s0mev1rtn0de-nix -> kyra + {hazel, lynn, ivy, mel}: rename + modularity

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-02-08 22:16:49 +03:00 · 2026-02-08 22:16:49 +03:00 · 91d145fc9b
commit 91d145fc9b
parent c1445349f0
50 changed files with 377 additions and 278 deletions
--- a/kyra/boot/initrd/availableKernelModules.nix
+++ b/kyra/boot/initrd/availableKernelModules.nix
@ -0,0 +1,19 @@
+_: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "xen_blkfront"
+        "vmw_pvscsi"
+        "virtio_net"
+        "virtio_pci"
+        "virtio_mmio"
+        "virtio_blk"
+        "virtio_scsi"
+        "9p"
+        "9pnet_virtio"
+      ];
+    };
+  };
+}
--- a/kyra/boot/initrd/kernelModules.nix
+++ b/kyra/boot/initrd/kernelModules.nix
@ -0,0 +1,14 @@
+_: {
+  boot = {
+    initrd = {
+      kernelModules = [
+        "virtio_balloon"
+        "virtio_console"
+        "virtio_rng"
+        "virtio_gpu"
+        "nvme"
+        "kvm-amd"
+      ];
+    };
+  };
+}
--- a/kyra/boot/kernel.nix
+++ b/kyra/boot/kernel.nix
@ -0,0 +1,12 @@
+_: {
+  boot = {
+    kernel = {
+      sysctl = {
+        "net.ipv4.ip_forward" = 1;
+        "net.ipv6.conf.all.forwarding" = 1;
+        "net.ipv4.ip_nonlocal_bind" = 1;
+        "net.ipv6.ip_nonlocal_bind" = 1;
+      };
+    };
+  };
+}
--- a/kyra/boot/loader/grub.nix
+++ b/kyra/boot/loader/grub.nix
@ -0,0 +1,11 @@
+_: {
+  boot = {
+    loader = {
+      grub = {
+        enable = true;
+        efiSupport = true;
+        efiInstallAsRemovable = true;
+      };
+    };
+  };
+}
--- a/kyra/boot/tmp.nix
+++ b/kyra/boot/tmp.nix
@ -0,0 +1,7 @@
+_: {
+  boot = {
+    tmp = {
+      cleanOnBoot = true;
+    };
+  };
+}
--- a/kyra/default.nix
+++ b/kyra/default.nix
@ -0,0 +1,57 @@
+{self, ...}: {
+  imports = [
+    "${self}/kyra/disko/disk.nix"
+    "${self}/kyra/disko/lvm_vg.nix"
+
+    "${self}/kyra/boot/initrd/availableKernelModules.nix"
+    "${self}/kyra/boot/initrd/kernelModules.nix"
+    "${self}/kyra/boot/loader/grub.nix"
+    "${self}/kyra/boot/kernel.nix"
+    "${self}/kyra/boot/tmp.nix"
+
+    "${self}/kyra/environment/systemPackages.nix"
+
+    "${self}/kyra/hardware/zram.nix"
+
+    "${self}/kyra/home-manager/users.nix"
+
+    "${self}/kyra/networking/interfaces/ens3.nix"
+    "${self}/kyra/networking/firewall/ens3.nix"
+    "${self}/kyra/networking/firewall.nix"
+    "${self}/kyra/networking/dns.nix"
+    "${self}/kyra/networking/wireguard.nix"
+    "${self}/kyra/networking/defaultGateway.nix"
+
+    "${self}/kyra/nix/settings/allowed-users.nix"
+    "${self}/kyra/nix/settings/experimental-features.nix"
+    "${self}/kyra/nix/settings/substituters.nix"
+    "${self}/kyra/nix/settings/trusted-public-keys.nix"
+    "${self}/kyra/nix/settings/trusted-users.nix"
+    "${self}/kyra/nix/settings/auto-optimise-store.nix"
+
+    "${self}/kyra/nixpkgs/config.nix"
+    "${self}/kyra/nixpkgs/platform.nix"
+
+    "${self}/kyra/programs/nh.nix"
+
+    "${self}/kyra/services/openssh.nix"
+    "${self}/kyra/services/fail2ban.nix"
+    "${self}/kyra/services/netbird.nix"
+    "${self}/kyra/services/qemuGuest.nix"
+    "${self}/kyra/services/caddy.nix"
+    "${self}/kyra/services/sing-box.nix"
+
+    "${self}/kyra/sops/age.nix"
+    "${self}/kyra/sops/defaults.nix"
+    "${self}/kyra/sops/secrets.nix"
+
+    "${self}/kyra/system/stateVersion.nix"
+
+    "${self}/kyra/users/users.nix"
+    "${self}/kyra/users/users/alep0u.nix"
+    "${self}/kyra/users/users/hand7s.nix"
+    "${self}/kyra/users/users/root.nix"
+
+    "${self}/kyra/virtualisation/docker.nix"
+  ];
+}
--- a/kyra/disko/disk.nix
+++ b/kyra/disko/disk.nix
@ -0,0 +1,44 @@
+{
+  disko = {
+    devices = {
+      disk = {
+        virt_main = {
+          device = "/dev/sda";
+          type = "disk";
+          content = {
+            type = "gpt";
+            partitions = {
+              boot = {
+                name = "boot";
+                size = "1M";
+                type = "EF02";
+              };
+
+              ESP = {
+                name = "ESP";
+                size = "1024M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [
+                    "umask=0077"
+                  ];
+                };
+              };
+
+              root = {
+                size = "100%";
+                content = {
+                  type = "lvm_pv";
+                  vg = "pool";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/kyra/disko/lvm_vg.nix
+++ b/kyra/disko/lvm_vg.nix
@ -0,0 +1,27 @@
+{
+  disko = {
+    devices = {
+      lvm_vg = {
+        pool = {
+          type = "lvm_vg";
+          lvs = {
+            root = {
+              size = "100%FREE";
+              content = {
+                type = "btrfs";
+                mountpoint = "/";
+                extraArgs = [
+                  "-f"
+                ];
+
+                mountOptions = [
+                  "compress=zstd"
+                ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/kyra/environment/systemPackages.nix
+++ b/kyra/environment/systemPackages.nix
@ -0,0 +1,10 @@
+{pkgs, ...}: {
+  environment = {
+    systemPackages = [
+      pkgs.helix
+      pkgs.comma
+    ];
+
+    enableAllTerminfo = true;
+  };
+}
--- a/kyra/hardware/zram.nix
+++ b/kyra/hardware/zram.nix
@ -0,0 +1,8 @@
+_: {
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    priority = 100;
+    memoryPercent = 100;
+  };
+}
--- a/kyra/home-manager/users.nix
+++ b/kyra/home-manager/users.nix
@ -0,0 +1,27 @@
+{self, ...}: {
+  home-manager = {
+    users = {
+      "hand7s" = {
+        imports = [
+          "${self}/hand7s/"
+          self.inputs.agenix.homeManagerModules.default
+          self.inputs.spicetify-nix.homeManagerModules.default
+          self.inputs.hyprland.homeManagerModules.default
+          self.inputs.chaotic.homeManagerModules.default
+          self.inputs.sops-nix.homeManagerModules.sops
+
+          self.inputs.nix-index-database.homeModules.nix-index
+          self.inputs.noctalia.homeModules.default
+        ];
+      };
+    };
+
+    backupFileExtension = "force";
+
+    extraSpecialArgs = {
+      inherit
+        self
+        ;
+    };
+  };
+}
--- a/kyra/networking/defaultGateway.nix
+++ b/kyra/networking/defaultGateway.nix
@ -0,0 +1,17 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  networking = {
+    defaultGateway = lib.mkIf (config.networking.hostName == "mel") {
+      address = "45.11.229.1";
+      interface = "ens3";
+    };
+
+    defaultGateway6 = lib.mkIf (config.networking.hostName == "mel") {
+      address = "2a0e:97c0:3e3:2Oa::1";
+      interface = "ens3";
+    };
+  };
+}
--- a/kyra/networking/dns.nix
+++ b/kyra/networking/dns.nix
@ -0,0 +1,29 @@
+_: {
+  networking = {
+    nameservers = [
+      # cf dns
+      "1.1.1.1"
+      "1.0.0.1"
+      "2606:4700:4700::1111"
+      "2606:4700:4700::1001"
+
+      # google dns
+      "8.8.8.8"
+      "8.8.4.4"
+      "2001:4860:4860::8888"
+      "2001:4860:4860::8844"
+
+      # q9 dns
+      "9.9.9.9"
+      "149.112.112.112"
+      "2620:fe::fe"
+      "2620:fe::9"
+
+      # open dns
+      "208.67.222.222"
+      "208.67.220.220"
+      "2620:119:35::35"
+      "2620:119:53::53"
+    ];
+  };
+}
--- a/kyra/networking/firewall.nix
+++ b/kyra/networking/firewall.nix
@ -0,0 +1,11 @@
+_: {
+  networking = {
+    firewall = {
+      enable = true;
+      allowPing = true;
+      checkReversePath = false;
+    };
+
+    useNetworkd = true;
+  };
+}
--- a/kyra/networking/firewall/ens3.nix
+++ b/kyra/networking/firewall/ens3.nix
@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  networking = {
+    firewall = {
+      interfaces = {
+        ens3 = {
+          allowedUDPPorts =
+            [
+              53580
+              53590
+            ]
+            ++ lib.optionals (config.networking.hostName == "hazel") [
+              443
+
+              25565
+
+              24
+              25
+              110
+              143
+              465
+              587
+              993
+              995
+              4190
+              53570
+            ];
+
+          allowedTCPPorts =
+            [
+              53580
+              53590
+            ]
+            ++ lib.optionals (config.networking.hostName == "hazel") [
+              443
+
+              25565
+
+              24
+              25
+              110
+              143
+              465
+              587
+              993
+              995
+              4190
+              53570
+            ];
+        };
+      };
+    };
+  };
+}
--- a/kyra/networking/hostname.nix
+++ b/kyra/networking/hostname.nix
@ -0,0 +1,5 @@
+_: {
+  networking = {
+    hostName = "kyra";
+  };
+}
--- a/kyra/networking/interfaces/ens3.nix
+++ b/kyra/networking/interfaces/ens3.nix
@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  networking = {
+    interfaces = {
+      ens3 = {
+        ipv4 = {
+          addresses = lib.optionals (config.networking.hostName == "mel") [
+            {
+              address = "45.11.229.254";
+              prefixLength = 24;
+            }
+          ];
+        };
+
+        ipv6 = {
+          addresses =
+            lib.optionals (config.networking.hostName == "hazel") [
+              {
+                address = "2a03:6f01:1:2::cb1e";
+                prefixLength = 64;
+              }
+            ]
+            ++ lib.optionals (config.networking.hostName == "mel") [
+              {
+                address = "2a0e:97c0:3e3:2Oa::1";
+                prefixLength = 64;
+              }
+            ];
+        };
+      };
+    };
+  };
+}
--- a/kyra/networking/wireguard.nix
+++ b/kyra/networking/wireguard.nix
@ -0,0 +1,7 @@
+_: {
+  networking = {
+    wireguard = {
+      enable = true;
+    };
+  };
+}
--- a/kyra/nix/settings/allowed-users.nix
+++ b/kyra/nix/settings/allowed-users.nix
@ -0,0 +1,10 @@
+_: {
+  nix = {
+    settings = {
+      sandbox = true;
+      allowed-users = [
+        "@wheel"
+      ];
+    };
+  };
+}
--- a/kyra/nix/settings/auto-optimise-store.nix
+++ b/kyra/nix/settings/auto-optimise-store.nix
@ -0,0 +1,7 @@
+_: {
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+    };
+  };
+}
--- a/kyra/nix/settings/experimental-features.nix
+++ b/kyra/nix/settings/experimental-features.nix
@ -0,0 +1,10 @@
+_: {
+  nix = {
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+    };
+  };
+}
--- a/kyra/nix/settings/substituters.nix
+++ b/kyra/nix/settings/substituters.nix
@ -0,0 +1,19 @@
+_: {
+  nix = {
+    settings = {
+      substituters = [
+        # cache.nixos.org
+        "https://cache.nixos.org"
+        # cache.garnix.org
+        "https://cache.garnix.io"
+        # cachix
+        "https://nix-community.cachix.org/"
+        "https://chaotic-nyx.cachix.org/"
+        "https://hyprland.cachix.org"
+        "https://chaotic-nyx.cachix.org/"
+        # nix-community
+        "https://hydra.nix-community.org/"
+      ];
+    };
+  };
+}
--- a/kyra/nix/settings/trusted-public-keys.nix
+++ b/kyra/nix/settings/trusted-public-keys.nix
@ -0,0 +1,18 @@
+_: {
+  nix = {
+    settings = {
+      trusted-public-keys = [
+        # cache.nixos.org
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        # cache.garnix.io
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        # cachix.org
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+        "ags.cachix.org-1:naAvMrz0CuYqeyGNyLgE010iUiuf/qx6kYrUv3NwAJ8="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+      ];
+    };
+  };
+}
--- a/kyra/nix/settings/trusted-users.nix
+++ b/kyra/nix/settings/trusted-users.nix
@ -0,0 +1,9 @@
+_: {
+  nix = {
+    settings = {
+      trusted-users = [
+        "@wheel"
+      ];
+    };
+  };
+}
--- a/kyra/nixpkgs/config.nix
+++ b/kyra/nixpkgs/config.nix
@ -0,0 +1,8 @@
+_: {
+  nixpkgs = {
+    config = {
+      allowBroken = true;
+      allowUnfree = true;
+    };
+  };
+}
--- a/kyra/nixpkgs/platform.nix
+++ b/kyra/nixpkgs/platform.nix
@ -0,0 +1,6 @@
+_: {
+  nixpkgs = {
+    system = "x86_64-linux";
+    hostPlatform = "x86_64-linux";
+  };
+}
--- a/kyra/programs/nh.nix
+++ b/kyra/programs/nh.nix
@ -0,0 +1,7 @@
+_: {
+  programs = {
+    nh = {
+      enable = true;
+    };
+  };
+}
--- a/kyra/services/caddy.nix
+++ b/kyra/services/caddy.nix
@ -0,0 +1,60 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  services = {
+    caddy = {
+      enable =
+        lib.mkIf (
+          config.networking.hostName == "hazel"
+        )
+        true;
+
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/mholt/caddy-l4@v0.0.0-20250902102621-4a517a98d7fa"
+          "github.com/caddy-dns/cloudflare@v0.2.1"
+        ];
+        hash = "sha256-1/jRWotKCvx7QncjVSVGYXb2gAmIiokC/ZbCUelG5Rc=";
+      };
+
+      globalConfig = ''
+        debug
+        email me@hand7s.org
+
+        acme_ca https://acme-v02.api.letsencrypt.org/directory
+
+      '';
+
+      # acme_ca https://api.zerossl.com/directory
+
+      virtualHosts = {
+        "hand7s.org" = {
+          extraConfig = ''
+            respond "hi! :D WIP btw"
+          '';
+        };
+
+        "git.hand7s.org" = {
+          extraConfig = ''
+            reverse_proxy ${homeIP}:53350
+          '';
+        };
+
+        "bin.hand7s.org" = {
+          extraConfig = ''
+            reverse_proxy ${homeIP}:80
+          '';
+        };
+
+        "zitadel.hand7s.org" = {
+          extraConfig = ''
+            reverse_proxy ${homeIP}:8443
+          '';
+        };
+      };
+    };
+  };
+}
--- a/kyra/services/fail2ban.nix
+++ b/kyra/services/fail2ban.nix
@ -0,0 +1,14 @@
+_: {
+  services = {
+    fail2ban = {
+      enable = true;
+      bantime-increment = {
+        enable = true;
+        factor = "10";
+        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+        overalljails = true;
+        maxtime = "500h";
+      };
+    };
+  };
+}
--- a/kyra/services/netbird.nix
+++ b/kyra/services/netbird.nix
@ -0,0 +1,7 @@
+{...}: {
+  services = {
+    netbird = {
+      enable = true;
+    };
+  };
+}
--- a/kyra/services/openssh.nix
+++ b/kyra/services/openssh.nix
@ -0,0 +1,23 @@
+_: {
+  services = {
+    openssh = {
+      enable = true;
+      ports = [
+        58693
+      ];
+
+      settings = {
+        PrintMotd = false;
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+        MaxAuthTries = 3;
+        LoginGraceTime = 10;
+        PermitEmptyPasswords = "no";
+        ChallengeResponseAuthentication = "no";
+        KerberosAuthentication = "no";
+        GSSAPIAuthentication = "no";
+        X11Forwarding = false;
+      };
+    };
+  };
+}
--- a/kyra/services/qemuGuest.nix
+++ b/kyra/services/qemuGuest.nix
@ -0,0 +1,7 @@
+_: {
+  services = {
+    qemuGuest = {
+      enable = true;
+    };
+  };
+}
--- a/kyra/services/sing-box.nix
+++ b/kyra/services/sing-box.nix
@ -0,0 +1,88 @@
+{...}: {
+  services = {
+    sing-box = {
+      enable = true;
+      settings = {
+        log = {
+          level = "debug";
+        };
+
+        dns = {
+          servers = [
+            {
+              type = "local";
+              tag = "local";
+            }
+          ];
+
+          final = "local";
+          strategy = "prefer_ipv6";
+        };
+
+        route = {
+          final = "direct-out";
+          auto_detect_interface = true;
+        };
+
+        outbounds = [
+          {
+            tag = "direct-out";
+            type = "direct";
+          }
+        ];
+
+        inbounds = [
+          {
+            type = "vless";
+            tag = "vless-inbound";
+
+            listen = "::";
+            listen_port = 53570;
+
+            users = [
+              {
+                name = "hand7s_1";
+                uuid = "${singboxUUID2}";
+                flow = "xtls-rprx-vision";
+              }
+
+              {
+                name = "hand7s_2";
+                uuid = "${singboxUUID2}";
+                flow = "xtls-rprx-vision";
+              }
+            ];
+
+            tls = rec {
+              enabled = true;
+              server_name = "vk.com";
+              reality = {
+                enabled = true;
+                max_time_difference = "5m";
+                handshake = {
+                  server = server_name;
+                  server_port = 443;
+                };
+
+                private_key = "${singboxKey}";
+
+                short_id = [
+                  "${singboxId}"
+                ];
+              };
+            };
+
+            transport = {
+              type = "httpupgrade";
+            };
+
+            multiplex = {
+              enabled = true;
+              padding = false;
+            };
+          }
+        ];
+      };
+    };
+  };
+}
--- a/kyra/system/stateVersion.nix
+++ b/kyra/system/stateVersion.nix
@ -0,0 +1,5 @@
+_: {
+  system = {
+    stateVersion = "23.11";
+  };
+}
--- a/kyra/users/users.nix
+++ b/kyra/users/users.nix
@ -0,0 +1,5 @@
+_: {
+  users = {
+    mutableUsers = false;
+  };
+}
--- a/kyra/users/users/alep0u.nix
+++ b/kyra/users/users/alep0u.nix
@ -0,0 +1,23 @@
+_: {
+  users = {
+    users = {
+      "alep0u" = {
+        description = "alep0u";
+        isNormalUser = true;
+        password = "alep0u";
+        extraGroups = [
+          "wheel"
+          "docker"
+        ];
+
+        openssh = {
+          authorizedKeys = {
+            keys = [
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItDketCj5COoCvAPLhqOcBhWC1H50MApP2gDt/lkW7E alep0u@alep0u"
+            ];
+          };
+        };
+      };
+    };
+  };
+}
--- a/kyra/users/users/hand7s.nix
+++ b/kyra/users/users/hand7s.nix
@ -0,0 +1,23 @@
+_: {
+  users = {
+    users = {
+      "hand7s" = {
+        description = "hands";
+        isNormalUser = true;
+        hashedPassword = "$y$j9T$eHfq328GBp7Ga8xsbOTV/0$kcihv7zWLqSkj2jKAhI1pdbTSwvaf2RY5Rokm69XTL/";
+        extraGroups = [
+          "wheel"
+          "docker"
+        ];
+
+        openssh = {
+          authorizedKeys = {
+            keys = [
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDp2IIdR5jV1HyG4aiRX7SfTNrXDhCx5rTiFU40qkOKq litvinovb0@gmail.com"
+            ];
+          };
+        };
+      };
+    };
+  };
+}
--- a/kyra/users/users/root.nix
+++ b/kyra/users/users/root.nix
@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  users = {
+    users = {
+      "root" = {
+        shell = "${pkgs.util-linux}/bin/nologin";
+      };
+    };
+  };
+}
--- a/kyra/virtualisation/docker.nix
+++ b/kyra/virtualisation/docker.nix
@ -0,0 +1,14 @@
+_: {
+  virtualisation = {
+    oci-containers = {
+      backend = "docker";
+    };
+
+    docker = {
+      enable = true;
+      rootless = {
+        enable = true;
+      };
+    };
+  };
+}