initial commit

2026-02-23 20:50:47 +01:00 · 2026-02-23 20:50:47 +01:00 · c094b5770c
commit c094b5770c
113 changed files with 6879 additions and 0 deletions
--- a/modules/home/common/default.nix
+++ b/modules/home/common/default.nix
@ -0,0 +1,13 @@
+{
+  imports = [
+    ./overlays.nix
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  # trace: warning: `programs.ssh` default values will be removed in the future.
+  # Consider setting `programs.ssh.enableDefaultConfig` to false,
+  # and manually set the default values you want to keep at
+  # `programs.ssh.matchBlocks."*"`.
+  programs.ssh.enableDefaultConfig = false;
+}
--- a/modules/home/common/overlays.nix
+++ b/modules/home/common/overlays.nix
@ -0,0 +1,12 @@
+{ outputs, ... }:
+
+{
+  nixpkgs.overlays = [
+    outputs.overlays.synix-packages
+    outputs.overlays.local-packages
+    outputs.overlays.modifications
+    outputs.overlays.old-old-stable-packages
+    outputs.overlays.old-stable-packages
+    outputs.overlays.unstable-packages
+  ];
+}
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@ -0,0 +1,3 @@
+{
+  common = import ./common;
+}
--- a/modules/nixos/anything-llm-oci/default.nix
+++ b/modules/nixos/anything-llm-oci/default.nix
@ -0,0 +1,30 @@
+{ config, inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.anything-llm-oci ];
+
+  services.anything-llm-oci = {
+    enable = true;
+    environment = {
+      LLM_PROVIDER = "openrouter";
+      OPENROUTER_MODEL_PREF = "google/gemini-3-pro-preview";
+    };
+    environmentFile = config.sops.templates."anything-llm-oci/environment".path;
+  };
+
+  sops = {
+    secrets."anything-llm-oci/openrouter-api-key" = { };
+
+    # Generate with: nix-shell -p openssl --run "openssl rand -hex 32"
+    secrets."anything-llm-oci/jwt-secret" = { };
+    secrets."anything-llm-oci/sig-key" = { };
+    secrets."anything-llm-oci/sig-salt" = { };
+
+    templates."anything-llm-oci/environment".content = ''
+      OPENROUTER_API_KEY=${config.sops.placeholder."anything-llm-oci/openrouter-api-key"}
+      JWT_SECRET=${config.sops.placeholder."anything-llm-oci/jwt-secret"}
+      SIG_KEY=${config.sops.placeholder."anything-llm-oci/sig-key"}
+      SIG_SALT=${config.sops.placeholder."anything-llm-oci/sig-salt"}
+    '';
+  };
+}
--- a/modules/nixos/appimage/default.nix
+++ b/modules/nixos/appimage/default.nix
@ -0,0 +1,6 @@
+{
+  programs.appimage = {
+    enable = true;
+    binfmt = true;
+  };
+}
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@ -0,0 +1,8 @@
+{
+  imports = [
+    ./nix.nix
+    ./overlays.nix
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+}
--- a/modules/nixos/common/nix.nix
+++ b/modules/nixos/common/nix.nix
@ -0,0 +1,29 @@
+{
+  nix = {
+    # TODO: add distributed build support for portuus.de
+    # distributedBuilds = true;
+    # buildMachines = [
+    #   {
+    #     hostName = "portuus.de";
+    #     supportedFeatures = [
+    #       "benchmark"
+    #       "big-parallel"
+    #       "kvm"
+    #       "nixos-test"
+    #     ];
+    #     maxJobs = 8;
+    #     system = "x86_64-linux";
+    #   }
+    # ];
+
+    settings = {
+      # binary caches
+      # substituters = [
+      #   "https://cache.portuus.de"
+      # ];
+      # trusted-public-keys = [
+      #   "cache.portuus.de:INZRjwImLIbPbIx8Qp38gTVmSNL0PYE4qlkRzQY2IAU="
+      # ];
+    };
+  };
+}
--- a/modules/nixos/common/overlays.nix
+++ b/modules/nixos/common/overlays.nix
@ -0,0 +1,12 @@
+{ outputs, ... }:
+
+{
+  nixpkgs.overlays = [
+    outputs.overlays.synix-packages
+    outputs.overlays.local-packages
+    outputs.overlays.modifications
+    outputs.overlays.old-old-stable-packages
+    outputs.overlays.old-stable-packages
+    outputs.overlays.unstable-packages
+  ];
+}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -0,0 +1,13 @@
+{
+  anything-llm-oci = import ./anything-llm-oci;
+  appimage = import ./appimage;
+  common = import ./common;
+  docker = import ./docker;
+  docs = import ./docs;
+  forgejo-runner = import ./forgejo-runner;
+  monero = import ./monero;
+  nh = import ./nh;
+  syncthing = import ./syncthing;
+  tailscale = import ./tailscale;
+  wine = import ./wine;
+}
--- a/modules/nixos/docker/default.nix
+++ b/modules/nixos/docker/default.nix
@ -0,0 +1,9 @@
+{
+  virtualisation.docker = {
+    enable = true;
+    rootless = {
+      enable = true;
+      setSocketVariable = true;
+    };
+  };
+}
--- a/modules/nixos/docs/default.nix
+++ b/modules/nixos/docs/default.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+  documentation = {
+    dev.enable = true;
+    man = {
+      man-db.enable = true;
+      mandoc.enable = false;
+      generateCaches = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    synix.cppman
+    synix.pyman
+    man-pages
+    man-pages-posix
+  ];
+}
--- a/modules/nixos/forgejo-runner/default.nix
+++ b/modules/nixos/forgejo-runner/default.nix
@ -0,0 +1,79 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.forgejo-runner;
+
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
+in
+{
+  options.services.forgejo-runner = {
+    enable = mkEnableOption "Nix-based Forgejo Runner service";
+    url = mkOption {
+      type = types.str;
+      description = "Forgejo instance URL.";
+    };
+    tokenFile = mkOption {
+      type = types.path;
+      description = "Path to EnvironmentFile containing TOKEN=...";
+    };
+    instance = mkOption {
+      type = types.str;
+      default = "default";
+      description = "Name of the runner instance.";
+    };
+    label = mkOption {
+      type = types.str;
+      default = "host";
+      description = "Runner label.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    nix.settings.trusted-users = [ "gitea-runner" ];
+
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-runner;
+      instances."${cfg.instance}" = {
+        enable = true;
+        name = "${config.networking.hostName}-nix";
+        inherit (cfg) url tokenFile;
+
+        labels = [ "${cfg.label}:host" ];
+
+        hostPackages = with pkgs; [
+          bash
+          coreutils
+          curl
+          deploy-rs
+          gitMinimal
+          gnused
+          nix
+          nodejs
+          openssh
+        ];
+
+        settings = {
+          log.level = "info";
+          runner = {
+            capacity = 4;
+            envs = {
+              NIX_CONFIG = "extra-experimental-features = nix-command flakes";
+              NIX_REMOTE = "daemon";
+              # inherit (config.systemd.services."gitea-runner-${cfg.instance}".environment) HOME;
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/monero/default.nix
+++ b/modules/nixos/monero/default.nix
@ -0,0 +1,111 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.services.monero;
+  sops = config.sops;
+
+  inherit (lib) mkDefault mkIf getExe;
+in
+{
+  config = mkIf cfg.enable {
+    services.monero = {
+      environmentFile = sops.templates."monero/environment-file".path;
+      mining.enable = false; # use XMRig + P2Pool
+      rpc = {
+        address = mkDefault "127.0.0.1";
+        port = mkDefault 18081;
+        user = mkDefault "monero";
+        password = mkDefault "$MONERO_RPC_PASSWORD";
+      };
+      extraConfig = ''
+        zmq-pub=tcp://127.0.0.1:18083
+        out-peers=32
+        in-peers=64
+        prune-blockchain=1
+        sync-pruned-blocks=1
+        add-priority-node=p2pmd.xmrvsbeast.com:18080
+        add-priority-node=nodes.hashvault.pro:18080
+        enforce-dns-checkpointing=1
+        enable-dns-blocklist=1
+      '';
+    };
+
+    systemd.services.p2pool = {
+      description = "P2Pool Monero Sidechain Node";
+      after = [
+        "monero.service"
+        "network.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.p2pool ];
+
+      serviceConfig = {
+        User = "p2pool";
+        Group = "p2pool";
+        WorkingDirectory = "/var/lib/p2pool";
+        ExecStart = "${getExe pkgs.p2pool} --host 127.0.0.1 --wallet ${cfg.mining.address}";
+        Restart = "always";
+        RestartSec = 10;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+      };
+    };
+
+    users.users.p2pool = {
+      isSystemUser = true;
+      group = "p2pool";
+      home = "/var/lib/p2pool";
+      createHome = true;
+    };
+    users.groups.p2pool = { };
+
+    services.xmrig = {
+      enable = true;
+      settings = {
+        autosave = true;
+        cpu = {
+          enabled = true;
+          huge-pages = true;
+          hw-aes = null;
+          asm = true;
+          yield = true;
+        };
+        opencl.enabled = false;
+        cuda.enabled = false;
+        pools = [
+          {
+            url = "127.0.0.1:3333";
+            user = "";
+            pass = "";
+          }
+        ];
+        api.enable = true;
+      };
+    };
+
+    sops =
+      let
+        owner = "monero";
+        group = "monero";
+        mode = "0440";
+      in
+      {
+        secrets."monero/rpc-password" = {
+          inherit owner group mode;
+        };
+        templates."monero/environment-file" = {
+          inherit owner group mode;
+          content = ''
+            MONERO_RPC_PASSWORD=${sops.placeholder."monero/rpc-password"}
+          '';
+        };
+      };
+  };
+}
--- a/modules/nixos/nh/default.nix
+++ b/modules/nixos/nh/default.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+let
+  # NOTE: Add a "main user" option to normalUsers? This would also set a sane default for the Syncthing module.
+  user = "sid";
+
+  inherit (lib) mkDefault mkForce;
+in
+{
+  programs.nh = {
+    enable = mkDefault true;
+    clean.enable = mkDefault true;
+    clean.extraArgs = mkDefault "--keep-since 4d --keep 3";
+    flake = config.users.users."${user}".home + "/.config/nixos";
+  };
+
+  nix.gc.automatic = mkForce false; # collides with `programs.nh.clean`
+}
--- a/modules/nixos/syncthing/default.nix
+++ b/modules/nixos/syncthing/default.nix
@ -0,0 +1,86 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.services.syncthing;
+  guiPort = 8384;
+  transferPort = 22000;
+  fqdn = "sync.local";
+
+  user = "sid";
+  dirs = [
+    "aud"
+    "doc"
+    "img"
+    "vid"
+  ];
+
+  allDevices = {
+    "16ach6" = {
+      id = "5IPAQ5C-V3KFUMD-NJM74SH-6MD246O-JGYCBN4-F77QG6W-W3WNSCA-NQY37AY";
+      addresses = [ "tcp://100.64.0.2:${toString transferPort}" ];
+    };
+    rv2 = {
+      id = "JG6BYOJ-AW67R72-VA25U6I-VIZ57HU-3KXMPGY-HTYT2FQ-ZZL6U7B-Z2RWDQ4";
+      addresses = [ "tcp://100.64.0.11:${toString transferPort}" ];
+    };
+    rx4 = {
+      id = "GBTCUX6-MAXC7NL-IGCJWWE-OEMANRO-BWZGWFU-HHO3NGN-GIUCXJJ-MTWM6QP";
+      addresses = [ "tcp://100.64.0.10:${toString transferPort}" ];
+    };
+  };
+
+  inherit (lib) filterAttrs genAttrs mkIf;
+  inherit (builtins) attrNames toString;
+in
+{
+  services.syncthing = {
+    enable = true;
+    inherit user;
+    group = config.users.users.${user}.group;
+    dataDir = config.users.users.${user}.home;
+
+    guiAddress = "0.0.0.0:${toString guiPort}";
+    guiPasswordFile = config.sops.secrets."syncthing/gui-pw".path;
+    openDefaultPorts = true;
+
+    overrideDevices = true;
+    overrideFolders = true;
+
+    settings = {
+      devices = filterAttrs (n: v: n != config.networking.hostName) allDevices;
+      folders = genAttrs dirs (dir: {
+        path = "${config.users.users.${user}.home}/${dir}";
+        devices = attrNames cfg.settings.devices;
+      });
+      gui = {
+        inherit user;
+      };
+      options = {
+        urAccepted = -1; # disable usage reports
+      };
+    };
+  };
+
+  networking.firewall.interfaces = mkIf config.services.tailscale.enable {
+    ${config.services.tailscale.interfaceName}.allowedTCPPorts = [ guiPort ];
+  };
+
+  networking.hosts."127.0.0.1" = [ fqdn ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${fqdn}" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString guiPort}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  sops.secrets."syncthing/gui-pw" = {
+    owner = cfg.user;
+    group = cfg.group;
+    mode = "0400";
+    restartUnits = [ "syncthing.service" ];
+  };
+}
--- a/modules/nixos/tailscale/default.nix
+++ b/modules/nixos/tailscale/default.nix
@ -0,0 +1,11 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.tailscale ];
+
+  services.tailscale = {
+    enable = true;
+    enableSSH = true;
+    loginServer = "https://hs.sid.ovh";
+  };
+}
--- a/modules/nixos/wine/default.nix
+++ b/modules/nixos/wine/default.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    wineWowPackages.waylandFull
+    winetricks
+  ];
+
+  hardware.graphics.enable32Bit = true;
+}