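Review bot: `users.users.vmuser` keeps `password = "changeme";` for an account in `wheel`, while `openssh.enable = true;` is set with no `settings.PasswordAuthentication = false;` in this file, so the guest accepts SSH logins with a published default password on an administrative account. The `password` option also writes the cleartext into the world-readable Nix store. Prefer `hashedPasswordFile = "<path-to-secret>";` or key-only login through `openssh.authorizedKeys.keys`, and add `services.openssh.settings.PasswordAuthentication = false;`, as another SSH module in this commit already does.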


@ -8,34 +8,31 @@
networking.hostName = "pennsardin"; networking.hostName = "pennsardin";
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.swraid.enable = true ; boot.swraid.enable = true;
fileSystems = {
fileSystems."/" = "/" = {
{ device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4"; device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4";
fsType = "ext4"; fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/1DB2-7A0F";
fsType = "vfat";
options = ["fmask=0077" "dmask=0077"];
};
"/proc" = {
device = "proc";
fsType = "proc";
options = ["defaults" "hidepid=2"];
neededForBoot = true;
};
"/srv/raid" = {
device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b";
fsType = "btrfs";
};
}; };
fileSystems."/boot" = swapDevices = [];
{ device = "/dev/disk/by-uuid/1DB2-7A0F";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
fileSystems."/proc" =
{
device = "proc" ;
fsType = "proc" ;
options = [ "defaults" "hidepid=2" ];
neededForBoot = true ;
};
fileSystems."/srv/raid" =
{ device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b";
fsType = "btrfs";
};
swapDevices = [ ];
users.users.lomig = { users.users.lomig = {
isNormalUser = true; isNormalUser = true;
@ -49,27 +46,27 @@
}; };
networking = { networking = {
useNetworkd = true ; useNetworkd = true;
firewall.allowedTCPPorts = [ 22 80 5900 5901 5902 ]; firewall.allowedTCPPorts = [22 80 5900 5901 5902];
interfaces.enp11s0.useDHCP = false ; interfaces.enp11s0.useDHCP = false;
interfaces.br0 = { interfaces.br0 = {
useDHCP = false ; useDHCP = false;
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "192.168.0.2"; address = "192.168.0.2";
prefixLength = 24 ; prefixLength = 24;
} }
]; ];
}; };
defaultGateway = { defaultGateway = {
interface = "br0" ; interface = "br0";
address = "192.168.0.254" ; address = "192.168.0.254";
}; };
nameservers = [ "192.168.0.254" "1.1.1.1" ]; nameservers = ["192.168.0.254" "1.1.1.1"];
bridges.br0.interfaces = [ "enp11s0" ]; bridges.br0.interfaces = ["enp11s0"];
}; };
systemd.network = { systemd.network = {
enable = true ; enable = true;
netdevs."br0" = { netdevs."br0" = {
netdevConfig = { netdevConfig = {
Name = "br0"; Name = "br0";
@ -77,7 +74,7 @@
}; };
}; };
networks."br0" = { networks."br0" = {
matchConfig.Name = "br0" ; matchConfig.Name = "br0";
}; };
networks."enp11s0" = { networks."enp11s0" = {
matchConfig.Name = "enp11s0"; matchConfig.Name = "enp11s0";
@ -87,6 +84,5 @@
system.stateVersion = "25.05"; # pour éviter les hurlements inutiles system.stateVersion = "25.05"; # pour éviter les hurlements inutiles
} }
# vim: set ts=2 sw=2 sts=2 et : # vim: set ts=2 sw=2 sts=2 et :
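Review bot: `firewall.allowedTCPPorts = [22 80 5900 5901 5902];` opens the VNC display ports on every interface of this host, and the same list is repeated in the next host configuration (the one with address 192.168.0.3). If these ports serve VM consoles, which often run without authentication or encryption, they are better limited to the LAN bridge with `firewall.interfaces."br0".allowedTCPPorts = [5900 5901 5902];` or reached through an SSH tunnel. A short comment saying what listens on 5900–5902 would also help the next reader.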


@ -1,19 +1,19 @@
# Edit this configuration file to define what should be installed on # Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ {
config,
nix.settings.experimental-features = ["nix-command" "flakes" ]; pkgs,
imports = ...
[ # Include the results of the hardware scan. }: {
./hardware.nix nix.settings.experimental-features = ["nix-command" "flakes"];
../../profiles/server-selfhosted.nix imports = [
../../modules/services/ftp.nix # Include the results of the hardware scan.
../../modules/services/forgejo.nix ./hardware.nix
]; ../../profiles/server-selfhosted.nix
../../modules/services/ftp.nix
../../modules/services/forgejo.nix
];
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -32,7 +32,7 @@
users.users.lomig = { users.users.lomig = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "lp" "wheel" "docker" ]; extraGroups = ["lp" "wheel" "docker"];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
@ -44,32 +44,32 @@
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
git git
hugo hugo
]; ];
networking = { networking = {
useNetworkd = true ; useNetworkd = true;
firewall.allowedTCPPorts = [ 22 80 5900 5901 5902 ]; firewall.allowedTCPPorts = [22 80 5900 5901 5902];
interfaces.eno1.useDHCP = false ; interfaces.eno1.useDHCP = false;
interfaces.br0 = { interfaces.br0 = {
useDHCP = false ; useDHCP = false;
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "192.168.0.3"; address = "192.168.0.3";
prefixLength = 24 ; prefixLength = 24;
} }
]; ];
}; };
defaultGateway = { defaultGateway = {
interface = "br0" ; interface = "br0";
address = "192.168.0.254" ; address = "192.168.0.254";
}; };
nameservers = [ "192.168.0.254" "1.1.1.1" ]; nameservers = ["192.168.0.254" "1.1.1.1"];
bridges.br0.interfaces = [ "eno1" ]; bridges.br0.interfaces = ["eno1"];
}; };
systemd.network = { systemd.network = {
enable = true ; enable = true;
netdevs."br0" = { netdevs."br0" = {
netdevConfig = { netdevConfig = {
Name = "br0"; Name = "br0";
@ -77,7 +77,7 @@
}; };
}; };
networks."br0" = { networks."br0" = {
matchConfig.Name = "br0" ; matchConfig.Name = "br0";
}; };
networks."eno1" = { networks."eno1" = {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";


@ -1,45 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; boot = {
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
boot.kernelModules = lib.mkAfter [ "kvm-intel" "tun" ]; initrd.kernelModules = [];
boot.extraModulePackages = [ ]; kernelModules = lib.mkAfter ["kvm-intel" "tun"];
extraModulePackages = [];
};
fileSystems."/" = fileSystems = {
{ device = "/dev/disk/by-uuid/f37e4afb-1ee2-4f70-a93c-398461405181"; "/" = {
device = "/dev/disk/by-uuid/f37e4afb-1ee2-4f70-a93c-398461405181";
fsType = "ext4"; fsType = "ext4";
}; };
"/boot" = {
fileSystems."/boot" = device = "/dev/disk/by-uuid/111D-E5E8";
{ device = "/dev/disk/by-uuid/111D-E5E8";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ]; options = ["fmask=0077" "dmask=0077"];
}; };
"/srv" = {
fileSystems."/srv" = device = "/dev/disk/by-uuid/2ef442a9-0eab-4dc5-b17c-076e18a54873";
{ device = "/dev/disk/by-uuid/2ef442a9-0eab-4dc5-b17c-076e18a54873";
fsType = "btrfs"; fsType = "btrfs";
}; };
};
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/c3a69154-ead9-4fcc-a9b1-3b741a42ee97"; } {device = "/dev/disk/by-uuid/c3a69154-ead9-4fcc-a9b1-3b741a42ee97";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -1,4 +1,4 @@
{ pkgs, ...}: { {pkgs, ...}: {
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
dejavu_fonts dejavu_fonts
]; ];


@ -1,8 +1,8 @@
_: { _: {
networking = { networking = {
nameservers = ["1.1.1.1" "8.8.8.8"]; nameservers = ["1.1.1.1" "8.8.8.8"];
# dhcpcd.extraConfig = "nohook resolv.conf"; # dhcpcd.extraConfig = "nohook resolv.conf";
firewall.enable = true; firewall.enable = true;
interfaces.enp11s0.wakeOnLan.enable = true ; interfaces.enp11s0.wakeOnLan.enable = true;
}; };
} }


@ -5,7 +5,7 @@
}; };
nixpkgs.config = { nixpkgs.config = {
# allowUnfree = true; # allowUnfree = true;
# allowUnsupportedSystem = true; # allowUnsupportedSystem = true;
}; };
} }


@ -29,14 +29,13 @@
ovmf.packages = [pkgs.OVMFFull.fd]; ovmf.packages = [pkgs.OVMFFull.fd];
runAsRoot = false; runAsRoot = false;
swtpm.enable = true; swtpm.enable = true;
} else { }
else {
runAsRoot = false; runAsRoot = false;
swtpm.enable = true; swtpm.enable = true;
}; };
}; };
users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"]; users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"];
environment.etc."qemu/bridge.conf".text = '' environment.etc."qemu/bridge.conf".text = ''
@ -47,7 +46,7 @@
source = "${pkgs.qemu}/libexec/qemu-bridge-helper"; source = "${pkgs.qemu}/libexec/qemu-bridge-helper";
owner = "root"; owner = "root";
group = "kvm"; group = "kvm";
setuid = true ; setuid = true;
permissions = "u+rwx,g+rx,o+rx"; permissions = "u+rwx,g+rx,o+rx";
}; };
} }
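Review bot: The setuid wrapper for `qemu-bridge-helper` is owned by `root` with group `kvm` but keeps `permissions = "u+rwx,g+rx,o+rx";`, so any local user can execute the root-owned setuid helper and the `kvm` group restriction has no effect. Dropping the world bits, `permissions = "u+rwx,g+rx";`, limits it to members of `kvm`, which `lomig` already is per the `extraGroups` line earlier in the file. The wrapper definition starts outside this hunk, so its attribute name is not visible here.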


@ -1,15 +1,11 @@
{ {lib, ...}: {
config,
lib,
...
}: {
services = { services = {
xserver = { xserver = {
enable = true; enable = true;
displayManager = { displayManager = {
lightdm.enable = true; lightdm.enable = true;
}; };
windowManager.bspwm.enable = true ; windowManager.bspwm.enable = true;
}; };
displayManager = { displayManager = {
gdm.enable = lib.mkForce false; gdm.enable = lib.mkForce false;


@ -11,8 +11,8 @@
../virtual/vfio.nix ../virtual/vfio.nix
# Dev # Dev
# ../dev/qemu.nix # ../dev/qemu.nix
# ../virtual/truenas.nix # seulement si tu lutilises sur ce host # ../virtual/truenas.nix # seulement si tu lutilises sur ce host
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -1,6 +1,4 @@
# NixOS module Forgejo avec SQLite, SSH et reverse proxy Caddy {pkgs, ...}: {
{ config, pkgs, lib, ... }: {
# --- Utilisateur dédié --- # --- Utilisateur dédié ---
users.users.git = { users.users.git = {
isSystemUser = true; isSystemUser = true;
@ -11,52 +9,51 @@
users.groups.git = {}; users.groups.git = {};
# --- Forgejo --- # --- Forgejo ---
services.forgejo = { services = {
enable = true; forgejo = {
user = "git"; enable = true;
group = "git"; user = "git";
database = { group = "git";
type = "sqlite3"; database = {
path = "/var/lib/forgejo/data/gitea.db"; type = "sqlite3";
path = "/var/lib/forgejo/data/gitea.db";
};
settings = {
server = {
DOMAIN = "govel.porzh.me";
ROOT_URL = "https://govel.porzh.me/";
SSH_DOMAIN = "govel.porzh.me";
HTTP_PORT = 3000;
SSH_PORT = 22;
START_SSH_SERVER = false;
};
service = {
DISABLE_REGISTRATION = true;
REGISTER_EMAIL_CONFIRM = false;
};
repository = {
DEFAULT_BRANCH = "main";
};
};
}; };
settings = { openssh.enable = true;
server = { caddy = {
DOMAIN = "govel.porzh.me"; enable = true;
ROOT_URL = "https://govel.porzh.me/"; virtualHosts."govel.porzh.me" = {
SSH_DOMAIN = "govel.porzh.me"; extraConfig = ''
HTTP_PORT = 3000; reverse_proxy localhost:3000
SSH_PORT = 22; '';
START_SSH_SERVER = false;
};
service = {
DISABLE_REGISTRATION = true;
REGISTER_EMAIL_CONFIRM = false;
};
repository = {
DEFAULT_BRANCH = "main";
}; };
}; };
}; };
# --- Ouvrir les ports nécessaires --- # --- Ouvrir les ports nécessaires ---
networking.firewall.allowedTCPPorts = [ 80 443 2222 ]; networking.firewall = {
allowedTCPPorts = [80 443 2222];
# --- Rediriger port SSH interne de Forgejo --- interfaces."eth0".allowedTCPPorts = [22];
services.openssh.enable = true;
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 22 ]; # pour admin
# --- Caddy pour govel.porzh.me ---
services.caddy = {
enable = true;
virtualHosts."govel.porzh.me" = {
extraConfig = ''
reverse_proxy localhost:3000
'';
};
}; };
# --- Pour que Forgejo génère les bonnes URLs Git --- # --- Pour que Forgejo génère les bonnes URLs Git ---
# networking.hostName = "git"; # non strictement obligatoire # networking.hostName = "git"; # non strictement obligatoire
# --- Optionnel : config DNS --- # --- Optionnel : config DNS ---
# git.lomig.me -> ton IP publique (ou IP locale si LAN) # git.lomig.me -> ton IP publique (ou IP locale si LAN)
@ -67,6 +64,4 @@
# --- Astuce : génère une paire de clés pour laccès SSH Git --- # --- Astuce : génère une paire de clés pour laccès SSH Git ---
# ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo # ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo
# puis ajoute la clé publique dans ton compte Forgejo # puis ajoute la clé publique dans ton compte Forgejo
} }
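Review bot: `allowedTCPPorts = [80 443 2222];` still opens port 2222, but Forgejo is configured with `SSH_PORT = 22;` and `START_SSH_SERVER = false;`, so nothing shown in this file listens there. Unless another module binds 2222, the list should be `allowedTCPPorts = [80 443];`. The regrouping also appears to have dropped the module header comment and the `# pour admin` remark on the `eth0` rule, and the `# --- Forgejo ---` banner now sits above a `services` block that also holds `openssh` and `caddy`. A one-line comment on each of those would restore the intent.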


@ -1,14 +1,14 @@
{ config, pkgs, lib, ... }: { _: {
# ------------------------------------------------- # -------------------------------------------------
# 1⃣ Création de lutilisateur système dédié FTP # 1⃣ Création de lutilisateur système dédié FTP
# ------------------------------------------------- # -------------------------------------------------
users.users.ftpuser = { users.users.ftpuser = {
isSystemUser = true; # pas de login shell isSystemUser = true; # pas de login shell
description = "Compte FTP dédié"; description = "Compte FTP dédié";
home = "/srv/ftp/ftpuser"; home = "/srv/ftp/ftpuser";
createHome = true; createHome = true;
group = "ftpuser"; group = "ftpuser";
shell = "/usr/bin/nologin"; shell = "/usr/bin/nologin";
}; };
users.groups.ftpuser = {}; users.groups.ftpuser = {};
@ -20,7 +20,7 @@
AllowTcpForwarding no AllowTcpForwarding no
X11Forwarding no X11Forwarding no
''; '';
}; };
# ------------------------------------------------- # -------------------------------------------------
# 2⃣ Permissions du répertoire home (méthode A) # 2⃣ Permissions du répertoire home (méthode A)
@ -48,22 +48,20 @@
# Chroot chaque utilisateur local dans son $HOME # Chroot chaque utilisateur local dans son $HOME
chrootlocalUser = true; chrootlocalUser = true;
allowWriteableChroot = true ; allowWriteableChroot = true;
extraConfig = ''
pasv_min_port=40000
pasv_max_port=40004
'';
extraConfig = ''
pasv_min_port=40000
pasv_max_port=40004
'';
}; };
# ------------------------------------------------- # -------------------------------------------------
# 4⃣ Ouverture des ports dans le firewall NixOS # 4⃣ Ouverture des ports dans le firewall NixOS
# ------------------------------------------------- # -------------------------------------------------
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 21 40000 40001 40002 40003 40004 ]; allowedTCPPorts = [21 40000 40001 40002 40003 40004];
# Si vous utilisez FTPS implicite (port 990) : # Si vous utilisez FTPS implicite (port 990) :
# allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ]; # allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ];
}; };
} }
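Review bot: `allowWriteableChroot = true;` together with `chrootlocalUser = true;` switches off vsftpd's refusal to chroot into a directory the user can write to, which is the safeguard that keeps a confined account from altering the root of its own jail. A safer layout keeps `/srv/ftp/ftpuser` owned by root and non-writable, gives `ftpuser` a writable subdirectory for uploads, and removes the option. Port 21 is also opened with the FTPS variant only commented out, so credentials presumably cross the network in cleartext unless TLS is configured outside this hunk. The enclosing service block starts outside the hunk.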


@ -1,9 +1,9 @@
{ pkgs, ... }: { {pkgs, ...}: {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
goaccess goaccess
]; ];
# Service pour générer le rapport statique GoAccess # Service pour générer le rapport statique GoAccess
systemd.services.goaccess-report = { systemd.services.goaccess-report = {
description = "Generate GoAccess HTML report"; description = "Generate GoAccess HTML report";
serviceConfig = { serviceConfig = {
@ -11,10 +11,10 @@
}; };
}; };
# Timer pour régénérer le rapport toutes les heures # Timer pour régénérer le rapport toutes les heures
systemd.timers.goaccess-report = { systemd.timers.goaccess-report = {
description = "Hourly GoAccess report generation"; description = "Hourly GoAccess report generation";
wantedBy = [ "timers.target" ]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
OnCalendar = "hourly"; OnCalendar = "hourly";
Persistent = true; Persistent = true;
@ -28,10 +28,8 @@
file_server browse file_server browse
try_files {path} {path}/ /index.html try_files {path} {path}/ /index.html
''; '';
}; };
}; };
}; };
}
}


@ -11,7 +11,7 @@
environment = { environment = {
TZ = "Europe/Paris"; TZ = "Europe/Paris";
WEBPASSWORD = "changeme"; # Change à ta convenance WEBPASSWORD = "changeme"; # Change à ta convenance
PIHOLE_DNS_ = "1.1.1.1;1.0.0.1"; PIHOLE_DNS_ = "1.1.1.1;1.0.0.1";
}; };
@ -19,6 +19,6 @@
"/srv/pihole/etc-pihole:/etc/pihole" "/srv/pihole/etc-pihole:/etc/pihole"
"/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d" "/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
]; ];
extraOptions = [ "--cap-add=NET_ADMIN" ]; extraOptions = ["--cap-add=NET_ADMIN"];
}; };
} }
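Review bot: `WEBPASSWORD = "changeme";` is set inline in the container's `environment`, so the admin password is a placeholder and is copied in cleartext into the Nix store and the container's inspectable environment. If this is a `virtualisation.oci-containers` container, move the value to a root-only file referenced through `environmentFiles = ["<path-to-env-file>"];` and drop the inline entry. The container definition starts outside the hunk, so the backend is inferred.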


@ -1,49 +1,48 @@
{ config, pkgs, ... }: _: {
{ # -----------------------------------------------------------------
# ----------------------------------------------------------------- # 1⃣ Caddy (reverseproxy / serveur web statique)
# 1⃣ Caddy (reverseproxy / serveur web statique) # -----------------------------------------------------------------
# -----------------------------------------------------------------
services.caddy = { services.caddy = {
enable = true; enable = true;
# Caddy démarre en tant quutilisateur «caddy». # Caddy démarre en tant quutilisateur «caddy».
# On lui donne accès au répertoire du blog via les ACL créées plus haut. # On lui donne accès au répertoire du blog via les ACL créées plus haut.
# (Pas besoin de config supplémentaire côté OS.) # (Pas besoin de config supplémentaire côté OS.)
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# 2⃣ Sites gérés par Caddy (Caddyfile intégré) # 2⃣ Sites gérés par Caddy (Caddyfile intégré)
# ----------------------------------------------------------------- # -----------------------------------------------------------------
virtualHosts = { virtualHosts = {
"levr.porzh.me" = { "levr.porzh.me" = {
# Le domaine sera automatiquement provisionné avec TLS via ACME # Le domaine sera automatiquement provisionné avec TLS via ACME
# (Let's Encrypt) grâce à loption `autoHTTPS = true` (défaut). # (Let's Encrypt) grâce à loption `autoHTTPS = true` (défaut).
# Aucun certificat manuel nest requis. # Aucun certificat manuel nest requis.
# Le répertoire contenant les fichiers générés par Hugo # Le répertoire contenant les fichiers générés par Hugo
# (Optionnel) Rediriger HTTP → HTTPS Caddy le fait déjà, # (Optionnel) Rediriger HTTP → HTTPS Caddy le fait déjà,
# mais on le rend explicite pour la clarté. # mais on le rend explicite pour la clarté.
extraConfig = '' extraConfig = ''
@http { @http {
protocol http protocol http
} }
redir @http https://{host}{uri} permanent redir @http https://{host}{uri} permanent
root * /srv/blog/public root * /srv/blog/public
file_server file_server
log { log {
output file /var/log/caddy/access-levr.porzh.me.log output file /var/log/caddy/access-levr.porzh.me.log
} }
''; '';
}; };
}; };
}; };
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# 3⃣ Ouverture du firewall (ports 80 et 443) # 3⃣ Ouverture du firewall (ports 80 et 443)
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# networking.firewall.allowedTCPPorts = [ # networking.firewall.allowedTCPPorts = [
# 80 # HTTP (pour la redirection ACME) # 80 # HTTP (pour la redirection ACME)
# 443 # HTTPS (site final) # 443 # HTTPS (site final)
# ]; # ];
} }


@ -1,10 +1,8 @@
{ config, pkgs, ... }: {pkgs, ...}: let
let
porzhSite = pkgs.stdenv.mkDerivation { porzhSite = pkgs.stdenv.mkDerivation {
pname = "porzh-site"; pname = "porzh-site";
version = "1.0"; version = "1.0";
src = ./porzh.me; # le dossier avec ton index.html, image, etc. src = ./porzh.me; # le dossier avec ton index.html, image, etc.
installPhase = '' installPhase = ''
mkdir -p $out mkdir -p $out
@ -16,7 +14,7 @@ in {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"porzh.me" = { "porzh.me" = {
serverAliases = [ "www.porzh.me" ]; serverAliases = ["www.porzh.me"];
extraConfig = '' extraConfig = ''
root * ${porzhSite} root * ${porzhSite}
file_server file_server
@ -25,4 +23,3 @@ in {
}; };
}; };
} }


@ -12,9 +12,9 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
PasswordAuthentication = false ; PasswordAuthentication = false;
PubkeyAuthentication = true ; PubkeyAuthentication = true;
}; };
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -20,10 +20,10 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
X11Forwarding = true ; X11Forwarding = true;
X11DisplayOffset = 10 ; X11DisplayOffset = 10;
}; };
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
btrfs-progs btrfs-progs