diff --git a/config/globals.nix b/config/globals.nix
index b6e4dd0..7c64ec5 100644
--- a/config/globals.nix
+++ b/config/globals.nix
@@ -16,13 +16,17 @@
 pennsardin = {
 ip = "192.168.50.12";
 };
+ terre-neuvas = {
+ ip = "192.168.50.11";
+ };
 };
 services = {
 forgejo = {
- home = "/var/lib/services/forgejo";
+ home = "/var/lib/forgejo";
 url = "govel.porzh.me";
- port = "3000";
+ user = "git";
+ port = 3000;
 };
 goaccess = {
 home = "/var/lib/www/goaccess";
@@ -32,10 +36,11 @@
 home = "/var/lib/services/levr";
 build = "/var/lib/www/levr";
 url = "levr.porzh.me";
+ user = "levr";
 };
- outline = {
+ wikijs = {
 url = "notes.porzh.me";
- port = "3001";
+ port = 3002 ;
 };
 };
 }
diff --git a/disko/pennsardin.nix b/disko/pennsardin.nix
new file mode 100644
index 0000000..3f1e614
--- /dev/null
+++ b/disko/pennsardin.nix
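Review bot: `port` changes type from the string `"3000"` to the integer `3000` (and `3002` for wikijs), which breaks any consumer that interpolated it as `"${globals.services.forgejo.port}"` — Nix cannot coerce an integer inside a string, so those sites now need `toString`. The consumers (`modules/services/forgejo.nix` is touched by this diff but its hunk is outside this view, and the wikijs module is not shown) should be checked in the same change. `port = 3002 ;` also carries a stray space before the semicolon that the surrounding lines do not use.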
@@ -0,0 +1,185 @@
+{ ... }: {
+ disko.devices = {
+ disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "512MiB";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot/efi";
+ mountOptions = [ "umask=0077" "noauto" ];
+ };
+ };
+
+ rescue = {
+ size = "8GiB";
+ type = "8300";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/rescue";
+ mountOptions = [ "nofail" "noauto" "nosuid" "nodev" "noexec" ];
+ };
+ };
+
+ root = {
+ size = "100%";
+ type = "8e00"; # LVM partition
+ content = {
+ type = "lvm_pv";
+ vg = "vg-main";
+ };
+ };
+ };
+ };
+ };
+
+ lvm_vg."vg-main" = {
+ type = "lvm_vg";
+ lvs = {
+ # -- Système principal --
+ lv-root = {
+ size = "100G";
+ content = {
+ type = "btrfs";
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" "discard=async" ];
+ };
+ };
+
+ lv-home = {
+ size = "100G";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd:3"
+ "noatime"
+ "nodev"
+ "nosuid"
+ "space_cache=v2"
+ "discard=async"
+ ];
+ subvolumes = {
+ "@homebin" = {
+ mountpoint = "/home/dunoz/bin";
+ mountOptions = [
+ "compress=zstd:3"
+ "noatime"
+ "nodev"
+ "nosuid"
+ "space_cache=v2"
+ "discard=async"
+ "subvol=@homebin"
+ ];
+ };
+ };
+ };
+ };
+
+ lv-nix = {
+ size = "80G";
+ content = {
+ type = "btrfs";
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd:3" "noatime" "space_cache=v2" "discard=async" ];
+ };
+ };
+
+ lv-var = {
+ size = "50G";
+ content = {
+ type = "btrfs";
+ mountpoint = "/var";
+ mountOptions = [ "compress=zstd:3" "noatime" "nodev" "nosuid" "space_cache=v2" "discard=async" ];
+ };
+ };
+
+ # -- Données & builds (no COW) --
+ lv-work = {
+ size = "100G";
+ content = {
+ type = "btrfs";
+ mountpoint = "/home/dunoz/Work";
+ mountOptions = [ "nodatacow" "noatime" "nodev" "space_cache=v2" "discard=async" ];
+ };
+ };
+
+ lv-games = {
+ size = "200G";
+ content = {
+ type = "btrfs";
+ mountpoint = "/home/dunoz/.local/share/Steam";
+ mountOptions = [ "nodatacow" "noatime" "nodev" "space_cache=v2" "discard=async" ];
+ };
+ };
+
+ lv-qemu = {
+ size = "200G";
+ content = {
+ type = "btrfs";
+ mountpoint = "/var/lib/libvirt/images";
+ mountOptions = [ "nodatacow" "noatime" "nodev" "nosuid" "space_cache=v2" "discard=async" ];
+ };
+ };
+
+ lv-container = {
+ size = "20G";
+ content = {
+ type = "btrfs";
+ mountpoint = "/var/lib/machines";
+ mountOptions = [ "nodatacow" "noatime" "nodev" "nosuid" "space_cache=v2" "discard=async" ];
+ };
+ };
+ };
+ };
+
+ filesystem.raid = {
+ type = "filesystem";
+ device = "/dev/md0";
+ format = "btrfs";
+ mountpoint = "/srv/raid";
+ mountOptions = [ "compress=zstd:3" "noatime" "nofail" "noexec" "nodev" "nosuid" "space_cache=v2" "discard=async" ];
+ };
+
+ bindmounts = {
+ docs = {
+ device = "/srv/raid/home-data/Documents";
+ mountpoint = "/home/dunoz/Documents";
+ options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ];
+ };
+ images = {
+ device = "/srv/raid/home-data/Images";
+ mountpoint = "/home/dunoz/Images";
+ options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ];
+ };
+ music = {
+ device = "/srv/raid/home-data/Musique";
+ mountpoint = "/home/dunoz/Musique";
+ options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ];
+ };
+ downloads = {
+ device = "/srv/raid/home-data/Téléchargements";
+ mountpoint = "/home/dunoz/Téléchargements";
+ options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ];
+ };
+ videos = {
+ device = "/srv/raid/home-data/Vidéos";
+ mountpoint = "/home/dunoz/Vidéos";
+ options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ];
+ };
+ config = {
+ device = "/srv/raid/home-data/nixos-config";
+ mountpoint = "/home/dunoz/nixos-config";
+ options = [ "bind" "nofail" "nosuid" "nodev" ];
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index a155089..e353458 100644
--- a/flake.lock
+++ b/flake.lock
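Review bot: `filesystem.raid` addresses the array as `/dev/md0`, a kernel-assigned name that can change between assemblies, while every other device in this file and the existing `/srv/raid` entry in `hosts/pennsardin/configuration.nix` use `/dev/disk/by-uuid/...`; pin it the same way so a renumbered md device cannot mount the wrong filesystem. The hardening flags are also uneven: `lv-work` and `lv-games` omit `nosuid` where `lv-var`, `lv-qemu` and `lv-container` carry `nodev nosuid`, and `config` is the only bind mount without `noexec` — if each difference is intended, a one-line comment on it (`# exec needed: bin dir`, `# rebuild runs from here`) stops the next reader from "fixing" it. I could not confirm that disko accepts `filesystem` and `bindmounts` as `disko.devices` attributes alongside `disk` and `lvm_vg`; an evaluation of the host before deploying would settle that.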
@@ -1,5 +1,48 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "owner": "ryantm", + "repo": "agenix", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -24,15 +67,16 @@ "home-manager": { "inputs": { "nixpkgs": [ - "nixpkgs-unstable" + "agenix", + "nixpkgs" ] }, "locked": { - "lastModified": 1759573136, - "narHash": "sha256-ILSPD0Dm8p0w0fCVzOx98ZH8yFDrR75GmwmH3fS2VnE=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "5f06ceafc6c9b773a776b9195c3f47bbe1defa43", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "type": "github" }, "original": { 
@@ -62,29 +106,49 @@ "type": "github" } }, - "nixpkgs": { + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, "locked": { - "lastModified": 1759381078, - "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", + "lastModified": 1763963090, + "narHash": "sha256-zR7uDZdQUUC+gBOi4byefMvIZuSBeMC6GswGNsTgQlM=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "7702d14879e8f0148fa168e38f3eaa2650fa0d85", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1759439645, - "narHash": "sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI=", + "lastModified": 1763622513, + "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "879bd460b3d3e8571354ce172128fbcbac1ed633", + "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b", "type": "github" }, "original": { 
@@ -96,31 +160,61 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1759543899, - "narHash": "sha256-yu9gsM5Tw4wHxZLSywbyvLnNkn/0qvcQ0r3D5FbIf9w=", + "lastModified": 1763835633, + "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6c4f138b35597e4676611e7ea341c251a98112f9", + "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1763835633, + "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1763806073, + "narHash": "sha256-FHsEKDvfWpzdADWj99z7vBk4D716Ujdyveo5+A048aI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "878e468e02bfabeda08c79250f7ad583037f2227", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, "nur": { "inputs": { "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1759614609, - "narHash": "sha256-psvkqVBJDv/A2I5pXOIn5rFWYCx0C2ogUmYNA/WH1ys=", + "lastModified": 1763983952, + "narHash": "sha256-nSWNqQezb6bhu5eYxF+lqzXj8h/sVD2C/CMV/JXK7Bw=", "owner": "nix-community", "repo": "NUR", - "rev": "2edcb08c08b541088834d35cf560601038b3c3a2", + "rev": "3f55dad0778bfaa302e87d87326ec02e7100ff98", "type": "github" }, "original": { 
@@ -129,13 +223,48 @@
 "type": "github"
 }
 },
+ "nvim-config": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1761113802,
+ "narHash": "sha256-HuP5TTFNzrxuro6UeA8+++BCV9x9rLhQ0bW5lbU3fTM=",
+ "ref": "refs/heads/master",
+ "rev": "154c606ecbc9069df8289e81b46025a6f9820867",
+ "revCount": 5,
+ "type": "git",
+ "url": "https://govel.porzh.me/DuN0z/neovim-config.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://govel.porzh.me/DuN0z/neovim-config.git"
+ }
+ },
 "root": {
 "inputs": {
- "home-manager": "home-manager",
+ "agenix": "agenix",
+ "home-manager": "home-manager_2",
 "home-manager-stable": "home-manager-stable",
 "nixpkgs-stable": "nixpkgs-stable",
 "nixpkgs-unstable": "nixpkgs-unstable",
- "nur": "nur"
+ "nur": "nur",
+ "nvim-config": "nvim-config"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 37e242a..e81df2e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,12 +7,14 @@
 url = "github:nix-community/home-manager/release-25.05";
 inputs.nixpkgs.follows = "nixpkgs-stable";
 };
- nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+ nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };
 nur.url = "github:nix-community/NUR";
+ agenix.url = "github:ryantm/agenix";
+ nvim-config.url = "git+https://govel.porzh.me/DuN0z/neovim-config.git";
 };
 outputs = {
@@ -21,6 +23,8 @@
 home-manager-stable,
 home-manager,
 nur,
+ agenix,
+ nvim-config,
 ...
 }: let
 mkUnstablePkgsWithNur = {
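Review bot: `agenix.url` is added as a bare one-liner with no `inputs.nixpkgs.follows`, so agenix drags in its own `nixpkgs` (the flake.lock hunk above pins a separate 25.05 checkout for it) plus `darwin`, `home-manager` and `systems` — a second nixpkgs tree to download, evaluate and keep an eye on. Write it the way the file already handles `home-manager`: `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs-unstable"; };`, and `inputs.darwin.follows = ""` / `inputs.home-manager.follows = "home-manager"` would drop the remaining extras. `nvim-config` is pulled from the self-hosted forge over `git+https` with no `ref`, so the flake.lock entry is the only thing fixing its content; that is fine, but a comment noting that `nix flake update` moves it to whatever the default branch then holds would help.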
@@ -35,6 +39,7 @@
 in {
 nixosConfigurations = {
 pennsardin = nixpkgs-unstable.lib.nixosSystem {
+ specialArgs = { inherit nvim-config; };
 system = "x86_64-linux";
 pkgs = mkUnstablePkgsWithNur {
 system = "x86_64-linux";
@@ -46,17 +51,59 @@
 modules = [
 ./hosts/pennsardin/configuration.nix
 home-manager.nixosModules.home-manager
+ {
+ home-manager = {
+ useGlobalPkgs = true ;
+ useUserPackages = true ;
+ extraSpecialArgs = {inherit nvim-config; };
+ };
+ }
 ];
 };
 terre-neuvas = nixpkgs-stable.lib.nixosSystem {
+ specialArgs = { inherit agenix; inherit nvim-config; };
 system = "x86_64-linux";
 modules = [
 ./hosts/terre-neuvas/configuration.nix
 home-manager-stable.nixosModules.home-manager
+ {
+ home-manager = {
+ useGlobalPkgs = true ;
+ useUserPackages = true ;
+ extraSpecialArgs = {inherit nvim-config; };
+ };
+ }
+ agenix.nixosModules.default
 ];
 };
+ penduick = nixpkgs-unstable.lib.nixosSystem {
+ specialArgs = { inherit nvim-config; };
+ system = "x86_64-linux";
+ pkgs = mkUnstablePkgsWithNur {
+ system = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ allowUnsupportedSystem = true;
+ };
+ };
+
+ modules = [
+ ./hosts/penduick/configuration.nix
+ home-manager.nixosModules.home-manager
+ {
+ home-manager = {
+ useGlobalPkgs = true ;
+ useUserPackages = true ;
+ extraSpecialArgs = {inherit nvim-config; };
+ };
+ }
+ agenix.nixosModules.default
+ ];
+
+ };
+
 forbann = nixpkgs-stable.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
diff --git a/hm/common/betterlockscreen.nix b/hm/common/betterlockscreen.nix
new file mode 100644
index 0000000..7261626
--- /dev/null
+++ b/hm/common/betterlockscreen.nix
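Review bot: the same `home-manager = { useGlobalPkgs = true ; useUserPackages = true ; extraSpecialArgs = {inherit nvim-config; }; }` module is pasted three times (pennsardin, terre-neuvas, penduick); bind it once in the `let` next to `mkUnstablePkgsWithNur` (e.g. `hmSettings = { home-manager = { ... }; };`) and list `hmSettings` in each `modules`, so the three hosts cannot drift apart. While at it drop the stray spaces before `;` (`true ;`), which the rest of the file does not use. `hosts/penduick/configuration.nix` in this same change also sets `home-manager.useGlobalPkgs = true`, so one of the two declarations is redundant.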
@@ -0,0 +1,21 @@
+{ pkgs, ... }:{
+ home.packages = with pkgs; [
+ xidlehook
+ betterlockscreen
+ ];
+
+ systemd.user.services.xidlehook = {
+ Unit.Description = "Idle: lock at 5min, suspend at ~8min";
+ Service = {
+ ExecStart = ''
+ ${pkgs.xidlehook}/bin/xidlehook \
+ --detect-sleep \
+ --not-when-fullscreen \
+ --timer 300 "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim" "" \
+ --timer 500 "systemctl suspend" ""
+ '';
+ Restart = "always";
+ };
+ Install.WantedBy = ["graphical-session.target"];
+ };
+}
diff --git a/hm/common/colours.nix b/hm/common/colours.nix
deleted file mode 100644
index eed7124..0000000
--- a/hm/common/colours.nix
+++ /dev/null
@@ -1 +0,0 @@
-_: {}
diff --git a/hm/common/git.nix b/hm/common/git.nix
index 2399f41..770d55d 100644
--- a/hm/common/git.nix
+++ b/hm/common/git.nix
@@ -1,12 +1,20 @@
-_:
+{ lib, config, ...}:
 let
 globals = import ../../config/globals.nix;
+nixosRelease = lib.attrByPath [ "system" "nixos" "release" ] "0.0" config;
+newGit = lib.versionAtLeast nixosRelease "25.11";
 in {
- programs.git = {
+ programs.git = if newGit then {
 enable = true;
- userName = globals.admin.name;
- userEmail = globals.admin.email;
- };
+ settings.user = {
+ name = globals.admin.name;
+ email = globals.admin.email;
+ };
+ } else {
+ enable = true;
+ userName = globals.admin.name;
+ userEmail = globals.admin.email;
+ };
 }
 # vim: set ts=2 sw=2 sts=2 et :
diff --git a/hm/common/nvim.nix b/hm/common/nvim.nix
index 81ad9f0..64c9a1c 100644
--- a/hm/common/nvim.nix
+++ b/hm/common/nvim.nix
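Review bot: the description "suspend at ~8min" does not match the timers if I read xidlehook's chaining correctly — each `--timer` counts from the previous one firing, so `--timer 500` suspends about 800 s (~13 min) into idle, not 8 min; either change the second value to `180` or fix the text. `--not-when-fullscreen` also means any fullscreen window (video, game) suppresses both the lock and the suspend, leaving an unattended session unlocked; that is a deliberate trade-off and deserves a comment such as `# fullscreen windows suppress both lock and suspend`. `Restart = "always"` with no `RestartSec` makes a crashing xidlehook restart in a tight loop; `RestartSec = 5;` next to it would be cheap.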
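Review bot: `lib.attrByPath [ "system" "nixos" "release" ] "0.0" config` reads the Home Manager `config`, where `system.nixos.release` does not exist — in a NixOS-integrated HM module the OS configuration is passed separately as `osConfig` — so as written `newGit` is very likely always false and the `settings.user` branch never runs. Either take `osConfig ? null` in the argument set and query that, or decide on the HM release itself (e.g. `config.home.version.release`), which is what actually determines whether `programs.git.settings` exists. The `else` branch also repeats `enable = true;`; keeping `enable` outside the conditional and switching only the user block stops the two paths from drifting.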
@@ -1,125 +1,32 @@
-{pkgs, ...}: {
+{ pkgs, nvim-config, ...}: {
+ home.packages = with pkgs; [
+ ruff
+ pyright
+ gcc
+ marksman
+ lua-language-server
+ ];
+
 programs.neovim = {
- enable = true;
- withNodeJs = true;
- withPython3 = true;
-
- defaultEditor = true;
- viAlias = true;
+ enable = true ;
+ viAlias = true ;
 vimAlias = true;
-
- coc.enable = true;
-
- plugins = with pkgs.vimPlugins; [
- goyo-vim
- nerdtree
- limelight-vim
- ];
-
- extraConfig = ''
- set number
- set relativenumber
- set scrolloff=4
- set signcolumn=yes
-
- set mouse=a
- set clipboard=unnamedplus
-
- set ignorecase
- set smartcase
- set incsearch
-
- set tabstop=2
- set shiftwidth=2
- set expandtab
-
- set splitright
- set splitbelow
- set termguicolors
- set updatetime=300
-
- set undofile
-
- let mapleader = " "
-
- colorscheme retrobox
- syntax enable
-
- nnoremap :Goyo
- inoremap :Goyo
-
- let g:goyo_width = 100
-
- command! Q qall!
-
- " --- Fichiers d’état : swap / backup / undo ---
- let s:state = has('unix') ? $HOME . '/.local/state/nvim' : $HOME . '/nvim-state'
-
- " Crée les dossiers si besoin (silencieusement)
- silent! call mkdir(s:state . '/swap', 'p')
- silent! call mkdir(s:state . '/backup', 'p')
- silent! call mkdir(s:state . '/undo', 'p')
-
- augroup MdNoSuggest
- autocmd!
- autocmd FileType markdown let b:coc_suggest_disable = 1 | let b:coc_diagnostic_disable = 1
- augroup END
-
- " Goyo : pas de coupure de mots + Limelight auto
- autocmd User GoyoEnter
- \ let w:_wrap=&l:wrap | let w:_tw=&l:textwidth | let w:_fo=&l:formatoptions |
- \ setlocal wrap linebreak nolist textwidth=0 |
- \ setlocal formatoptions-=t formatoptions-=c formatoptions-=r formatoptions-=o formatoptions-=l |
- \ Limelight
-
- autocmd User GoyoLeave
- \ if exists('w:_wrap') | let &l:wrap=w:_wrap | unlet w:_wrap | endif |
- \ if exists('w:_tw') | let &l:textwidth=w:_tw | unlet w:_tw | endif |
- \ if exists('w:_fo') | let &l:formatoptions=w:_fo | unlet w:_fo | endif |
- \ Limelight!
-
- " Swap files (fichiers d’échange)
- set directory^=~/.local/state/nvim/swap//
-
- " Backups (copie avant écriture) – optionnel mais utile
- set backup
- set writebackup
- set backupdir=~/.local/state/nvim/backup//
-
- " Undo persistant (♥ pour la rédaction)
- set undofile
- set undodir=~/.local/state/nvim/undo//
-
- " --- Résolution auto des conflits de swap ---
- augroup ResolveSwap
- autocmd!
- " Si un swap existe quand on ouvre un fichier…
- autocmd SwapExists * call s:ResolveSwap(v:swapname, expand(''))
- augroup END
-
- function! s:ResolveSwap(swapname, filename) abort
- " Si le fichier sur disque est plus récent que le swap -> on édite quand même (e)
- if getftime(a:filename) > getftime(a:swapname)
- let v:swapchoice = 'e' " edit anyway (ignore le swap)
- else
- " Sinon, ouvre en lecture seule par prudence (o).
- " Tu pourras décider ensuite (écraser, récupérer, diff).
- let v:swapchoice = 'o'
- endif
- endfunction
-
- " Rendre les messages de swap moins dramatiques
- set shortmess+=A
-
- inoremap pumvisible() ? coc#pum#confirm() : "\"
- '';
-
- extraPackages = with pkgs; [
- ripgrep
- fd
- xclip
- ];
+ };
+ home.file.".config/nvim" = {
+ source = nvim-config ;
+ recursive = true ;
+ };
+ programs.ruff = {
+ enable = true ;
+ settings = {
+ line-length = 100;
+ per-file-ignores = { "__init__.py" = [ "F401" ]; };
+ lint = {
+ select = [ "E4" "E7" "E9" "F" ];
+ ignore = [ ];
+ };
+ };
+ };
 }
-# vim: set ts=2 sw=2 sts=2 et :
+# vim: set ts=2 sw=2 sts=2 et :
diff --git a/hm/desktop/common/picom.nix b/hm/common/picom.nix
similarity index 95%
rename from hm/desktop/common/picom.nix
rename to hm/common/picom.nix
index 8f21aa2..1b215aa 100644
--- a/hm/desktop/common/picom.nix
+++ b/hm/common/picom.nix
@@ -1,4 +1,5 @@
-_: {
+{ pkgs, ... }: {
+ home.packages = [ pkgs.picom ] ;
 services.picom = {
 enable = true;
 backend = "glx"; # plus fluide si ta carte gère bien OpenGL
diff --git a/hm/common/polybar.nix b/hm/common/polybar.nix
new file mode 100644
index 0000000..446d013
--- /dev/null
+++ b/hm/common/polybar.nix
@@ -0,0 +1,38 @@
+{ pkgs, ... }: {
+ services = {
+ polybar = {
+ enable = true;
+ script = "polybar main &";
+ config = {
+ "bar/main" = {
+ width = "100%";
+ height = "28";
+ font-0 = "Iosevka Nerd Font:style=regular:pixelsize=12;2";
+ font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2";
+ modules-left = "bspwm";
+ modules-center = "date";
+ modules-right = "pulseaudio memory cpu";
+ };
+ "module/bspwm" = {
+ type = "internal/bspwm";
+ label-focused = "%name%";
+ label-focused-foreground = "#e6e0de";
+ label-focused-padding = 2;
+ label-occupied = "%name%";
+ label-occupied-padding = 2;
+ label-urgent = "%name%";
+ label-urgent-background = "#e42127";
+ label-urgent-foreground = "#ffffff";
+ label-empty = "%name%";
+ label-empty-foreground = "#645d56";
+ label-empty-padding = 2;
+ };
+ "module/date" = {
+ type = "internal/date";
+ interval = 60;
+ date = "%d-%m-%Y %H:%M";
+ };
+ };
+ };
+ };
+}
diff --git a/hm/common/zsh.nix b/hm/common/zsh.nix
index 7f1a8f1..2cd45b5 100644
--- a/hm/common/zsh.nix
+++ b/hm/common/zsh.nix
@@ -20,6 +20,7 @@ _: {
 shellAliases = {
 h = "history";
 upd = "sudo nixos-rebuild switch --flake $HOME/nixos-config#pennsardin; source ~/.zshrc";
+ agenix = "nix run github:ryantm/agenix --";
 };
 shellGlobalAliases = {
 G = "| grep";
diff --git a/hm/desktop/bspwm.nix b/hm/desktop/bspwm.nix
index b92376e..a8d371c 100644
--- a/hm/desktop/bspwm.nix
+++ b/hm/desktop/bspwm.nix
@@ -5,7 +5,9 @@
 ...
 }: {
 imports = [
- ../common/browser.nix
+ ../common/betterlockscreen.nix
+ ../common/picom.nix
+ ../common/polybar.nix
 ];
 home.packages = with pkgs; [
 bspwm
@@ -16,10 +18,6 @@
 rofi
 feh
 font-awesome
- picom
- xorg.xset
- xidlehook
- betterlockscreen
 pywal16
 imagemagick
 pulsemixer
@@ -32,7 +30,6 @@
 protonvpn-gui
 ];
-
- # Gère le ssh-agent proprement côté user
 services.ssh-agent.enable = true;
 xsession = {
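Review bot: the new `agenix` alias runs `nix run github:ryantm/agenix --`, which fetches whatever the upstream default branch holds at invocation time instead of the revision pinned in flake.lock, and this is the binary that reads the age identities named in `age.identityPaths`. The flake already carries agenix as an input, so the tool can come from the locked input — add `agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` to `home.packages` (or to `environment.systemPackages` on the hosts that import `agenix.nixosModules.default`) and drop the alias. This zsh module is imported by hosts that do not install agenix at all, so the alias would also fail there.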
@@ -40,7 +37,6 @@
 windowManager.bspwm = {
 enable = true;
- # Démarrages au login X
 startupPrograms = [
 "sxhkd -m 1"
 "setxkbmap bepovim"
@@ -58,14 +54,6 @@
 };
 };
- # xsession.initExtra = ''
- # xset s 300 300
- # xset s on
- # xset s noblank
- # xset +dpms
- # xset dpms 0 0 500
- # '';
-
 services = {
 sxhkd = {
 enable = true;
@@ -106,55 +94,6 @@
 "super + t" = "bspc node -t tiled";
 };
 };
- polybar = {
- enable = true;
- script = "polybar main &";
- config = {
- "bar/main" = {
- width = "100%";
- height = "28";
- font-1 = "Font Awesome 6 Free:style=Solid:pixelsize=10;2";
- modules-left = "bspwm";
- modules-center = "date";
- modules-right = "pulseaudio memory cpu";
- };
- "module/bspwm" = {
- type = "internal/bspwm";
- label-focused = "%name%";
- label-focused-foreground = "#e6e0de";
- label-focused-padding = 2;
- label-occupied = "%name%";
- label-occupied-padding = 2;
- label-urgent = "%name%";
- label-urgent-background = "#e42127";
- label-urgent-foreground = "#ffffff";
- label-empty = "%name%";
- label-empty-foreground = "#645d56";
- label-empty-padding = 2;
- };
- "module/date" = {
- type = "internal/date";
- interval = 60;
- date = "%d-%m-%Y %H:%M";
- };
- };
- };
- };
-
- # xidlehook (user service)
- systemd.user.services.xidlehook = {
- Unit.Description = "Idle: lock at 5min, suspend at ~8min";
- Service = {
- ExecStart = ''
- ${pkgs.xidlehook}/bin/xidlehook \
- --detect-sleep \
- --not-when-fullscreen \
- --timer 300 "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim" "" \
- --timer 500 "systemctl suspend" ""
- '';
- Restart = "always";
- };
- Install.WantedBy = ["graphical-session.target"];
 };
 programs = {
@@ -175,7 +114,7 @@
 family = lib.mkForce "Iosevka Nerd Font";
 style = "Italic";
 };
- size = lib.mkForce 9;
+ size = lib.mkForce 8;
 };
 };
 };
diff --git a/hm/users/dunoz-desktop.nix b/hm/users/dunoz-desktop.nix
new file mode 100644
index 0000000..6db724f
--- /dev/null
+++ b/hm/users/dunoz-desktop.nix
@@ -0,0 +1,17 @@
+{pkgs, ...}: {
+ imports = [
+ ../common/browser.nix
+ ../common/nvim.nix
+ ./dunoz.nix
+ ];
+ home = {
+ packages = with pkgs; [
+ fastfetch
+ nerd-fonts.iosevka
+ proton-pass
+ smug
+ ];
+ };
+}
+# vim: set ts=2 sw=2 sts=2 et :
+
diff --git a/hm/users/dunoz.nix b/hm/users/dunoz.nix
new file mode 100644
index 0000000..b32120c
--- /dev/null
+++ b/hm/users/dunoz.nix
@@ -0,0 +1,19 @@
+{pkgs, nvim-config, ...}: {
+ imports = [
+ ../../hm/common/git.nix
+ ../../hm/common/zsh.nix
+ ];
+ home = {
+ username = "dunoz";
+ homeDirectory = "/home/dunoz";
+ packages = with pkgs; [
+ bat
+ tree
+ ];
+ };
+
+ programs.zsh.enable = true;
+
+ home.stateVersion = "25.05"; # ou ton actuelle
+}
+# vim: set ts=2 sw=2 sts=2 et :
diff --git a/hm/users/lomig-desktop.nix b/hm/users/lomig-desktop.nix
index 9be4152..392ce71 100644
--- a/hm/users/lomig-desktop.nix
+++ b/hm/users/lomig-desktop.nix
@@ -1,6 +1,8 @@
 {pkgs, ...}: {
 imports = [
 ../desktop/bspwm.nix
+ ../common/browser.nix
+ ../common/nvim.nix
 ./lomig.nix
 ];
 home = {
diff --git a/hm/users/lomig.nix b/hm/users/lomig.nix
index 54ece41..965c91c 100644
--- a/hm/users/lomig.nix
+++ b/hm/users/lomig.nix
@@ -1,10 +1,8 @@
-{pkgs, ...}: {
+{pkgs, nvim-config, ...}: {
 imports = [
- ../common/nvim.nix
 ../../hm/common/git.nix
 ../../hm/common/zsh.nix
 ];
- home.stateVersion = "25.05"; # ou ton actuelle
 home = {
 username = "lomig";
 homeDirectory = "/home/lomig";
@@ -13,7 +11,9 @@
 tree
 ];
 };
+ programs.zsh.enable = true;
+
+ home.stateVersion = "25.05"; # ou ton actuelle
 }
 # vim: set ts=2 sw=2 sts=2 et :
-
diff --git a/hosts/penduick/configuration.nix b/hosts/penduick/configuration.nix
new file mode 100644
index 0000000..f5ef4a2
--- /dev/null
+++ b/hosts/penduick/configuration.nix
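Review bot: `hm/users/dunoz.nix` declares `nvim-config` in its argument set but never uses it (the neovim module that needs it is imported by `dunoz-desktop.nix`), and the same unused binding is added to `hm/users/lomig.nix` in the next hunk; as a required argument it just forces every caller to supply `nvim-config` for nothing, so drop it from both, or write `nvim-config ? null` with a comment if it is meant to document the expected `extraSpecialArgs`. `dunoz.nix` also carries the copied `# ou ton actuelle` note on `home.stateVersion`; the value should be the release this home was first created on, which a comment like `# release this home was first created on; do not bump` states better.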
@@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+let
+ globals = import ../../config/globals.nix;
+in {
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/desktop/plasma.nix
+ ../../modules/common/nix.nix
+ ../../modules/common/base.nix
+ ../../modules/common/fonts.nix
+ ../../modules/common/networking.nix
+ ../../modules/common/plymouth.nix
+ ../../modules/common/audio.nix
+ ];
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.initrd.luks.devices.cryptroot.device = "/dev/nvme0n1p3";
+
+ networking.hostName = "penduick";
+ networking.networkmanager.enable = true;
+
+ console.keyMap = "fr";
+
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = true;
+ };
+
+ age.identityPaths = [ "/etc/agenix/penduick.key" "/etc/agenix/dunoz-admin.key" ];
+ # age.secrets."dunoz-password-penduick".file = ../../secrets/dunoz-password-penduick.age;
+ users= {
+ # mutableUsers = false ;
+ users.dunoz = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" ];
+ # passwordFile = config.age.secrets."dunoz-password-penduick".path;
+ shell = pkgs.zsh;
+ };
+ };
+
+ home-manager = {
+ useGlobalPkgs = true ;
+ users.dunoz = import ../../hm/users/dunoz-desktop.nix ;
+ };
+
+ environment.systemPackages = with pkgs; [
+ git htop wget curl
+ neovim
+ age ssh-to-age
+ weechat
+ ];
+
+
+# Optionnel mais utile pour SSH au démarrage
+systemd.services.sshd.wantedBy = [ "multi-user.target" ];
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/penduick/hardware-configuration.nix b/hosts/penduick/hardware-configuration.nix
new file mode 100644
index 0000000..a473630
--- /dev/null
+++ b/hosts/penduick/hardware-configuration.nix
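Review bot: `PasswordAuthentication = true` keeps password logins open on a host whose only user has no `hashedPassword`, `hashedPasswordFile` or `openssh.authorizedKeys` visible here (the agenix password file is still commented out), while `terre-neuvas` in this same change sets it to `false`; once the secret is wired in, set `PasswordAuthentication = false;` and put the admin key in `users.users.dunoz.openssh.authorizedKeys.keys`, or leave a comment saying why this host stays password-based. `boot.initrd.luks.devices.cryptroot.device = "/dev/nvme0n1p3"` pins the encrypted root by enumeration order; `hardware-configuration.nix` already addresses every mount by `/dev/disk/by-uuid/...`, so do the same here. `systemd.services.sshd.wantedBy = [ "multi-user.target" ]` duplicates what `services.openssh.enable` already sets and, with its comment, sits at column 0 — delete both lines or indent them and state which boot ordering problem they solve.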
@@ -0,0 +1,66 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/233c2886-05e4-4f9f-a708-6c920c7d9e32"; + fsType = "btrfs"; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/09b55bee-0134-4e96-8183-e85412fa7724"; + fsType = "btrfs"; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/4ce480f5-8212-4b28-b275-a0250c2edae1"; + fsType = "btrfs"; + }; + + fileSystems."/var" = + { device = "/dev/disk/by-uuid/f54d2ebe-f1ca-4471-a9a5-6959280984ee"; + fsType = "btrfs"; + }; + + fileSystems."/persist" = + { device = "/dev/disk/by-uuid/829b6a38-e49a-46ca-8737-b21c86c93352"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/B68E-0AAC"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + fileSystems."/rescue" = + { device = "/dev/disk/by-uuid/af3f9f20-2a6c-44e2-ad81-f07bd18ae283"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/41fcc628-50bf-43df-9daa-0095b45fd9bd"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/pennsardin/configuration.nix b/hosts/pennsardin/configuration.nix
index 149c804..dd1a899 100644
--- a/hosts/pennsardin/configuration.nix
+++ b/hosts/pennsardin/configuration.nix
@@ -1,18 +1,72 @@
-{pkgs, ...}:
+{pkgs, config, ...}:
 let
 globals = import ../../config/globals.nix;
 in {
 imports = [
- ../../profiles/workstation-bspwm.nix
- ../../modules/hardware/bepovim.nix
 ../../modules/common/nix.nix
+ ../../modules/hardware/bepovim.nix
+ ../../modules/desktop/xorg-bspwm.nix
+ ../../modules/common/base.nix
+ ../../modules/common/fonts.nix
+ ../../modules/common/networking.nix
+ ../../modules/common/plymouth.nix
+ ../../modules/common/audio.nix
+ ../../modules/common/bluetooth.nix
+ ../../modules/common/gaming.nix
+ ../../modules/common/lockscreen.nix
+ ../../modules/common/energy.nix
+ ../../modules/common/qemu.nix
+ ../../modules/common/smtp.nix
+
+ ../../modules/hardware/firmware.nix
+ ../../modules/hardware/gpu-amd.nix
+ ../../modules/hardware/sensors-zenpower.nix
+
+ ../../modules/services/printing.nix
+
+ ../../modules/virtual/kvm-amd.nix
+ ../../modules/virtual/vfio.nix
 ];
 networking.hostName = "pennsardin";
 boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.extraModulePackages = [ config.boot.kernelPackages.nct6687d ];
+ boot.kernelModules = [ "nct6683" "k10temp" "i2c-dev" ] ;
 boot.swraid.enable = true;
+ environment.systemPackages = with pkgs; [
+ lm_sensors
+ btrfs-progs
+ cifs-utils
+ evtest
+ git
+ vim
+ wget
+ curl
+ ripgrep
+ fd
+ pciutils
+ usbutils
+ p7zip
+ gdu
+ glances
+ parted
+ tmux
+ xorg.xauth
+ xorg.xkbcomp
+ xorg.xev
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ X11Forwarding = true;
+ X11DisplayOffset = 10;
+ X11UseLocalhost = true ;
+ };
+ };
+ + fileSystems = {
 "/" = {
 device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4";
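Review bot: `services.openssh` is enabled here with `X11Forwarding = true` but without any `PasswordAuthentication` or `PermitRootLogin` setting, so this desktop keeps the NixOS defaults (password logins enabled) while `terre-neuvas` in this same change explicitly disables them; add `PasswordAuthentication = false;` beside the X11 settings, or a comment explaining why this host differs. X11 forwarding enlarges the daemon's surface (xauth handling, per-connection display sockets), so a line such as `# X11Forwarding: remote GUI apps over ssh -X from the LAN only` would record the intended scope. The `fileSystems` attrset continues past the end of this hunk.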
@@ -29,6 +83,30 @@ in {
 options = ["defaults" "hidepid=2"];
 neededForBoot = true;
 };
+ "/home/lomig/Documents" = {
+ device = "/srv/raid/home-data/Documents";
+ options = [ "bind" ];
+ };
+ "/home/lomig/Images" = {
+ device = "/srv/raid/home-data/Images";
+ options = [ "bind" ];
+ };
+ "/home/lomig/Musique" = {
+ device = "/srv/raid/home-data/Musique";
+ options = [ "bind" ];
+ };
+ "/home/lomig/Téléchargements" = {
+ device = "/srv/raid/home-data/Téléchargements";
+ options = [ "bind" ];
+ };
+ "/home/lomig/Vidéos" = {
+ device = "/srv/raid/home-data/Vidéos";
+ options = [ "bind" ];
+ };
+ "/home/lomig/nixos-config" = {
+ device = "/srv/raid/home-data/nixos-config";
+ options = [ "bind" ];
+ };
 "/srv/raid" = {
 device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b";
 fsType = "btrfs";
@@ -56,6 +134,7 @@ in {
 enp11s0 = {
 useDHCP = false;
 wakeOnLan.enable = true ;
+ };
 br0 = {
 useDHCP = false;
 ipv4.addresses = [
diff --git a/hosts/terre-neuvas/configuration.nix b/hosts/terre-neuvas/configuration.nix
index 77b7456..9fa6a92 100644
--- a/hosts/terre-neuvas/configuration.nix
+++ b/hosts/terre-neuvas/configuration.nix
@@ -5,14 +5,24 @@
 config,
 pkgs,
 ...
-}: {
+}: let
+globals = import ../../config/globals.nix ;
+in {
 nix.settings.experimental-features = ["nix-command" "flakes"];
 imports = [
 # Include the results of the hardware scan.
 ./hardware.nix
- ../../profiles/server-selfhosted.nix
- ../../modules/services/ftp.nix
+ ../../modules/common/nix.nix
+ ../../modules/common/base.nix
+ ../../modules/common/smtp.nix
+ ../../modules/common/qemu.nix
+
+ ../../modules/services/goaccess.nix
+ ../../modules/services/wikijs.nix
+ ../../modules/services/forgejo.nix
+ ../../modules/sites/porzh.me.nix
+ ../../modules/sites/levr.porzh.me.nix
+
 ];
 # Bootloader.
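Review bot: the six `/home/lomig/*` bind mounts use `options = [ "bind" ]` only, whereas `disko/pennsardin.nix` in this same change gives the identical `/srv/raid/home-data/*` sources `"bind" "nofail" "nosuid" "nodev" "noexec"` for dunoz; without `nofail` a missing or degraded `/srv/raid` turns into a boot failure on each bind mount, and the bind mounts only carry `nosuid`/`nodev` if `/srv/raid` itself does, which the `/srv/raid` entry's options lie outside this hunk. Align them with the disko file, e.g. `options = [ "bind" "nofail" "nosuid" "nodev" "noexec" ];`, dropping `noexec` on `nixos-config` as disko does. The `fileSystems` attrset begins before this hunk.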
@@ -46,25 +56,51 @@
 environment.systemPackages = with pkgs; [
 neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
 git
+
+ btrfs-progs
+ cifs-utils
+ lm_sensors
+ wakeonlan
+ wget
+ curl
+ ripgrep
+ fd
+ pciutils
+ usbutils
+ p7zip
+ gdu
+ glances
+ tmux
+
 ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PubkeyAuthentication = true;
+ };
+ };
+
 networking = {
 useNetworkd = true;
 firewall.allowedTCPPorts = [22 80 5900 5901 5902];
+ firewall.enable = true ;
 interfaces.eno1.useDHCP = false;
 interfaces.br0 = {
 useDHCP = false;
 ipv4.addresses = [
 {
- address = "192.168.0.3";
+ address = globals.network.terre-neuvas.ip;
 prefixLength = 24;
 }
 ];
 };
 defaultGateway = {
 interface = "br0";
- address = "192.168.0.254";
+ address = globals.network.gateway;
 };
- nameservers = ["192.168.0.254" "1.1.1.1"];
+ nameservers = [ globals.network.gateway "1.1.1.1"];
 bridges.br0.interfaces = ["eno1"];
 };
 systemd.network = {
@@ -83,5 +119,7 @@
 networkConfig.Bridge = "br0";
 };
 };
+
+ system.stateVersion = "25.05"; # Did you read the comment?
 }
diff --git a/modules/common/energy.nix b/modules/common/energy.nix
index 31635c5..eed44d0 100644
--- a/modules/common/energy.nix
+++ b/modules/common/energy.nix
@@ -1,8 +1,42 @@ -_: { +{ config, pkgs, ... }: { services.logind.settings.Login = { IdleAction = "suspend"; IdleActionSec = "5min"; HandleLidSwitch = "suspend"; HandleLidSwitchDocked = "ignore"; }; + + systemd.services.ssh-suspend-inhibitor = { + description = "Prevent suspend when SSH sessions are active"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + Restart = "always"; + ExecStart = pkgs.writeShellScript "ssh-inhibitor" '' + while true; do + # Vérifie s'il y a des sessions SSH actives + if ${pkgs.procps}/bin/pgrep -x sshd >/dev/null && \ + [ $(${pkgs.procps}/bin/pgrep -P $(${pkgs.procps}/bin/pgrep -x sshd) | wc -l) -gt 0 ]; then + # Il y a des sessions SSH, on crée un inhibitor s'il n'existe pas + if [ ! -f /tmp/ssh-inhibitor.lock ]; then + ${pkgs.systemd}/bin/systemd-inhibit --what=idle:sleep \ + --who="SSH Session" \ + --why="SSH session active" \ + --mode=block \ + sleep infinity & + echo $! > /tmp/ssh-inhibitor.lock + fi + else + # Pas de sessions SSH, on retire l'inhibitor + if [ -f /tmp/ssh-inhibitor.lock ]; then + kill $(cat /tmp/ssh-inhibitor.lock) 2>/dev/null || true + rm /tmp/ssh-inhibitor.lock + fi + fi + sleep 10 + done + ''; + }; + }; } diff --git a/modules/common/nix.nix b/modules/common/nix.nix index f1f6fd4..13de898 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -4,6 +4,12 @@ experimental-features = ["nix-command" "flakes"]; }; + nix.gc = { + automatic = true ; + dates = "daily" ; + options = "--delete-older-than 7d" ; + }; + nixpkgs.config = { # allowUnfree = true; # allowUnsupportedSystem = true; diff --git a/modules/common/qemu.nix b/modules/common/qemu.nix index ddb4ecf..c86e61c 100644 --- a/modules/common/qemu.nix +++ b/modules/common/qemu.nix @@ -8,6 +8,7 @@ environment.systemPackages = with pkgs; [ qemu qemu_kvm + tunctl virtiofsd ]; diff --git a/modules/hardware/gpu-amd.nix b/modules/hardware/gpu-amd.nix index caa4f31..dc65bfc 100644 --- a/modules/hardware/gpu-amd.nix 
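Review bot: The inhibitor loop runs as root and keeps the helper PID in `/tmp/ssh-inhibitor.lock`, a world-writable location: whoever creates that file first decides which PID root later passes to `kill`, and its mere presence makes the `! -f` test skip inhibitor creation. Because the loop is one long-lived process, the PID belongs in a shell variable rather than a file, which removes the /tmp path altogether; `RuntimeDirectory = "ssh-inhibitor";` with a path under `/run` is the fallback if a file is really wanted. The session test is also fragile: `pgrep -P $(pgrep -x sshd)` splits into several arguments as soon as `pgrep -x sshd` returns more than one PID (which happens on OpenSSH versions whose per-connection processes are still named `sshd`), and pgrep then treats the extras as a pattern, so the count can be 0 exactly while a session is open. The rewrite below keeps the ten-second poll and the same `systemd-inhibit` call, builds a comma-separated parent list for `pgrep -P`, and tracks the inhibitor in a variable.
```nix
      ExecStart = pkgs.writeShellScript "ssh-inhibitor" ''
        inhibitor_pid=""
        while true; do
          # comma-separated list so pgrep -P accepts several sshd parents
          sshd_pids="$(${pkgs.procps}/bin/pgrep -x sshd | ${pkgs.coreutils}/bin/paste -sd, -)"
          if [ -n "$sshd_pids" ] && \
             [ "$(${pkgs.procps}/bin/pgrep -P "$sshd_pids" | wc -l)" -gt 0 ]; then
            # sessions present: make sure exactly one live inhibitor exists
            if [ -z "$inhibitor_pid" ] || ! kill -0 "$inhibitor_pid" 2>/dev/null; then
              ${pkgs.systemd}/bin/systemd-inhibit --what=idle:sleep \
                --who="SSH Session" \
                --why="SSH session active" \
                --mode=block \
                sleep infinity &
              inhibitor_pid=$!
            fi
          elif [ -n "$inhibitor_pid" ]; then
            # no sessions: release the inhibitor and reap it
            kill "$inhibitor_pid" 2>/dev/null || true
            wait "$inhibitor_pid" 2>/dev/null || true
            inhibitor_pid=""
          fi
          sleep 10
        done
      '';
```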
+++ b/modules/hardware/gpu-amd.nix @@ -23,7 +23,6 @@ libva-utils libvdpau libva-vdpau-driver - vaapiVdpau libvdpau-va-gl vulkan-tools vulkan-loader @@ -44,6 +43,4 @@ "radeon.cik_support=0" ]; - # Si un module sonde "k10temp" gêne : - boot.blacklistedKernelModules = ["k10temp"]; } diff --git a/modules/roles/server.nix b/modules/roles/server.nix deleted file mode 100644 index 67c158d..0000000 --- a/modules/roles/server.nix +++ /dev/null @@ -1,19 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../common/nix.nix - ]; - - environment.systemPackages = with pkgs; [ - git - wget - curl - ripgrep - fd - pciutils - usbutils - p7zip - gdu - glances - tmux - ]; -} diff --git a/modules/roles/workstation.nix b/modules/roles/workstation.nix deleted file mode 100644 index b99a5c7..0000000 --- a/modules/roles/workstation.nix +++ /dev/null @@ -1,27 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../common/nix.nix - ../hardware/gpu-amd.nix - ../hardware/sensors-zenpower.nix - ../virtual/kvm-amd.nix - ../virtual/vfio.nix - ]; - - environment.systemPackages = with pkgs; [ - git - vim - wget - curl - ripgrep - fd - pciutils - usbutils - p7zip - gdu - glances - parted - tmux - discord - xorg.xauth - ]; -} diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index be5b644..0cee315 100644 --- a/modules/services/forgejo.nix +++ b/modules/services/forgejo.nix 
@@ -1,25 +1,25 @@ {pkgs, ...}: let - import ../../config/globals.nix; + globals = import ../../config/globals.nix; in { # --- Utilisateur dédié --- - users.users.git = { + users.users.${globals.services.forgejo.user} = { isSystemUser = true; - home = "/var/lib/forgejo"; + home = globals.services.forgejo.home; shell = pkgs.bash; - group = "git"; + group = globals.services.forgejo.user; }; - users.groups.git = {}; + users.groups.${globals.services.forgejo.user} = {}; # --- Forgejo --- services = { forgejo = { enable = true; - user = "git"; - group = "git"; + user = globals.services.forgejo.user; + group = globals.services.forgejo.user; database = { type = "sqlite3"; - path = "/var/lib/forgejo/data/gitea.db"; + path = "${globals.services.forgejo.home}/data/gitea.db"; }; settings = { server = { @@ -27,7 +27,6 @@ in { ROOT_URL = "https://${globals.services.forgejo.url}/"; SSH_DOMAIN = globals.services.forgejo.url; HTTP_PORT = globals.services.forgejo.port; - SSH_PORT = 22; START_SSH_SERVER = false; }; service = { @@ -44,27 +43,10 @@ in { enable = true; virtualHosts.${globals.services.forgejo.url} = { extraConfig = '' - reverse_proxy localhost:${globals.services.forgejo.port} + reverse_proxy localhost:${toString globals.services.forgejo.port} ''; }; }; }; - - # --- Ouvrir les ports nécessaires --- - networking.firewall = { - allowedTCPPorts = [80 443 2222]; - interfaces."eth0".allowedTCPPorts = [22]; - }; - # --- Pour que Forgejo génère les bonnes URLs Git --- - # networking.hostName = "git"; # non strictement obligatoire - - # --- Optionnel : config DNS --- - # git.lomig.me -> ton IP publique (ou IP locale si LAN) - - # --- Pour te cloner un dépôt : --- - # git clone git@git.lomig.me:lomig/nom-du-repo.git - - # --- Astuce : génère une paire de clés pour l’accès SSH Git --- - # ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo - # puis ajoute la clé publique dans ton compte Forgejo + networking.firewall.allowedTCPPorts = [80 443 22 ]; } 
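Review bot: `networking.firewall.allowedTCPPorts = [80 443 22 ];` opens port 22 on every interface, whereas the removed block limited it to `eth0`; if that narrowing was intended, `networking.firewall.interfaces.<name>.allowedTCPPorts = [22];` keeps it. Host-wide port policy inside a service module is hard to audit — `hosts/terre-neuvas/configuration.nix` in this same commit already opens 22 and 80, so only 443 is new here — and moving the whole list into the host file keeps the policy in one place. The terre-neuvas interfaces are `eno1`/`br0`, so the old `eth0` rule was probably inert, which is worth a one-line comment if the per-interface form is restored. Dropping `SSH_PORT = 22;` in the middle hunk is fine while the host sshd stays on 22; a comment on `START_SSH_SERVER = false;` saying that git-over-SSH goes through the host sshd as the `${globals.services.forgejo.user}` account would help the next reader.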
diff --git a/modules/services/ftp.nix b/modules/services/ftp.nix
deleted file mode 100644
index d077278..0000000
--- a/modules/services/ftp.nix
+++ /dev/null
@@ -1,67 +0,0 @@ -_: { - # ------------------------------------------------- - # 1️⃣ Création de l’utilisateur système dédié FTP - # ------------------------------------------------- - users.users.ftpuser = { - isSystemUser = true; # pas de login shell - description = "Compte FTP dédié"; - home = "/srv/ftp/ftpuser"; - createHome = true; - group = "ftpuser"; - shell = "/usr/bin/nologin"; - }; - users.groups.ftpuser = {}; - - services.openssh = { - extraConfig = '' - Match User ftpuser - ChrootDirectory /srv/ftp/ftpuser - ForceCommand internal-sftp - AllowTcpForwarding no - X11Forwarding no - ''; - }; - - # ------------------------------------------------- - # 2️⃣ Permissions du répertoire home (méthode A) - # ------------------------------------------------- - system.activationScripts.setupFtp = '' - # Répertoire racine du chroot – lecture‑seule - chmod a-w /srv/ftp/ftpuser - # Sous‑répertoire où l’on peut écrire - mkdir -p /srv/ftp/ftpuser/upload - chown ftpuser:ftpuser /srv/ftp/ftpuser/upload - chmod 755 /srv/ftp/ftpuser/upload - ''; - - # ------------------------------------------------- - # 3️⃣ Configuration du serveur vsftpd - # ------------------------------------------------- - services.vsftpd = { - enable = true; - - # Autoriser les comptes locaux (system users) - localUsers = true; - - # Refuser l’accès anonyme (sécurité renforcée) - anonymousUser = false; - - # Chroot chaque utilisateur local dans son $HOME - chrootlocalUser = true; - allowWriteableChroot = true; - - extraConfig = '' - pasv_min_port=40000 - pasv_max_port=40004 - ''; - }; - - # ------------------------------------------------- - # 4️⃣ Ouverture des ports dans le firewall NixOS - # ------------------------------------------------- - networking.firewall = { - allowedTCPPorts = [21 40000 40001 40002 40003 40004]; - # Si vous utilisez FTPS implicite (port 990) : - # allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ]; - }; -} 
diff --git a/modules/services/goaccess.nix b/modules/services/goaccess.nix index c39c469..b403917 100644 --- a/modules/services/goaccess.nix +++ b/modules/services/goaccess.nix @@ -1,20 +1,38 @@ -{pkgs, ...}: +{pkgs, config, ...}: let - imports = ../../config/globals.nix ; + globals = import ../../config/globals.nix ; in { + age.secrets.goaccess-password = { + file = ../../secrets/goaccess-password.age; + owner = "caddy"; + group = "caddy"; + mode = "0400"; + }; + environment.systemPackages = with pkgs; [ goaccess ]; - # Service pour générer le rapport statique GoAccess + environment.etc."local/bin/generate-goaccess.sh".text = '' + #!/bin/sh + set -eu + + RAW_LOG="/var/log/caddy/access-${globals.services.levr.url}.log" + CLEAN_LOG="/tmp/goaccess-clean.log" + REPORT="${globals.services.goaccess.home}/index.html" + + ${pkgs.gnugrep}/bin/grep -v '192.168.' "$RAW_LOG" > "$CLEAN_LOG" + ${pkgs.goaccess}/bin/goaccess "$CLEAN_LOG" --log-format=CADDY -o "$REPORT"; + ''; + environment.etc."local/bin/generate-goaccess.sh".mode = "0755"; + systemd.services.goaccess-report = { description = "Generate GoAccess HTML report"; serviceConfig = { - ExecStart = "${pkgs.goaccess}/bin/goaccess /var/log/caddy/access-${globals.services.levr.url}.log --log-format=CADDY -o ${globals.services.goaccess.home}/index.html"; + ExecStart = "/etc/local/bin/generate-goaccess.sh"; }; }; - # Timer pour régénérer le rapport toutes les heures systemd.timers.goaccess-report = { description = "Hourly GoAccess report generation"; wantedBy = ["timers.target"]; 
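Review bot: `generate-goaccess.sh` runs from a service with no `User=` or `PrivateTmp=`, so root truncates the fixed, predictable path `/tmp/goaccess-clean.log` every hour; a file or link planted there by a local account is followed unless the kernel's protected_symlinks sysctl happens to intervene. `PrivateTmp = true;` in `serviceConfig` (or `CLEAN_LOG="$(mktemp)"` with a `trap` that removes it) closes that, and it costs nothing. Two smaller issues in the same script: `grep -v '192.168.'` is an unanchored regex where `.` matches any character, so `grep -vF '192.168.'` (or an anchored pattern on the client field) says what is meant, and `grep -v` exits 1 when every line is filtered, which under `set -eu` aborts the script before goaccess runs; `... > "$CLEAN_LOG" || [ $? -eq 1 ]` keeps LAN-only hours from leaving a stale report while still failing on a missing log.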
@@ -23,16 +41,43 @@ in { Persistent = true; }; }; + + systemd.services."goaccess-auth-sync" = { + description = "Sync goaccess password for Caddy"; + wantedBy = [ "caddy.service" ]; + before = [ "caddy.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = pkgs.writeScript "sync-goaccess-auth" '' + #!${pkgs.bash}/bin/bash + mkdir -p /etc/caddy/extra + cp /run/agenix/goaccess-password /etc/caddy/extra/goaccess-auth.conf + chown caddy:caddy /etc/caddy/extra/goaccess-auth.conf + chmod 400 /etc/caddy/extra/goaccess-auth.conf + ''; + }; + }; + services.caddy = { virtualHosts = { - globals.services.goaccess.url = { + "${globals.services.goaccess.url}" = { extraConfig = '' root * ${globals.services.goaccess.home} + + basic_auth /* { + import /etc/caddy/extra/goaccess-auth.conf + } + file_server browse try_files {path} {path}/ /index.html - ''; + }; }; }; + + systemd.tmpfiles.rules = [ + "d ${globals.services.goaccess.home} 0755 root root -" + "d /etc/caddy/extra 0750 caddy caddy -" + ]; } diff --git a/modules/services/outline.nix b/modules/services/outline.nix deleted file mode 100644 index 8aaefd8..0000000 --- a/modules/services/outline.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, pkgs, lib, ... }: -let - import ../../config/globals.nix ; -in { - services = { - outline = { - enable = true; - port = globals.services.outline.port ; - publicUrl = "http://${globals.services.outline.url}"; - forceHttps = true; - smtp = { - host = globals.smtp.host ; - username = globals.smtp.user ; - passwordFile = "/run/secrets/proton_pass"; - fromEmail = globals.smtp.user; - replyEmail = globals.smtp.user; - port = globals.smtp.port; - secure = false; - }; - storage.storageType = "local"; - }; - caddy = { - enable = true; - virtualHosts.${globals.services.outline.url} = { - extraConfig = '' - reverse_proxy localhost:${globals.services.outline.port} - ''; - }; - }; - }; -} 
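Review bot: `goaccess-auth-sync` makes a second, persistent copy of the agenix secret under `/etc/caddy/extra/goaccess-auth.conf`, yet the first hunk already provisions `/run/agenix/goaccess-password` as `caddy:caddy` mode 0400, so unless Caddy's sandbox hides `/run`, `import /run/agenix/goaccess-password` works directly and the oneshot, its `mkdir -p`, and the `d /etc/caddy/extra` tmpfiles rule all go away together with an on-disk copy that survives reboots. If the copy is kept, `wantedBy`/`before` do not make Caddy depend on it — a failed sync still lets caddy.service start and then fail on the missing import — so add `requiredBy = [ "caddy.service" ];` and copy atomically (`install -m 0400 -o caddy -g caddy` to a temporary name, then `mv`). `basic_auth /*` expects `user bcrypt-hash` lines in the imported file, which cannot be checked here; a comment above the `import` naming that format would save the next person a failed reload.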
diff --git a/modules/services/pihole.nix b/modules/services/pihole.nix deleted file mode 100644 index 78e4dc4..0000000 --- a/modules/services/pihole.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ - virtualisation.oci-containers.containers.pihole = { - image = "pihole/pihole:latest"; - autoStart = true; - - ports = [ - "53:53/udp" - "53:53/tcp" - "80:80/tcp" - ]; - - environment = { - TZ = "Europe/Paris"; - WEBPASSWORD = "changeme"; # Change à ta convenance - PIHOLE_DNS_ = "1.1.1.1;1.0.0.1"; - }; - - volumes = [ - "/srv/pihole/etc-pihole:/etc/pihole" - "/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d" - ]; - extraOptions = ["--cap-add=NET_ADMIN"]; - }; -} diff --git a/modules/services/wikijs.nix b/modules/services/wikijs.nix new file mode 100644 index 0000000..8da2a7e --- /dev/null +++ b/modules/services/wikijs.nix @@ -0,0 +1,33 @@ +{ pkgs, ... }: +let + globals = import ../../config/globals.nix ; +in { + systemd.services.wiki-js = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + services.wiki-js = { + enable = true; + settings = { + db = { + db = "wiki-js"; + host = "/run/postgresql"; + type = "postgres"; + user = "wiki-js"; + }; + port = 3002 ; + }; + }; + services.postgresql = { + enable = true; + ensureDatabases = [ "wiki-js" ]; + ensureUsers = [{ + name = "wiki-js"; + ensureDBOwnership = true; + }]; + }; + + services.caddy.virtualHosts.${globals.services.wikijs.url}.extraConfig = '' + reverse_proxy localhost:${toString globals.services.wikijs.port} + ''; +} diff --git a/modules/sites/levr.porzh.me.nix b/modules/sites/levr.porzh.me.nix index 08c0839..7215cd7 100644 --- a/modules/sites/levr.porzh.me.nix +++ b/modules/sites/levr.porzh.me.nix @@ -1,6 +1,6 @@ { pkgs, lib, ...}: let - import = ../../config/globals.nix ; + globals = import ../../config/globals.nix ; in { environment.systemPackages = with pkgs; [ hugo 
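Review bot: `port = 3002 ;` in `services.wiki-js.settings` hard-codes the value that the Caddy line a few lines below reads from `globals.services.wikijs.port`; use `port = globals.services.wikijs.port;` so the listener and the reverse proxy cannot drift apart, and `toString` in the proxy line already handles the integer. Unix-socket peer authentication against `/run/postgresql` only works if the OS user the wiki-js service runs as is literally `wiki-js`, which this file does not show — worth confirming before relying on `ensureDBOwnership`. A one-line comment on the `systemd.services.wiki-js` override (`# start only after the local PostgreSQL socket exists`) would explain why it sits apart from `services.wiki-js`.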
@@ -11,7 +11,7 @@ in { Type = "oneshot"; WorkingDirectory = globals.services.levr.home ; ExecStart = ''${pkgs.hugo}/bin/hugo --minify build -d ${globals.services.levr.build}''; - User = "lomig"; + User = "levr"; }; }; systemd.timers.hugo-build = { @@ -27,8 +27,8 @@ in { serviceConfig = { Type = "oneshot"; WorkingDirectory = globals.services.levr.home; - ExecStart = "${pkgs.git}/bin/git pull origin master"; - User = "lomig"; + ExecStart = "${pkgs.git}/bin/git pull --rebase origin master"; + User = "levr"; }; environment = { PATH = lib.mkForce "${pkgs.openssh}/bin"; @@ -44,7 +44,7 @@ in { services.caddy = { enable = true; virtualHosts = { - globals.services.levr.url = { + "${globals.services.levr.url}" = { extraConfig = '' @http { protocol http @@ -54,10 +54,27 @@ in { file_server log { - output file /var/log/caddy/access-${global.services.levr.url}.log + output file /var/log/caddy/access-${globals.services.levr.url}.log } ''; }; }; }; - } + users = { + users = { + "${globals.services.levr.user}" = { + isSystemUser = true ; + group = globals.services.levr.user ; + home = globals.services.levr.home ; + createHome = true ; + description = "User for hugo-blog builds and deployments"; + }; + }; + groups.${globals.services.levr.user} = {}; + }; + + systemd.tmpfiles.rules = [ + "d ${globals.services.levr.home} 0755 levr levr -" + "d ${globals.services.levr.build} 0755 levr levr -" + ]; +} diff --git a/modules/sites/porzh.me.nix b/modules/sites/porzh.me.nix index 5ce0726..5491bb3 100644 --- a/modules/sites/porzh.me.nix +++ b/modules/sites/porzh.me.nix @@ -1,5 +1,5 @@ {pkgs, ...}: let - import ../../config/globals.nix ; + globals = import ../../config/globals.nix ; porzhSite = pkgs.stdenv.mkDerivation { pname = "porzh-site"; version = "1.0"; @@ -14,7 +14,7 @@ in { services.caddy = { enable = true; virtualHosts = { - globals.domain = { + "${globals.domain}" = { serverAliases = [ "www.${globals.domain}" ]; extraConfig = '' root * ${porzhSite} 
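Review bot: The tmpfiles rules `"d ${globals.services.levr.home} 0755 levr levr -"` and its build-directory twin spell the owner as a literal `levr` while the users block just above derives it from `globals.services.levr.user`; `"d ${globals.services.levr.home} 0755 ${globals.services.levr.user} ${globals.services.levr.user} -"` keeps a rename in globals from silently leaving the directories owned by a non-existent account. The same literal appears as `User = "levr";` in the hugo-build and git-pull hunks above (`@@ -11,7 +11,7 @@` and `@@ -27,8 +27,8 @@`), and `createHome = true` already creates the home, so the first tmpfiles rule duplicates it. The automated `git pull --rebase origin master` runs with `PATH` forced to openssh only, which is good; if `origin` is an SSH remote it relies on an identity and known_hosts under `${globals.services.levr.home}/.ssh` that the commit does not provision, which deserves a comment next to the `environment` block.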
diff --git a/profiles/server-selfhosted.nix b/profiles/server-selfhosted.nix deleted file mode 100644 index f2a1dff..0000000 --- a/profiles/server-selfhosted.nix +++ /dev/null @@ -1,30 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../modules/roles/server.nix - ../modules/common/base.nix - ../modules/common/smtp.nix - ../modules/common/qemu.nix - ../modules/services/printing.nix - ../modules/services/goaccess.nix - ../modules/services/outline.nix - ../modules/sites/porzh.me.nix - ../modules/sites/levr.porzh.me.nix - ]; - - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PubkeyAuthentication = true; - }; - }; - - environment.systemPackages = with pkgs; [ - btrfs-progs - cifs-utils - lm_sensors - wakeonlan - ]; -} -# vim: set ts=2 sw=2 sts=2 et : - diff --git a/profiles/workstation-bspwm.nix b/profiles/workstation-bspwm.nix deleted file mode 100644 index 6a1fa38..0000000 --- a/profiles/workstation-bspwm.nix +++ /dev/null @@ -1,39 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../modules/roles/workstation.nix - ../modules/desktop/xorg-bspwm.nix - ../modules/common/base.nix - ../modules/common/fonts.nix - ../modules/common/networking.nix - ../modules/common/plymouth.nix - ../modules/hardware/firmware.nix - ../modules/hardware/gpu-amd.nix - ../modules/common/audio.nix - ../modules/common/bluetooth.nix - ../modules/common/gaming.nix - ../modules/services/printing.nix - ../modules/common/lockscreen.nix - ../modules/common/energy.nix - ../modules/common/qemu.nix - ../modules/common/smtp.nix - ]; - - services.openssh = { - enable = true; - settings = { - X11Forwarding = true; - X11DisplayOffset = 10; - }; - }; - - environment.systemPackages = with pkgs; [ - btrfs-progs - cifs-utils - evtest - lm_sensors - xorg.xev - xorg.xkbcomp - ]; -} -# vim: set ts=2 sw=2 sts=2 et : - diff --git a/scripts/imports.sh b/scripts/imports.sh new file mode 100755 index 0000000..101e153 --- /dev/null +++ b/scripts/imports.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +find $HOME/nixos-config -name "*.nix" | while read -r file; do + imports=$(awk ' + /imports[[:space:]]*=/ {flag=1} + flag {print} + /\]/ && flag {flag=0} + ' "$file" | grep -vE 'imports[[:space:]]*=' | grep -v '\[' | grep -v '\]' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//') + + if [[ -n "$imports" ]]; then + echo "$file imports:" + echo "$imports" | sed 's/^/ |--- /' + echo + fi +done diff --git a/secrets/agenix/pennsardin.pub b/secrets/agenix/pennsardin.pub new file mode 100644 index 0000000..e16be5e --- /dev/null +++ b/secrets/agenix/pennsardin.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZto2/k9ZiYzWxWM6sfZLq/fIUVDc3BwPb+00dOahkk root@pennsardin diff --git a/secrets/dunoz-password-penduick.age b/secrets/dunoz-password-penduick.age new file mode 100644 index 0000000..69cddd9 --- /dev/null +++ b/secrets/dunoz-password-penduick.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> X25519 t5/4zFfNo5Hq/EacMKriedzv9je2ThBpq/WLegedg2A +sq35AzCE5HVTgqi0cNOcbW5C50sLeCAw4SIR6fbMg2M +-> X25519 yHHx+6CF7VEf331RchlwC9povVUwZBTq9cgAfo3gqjQ +RUsB7tMZRJYGy5Ggw+pnaNPOEiFYwAJn+gquCcNUnQo +--- jJVkAQ9fNSwyrWiyvIVzuTuJuudhL3zv29PI5pdKDz4 +ш.f=5IWiNPlSwwM* \ No newline at end of file diff --git a/secrets/goaccess-password.age b/secrets/goaccess-password.age new file mode 100644 index 0000000..20d710c Binary files /dev/null and b/secrets/goaccess-password.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..bc436c2 --- /dev/null +++ b/secrets/secrets.nix 
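Review bot: `find $HOME/nixos-config -name "*.nix" | while read -r file` breaks on paths containing spaces or leading whitespace because `$HOME` is unquoted and `read` runs without `IFS=`; `find "$HOME/nixos-config" -name '*.nix' -print0 | while IFS= read -r -d "" file; do` handles any file name. The awk/grep/sed chain also drops a one-line list such as `imports = [ ./a.nix ];`, since that line is both the `imports =` match and the `]` terminator and is then filtered out; stating the limitation in a header comment (`# lists multi-line imports = [ ... ] blocks only`) is enough for a helper script. `set -euo pipefail` after the shebang would surface a missing directory instead of silently printing nothing.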
@@ -0,0 +1,11 @@
+let
+ serveur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVxB7usThGHf8cuSPE4sjdqSaPNlwWAZPEo1wUgHz6 root@terre-neuvas";
+ admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxranFaz3jRfvYE2M6FvRUWjzviIWjWd1mucgKeuSK2 lomig@nixos";
+ penduick = "age1rnyey8shjxyaq43dzlnhtfkcm3ra4hy3ygh6c46w4xmr7fe9fe3s00nh2r";
+ dunoz = "age1ppu60aw0v5wxhrc0gyqmgrukh2a5uaxwqxxmuy0w3fv4tnt02ycqrrgmue";
+in
+{
+ "goaccess-password.age".publicKeys = [ serveur admin ];
+ "dunoz-password-penduick.age".publicKeys = [ penduick dunoz ];
+}
+
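Review bot: `secrets/agenix/pennsardin.pub`, added in this same commit, appears in no recipient list here, so nothing in this file can be decrypted on pennsardin at boot yet; if `dunoz-password-penduick.age` is meant for a host, its `publicKeys` needs that host's SSH key, and whether the `penduick` age key is a host identity or a person's is not visible from this file. Naming the identities after what they are (`terre-neuvas-host`, `lomig-admin`) rather than `serveur`/`admin` keeps the mapping to the files in `secrets/agenix/` obvious. A comment per key saying whose it is and which secrets it unlocks, e.g. `# host key of terre-neuvas, decrypts goaccess-password at boot`, reads better than the bare string.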