Andromeda/conf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Andromeda:e1c510fc641825d51da12aa1dce7885dd5aee0de
Branches Tags
Andromeda:master Andromeda:dev Andromeda:phoenix Andromeda:flake-parts Andromeda:r0-persist
Andromeda:nixos-anywhere
...
compare: Andromeda:dev
Branches Tags
Andromeda:dev Andromeda:master Andromeda:phoenix Andromeda:flake-parts Andromeda:r0-persist
Andromeda:nixos-anywhere

3 Commits
e1c510fc64 ... dev

Author SHA1 Message Date
andromeda
0647d9a8e0 fix certs? 2026-01-26 21:58:55 +01:00
andromeda
8c0db96ca4 robot, also continuwuity, also zram 2026-01-26 21:40:03 +01:00
andromeda
2386fea0eb split out phoenix overlay 2026-01-25 15:44:32 +01:00
11 changed files with 283 additions and 231 deletions
Expand all files Collapse all files

171
flake.lock generated
View File

@@ -23,6 +23,27 @@
"type": "github" "type": "github"
} }
}, },
"androidPkgs": {
"inputs": {
"devshell": "devshell",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1750710155,
"narHash": "sha256-2lBEwXgclOrSsrhubSfifU91+sXqikC8qbiZ6yFeaEY=",
"owner": "tadfisher",
"repo": "android-nixpkgs",
"rev": "0846fab1f060f646e1017053077ad38dedc5207b",
"type": "github"
},
"original": {
"owner": "tadfisher",
"ref": "stable",
"repo": "android-nixpkgs",
"type": "github"
}
},
"base16": { "base16": {
"inputs": { "inputs": {
"fromYaml": "fromYaml" "fromYaml": "fromYaml"
@@ -129,6 +150,28 @@
"type": "github" "type": "github"
} }
}, },
"devshell": {
"inputs": {
"nixpkgs": [
"robotnix",
"androidPkgs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1741473158,
"narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
"owner": "numtide",
"repo": "devshell",
"rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -198,6 +241,21 @@
"url": "https://git.lix.systems/lix-project/flake-compat.git" "url": "https://git.lix.systems/lix-project/flake-compat.git"
} }
}, },
"flake-compat_3": {
"locked": {
"lastModified": 1746162366,
"narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
@@ -261,6 +319,24 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"fromYaml": { "fromYaml": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -608,6 +684,38 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1750506804,
"narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4206c4cb56751df534751b058295ea61357bbbaa",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1767313136,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nmd": { "nmd": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -737,23 +845,24 @@
"type": "github" "type": "github"
} }
}, },
"phoenix": { "robotnix": {
"inputs": { "inputs": {
"nixpkgs": [ "androidPkgs": "androidPkgs",
"nixpkgs" "flake-compat": "flake-compat_3",
] "nixpkgs": "nixpkgs_4",
"treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1769035606, "lastModified": 1768481330,
"narHash": "sha256-I9pKhfhAz3JsGBLIqr9MNycTEQn0Bc3jzf0mKeWLlsE=", "narHash": "sha256-hYKnwFBPI0IyH8YbW3kqci8AS6ZtV7QSEa0E5Wt401M=",
"owner": "celenityy", "owner": "nix-community",
"repo": "Phoenix", "repo": "robotnix",
"rev": "07d9be8cbf938962f9847b0970274b885ff48792", "rev": "4ee0f9c86c3ae076bcbc41cbeebff054fe3d11a8",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "celenityy", "owner": "nix-community",
"repo": "Phoenix", "repo": "robotnix",
"type": "github" "type": "github"
} }
}, },
@@ -770,7 +879,7 @@
"noshell": "noshell", "noshell": "noshell",
"nur": "nur", "nur": "nur",
"nvf": "nvf", "nvf": "nvf",
"phoenix": "phoenix", "robotnix": "robotnix",
"stylix": "stylix" "stylix": "stylix"
} }
}, },
@@ -803,7 +912,7 @@
"nixpkgs" "nixpkgs"
], ],
"nur": "nur_2", "nur": "nur_2",
"systems": "systems_3", "systems": "systems_4",
"tinted-foot": "tinted-foot", "tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes", "tinted-schemes": "tinted-schemes",
@@ -869,6 +978,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tinted-foot": { "tinted-foot": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -949,6 +1073,27 @@
"repo": "base16-zed", "repo": "base16-zed",
"type": "github" "type": "github"
} }
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"robotnix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1766000401,
"narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

10
flake.nix
View File

@@ -38,10 +38,7 @@
url = "github:notashelf/nvf"; url = "github:notashelf/nvf";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
phoenix = { robotnix.url = "github:nix-community/robotnix";
url = "github:celenityy/Phoenix";
inputs.nixpkgs.follows = "nixpkgs";
};
stylix = { stylix = {
url = "github:nix-community/stylix"; url = "github:nix-community/stylix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -59,11 +56,10 @@
noshell, noshell,
nur, nur,
nvf, nvf,
phoenix, robotnix,
stylix, stylix,
... ...
}: let }: let
phoenix' = (import ./modules/nixos/phoenix.nix) {inherit phoenix;};
nix-zulip' = (import "${nix-zulip}/nix/default.nix" {}).output; nix-zulip' = (import "${nix-zulip}/nix/default.nix" {}).output;
machines = import ./machines.nix; machines = import ./machines.nix;
configuration = machine: modules: configuration = machine: modules:
@@ -81,7 +77,6 @@
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
nixos-mailserver.nixosModule nixos-mailserver.nixosModule
noshell.nixosModules.default noshell.nixosModules.default
phoenix'.phoenixModule
nix-zulip'.nixosModules.zulip nix-zulip'.nixosModules.zulip
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [
@@ -124,6 +119,7 @@
builtins.mapAttrs builtins.mapAttrs
(hostname: value: configurationWithHomeManager value) (hostname: value: configurationWithHomeManager value)
machines; machines;
robotnixConfigurations.payton = robotnix.lib.robotnixSystem ./robotnix/payton.nix;
nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration { nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
pkgs = import nixpkgs {system = "aarch64-linux";}; pkgs = import nixpkgs {system = "aarch64-linux";};
modules = [ modules = [

10
machines.nix
View File

@@ -11,6 +11,7 @@
# hardware configuration # hardware configuration
# includes `system.stateVersion` # includes `system.stateVersion`
./modules/nixos/machines/lenovo.nix ./modules/nixos/machines/lenovo.nix
./modules/nixos/zram.nix
# boot process # boot process
# systemd-boot # systemd-boot
@@ -30,6 +31,7 @@
# apps # apps
./modules/nixos/steam.nix ./modules/nixos/steam.nix
./modules/nixos/phoenix.nix
# substitutors # substitutors
./substitutors.nix ./substitutors.nix
@@ -74,20 +76,16 @@
# matrix homeserver # matrix homeserver
# matrix.domain # matrix.domain
# ./modules/nixos/matrix-conduit.nix ./modules/nixos/matrix-continuwuity.nix
# matrix homeserver
./modules/nixos/matrix-synapse.nix
# BROKEN # BROKEN
# forgejo # forgejo
# git.domain # git.domain
# ./modules/nixos/forgejo.nix # ./modules/nixos/forgejo.nix
# BROKEN
# zulip chat client # zulip chat client
# chat.domain # chat.domain
./modules/nixos/zulip.nix # ./modules/nixos/zulip.nix
]; ];
}; };
} }

8
modules/nixos/mailserver.nix
View File

@@ -37,6 +37,14 @@
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
"matrix.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
};
"${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
};
}; };
}; };
security.acme = { security.acme = {

82
modules/nixos/matrix-conduit.nix
View File

@@ -1,82 +0,0 @@
{
config,
pkgs,
...
}: let
well_known_server = pkgs.writeText "well-known-matrix-server" ''
{
"m.server": "matrix.${config.services.matrix-conduit.settings.global.server_name}"
}
'';
well_known_client = pkgs.writeText "well-known-matrix-client" ''
{
"m.homeserver": {
"base_url": "https://matrix.${config.services.matrix-conduit.settings.global.server_name}"
}
'';
in {
services.matrix-conduit = {
enable = true;
settings.global = {
server_name = "${config.networking.domain}";
};
};
services.nginx = {
enable = true;
virtualHosts = {
"matrix.${config.services.matrix-conduit.settings.global.server_name}" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
];
locations."/_matrix/" = {
proxyPass = "http://backend_conduit$request_uri";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
extraConfig = ''
merge_slashes off;
'';
};
"${config.services.matrix-conduit.settings.global.server_name}" = {
forceSSL = true;
enableACME = true;
locations."/.well-known/matrix/server/" = {
alias = "${well_known_server}";
extraConfig = ''
default_type application/json;
'';
};
locations."/.well-known/matrix/client/" = {
alias = "${well_known_client}";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "";
'';
};
};
};
upstreams = {
backend-conduit = {
servers = {
"localhost:${builtins.toString config.services.matrix-conduit.settings.global.port}" = {};
};
};
};
};
networking.firewall.allowedTCPPorts = [8448];
networking.firewall.allowedUDPPorts = [8448];
}

26
modules/nixos/matrix-continuwuity.nix Normal file
View File

@@ -0,0 +1,26 @@
{config, ...}: {
services = {
matrix-continuwuity = {
enable = true;
settings = {
global = {
server_name = "${config.networking.domain}";
address = ["127.0.0.1"];
port = [6167];
well_known = {
server = "matrix.${config.networking.domain}";
client = "https://matrix.${config.networking.domain}";
};
};
};
};
nginx = {
upstreams.matrix.servers."127.0.0.1:6167" = {};
virtualHosts = {
"matrix.${config.networking.domain}".locations."/".proxyPass = "http://matrix";
"${config.networking.domain}".locations."/.well-known/matrix".proxyPass = "http://matrix";
};
};
};
}

65
modules/nixos/matrix-synapse.nix
View File

@@ -1,65 +0,0 @@
{
pkgs,
lib,
config,
...
}: let
fqdn = "${config.networking.hostName}.${config.networking.domain}";
baseUrl = "https://${fqdn}";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
services.postgresql.enable = true;
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
};
};
services.matrix-synapse = {
enable = true;
settings.server_name = config.networking.domain;
settings.public_baseurl = baseUrl;
settings.listeners = [
{
port = 8008;
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [
"client"
"federation"
];
compress = true;
}
];
}
];
};
}

22
modules/nixos/phoenix.nix
View File

@@ -1,24 +1,9 @@
{phoenix, ...}: rec { {
phoenixOverlay = final: prev: {
phoenix = (final.callPackage (import "${phoenix}/nix/package.nix")
{
}).overrideAttrs {
patches = [
../../patches/0001-autoDisableScopes-unlocked.patch
];
};
withPhoenix = firefoxPackage:
firefoxPackage.override {
extraPoliciesFiles = ["${final.phoenix}/policies.json"];
extraPrefsFiles = ["${final.phoenix}/phoenix.cfg"];
};
};
phoenixModule = {
pkgs, pkgs,
config, config,
lib, lib,
... ...
}: { }: {
options.programs.firefox.phoenix = { options.programs.firefox.phoenix = {
enable = enable =
lib.mkEnableOption "Enable privacy & security hardening of Firefox using the Phoenix configs" lib.mkEnableOption "Enable privacy & security hardening of Firefox using the Phoenix configs"
@@ -48,7 +33,7 @@
programs.firefox.policies = programs.firefox.policies =
(builtins.fromJSON (builtins.readFile "${pkgs.phoenix}/policies.json")).policies; (builtins.fromJSON (builtins.readFile "${pkgs.phoenix}/policies.json")).policies;
nixpkgs.overlays = [ nixpkgs.overlays = [
phoenixOverlay (import ../../overlays/phoenix.nix)
( (
final: prev: final: prev:
builtins.listToAttrs ( builtins.listToAttrs (
@@ -57,5 +42,4 @@
) )
]; ];
}; };
};
} }

8
modules/nixos/zram.nix Normal file
View File

@@ -0,0 +1,8 @@
{
zramSwap = {
enable = true;
priority = 100;
algorithm = "zstd";
memoryPercent = 75;
};
}

21
overlays/phoenix.nix Normal file
View File

@@ -0,0 +1,21 @@
final: prev: let
phoenix-src = prev.fetchFromGitHub {
owner = "celenityy";
repo = "Phoenix";
rev = "07d9be8cbf938962f9847b0970274b885ff48792";
hash = "sha256-I9pKhfhAz3JsGBLIqr9MNycTEQn0Bc3jzf0mKeWLlsE=";
};
in {
phoenix = (final.callPackage (import "${phoenix-src}/nix/package.nix")
{
}).overrideAttrs {
patches = [
../patches/0001-autoDisableScopes-unlocked.patch
];
};
withPhoenix = firefoxPackage:
firefoxPackage.override {
extraPoliciesFiles = ["${final.phoenix}/policies.json"];
extraPrefsFiles = ["${final.phoenix}/phoenix.cfg"];
};
}

13
robotnix/payton.nix Normal file
View File

@@ -0,0 +1,13 @@
{...}: {
flavor = "lineageos";
# motorola moto x4 (payton)
device = "payton";
# latest supported version:
# check https://download.lineageos.org/devices/payton/builds
flavorVersion = "22.2";
apps.fdroid.enable = true;
microg.enable = true;
}