diff --git a/config/globals.nix b/config/globals.nix index 7c64ec5..b6e4dd0 100644 --- a/config/globals.nix +++ b/config/globals.nix @@ -16,17 +16,13 @@ pennsardin = { ip = "192.168.50.12"; }; - terre-neuvas = { - ip = "192.168.50.11"; - }; }; services = { forgejo = { - home = "/var/lib/forgejo"; + home = "/var/lib/services/forgejo"; url = "govel.porzh.me"; - user = "git"; - port = 3000; + port = "3000"; }; goaccess = { home = "/var/lib/www/goaccess"; @@ -36,11 +32,10 @@ home = "/var/lib/services/levr"; build = "/var/lib/www/levr"; url = "levr.porzh.me"; - user = "levr"; }; - wikijs = { + outline = { url = "notes.porzh.me"; - port = 3002 ; + port = "3001"; }; }; } diff --git a/disko/pennsardin.nix b/disko/pennsardin.nix deleted file mode 100644 index 3f1e614..0000000 --- a/disko/pennsardin.nix +++ /dev/null 
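Review bot: `port` becomes the string `"3000"` (and `outline.port` the string `"3001"`) where it was the integer `3000`; if `modules/services/forgejo.nix` feeds it into `services.forgejo.settings.server.HTTP_PORT`, or the outline module into `services.outline.port`, both of which I believe are `types.port`, evaluation fails, and if it is only interpolated into an nginx `proxy_pass` the honest form is to keep the integer and convert at the use site, `"http://127.0.0.1:${toString globals.services.forgejo.port}"`. `forgejo.user` and `levr.user` are also dropped, so any module still reading `globals.services.<name>.user` now fails with "attribute missing"; the forgejo.nix hunk that would confirm this begins past the end of this view. Note that `services.outline.port` defaults to 3000 in the NixOS module, which would collide with forgejo if the module does not actually consume `globals.services.outline.port`.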
@@ -1,185 +0,0 @@ -{ ... }: { - disko.devices = { - disk.main = { - type = "disk"; - device = "/dev/nvme0n1"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "512MiB"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot/efi"; - mountOptions = [ "umask=0077" "noauto" ]; - }; - }; - - rescue = { - size = "8GiB"; - type = "8300"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/rescue"; - mountOptions = [ "nofail" "noauto" "nosuid" "nodev" "noexec" ]; - }; - }; - - root = { - size = "100%"; - type = "8e00"; # LVM partition - content = { - type = "lvm_pv"; - vg = "vg-main"; - }; - }; - }; - }; - }; - - lvm_vg."vg-main" = { - type = "lvm_vg"; - lvs = { - # -- Système principal -- - lv-root = { - size = "100G"; - content = { - type = "btrfs"; - mountpoint = "/"; - mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" "discard=async" ]; - }; - }; - - lv-home = { - size = "100G"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - mountpoint = "/home"; - mountOptions = [ - "compress=zstd:3" - "noatime" - "nodev" - "nosuid" - "space_cache=v2" - "discard=async" - ]; - subvolumes = { - "@homebin" = { - mountpoint = "/home/dunoz/bin"; - mountOptions = [ - "compress=zstd:3" - "noatime" - "nodev" - "nosuid" - "space_cache=v2" - "discard=async" - "subvol=@homebin" - ]; - }; - }; - }; - }; - - lv-nix = { - size = "80G"; - content = { - type = "btrfs"; - mountpoint = "/nix"; - mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" "discard=async" ]; - }; - }; - - lv-var = { - size = "50G"; - content = { - type = "btrfs"; - mountpoint = "/var"; - mountOptions = [ "compress=zstd:3" "noatime" "nodev" "nosuid" "space_cache=v2" "discard=async" ]; - }; - }; - - # -- Données & builds (no COW) -- - lv-work = { - size = "100G"; - content = { - type = "btrfs"; - mountpoint = "/home/dunoz/Work"; - mountOptions = [ "nodatacow" "noatime" "nodev" "space_cache=v2" "discard=async" ]; - }; - 
}; - - lv-games = { - size = "200G"; - content = { - type = "btrfs"; - mountpoint = "/home/dunoz/.local/share/Steam"; - mountOptions = [ "nodatacow" "noatime" "nodev" "space_cache=v2" "discard=async" ]; - }; - }; - - lv-qemu = { - size = "200G"; - content = { - type = "btrfs"; - mountpoint = "/var/lib/libvirt/images"; - mountOptions = [ "nodatacow" "noatime" "nodev" "nosuid" "space_cache=v2" "discard=async" ]; - }; - }; - - lv-container = { - size = "20G"; - content = { - type = "btrfs"; - mountpoint = "/var/lib/machines"; - mountOptions = [ "nodatacow" "noatime" "nodev" "nosuid" "space_cache=v2" "discard=async" ]; - }; - }; - }; - }; - - filesystem.raid = { - type = "filesystem"; - device = "/dev/md0"; - format = "btrfs"; - mountpoint = "/srv/raid"; - mountOptions = [ "compress=zstd:3" "noatime" "nofail" "noexec" "nodev" "nosuid" "space_cache=v2" "discard=async" ]; - }; - - bindmounts = { - docs = { - device = "/srv/raid/home-data/Documents"; - mountpoint = "/home/dunoz/Documents"; - options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ]; - }; - images = { - device = "/srv/raid/home-data/Images"; - mountpoint = "/home/dunoz/Images"; - options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ]; - }; - music = { - device = "/srv/raid/home-data/Musique"; - mountpoint = "/home/dunoz/Musique"; - options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ]; - }; - downloads = { - device = "/srv/raid/home-data/Téléchargements"; - mountpoint = "/home/dunoz/Téléchargements"; - options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ]; - }; - videos = { - device = "/srv/raid/home-data/Vidéos"; - mountpoint = "/home/dunoz/Vidéos"; - options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ]; - }; - config = { - device = "/srv/raid/home-data/nixos-config"; - mountpoint = "/home/dunoz/nixos-config"; - options = [ "bind" "nofail" "nosuid" "nodev" ]; - }; - }; - }; -} diff --git a/flake.lock b/flake.lock index e353458..a155089 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,48 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "systems": "systems" - }, - "locked": { - "lastModified": 1762618334, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", - "owner": "ryantm", - "repo": "agenix", - "rev": "fcdea223397448d35d9b31f798479227e80183f6", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -67,16 +24,15 @@ "home-manager": { "inputs": { "nixpkgs": [ - "agenix", - "nixpkgs" + "nixpkgs-unstable" ] }, "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "lastModified": 1759573136, + "narHash": "sha256-ILSPD0Dm8p0w0fCVzOx98ZH8yFDrR75GmwmH3fS2VnE=", "owner": "nix-community", "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "rev": "5f06ceafc6c9b773a776b9195c3f47bbe1defa43", "type": "github" }, "original": { 
@@ -106,49 +62,29 @@ "type": "github" } }, - "home-manager_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1763963090, - "narHash": "sha256-zR7uDZdQUUC+gBOi4byefMvIZuSBeMC6GswGNsTgQlM=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "7702d14879e8f0148fa168e38f3eaa2650fa0d85", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1754028485, - "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", - "owner": "NixOS", + "lastModified": 1759381078, + "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-25.05", + "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1763622513, - "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=", + "lastModified": 1759439645, + "narHash": "sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b", + "rev": "879bd460b3d3e8571354ce172128fbcbac1ed633", "type": "github" }, "original": { 
@@ -160,61 +96,31 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1763835633, - "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", + "lastModified": 1759543899, + "narHash": "sha256-yu9gsM5Tw4wHxZLSywbyvLnNkn/0qvcQ0r3D5FbIf9w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", + "rev": "6c4f138b35597e4676611e7ea341c251a98112f9", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1763835633, - "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1763806073, - "narHash": "sha256-FHsEKDvfWpzdADWj99z7vBk4D716Ujdyveo5+A048aI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "878e468e02bfabeda08c79250f7ad583037f2227", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, "nur": { "inputs": { "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1763983952, - "narHash": "sha256-nSWNqQezb6bhu5eYxF+lqzXj8h/sVD2C/CMV/JXK7Bw=", + "lastModified": 1759614609, + "narHash": "sha256-psvkqVBJDv/A2I5pXOIn5rFWYCx0C2ogUmYNA/WH1ys=", "owner": "nix-community", "repo": "NUR", - "rev": "3f55dad0778bfaa302e87d87326ec02e7100ff98", + "rev": "2edcb08c08b541088834d35cf560601038b3c3a2", "type": "github" }, "original": { 
@@ -223,48 +129,13 @@ "type": "github" } }, - "nvim-config": { - "inputs": { - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1761113802, - "narHash": "sha256-HuP5TTFNzrxuro6UeA8+++BCV9x9rLhQ0bW5lbU3fTM=", - "ref": "refs/heads/master", - "rev": "154c606ecbc9069df8289e81b46025a6f9820867", - "revCount": 5, - "type": "git", - "url": "https://govel.porzh.me/DuN0z/neovim-config.git" - }, - "original": { - "type": "git", - "url": "https://govel.porzh.me/DuN0z/neovim-config.git" - } - }, "root": { "inputs": { - "agenix": "agenix", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "home-manager-stable": "home-manager-stable", "nixpkgs-stable": "nixpkgs-stable", "nixpkgs-unstable": "nixpkgs-unstable", - "nur": "nur", - "nvim-config": "nvim-config" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" + "nur": "nur" } } }, diff --git a/flake.nix b/flake.nix index e81df2e..37e242a 100644 --- a/flake.nix +++ b/flake.nix @@ -7,14 +7,12 @@ url = "github:nix-community/home-manager/release-25.05"; inputs.nixpkgs.follows = "nixpkgs-stable"; }; - nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; nur.url = "github:nix-community/NUR"; - agenix.url = "github:ryantm/agenix"; - nvim-config.url = "git+https://govel.porzh.me/DuN0z/neovim-config.git"; }; outputs = { @@ -23,8 +21,6 @@ home-manager-stable, home-manager, nur, - agenix, - nvim-config, ... }: let mkUnstablePkgsWithNur = { 
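Review bot: The flake.lock that accompanies the `nixos-unstable-small` switch pins older revisions than before, not newer: `nixpkgs-unstable` moves from lastModified 1763835633 to 1759543899 and the unstable home-manager from 1763963090 to 1759573136, roughly seven weeks back, so every host built from this commit silently loses the nixpkgs security fixes shipped in between. The -small channel advances after a smaller Hydra job set, which is a fair trade for a workstation, but the downgrade is a separate matter; run `nix flake update` as part of this change (or carry the previous revisions forward) so the channel switch does not double as a rollback. Inlining the editor config instead of the `nvim-config` git input also removes a build-time dependency on the self-hosted Forgejo that this same flake deploys, which is a welcome simplification.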
@@ -39,7 +35,6 @@ in { nixosConfigurations = { pennsardin = nixpkgs-unstable.lib.nixosSystem { - specialArgs = { inherit nvim-config; }; system = "x86_64-linux"; pkgs = mkUnstablePkgsWithNur { system = "x86_64-linux"; @@ -51,59 +46,17 @@ modules = [ ./hosts/pennsardin/configuration.nix home-manager.nixosModules.home-manager - { - home-manager = { - useGlobalPkgs = true ; - useUserPackages = true ; - extraSpecialArgs = {inherit nvim-config; }; - }; - } ]; }; terre-neuvas = nixpkgs-stable.lib.nixosSystem { - specialArgs = { inherit agenix; inherit nvim-config; }; system = "x86_64-linux"; modules = [ ./hosts/terre-neuvas/configuration.nix home-manager-stable.nixosModules.home-manager - { - home-manager = { - useGlobalPkgs = true ; - useUserPackages = true ; - extraSpecialArgs = {inherit nvim-config; }; - }; - } - agenix.nixosModules.default ]; }; - penduick = nixpkgs-unstable.lib.nixosSystem { - specialArgs = { inherit nvim-config; }; - system = "x86_64-linux"; - pkgs = mkUnstablePkgsWithNur { - system = "x86_64-linux"; - config = { - allowUnfree = true; - allowUnsupportedSystem = true; - }; - }; - - modules = [ - ./hosts/penduick/configuration.nix - home-manager.nixosModules.home-manager - { - home-manager = { - useGlobalPkgs = true ; - useUserPackages = true ; - extraSpecialArgs = {inherit nvim-config; }; - }; - } - agenix.nixosModules.default - ]; - - }; - forbann = nixpkgs-stable.lib.nixosSystem { system = "x86_64-linux"; modules = [ diff --git a/hm/common/betterlockscreen.nix b/hm/common/betterlockscreen.nix deleted file mode 100644 index 7261626..0000000 --- a/hm/common/betterlockscreen.nix +++ /dev/null 
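Review bot: No secret mechanism replaces agenix on terre-neuvas, the only host that still carried `agenix.nixosModules.default`, and none appears elsewhere in this diff; any `age.secrets.*` a module still references (the deleted penduick host shows the pattern) now fails to evaluate, which is safe, but the real risk is that credentials for forgejo, smtp or the new ftp service get re-added as literals in `.nix` files and end up world-readable in `/nix/store`. Whatever replaces agenix, keep secret material in root-owned files outside the store and hand the path to the modules' `*File`/`environmentFile` options. The `home-manager.useGlobalPkgs`/`useUserPackages` settings also leave the flake for pennsardin and terre-neuvas; unless `profiles/workstation-bspwm.nix` sets them, home-manager will instantiate its own nixpkgs without the `allowUnfree` config that `mkUnstablePkgsWithNur` applies to the system set.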
@@ -1,21 +0,0 @@ -{ pkgs, ... }:{ - home.packages = with pkgs; [ - xidlehook - betterlockscreen - ]; - - systemd.user.services.xidlehook = { - Unit.Description = "Idle: lock at 5min, suspend at ~8min"; - Service = { - ExecStart = '' - ${pkgs.xidlehook}/bin/xidlehook \ - --detect-sleep \ - --not-when-fullscreen \ - --timer 300 "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim" "" \ - --timer 500 "systemctl suspend" "" - ''; - Restart = "always"; - }; - Install.WantedBy = ["graphical-session.target"]; - }; -} diff --git a/hm/common/colours.nix b/hm/common/colours.nix new file mode 100644 index 0000000..eed7124 --- /dev/null +++ b/hm/common/colours.nix @@ -0,0 +1 @@ +_: {} diff --git a/hm/common/git.nix b/hm/common/git.nix index 770d55d..2399f41 100644 --- a/hm/common/git.nix +++ b/hm/common/git.nix @@ -1,20 +1,12 @@ -{ lib, config, ...}: +_: let globals = import ../../config/globals.nix; -nixosRelease = lib.attrByPath [ "system" "nixos" "release" ] "0.0" config; -newGit = lib.versionAtLeast nixosRelease "25.11"; in { - programs.git = if newGit then { + programs.git = { enable = true; - settings.user = { - name = globals.admin.name; - email = globals.admin.email; - }; - } else { - enable = true; - userName = globals.admin.name; - userEmail = globals.admin.email; - }; + userName = globals.admin.name; + userEmail = globals.admin.email; + }; } # vim: set ts=2 sw=2 sts=2 et : diff --git a/hm/common/nvim.nix b/hm/common/nvim.nix index 64c9a1c..81ad9f0 100644 --- a/hm/common/nvim.nix +++ b/hm/common/nvim.nix 
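Review bot: `programs.git.userName`/`userEmail` is now the only form, yet pennsardin builds with home-manager master while terre-neuvas and forbann use `release-25.05` (flake.nix); if the pinned master has already moved these to `programs.git.settings.user.*`, which is what the removed branch was trying to handle, pennsardin will at least warn and may stop evaluating. The removed check could never have worked anyway, since a home-manager module does not see `config.system.nixos.release` and the `attrByPath` default of `"0.0"` always selected the old form; the home-manager-side test is `lib.versionAtLeast config.home.version.release "25.11"`. If one form for both channels is the intent, say so in a comment so the next deprecation warning is not a surprise.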
@@ -1,32 +1,125 @@ -{ pkgs, nvim-config, ...}: { - home.packages = with pkgs; [ - ruff - pyright - gcc - marksman - lua-language-server - ]; - +{pkgs, ...}: { programs.neovim = { - enable = true ; - viAlias = true ; + enable = true; + withNodeJs = true; + withPython3 = true; + + defaultEditor = true; + viAlias = true; vimAlias = true; - }; - home.file.".config/nvim" = { - source = nvim-config ; - recursive = true ; - }; - programs.ruff = { - enable = true ; - settings = { - line-length = 100; - per-file-ignores = { "__init__.py" = [ "F401" ]; }; - lint = { - select = [ "E4" "E7" "E9" "F" ]; - ignore = [ ]; - }; - }; + + coc.enable = true; + + plugins = with pkgs.vimPlugins; [ + goyo-vim + nerdtree + limelight-vim + ]; + + extraConfig = '' + set number + set relativenumber + set scrolloff=4 + set signcolumn=yes + + set mouse=a + set clipboard=unnamedplus + + set ignorecase + set smartcase + set incsearch + + set tabstop=2 + set shiftwidth=2 + set expandtab + + set splitright + set splitbelow + set termguicolors + set updatetime=300 + + set undofile + + let mapleader = " " + + colorscheme retrobox + syntax enable + + nnoremap :Goyo + inoremap :Goyo + + let g:goyo_width = 100 + + command! Q qall! + + " --- Fichiers d’état : swap / backup / undo --- + let s:state = has('unix') ? $HOME . '/.local/state/nvim' : $HOME . '/nvim-state' + + " Crée les dossiers si besoin (silencieusement) + silent! call mkdir(s:state . '/swap', 'p') + silent! call mkdir(s:state . '/backup', 'p') + silent! call mkdir(s:state . '/undo', 'p') + + augroup MdNoSuggest + autocmd! 
+ autocmd FileType markdown let b:coc_suggest_disable = 1 | let b:coc_diagnostic_disable = 1 + augroup END + + " Goyo : pas de coupure de mots + Limelight auto + autocmd User GoyoEnter + \ let w:_wrap=&l:wrap | let w:_tw=&l:textwidth | let w:_fo=&l:formatoptions | + \ setlocal wrap linebreak nolist textwidth=0 | + \ setlocal formatoptions-=t formatoptions-=c formatoptions-=r formatoptions-=o formatoptions-=l | + \ Limelight + + autocmd User GoyoLeave + \ if exists('w:_wrap') | let &l:wrap=w:_wrap | unlet w:_wrap | endif | + \ if exists('w:_tw') | let &l:textwidth=w:_tw | unlet w:_tw | endif | + \ if exists('w:_fo') | let &l:formatoptions=w:_fo | unlet w:_fo | endif | + \ Limelight! + + " Swap files (fichiers d’échange) + set directory^=~/.local/state/nvim/swap// + + " Backups (copie avant écriture) – optionnel mais utile + set backup + set writebackup + set backupdir=~/.local/state/nvim/backup// + + " Undo persistant (♥ pour la rédaction) + set undofile + set undodir=~/.local/state/nvim/undo// + + " --- Résolution auto des conflits de swap --- + augroup ResolveSwap + autocmd! + " Si un swap existe quand on ouvre un fichier… + autocmd SwapExists * call s:ResolveSwap(v:swapname, expand('')) + augroup END + + function! s:ResolveSwap(swapname, filename) abort + " Si le fichier sur disque est plus récent que le swap -> on édite quand même (e) + if getftime(a:filename) > getftime(a:swapname) + let v:swapchoice = 'e' " edit anyway (ignore le swap) + else + " Sinon, ouvre en lecture seule par prudence (o). + " Tu pourras décider ensuite (écraser, récupérer, diff). + let v:swapchoice = 'o' + endif + endfunction + + " Rendre les messages de swap moins dramatiques + set shortmess+=A + + inoremap pumvisible() ? coc#pum#confirm() : "\" + ''; + + extraPackages = with pkgs; [ + ripgrep + fd + xclip + ]; }; } - # vim: set ts=2 sw=2 sts=2 et : + diff --git a/hm/common/polybar.nix b/hm/common/polybar.nix deleted file mode 100644 index 446d013..0000000 
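Review bot: The persistent `backup`/`writebackup`/`undofile` setup in `extraConfig` keeps a plaintext copy of every edited buffer under `~/.local/state/nvim`, including files edited precisely because they are sensitive (age identities, SSH keys, anything opened through `sudoedit` from `/tmp` or `/dev/shm`), and the `mkdir(..., 'p')` calls create those directories with the default umask. Pass an explicit mode to `mkdir` and disable backup/undo/swap for sensitive paths so the state directory does not become a secret cache. Separately, as rendered here the `nnoremap :Goyo`, `expand('')` and `inoremap pumvisible()` lines have lost their `<…>` key notations; if the file really reads this way those mappings and the `SwapExists` handler are broken, though this is presumably a rendering artifact to verify against the checked-in file.
```nix
      " --- State files: swap / backup / undo ---
      let s:state = has('unix') ? $HOME . '/.local/state/nvim' : $HOME . '/nvim-state'

      " Owner-only: these directories hold plaintext copies of edited files
      silent! call mkdir(s:state . '/swap', 'p', 0700)
      silent! call mkdir(s:state . '/backup', 'p', 0700)
      silent! call mkdir(s:state . '/undo', 'p', 0700)

      " Never persist sensitive buffers to disk
      augroup NoPersistSecrets
        autocmd!
        autocmd BufReadPre,BufNewFile /tmp/*,/dev/shm/*,*.age,*.key,*/.ssh/*,*/secrets/* setlocal nobackup nowritebackup noundofile noswapfile
      augroup END

      " … unchanged: MdNoSuggest, Goyo/Limelight autocmds, directory/backupdir/undodir, ResolveSwap …
```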
--- a/hm/common/polybar.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ pkgs, ... }: { - services = { - polybar = { - enable = true; - script = "polybar main &"; - config = { - "bar/main" = { - width = "100%"; - height = "28"; - font-0 = "Iosevka Nerd Font:style=regular:pixelsize=12;2"; - font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2"; - modules-left = "bspwm"; - modules-center = "date"; - modules-right = "pulseaudio memory cpu"; - }; - "module/bspwm" = { - type = "internal/bspwm"; - label-focused = "%name%"; - label-focused-foreground = "#e6e0de"; - label-focused-padding = 2; - label-occupied = "%name%"; - label-occupied-padding = 2; - label-urgent = "%name%"; - label-urgent-background = "#e42127"; - label-urgent-foreground = "#ffffff"; - label-empty = "%name%"; - label-empty-foreground = "#645d56"; - label-empty-padding = 2; - }; - "module/date" = { - type = "internal/date"; - interval = 60; - date = "%d-%m-%Y %H:%M"; - }; - }; - }; - }; -} diff --git a/hm/common/zsh.nix b/hm/common/zsh.nix index 2cd45b5..7f1a8f1 100644 --- a/hm/common/zsh.nix +++ b/hm/common/zsh.nix @@ -20,7 +20,6 @@ _: { shellAliases = { h = "history"; upd = "sudo nixos-rebuild switch --flake $HOME/nixos-config#pennsardin; source ~/.zshrc"; - agenix = "nix run github:ryantm/agenix --"; }; shellGlobalAliases = { G = "| grep"; diff --git a/hm/desktop/bspwm.nix b/hm/desktop/bspwm.nix index a8d371c..b92376e 100644 --- a/hm/desktop/bspwm.nix +++ b/hm/desktop/bspwm.nix @@ -5,9 +5,7 @@ ... }: { imports = [ - ../common/betterlockscreen.nix - ../common/picom.nix - ../common/polybar.nix + ../common/browser.nix ]; home.packages = with pkgs; [ bspwm @@ -18,6 +16,10 @@ rofi feh font-awesome + picom + xorg.xset + xidlehook + betterlockscreen pywal16 imagemagick pulsemixer @@ -30,6 +32,7 @@ protonvpn-gui ]; + # Gère le ssh-agent proprement côté user services.ssh-agent.enable = true; xsession = { 
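Review bot: Nothing in this diff imports the renamed `hm/desktop/common/picom.nix` any more, and that file now declares only `services.picom` (its `home.packages` line is removed in the rename hunk), so adding `picom` to `home.packages` here gives an installed compositor that is never started unless `lomig-desktop.nix` or another module picks the service up. Either keep the import, `imports = [ ../common/browser.nix ./common/picom.nix ];`, or drop the bare package and let `services.picom.enable` pull it in; having both is the confusing middle.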
@@ -37,6 +40,7 @@ windowManager.bspwm = { enable = true; + # Démarrages au login X startupPrograms = [ "sxhkd -m 1" "setxkbmap bepovim" @@ -54,6 +58,14 @@ }; }; + # xsession.initExtra = '' + # xset s 300 300 + # xset s on + # xset s noblank + # xset +dpms + # xset dpms 0 0 500 + # ''; + services = { sxhkd = { enable = true; @@ -94,6 +106,55 @@ "super + t" = "bspc node -t tiled"; }; }; + polybar = { + enable = true; + script = "polybar main &"; + config = { + "bar/main" = { + width = "100%"; + height = "28"; + font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2"; + modules-left = "bspwm"; + modules-center = "date"; + modules-right = "pulseaudio memory cpu"; + }; + "module/bspwm" = { + type = "internal/bspwm"; + label-focused = "%name%"; + label-focused-foreground = "#e6e0de"; + label-focused-padding = 2; + label-occupied = "%name%"; + label-occupied-padding = 2; + label-urgent = "%name%"; + label-urgent-background = "#e42127"; + label-urgent-foreground = "#ffffff"; + label-empty = "%name%"; + label-empty-foreground = "#645d56"; + label-empty-padding = 2; + }; + "module/date" = { + type = "internal/date"; + interval = 60; + date = "%d-%m-%Y %H:%M"; + }; + }; + }; + }; + + # xidlehook (user service) + systemd.user.services.xidlehook = { + Unit.Description = "Idle: lock at 5min, suspend at ~8min"; + Service = { + ExecStart = '' + ${pkgs.xidlehook}/bin/xidlehook \ + --detect-sleep \ + --not-when-fullscreen \ + --timer 300 "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim" "" \ + --timer 500 "systemctl suspend" "" + ''; + Restart = "always"; + }; + Install.WantedBy = ["graphical-session.target"]; }; programs = { @@ -114,7 +175,7 @@ family = lib.mkForce "Iosevka Nerd Font"; style = "Italic"; }; - size = lib.mkForce 8; + size = lib.mkForce 9; }; }; }; diff --git a/hm/common/picom.nix b/hm/desktop/common/picom.nix similarity index 95% rename from hm/common/picom.nix rename to hm/desktop/common/picom.nix index 1b215aa..8f21aa2 100644 --- a/hm/common/picom.nix 
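Review bot: `--not-when-fullscreen` in the xidlehook unit applies to every timer, so while any window is fullscreen (a video, a game) neither the 300 s lock nor the 500 s suspend fires and the session stays unlocked for as long as that window exists; nothing else visible here locks on suspend or lid close either (the `xset` block is commented out), so a suspend reached by another path, such as logind's `IdleAction = "suspend"` elsewhere in this commit, resumes to an unlocked desktop. Add an xss-lock hook so logind's lock and sleep signals always lock: `"xss-lock -- ${pkgs.betterlockscreen}/bin/betterlockscreen -l dim"` in `startupPrograms` plus `xss-lock` in `home.packages`, and decide whether fullscreen should inhibit only the suspend rather than the lock. Also, I believe `betterlockscreen -l` exits non-zero until a background has been cached with `betterlockscreen -u`, in which case the 500 s suspend still runs on an unlocked session; a first-run step or a fallback locker is worth a comment here.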
+++ b/hm/desktop/common/picom.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: { - home.packages = [ pkgs.picom ] ; +_: { services.picom = { enable = true; backend = "glx"; # plus fluide si ta carte gère bien OpenGL diff --git a/hm/users/dunoz-desktop.nix b/hm/users/dunoz-desktop.nix deleted file mode 100644 index 6db724f..0000000 --- a/hm/users/dunoz-desktop.nix +++ /dev/null @@ -1,17 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../common/browser.nix - ../common/nvim.nix - ./dunoz.nix - ]; - home = { - packages = with pkgs; [ - fastfetch - nerd-fonts.iosevka - proton-pass - smug - ]; - }; -} -# vim: set ts=2 sw=2 sts=2 et : - diff --git a/hm/users/dunoz.nix b/hm/users/dunoz.nix deleted file mode 100644 index b32120c..0000000 --- a/hm/users/dunoz.nix +++ /dev/null @@ -1,19 +0,0 @@ -{pkgs, nvim-config, ...}: { - imports = [ - ../../hm/common/git.nix - ../../hm/common/zsh.nix - ]; - home = { - username = "dunoz"; - homeDirectory = "/home/dunoz"; - packages = with pkgs; [ - bat - tree - ]; - }; - - programs.zsh.enable = true; - - home.stateVersion = "25.05"; # ou ton actuelle -} -# vim: set ts=2 sw=2 sts=2 et : diff --git a/hm/users/lomig-desktop.nix b/hm/users/lomig-desktop.nix index 392ce71..9be4152 100644 --- a/hm/users/lomig-desktop.nix +++ b/hm/users/lomig-desktop.nix @@ -1,8 +1,6 @@ {pkgs, ...}: { imports = [ ../desktop/bspwm.nix - ../common/browser.nix - ../common/nvim.nix ./lomig.nix ]; home = { diff --git a/hm/users/lomig.nix b/hm/users/lomig.nix index 965c91c..54ece41 100644 --- a/hm/users/lomig.nix +++ b/hm/users/lomig.nix @@ -1,8 +1,10 @@ -{pkgs, nvim-config, ...}: { +{pkgs, ...}: { imports = [ + ../common/nvim.nix ../../hm/common/git.nix ../../hm/common/zsh.nix ]; + home.stateVersion = "25.05"; # ou ton actuelle home = { username = "lomig"; homeDirectory = "/home/lomig"; @@ -11,9 +13,7 @@ tree ]; }; - programs.zsh.enable = true; - - home.stateVersion = "25.05"; # ou ton actuelle } # vim: set ts=2 sw=2 sts=2 et : + 
diff --git a/hosts/penduick/configuration.nix b/hosts/penduick/configuration.nix deleted file mode 100644 index f5ef4a2..0000000 --- a/hosts/penduick/configuration.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ config, pkgs, ... }: -let - globals = import ../../config/globals.nix; -in { - imports = [ - ./hardware-configuration.nix - ../../modules/desktop/plasma.nix - ../../modules/common/nix.nix - ../../modules/common/base.nix - ../../modules/common/fonts.nix - ../../modules/common/networking.nix - ../../modules/common/plymouth.nix - ../../modules/common/audio.nix - ]; - - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.initrd.luks.devices.cryptroot.device = "/dev/nvme0n1p3"; - - networking.hostName = "penduick"; - networking.networkmanager.enable = true; - - console.keyMap = "fr"; - - services.openssh.enable = true; - services.openssh.settings = { - PermitRootLogin = "no"; - PasswordAuthentication = true; - }; - - age.identityPaths = [ "/etc/agenix/penduick.key" "/etc/agenix/dunoz-admin.key" ]; - # age.secrets."dunoz-password-penduick".file = ../../secrets/dunoz-password-penduick.age; - users= { - # mutableUsers = false ; - users.dunoz = { - isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" ]; - # passwordFile = config.age.secrets."dunoz-password-penduick".path; - shell = pkgs.zsh; - }; - }; - - home-manager = { - useGlobalPkgs = true ; - users.dunoz = import ../../hm/users/dunoz-desktop.nix ; - }; - - environment.systemPackages = with pkgs; [ - git htop wget curl - neovim - age ssh-to-age - weechat - ]; - - -# Optionnel mais utile pour SSH au démarrage -systemd.services.sshd.wantedBy = [ "multi-user.target" ]; - - system.stateVersion = "25.05"; -} diff --git a/hosts/penduick/hardware-configuration.nix b/hosts/penduick/hardware-configuration.nix deleted file mode 100644 index a473630..0000000 --- a/hosts/penduick/hardware-configuration.nix +++ /dev/null 
@@ -1,66 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/233c2886-05e4-4f9f-a708-6c920c7d9e32"; - fsType = "btrfs"; - }; - - fileSystems."/home" = - { device = "/dev/disk/by-uuid/09b55bee-0134-4e96-8183-e85412fa7724"; - fsType = "btrfs"; - }; - - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/4ce480f5-8212-4b28-b275-a0250c2edae1"; - fsType = "btrfs"; - }; - - fileSystems."/var" = - { device = "/dev/disk/by-uuid/f54d2ebe-f1ca-4471-a9a5-6959280984ee"; - fsType = "btrfs"; - }; - - fileSystems."/persist" = - { device = "/dev/disk/by-uuid/829b6a38-e49a-46ca-8737-b21c86c93352"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/B68E-0AAC"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - fileSystems."/rescue" = - { device = "/dev/disk/by-uuid/af3f9f20-2a6c-44e2-ad81-f07bd18ae283"; - fsType = "ext4"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/41fcc628-50bf-43df-9daa-0095b45fd9bd"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
- networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/pennsardin/configuration.nix b/hosts/pennsardin/configuration.nix index dd1a899..149c804 100644 --- a/hosts/pennsardin/configuration.nix +++ b/hosts/pennsardin/configuration.nix 
@@ -1,72 +1,18 @@ -{pkgs, config, ...}: +{pkgs, ...}: let globals = import ../../config/globals.nix; in { imports = [ - ../../modules/common/nix.nix + ../../profiles/workstation-bspwm.nix ../../modules/hardware/bepovim.nix - ../../modules/desktop/xorg-bspwm.nix - ../../modules/common/base.nix - ../../modules/common/fonts.nix - ../../modules/common/networking.nix - ../../modules/common/plymouth.nix - ../../modules/common/audio.nix - ../../modules/common/bluetooth.nix - ../../modules/common/gaming.nix - ../../modules/common/lockscreen.nix - ../../modules/common/energy.nix - ../../modules/common/qemu.nix - ../../modules/common/smtp.nix - - ../../modules/hardware/firmware.nix - ../../modules/hardware/gpu-amd.nix - ../../modules/hardware/sensors-zenpower.nix - - ../../modules/services/printing.nix - - ../../modules/virtual/kvm-amd.nix - ../../modules/virtual/vfio.nix + ../../modules/common/nix.nix ]; networking.hostName = "pennsardin"; boot.kernelPackages = pkgs.linuxPackages_latest; - boot.extraModulePackages = [ config.boot.kernelPackages.nct6687d ]; - boot.kernelModules = [ "nct6683" "k10temp" "i2c-dev" ] ; boot.swraid.enable = true; - environment.systemPackages = with pkgs; [ - lm_sensors - btrfs-progs - cifs-utils - evtest - git - vim - wget - curl - ripgrep - fd - pciutils - usbutils - p7zip - gdu - glances - parted - tmux - xorg.xauth - xorg.xkbcomp - xorg.xev - ]; - - services.openssh = { - enable = true; - settings = { - X11Forwarding = true; - X11DisplayOffset = 10; - X11UseLocalhost = true ; - }; - }; - fileSystems = { "/" = { device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4"; 
@@ -83,30 +29,6 @@ in { options = ["defaults" "hidepid=2"]; neededForBoot = true; }; - "/home/lomig/Documents" = { - device = "/srv/raid/home-data/Documents"; - options = [ "bind" ]; - }; - "/home/lomig/Images" = { - device = "/srv/raid/home-data/Images"; - options = [ "bind" ]; - }; - "/home/lomig/Musique" = { - device = "/srv/raid/home-data/Musique"; - options = [ "bind" ]; - }; - "/home/lomig/Téléchargements" = { - device = "/srv/raid/home-data/Téléchargements"; - options = [ "bind" ]; - }; - "/home/lomig/Vidéos" = { - device = "/srv/raid/home-data/Vidéos"; - options = [ "bind" ]; - }; - "/home/lomig/nixos-config" = { - device = "/srv/raid/home-data/nixos-config"; - options = [ "bind" ]; - }; "/srv/raid" = { device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b"; fsType = "btrfs"; @@ -134,7 +56,6 @@ in { enp11s0 = { useDHCP = false; wakeOnLan.enable = true ; - }; br0 = { useDHCP = false; ipv4.addresses = [ diff --git a/hosts/terre-neuvas/configuration.nix b/hosts/terre-neuvas/configuration.nix index 9fa6a92..77b7456 100644 --- a/hosts/terre-neuvas/configuration.nix +++ b/hosts/terre-neuvas/configuration.nix @@ -5,24 +5,14 @@ config, pkgs, ... -}: let -globals = import ../../config/globals.nix ; -in { +}: { nix.settings.experimental-features = ["nix-command" "flakes"]; imports = [ # Include the results of the hardware scan. ./hardware.nix - ../../modules/common/nix.nix - ../../modules/common/base.nix - ../../modules/common/smtp.nix - ../../modules/common/qemu.nix - - ../../modules/services/goaccess.nix - ../../modules/services/wikijs.nix + ../../profiles/server-selfhosted.nix + ../../modules/services/ftp.nix ../../modules/services/forgejo.nix - ../../modules/sites/porzh.me.nix - ../../modules/sites/levr.porzh.me.nix - ]; # Bootloader. 
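Review bot: Plain FTP on terre-neuvas would carry credentials and data across the bridge in cleartext: the host now imports `modules/services/ftp.nix`, which is not part of this diff, on a machine whose firewall (next hunk) opens only 22, 80 and 5900-5902, so either the daemon is unreachable or ftp.nix opens its own ports. Unless a client genuinely cannot do anything else, serve the same tree over SFTP through the sshd that is already exposed (a chrooted `Match Group sftp` with `ForceCommand internal-sftp`), or require TLS on the FTP side and list its passive range explicitly in `networking.firewall.allowedTCPPortRanges` rather than leaving it implicit in the module. The `nix.settings.experimental-features` line kept above this hunk duplicates what `modules/common/nix.nix` sets if `profiles/server-selfhosted.nix` pulls in `modules/roles/server.nix`; harmless, but one of them can go.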
@@ -56,51 +46,25 @@ in { environment.systemPackages = with pkgs; [ neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. git - - btrfs-progs - cifs-utils - lm_sensors - wakeonlan - wget - curl - ripgrep - fd - pciutils - usbutils - p7zip - gdu - glances - tmux - ]; - - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PubkeyAuthentication = true; - }; - }; - networking = { useNetworkd = true; firewall.allowedTCPPorts = [22 80 5900 5901 5902]; - firewall.enable = true ; interfaces.eno1.useDHCP = false; interfaces.br0 = { useDHCP = false; ipv4.addresses = [ { - address = globals.network.terre-neuvas.ip; + address = "192.168.0.3"; prefixLength = 24; } ]; }; defaultGateway = { interface = "br0"; - address = globals.network.gateway; + address = "192.168.0.254"; }; - nameservers = [ globals.network.gateway "1.1.1.1"]; + nameservers = ["192.168.0.254" "1.1.1.1"]; bridges.br0.interfaces = ["eno1"]; }; systemd.network = { @@ -119,7 +83,5 @@ in { networkConfig.Bridge = "br0"; }; }; - - system.stateVersion = "25.05"; # Did you read the comment? } diff --git a/modules/common/energy.nix b/modules/common/energy.nix index eed44d0..31635c5 100644 --- a/modules/common/energy.nix +++ b/modules/common/energy.nix 
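Review bot: Key-only SSH and the host's `system.stateVersion` now depend on `profiles/server-selfhosted.nix`, which this diff does not show: `services.openssh.settings.PasswordAuthentication = false` leaves this file, and if the profile does not set it, sshd on the one server with 22 in `firewall.allowedTCPPorts` reverts to accepting passwords. `stateVersion` is per-host state and should stay here regardless of what the profile does: without it NixOS warns and, more importantly, stateful defaults such as the PostgreSQL major version follow the current release, which can leave an existing forgejo database unreadable after the next switch if it is PostgreSQL-backed — keep `system.stateVersion = "25.05"; # Did you read the comment?` in this file. Dropping `firewall.enable = true` is harmless since it is the default, and replacing the `globals` references with literal `192.168.0.x` addresses is consistent with the globals.nix change, though terre-neuvas is now the only host whose addressing does not live in `config/globals.nix`.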
@@ -1,42 +1,8 @@ -{ config, pkgs, ... }: { +_: { services.logind.settings.Login = { IdleAction = "suspend"; IdleActionSec = "5min"; HandleLidSwitch = "suspend"; HandleLidSwitchDocked = "ignore"; }; - - systemd.services.ssh-suspend-inhibitor = { - description = "Prevent suspend when SSH sessions are active"; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - ExecStart = pkgs.writeShellScript "ssh-inhibitor" '' - while true; do - # Vérifie s'il y a des sessions SSH actives - if ${pkgs.procps}/bin/pgrep -x sshd >/dev/null && \ - [ $(${pkgs.procps}/bin/pgrep -P $(${pkgs.procps}/bin/pgrep -x sshd) | wc -l) -gt 0 ]; then - # Il y a des sessions SSH, on crée un inhibitor s'il n'existe pas - if [ ! -f /tmp/ssh-inhibitor.lock ]; then - ${pkgs.systemd}/bin/systemd-inhibit --what=idle:sleep \ - --who="SSH Session" \ - --why="SSH session active" \ - --mode=block \ - sleep infinity & - echo $! > /tmp/ssh-inhibitor.lock - fi - else - # Pas de sessions SSH, on retire l'inhibitor - if [ -f /tmp/ssh-inhibitor.lock ]; then - kill $(cat /tmp/ssh-inhibitor.lock) 2>/dev/null || true - rm /tmp/ssh-inhibitor.lock - fi - fi - sleep 10 - done - ''; - }; - }; } diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 13de898..f1f6fd4 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -4,12 +4,6 @@ experimental-features = ["nix-command" "flakes"]; }; - nix.gc = { - automatic = true ; - dates = "daily" ; - options = "--delete-older-than 7d" ; - }; - nixpkgs.config = { # allowUnfree = true; # allowUnsupportedSystem = true; diff --git a/modules/common/qemu.nix b/modules/common/qemu.nix index c86e61c..ddb4ecf 100644 --- a/modules/common/qemu.nix +++ b/modules/common/qemu.nix @@ -8,7 +8,6 @@ environment.systemPackages = with pkgs; [ qemu qemu_kvm - tunctl virtiofsd ]; diff --git a/modules/hardware/gpu-amd.nix b/modules/hardware/gpu-amd.nix index dc65bfc..caa4f31 100644 --- a/modules/hardware/gpu-amd.nix 
+++ b/modules/hardware/gpu-amd.nix @@ -23,6 +23,7 @@ libva-utils libvdpau libva-vdpau-driver + vaapiVdpau libvdpau-va-gl vulkan-tools vulkan-loader @@ -43,4 +44,6 @@ "radeon.cik_support=0" ]; + # Si un module sonde "k10temp" gêne : + boot.blacklistedKernelModules = ["k10temp"]; } diff --git a/modules/roles/server.nix b/modules/roles/server.nix new file mode 100644 index 0000000..67c158d --- /dev/null +++ b/modules/roles/server.nix @@ -0,0 +1,19 @@ +{pkgs, ...}: { + imports = [ + ../common/nix.nix + ]; + + environment.systemPackages = with pkgs; [ + git + wget + curl + ripgrep + fd + pciutils + usbutils + p7zip + gdu + glances + tmux + ]; +} diff --git a/modules/roles/workstation.nix b/modules/roles/workstation.nix new file mode 100644 index 0000000..b99a5c7 --- /dev/null +++ b/modules/roles/workstation.nix @@ -0,0 +1,27 @@ +{pkgs, ...}: { + imports = [ + ../common/nix.nix + ../hardware/gpu-amd.nix + ../hardware/sensors-zenpower.nix + ../virtual/kvm-amd.nix + ../virtual/vfio.nix + ]; + + environment.systemPackages = with pkgs; [ + git + vim + wget + curl + ripgrep + fd + pciutils + usbutils + p7zip + gdu + glances + parted + tmux + discord + xorg.xauth + ]; +} diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index 0cee315..be5b644 100644 --- a/modules/services/forgejo.nix +++ b/modules/services/forgejo.nix 
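Review bot: `vaapiVdpau` is added directly after `libva-vdpau-driver`, but as far as I know `vaapiVdpau` is only the legacy nixpkgs alias of that same package, so the list now names one driver twice and will fail to evaluate under `allowAliases = false`. If the alias is what was meant, drop the new line; if a different backend was intended, name it explicitly so the duplicate does not hide that.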
@@ -1,25 +1,25 @@ {pkgs, ...}: let - globals = import ../../config/globals.nix; + import ../../config/globals.nix; in { # --- Utilisateur dédié --- - users.users.${globals.services.forgejo.user} = { + users.users.git = { isSystemUser = true; - home = globals.services.forgejo.home; + home = "/var/lib/forgejo"; shell = pkgs.bash; - group = globals.services.forgejo.user; + group = "git"; }; - users.groups.${globals.services.forgejo.user} = {}; + users.groups.git = {}; # --- Forgejo --- services = { forgejo = { enable = true; - user = globals.services.forgejo.user; - group = globals.services.forgejo.user; + user = "git"; + group = "git"; database = { type = "sqlite3"; - path = "${globals.services.forgejo.home}/data/gitea.db"; + path = "/var/lib/forgejo/data/gitea.db"; }; settings = { server = { @@ -27,6 +27,7 @@ in { ROOT_URL = "https://${globals.services.forgejo.url}/"; SSH_DOMAIN = globals.services.forgejo.url; HTTP_PORT = globals.services.forgejo.port; + SSH_PORT = 22; START_SSH_SERVER = false; }; service = { @@ -43,10 +44,27 @@ in { enable = true; virtualHosts.${globals.services.forgejo.url} = { extraConfig = '' - reverse_proxy localhost:${toString globals.services.forgejo.port} + reverse_proxy localhost:${globals.services.forgejo.port} ''; }; }; }; - networking.firewall.allowedTCPPorts = [80 443 22 ]; + + # --- Ouvrir les ports nécessaires --- + networking.firewall = { + allowedTCPPorts = [80 443 2222]; + interfaces."eth0".allowedTCPPorts = [22]; + }; + # --- Pour que Forgejo génère les bonnes URLs Git --- + # networking.hostName = "git"; # non strictement obligatoire + + # --- Optionnel : config DNS --- + # git.lomig.me -> ton IP publique (ou IP locale si LAN) + + # --- Pour te cloner un dépôt : --- + # git clone git@git.lomig.me:lomig/nom-du-repo.git + + # --- Astuce : génère une paire de clés pour l’accès SSH Git --- + # ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo + # puis ajoute la clé publique dans ton compte Forgejo } 
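Review bot: `let import ../../config/globals.nix; in` is not a valid Nix let-binding (a binding needs a name), and even where the replacement parses — `imports = ...` in `modules/services/goaccess.nix`, `import = ...` in `modules/sites/levr.porzh.me.nix` — the name `globals` is no longer bound, while this file's later hunks still read `globals.services.forgejo.url` and `globals.services.forgejo.port`. The same breakage appears in `modules/services/outline.nix`, `modules/services/goaccess.nix`, `modules/sites/levr.porzh.me.nix` and `modules/sites/porzh.me.nix`; each needs the original binding back: `globals = import ../../config/globals.nix;`. Hard-coding `"git"` and `/var/lib/forgejo` here while the URL and port still come from `globals.nix` also splits one service's settings across two files, so the values can drift apart.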
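Review bot: The new firewall block in the `@@ -43,10 +44,27 @@` hunk opens TCP 2222 although nothing in this module listens there — `SSH_PORT = 22` with `START_SSH_SERVER = false` means Git-over-SSH goes through the system sshd on 22 — and it scopes port 22 to `interfaces."eth0"`, whereas the host importing this module configures `eno1` and `br0` (see `hosts/terre-neuvas/configuration.nix` in this diff), so that rule matches no interface. SSH still works on that host only because its own `allowedTCPPorts` lists 22. Unless an sshd is bound to 2222 elsewhere, suggest `allowedTCPPorts = [80 443];` and dropping both the 2222 entry and the `eth0` rule, or naming the real interface. The appended comment block (`git.lomig.me`, key generation) describes a setup this module does not implement; a one-line pointer to the README would age better than commented-out instructions.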
diff --git a/modules/services/ftp.nix b/modules/services/ftp.nix new file mode 100644 index 0000000..d077278 --- /dev/null +++ b/modules/services/ftp.nix 
@@ -0,0 +1,67 @@ +_: { + # ------------------------------------------------- + # 1️⃣ Création de l’utilisateur système dédié FTP + # ------------------------------------------------- + users.users.ftpuser = { + isSystemUser = true; # pas de login shell + description = "Compte FTP dédié"; + home = "/srv/ftp/ftpuser"; + createHome = true; + group = "ftpuser"; + shell = "/usr/bin/nologin"; + }; + users.groups.ftpuser = {}; + + services.openssh = { + extraConfig = '' + Match User ftpuser + ChrootDirectory /srv/ftp/ftpuser + ForceCommand internal-sftp + AllowTcpForwarding no + X11Forwarding no + ''; + }; + + # ------------------------------------------------- + # 2️⃣ Permissions du répertoire home (méthode A) + # ------------------------------------------------- + system.activationScripts.setupFtp = '' + # Répertoire racine du chroot – lecture‑seule + chmod a-w /srv/ftp/ftpuser + # Sous‑répertoire où l’on peut écrire + mkdir -p /srv/ftp/ftpuser/upload + chown ftpuser:ftpuser /srv/ftp/ftpuser/upload + chmod 755 /srv/ftp/ftpuser/upload + ''; + + # ------------------------------------------------- + # 3️⃣ Configuration du serveur vsftpd + # ------------------------------------------------- + services.vsftpd = { + enable = true; + + # Autoriser les comptes locaux (system users) + localUsers = true; + + # Refuser l’accès anonyme (sécurité renforcée) + anonymousUser = false; + + # Chroot chaque utilisateur local dans son $HOME + chrootlocalUser = true; + allowWriteableChroot = true; + + extraConfig = '' + pasv_min_port=40000 + pasv_max_port=40004 + ''; + }; + + # ------------------------------------------------- + # 4️⃣ Ouverture des ports dans le firewall NixOS + # ------------------------------------------------- + networking.firewall = { + allowedTCPPorts = [21 40000 40001 40002 40003 40004]; + # Si vous utilisez FTPS implicite (port 990) : + # allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ]; + }; +} 
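Review bot: `createHome = true` makes `/srv/ftp/ftpuser` owned by `ftpuser`, but the `ChrootDirectory /srv/ftp/ftpuser` in the sshd `Match` block requires a chroot owned by root and not group/world-writable, so sftp logins for this account will be rejected with a bad-ownership error; the `chmod a-w` in `setupFtp` fixes the mode but not the owner. Either drop `createHome` and create the directory root-owned in the activation script (`mkdir -p /srv/ftp/ftpuser && chown root:root /srv/ftp/ftpuser`), or declare it with a tmpfiles rule. The vsftpd part then serves the same account over plain FTP on port 21 with no `rsaCertFile`/`forceLocalLoginsSSL`, so the local-user password crosses the network in cleartext; with the sftp path already configured, plain FTP is hard to justify, and if it must stay it should be TLS-only. `shell = "/usr/bin/nologin"` also does not exist on NixOS; leave `shell` unset (the default for users is the shadow package's nologin) or reference it through `pkgs`.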
diff --git a/modules/services/goaccess.nix b/modules/services/goaccess.nix index b403917..c39c469 100644 --- a/modules/services/goaccess.nix +++ b/modules/services/goaccess.nix @@ -1,38 +1,20 @@ -{pkgs, config, ...}: +{pkgs, ...}: let - globals = import ../../config/globals.nix ; + imports = ../../config/globals.nix ; in { - age.secrets.goaccess-password = { - file = ../../secrets/goaccess-password.age; - owner = "caddy"; - group = "caddy"; - mode = "0400"; - }; - environment.systemPackages = with pkgs; [ goaccess ]; - environment.etc."local/bin/generate-goaccess.sh".text = '' - #!/bin/sh - set -eu - - RAW_LOG="/var/log/caddy/access-${globals.services.levr.url}.log" - CLEAN_LOG="/tmp/goaccess-clean.log" - REPORT="${globals.services.goaccess.home}/index.html" - - ${pkgs.gnugrep}/bin/grep -v '192.168.' "$RAW_LOG" > "$CLEAN_LOG" - ${pkgs.goaccess}/bin/goaccess "$CLEAN_LOG" --log-format=CADDY -o "$REPORT"; - ''; - environment.etc."local/bin/generate-goaccess.sh".mode = "0755"; - + # Service pour générer le rapport statique GoAccess systemd.services.goaccess-report = { description = "Generate GoAccess HTML report"; serviceConfig = { - ExecStart = "/etc/local/bin/generate-goaccess.sh"; + ExecStart = "${pkgs.goaccess}/bin/goaccess /var/log/caddy/access-${globals.services.levr.url}.log --log-format=CADDY -o ${globals.services.goaccess.home}/index.html"; }; }; + # Timer pour régénérer le rapport toutes les heures systemd.timers.goaccess-report = { description = "Hourly GoAccess report generation"; wantedBy = ["timers.target"]; 
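Review bot: The new `ExecStart` feeds the raw Caddy access log straight to goaccess, so the `grep -v '192.168.'` step that stripped LAN client addresses before the report was generated is gone; together with the second hunk removing `basic_auth`, internal addresses and visitor paths now land in a page served without authentication. If dropping the filter is intentional, say so in the `# Service pour générer ...` comment; otherwise keep a pre-filter (e.g. a small `pkgs.writeShellScript` running `grep -v` into a temp file before `goaccess`). Removing `config` from the module arguments is fine since nothing left in the file uses it.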
@@ -41,43 +23,16 @@ in { Persistent = true; }; }; - - systemd.services."goaccess-auth-sync" = { - description = "Sync goaccess password for Caddy"; - wantedBy = [ "caddy.service" ]; - before = [ "caddy.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = pkgs.writeScript "sync-goaccess-auth" '' - #!${pkgs.bash}/bin/bash - mkdir -p /etc/caddy/extra - cp /run/agenix/goaccess-password /etc/caddy/extra/goaccess-auth.conf - chown caddy:caddy /etc/caddy/extra/goaccess-auth.conf - chmod 400 /etc/caddy/extra/goaccess-auth.conf - ''; - }; - }; - services.caddy = { virtualHosts = { - "${globals.services.goaccess.url}" = { + globals.services.goaccess.url = { extraConfig = '' root * ${globals.services.goaccess.home} - - basic_auth /* { - import /etc/caddy/extra/goaccess-auth.conf - } - file_server browse try_files {path} {path}/ /index.html - ''; + ''; }; }; }; - - systemd.tmpfiles.rules = [ - "d ${globals.services.goaccess.home} 0755 root root -" - "d /etc/caddy/extra 0750 caddy caddy -" - ]; } diff --git a/modules/services/outline.nix b/modules/services/outline.nix new file mode 100644 index 0000000..8aaefd8 --- /dev/null +++ b/modules/services/outline.nix @@ -0,0 +1,31 @@ +{ config, pkgs, lib, ... }: +let + import ../../config/globals.nix ; +in { + services = { + outline = { + enable = true; + port = globals.services.outline.port ; + publicUrl = "http://${globals.services.outline.url}"; + forceHttps = true; + smtp = { + host = globals.smtp.host ; + username = globals.smtp.user ; + passwordFile = "/run/secrets/proton_pass"; + fromEmail = globals.smtp.user; + replyEmail = globals.smtp.user; + port = globals.smtp.port; + secure = false; + }; + storage.storageType = "local"; + }; + caddy = { + enable = true; + virtualHosts.${globals.services.outline.url} = { + extraConfig = '' + reverse_proxy localhost:${globals.services.outline.port} + ''; + }; + }; + }; +} 
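Review bot: `globals.services.goaccess.url = {` is an unquoted attribute path, so Nix defines `virtualHosts.globals.services.goaccess.url` — a vhost literally named `globals` with an unknown `services` attribute — instead of a host keyed by the URL value; the removed `"${globals.services.goaccess.url}" = {` was the correct form. The same edit is made in `modules/sites/levr.porzh.me.nix` (`globals.services.levr.url = {`) and `modules/sites/porzh.me.nix` (`globals.domain = {`) and needs the interpolated string restored in all three. This hunk also drops the `basic_auth` block, the `goaccess-auth-sync` unit and the tmpfiles rule that created `${globals.services.goaccess.home}`, so the report is now public and the directory goaccess writes `index.html` into is no longer guaranteed to exist; if authentication is intentionally removed, a comment saying so would keep it from reading as an accident.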
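Review bot: In `modules/services/outline.nix`, `publicUrl = "http://${globals.services.outline.url}"` contradicts `forceHttps = true` — Outline redirects to https but advertises an http origin to clients and in the links it mails — so it should read `publicUrl = "https://${globals.services.outline.url}";`. `passwordFile = "/run/secrets/proton_pass"` names a path that nothing in this commit provisions (the same commit deletes `secrets/secrets.nix` and the `.age` files, and no sops/agenix declaration is visible), so the service will fail to read the SMTP password until a secret manager writes it there. `globals.services.outline.port` is passed both to `services.outline.port`, an integer option, and into the Caddy string without `toString`; one value cannot satisfy both, so one side needs a conversion. `smtp.secure = false` with credentials also deserves a comment on whether STARTTLS is expected on `globals.smtp.port`.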
diff --git a/modules/services/pihole.nix b/modules/services/pihole.nix new file mode 100644 index 0000000..78e4dc4 --- /dev/null +++ b/modules/services/pihole.nix @@ -0,0 +1,24 @@ +{ + virtualisation.oci-containers.containers.pihole = { + image = "pihole/pihole:latest"; + autoStart = true; + + ports = [ + "53:53/udp" + "53:53/tcp" + "80:80/tcp" + ]; + + environment = { + TZ = "Europe/Paris"; + WEBPASSWORD = "changeme"; # Change à ta convenance + PIHOLE_DNS_ = "1.1.1.1;1.0.0.1"; + }; + + volumes = [ + "/srv/pihole/etc-pihole:/etc/pihole" + "/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d" + ]; + extraOptions = ["--cap-add=NET_ADMIN"]; + }; +} diff --git a/modules/services/wikijs.nix b/modules/services/wikijs.nix deleted file mode 100644 index 8da2a7e..0000000 --- a/modules/services/wikijs.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ pkgs, ... }: -let - globals = import ../../config/globals.nix ; -in { - systemd.services.wiki-js = { - requires = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; - }; - services.wiki-js = { - enable = true; - settings = { - db = { - db = "wiki-js"; - host = "/run/postgresql"; - type = "postgres"; - user = "wiki-js"; - }; - port = 3002 ; - }; - }; - services.postgresql = { - enable = true; - ensureDatabases = [ "wiki-js" ]; - ensureUsers = [{ - name = "wiki-js"; - ensureDBOwnership = true; - }]; - }; - - services.caddy.virtualHosts.${globals.services.wikijs.url}.extraConfig = '' - reverse_proxy localhost:${toString globals.services.wikijs.port} - ''; -} diff --git a/modules/sites/levr.porzh.me.nix b/modules/sites/levr.porzh.me.nix index 7215cd7..08c0839 100644 --- a/modules/sites/levr.porzh.me.nix +++ b/modules/sites/levr.porzh.me.nix @@ -1,6 +1,6 @@ { pkgs, lib, ...}: let - globals = import ../../config/globals.nix ; + import = ../../config/globals.nix ; in { environment.systemPackages = with pkgs; [ hugo 
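Review bot: `WEBPASSWORD = "changeme"` puts the resolver's admin password into the Nix store, which is world-readable on the host and in any binary cache the system is pushed to, so it is effectively public whatever value is chosen. Move it out of the store with `environmentFiles = [ "/path/to/pihole.env" ];` (a root-only file containing `WEBPASSWORD=...`; placeholder path) and delete the inline variable. `image = "pihole/pihole:latest"` is unpinned, so a restart may pull a different image than the one last tested; pin a tag or digest. Publishing host `80:80/tcp` will also collide with Caddy if this module is ever imported on the same host as the web services (nothing in this diff imports it yet).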
@@ -11,7 +11,7 @@ in { Type = "oneshot"; WorkingDirectory = globals.services.levr.home ; ExecStart = ''${pkgs.hugo}/bin/hugo --minify build -d ${globals.services.levr.build}''; - User = "levr"; + User = "lomig"; }; }; systemd.timers.hugo-build = { @@ -27,8 +27,8 @@ in { serviceConfig = { Type = "oneshot"; WorkingDirectory = globals.services.levr.home; - ExecStart = "${pkgs.git}/bin/git pull --rebase origin master"; - User = "levr"; + ExecStart = "${pkgs.git}/bin/git pull origin master"; + User = "lomig"; }; environment = { PATH = lib.mkForce "${pkgs.openssh}/bin"; @@ -44,7 +44,7 @@ in { services.caddy = { enable = true; virtualHosts = { - "${globals.services.levr.url}" = { + globals.services.levr.url = { extraConfig = '' @http { protocol http @@ -54,27 +54,10 @@ in { file_server log { - output file /var/log/caddy/access-${globals.services.levr.url}.log + output file /var/log/caddy/access-${global.services.levr.url}.log } ''; }; }; }; - users = { - users = { - "${globals.services.levr.user}" = { - isSystemUser = true ; - group = globals.services.levr.user ; - home = globals.services.levr.home ; - createHome = true ; - description = "User for hugo-blog builds and deployments"; - }; - }; - groups.${globals.services.levr.user} = {}; - }; - - systemd.tmpfiles.rules = [ - "d ${globals.services.levr.home} 0755 levr levr -" - "d ${globals.services.levr.build} 0755 levr levr -" - ]; -} + } diff --git a/modules/sites/porzh.me.nix b/modules/sites/porzh.me.nix index 5491bb3..5ce0726 100644 --- a/modules/sites/porzh.me.nix +++ b/modules/sites/porzh.me.nix @@ -1,5 +1,5 @@ {pkgs, ...}: let - globals = import ../../config/globals.nix ; + import ../../config/globals.nix ; porzhSite = pkgs.stdenv.mkDerivation { pname = "porzh-site"; version = "1.0"; @@ -14,7 +14,7 @@ in { services.caddy = { enable = true; virtualHosts = { - "${globals.domain}" = { + globals.domain = { serverAliases = [ "www.${globals.domain}" ]; extraConfig = '' root * ${porzhSite} 
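Review bot: `User = "lomig"` (here and in the `@@ -27,8 +27,8 @@` hunk) moves the hourly hugo build and the `git pull` from the dedicated `levr` service account to a personal login user, and the last hunk deletes that account together with the tmpfiles rules that owned `globals.services.levr.home` and `globals.services.levr.build`. A timer-driven pull from a remote repository running under a user with a shell, home directory and SSH keys widens what a compromised upstream can reach; keep the dedicated user, or at least record in the file why the personal account is preferred. Dropping `--rebase` also changes behaviour: a diverged `master` now produces a merge in the checkout instead of being replayed onto the remote history.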
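Review bot: `access-${global.services.levr.url}.log` in the Caddy `log` block of the `@@ -54,27 +54,10 @@` hunk references `global`, not `globals`, so evaluation fails with an undefined variable even once `globals` is bound again; fix the typo: `output file /var/log/caddy/access-${globals.services.levr.url}.log`. The name must also keep matching the path `modules/services/goaccess.nix` reads, which uses `globals`. The file's closing `}` was re-indented to `  }` when the `users` block above it was removed — harmless, but running the formatter would keep the top-level brace at column 0.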
diff --git a/profiles/server-selfhosted.nix b/profiles/server-selfhosted.nix new file mode 100644 index 0000000..f2a1dff --- /dev/null +++ b/profiles/server-selfhosted.nix @@ -0,0 +1,30 @@ +{pkgs, ...}: { + imports = [ + ../modules/roles/server.nix + ../modules/common/base.nix + ../modules/common/smtp.nix + ../modules/common/qemu.nix + ../modules/services/printing.nix + ../modules/services/goaccess.nix + ../modules/services/outline.nix + ../modules/sites/porzh.me.nix + ../modules/sites/levr.porzh.me.nix + ]; + + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PubkeyAuthentication = true; + }; + }; + + environment.systemPackages = with pkgs; [ + btrfs-progs + cifs-utils + lm_sensors + wakeonlan + ]; +} +# vim: set ts=2 sw=2 sts=2 et : + diff --git a/profiles/workstation-bspwm.nix b/profiles/workstation-bspwm.nix new file mode 100644 index 0000000..6a1fa38 --- /dev/null +++ b/profiles/workstation-bspwm.nix @@ -0,0 +1,39 @@ +{pkgs, ...}: { + imports = [ + ../modules/roles/workstation.nix + ../modules/desktop/xorg-bspwm.nix + ../modules/common/base.nix + ../modules/common/fonts.nix + ../modules/common/networking.nix + ../modules/common/plymouth.nix + ../modules/hardware/firmware.nix + ../modules/hardware/gpu-amd.nix + ../modules/common/audio.nix + ../modules/common/bluetooth.nix + ../modules/common/gaming.nix + ../modules/services/printing.nix + ../modules/common/lockscreen.nix + ../modules/common/energy.nix + ../modules/common/qemu.nix + ../modules/common/smtp.nix + ]; + + services.openssh = { + enable = true; + settings = { + X11Forwarding = true; + X11DisplayOffset = 10; + }; + }; + + environment.systemPackages = with pkgs; [ + btrfs-progs + cifs-utils + evtest + lm_sensors + xorg.xev + xorg.xkbcomp + ]; +} +# vim: set ts=2 sw=2 sts=2 et : + diff --git a/scripts/imports.sh b/scripts/imports.sh deleted file mode 100755 index 101e153..0000000 --- a/scripts/imports.sh +++ /dev/null 
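Review bot: In `profiles/workstation-bspwm.nix` the sshd `settings` block turns on `X11Forwarding` but, unlike `profiles/server-selfhosted.nix` in the same commit, leaves `PasswordAuthentication` at the NixOS default (enabled), so the desktop ends up as the host that accepts password logins over SSH. Add `PasswordAuthentication = false;` and `PubkeyAuthentication = true;` alongside `X11Forwarding = true;`, or move the shared sshd hardening into `modules/roles/*.nix` so both profiles inherit it. `X11Forwarding = true` is reasonable for a single-user desktop, but a short comment on what needs it would help the next reader decide whether it should stay on.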
@@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -find $HOME/nixos-config -name "*.nix" | while read -r file; do - imports=$(awk ' - /imports[[:space:]]*=/ {flag=1} - flag {print} - /\]/ && flag {flag=0} - ' "$file" | grep -vE 'imports[[:space:]]*=' | grep -v '\[' | grep -v '\]' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//') - - if [[ -n "$imports" ]]; then - echo "$file imports:" - echo "$imports" | sed 's/^/ |--- /' - echo - fi -done diff --git a/secrets/agenix/pennsardin.pub b/secrets/agenix/pennsardin.pub deleted file mode 100644 index e16be5e..0000000 --- a/secrets/agenix/pennsardin.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZto2/k9ZiYzWxWM6sfZLq/fIUVDc3BwPb+00dOahkk root@pennsardin diff --git a/secrets/dunoz-password-penduick.age b/secrets/dunoz-password-penduick.age deleted file mode 100644 index 69cddd9..0000000 --- a/secrets/dunoz-password-penduick.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> X25519 t5/4zFfNo5Hq/EacMKriedzv9je2ThBpq/WLegedg2A -sq35AzCE5HVTgqi0cNOcbW5C50sLeCAw4SIR6fbMg2M --> X25519 yHHx+6CF7VEf331RchlwC9povVUwZBTq9cgAfo3gqjQ -RUsB7tMZRJYGy5Ggw+pnaNPOEiFYwAJn+gquCcNUnQo ---- jJVkAQ9fNSwyrWiyvIVzuTuJuudhL3zv29PI5pdKDz4 -ш.f=5IWiNPlSwwM* \ No newline at end of file diff --git a/secrets/goaccess-password.age b/secrets/goaccess-password.age deleted file mode 100644 index 20d710c..0000000 Binary files a/secrets/goaccess-password.age and /dev/null differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index bc436c2..0000000 --- a/secrets/secrets.nix +++ /dev/null 
@@ -1,11 +0,0 @@ -let - serveur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVxB7usThGHf8cuSPE4sjdqSaPNlwWAZPEo1wUgHz6 root@terre-neuvas"; - admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxranFaz3jRfvYE2M6FvRUWjzviIWjWd1mucgKeuSK2 lomig@nixos"; - penduick = "age1rnyey8shjxyaq43dzlnhtfkcm3ra4hy3ygh6c46w4xmr7fe9fe3s00nh2r"; - dunoz = "age1ppu60aw0v5wxhrc0gyqmgrukh2a5uaxwqxxmuy0w3fv4tnt02ycqrrgmue"; -in -{ - "goaccess-password.age".publicKeys = [ serveur admin ]; - "dunoz-password-penduick.age".publicKeys = [ penduick dunoz ]; -} -