chore: clean up tree-wide

Mohammad Rafiq 2025-07-02 06:02:47 +08:00
parent 45afd6bea5
commit b9ad8ac2ca
No known key found for this signature in database
50 changed files with 247 additions and 511 deletions


@ -2,7 +2,6 @@
inputs,
lib,
config,
system,
...
}:
let
@ -50,7 +49,6 @@ in
default = [ ];
};
};
config = {
# Helper options
environment.persistence."/persist".directories = config.persistDirs;
@ -60,63 +58,50 @@ in
"/var/lib/systemd"
"/var/lib/nixos"
];
stylix.enable = true;
nixpkgs = {
hostPlatform = system;
config.allowUnfree = true;
};
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
trusted-users = [ "@wheel" ];
};
system.stateVersion = "25.05"; # Did you read the comment?
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
nix.settings.trusted-users = [ "@wheel" ];
system.stateVersion = "25.05";
time.timeZone = "Asia/Singapore";
i18n.defaultLocale = "en_US.UTF-8";
users = {
# Don't allow imperative configuration
mutableUsers = false;
users.root.openssh.authorizedKeys.keys = [ config.mainUser.publicKey ];
groups.users = {
gid = 100;
members = [ "${config.mainUser.name}" ];
};
users."${config.mainUser.name}" = {
linger = true;
uid = 1000;
isNormalUser = true;
hashedPasswordFile = config.sops.secrets."${config.mainUser.name}/hashedPassword".path;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ config.mainUser.publicKey ];
};
users.root.openssh.authorizedKeys.keys = singleton config.mainUser.publicKey;
};
services.getty.autologinUser = config.mainUser.name;
security.sudo.wheelNeedsPassword = false;
sops = {
defaultSopsFile = get-file "secrets/secrets.yaml";
age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
age.sshKeyPaths = [ "/persist/home/${config.mainUser.name}/.ssh/id_ed25519" ];
secrets = {
"keys/openrouter" = { };
"keys/gemini" = { };
"keys/cvt-jira" = { };
"keys/cloudflare" = { };
"keys/telegram_bot" = { };
"misc/cvt-jira-link" = { };
"rafiq/hashedPassword".neededForUsers = true;
"rafiq/personalEmailPassword" = { };
"rafiq/workEmailPassword" = { };
"tailscale/client-id" = { };
"tailscale/client-secret" = { };
};
};
environment.shellInit = # sh
''
export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path})
export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path})
'';
};
}
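Review bot: The three secret names `"rafiq/hashedPassword"`, `"rafiq/personalEmailPassword"` and `"rafiq/workEmailPassword"` in the `sops.secrets` block are still literal, while the same hunk switches `age.sshKeyPaths` and the user definition to `${config.mainUser.name}`; if `mainUser.name` is ever anything but `rafiq`, `hashedPasswordFile` refers to `config.sops.secrets."<name>/hashedPassword"`, which is not declared, and evaluation fails. Keying those entries the same way, e.g. `"${config.mainUser.name}/hashedPassword".neededForUsers = true;`, keeps the module consistent with the rename (the YAML key must then match, or `key = "rafiq/hashedPassword";` has to be set explicitly). Separately, `environment.shellInit` still reads three secrets with `sudo cat` into exported variables of every login shell, which — together with `security.sudo.wheelNeedsPassword = false` — makes them available to every child process of that shell rather than only to the tools that need them; loading each key in the wrapper of its consumer would narrow that exposure. The enclosing `config` attribute set begins before the first hunk.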


@ -1,9 +1,6 @@
{ config, ... }:
{
config = {
services.pipewire = {
enable = true;
pulse.enable = true;
};
services.pipewire = {
enable = true;
pulse.enable = true;
};
}


@ -1,18 +0,0 @@
{ lib, config, ... }:
let
inherit (lib)
mkEnableOption
optional
singleton
;
cfg = config.desktop.browser.firefox;
in
{
options.desktop.browser.firefox.enable = mkEnableOption "";
config.home-manager.sharedModules = optional cfg.enable {
persistDirs = singleton ".mozilla/firefox";
programs.firefox.enable = true;
stylix.targets.firefox.colorTheme.enable = true;
};
}


@ -12,10 +12,6 @@ in
options.desktop.browser.tor-browser.enable = mkEnableOption "";
config = mkIf cfg.enable {
services.tor = {
enable = true;
client.enable = true;
};
home-manager.sharedModules = singleton {
persistDirs = singleton ".tor project";
home.packages = singleton pkgs.tor-browser;


@ -29,6 +29,7 @@ in
config = mkIf cfg.enable {
fonts.packages = singleton font-awesome;
services.getty.autologinUser = config.mainUser.name;
home-manager.sharedModules = optional cfg.enableWaylandUtilities {
home.packages = [ wl-clipboard-rs ];
};
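Review bot: The added `services.getty.autologinUser = config.mainUser.name;` enables password-less login on every virtual console whenever the desktop module is enabled, not only on the TTY that starts the Wayland session, and nothing in the hunk records why that is acceptable. A comment above it such as `# Console autologin: anyone at the physical console gets a shell as mainUser without a password` makes the trade-off explicit for the next reader. If the system module this line presumably moved from still sets `security.sudo.wheelNeedsPassword = false`, the two options together hand the physical console unauthenticated root, which is worth stating in the same comment. The enclosing `config = mkIf cfg.enable` block continues past the hunk.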


@ -1,14 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkEnableOption singleton;
cfg = config.desktop.notification-daemon;
in
{
options.desktop.notification-daemon = {
mako.enable = mkEnableOption "";
};
config.home-manager.sharedModules = singleton {
services.mako.enable = cfg.mako.enable;
};
}


@ -1,12 +0,0 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption singleton;
cfg = config.desktop.status-bar;
in
{
options.desktop.status-bar = {
waybar.enable = mkEnableOption "";
};
config.home-manager.sharedModules = singleton { programs.waybar.enable = cfg.waybar.enable; };
}


@ -1,24 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkEnableOption singleton optional;
inherit (pkgs) kitty;
cfg = config.desktop.terminal;
in
{
options.desktop.terminal = {
kitty.enable = mkEnableOption "";
ghostty.enable = mkEnableOption "";
};
config = {
home-manager.sharedModules = singleton {
home.packages = optional cfg.kitty.enable kitty;
programs.ghostty.enable = cfg.ghostty.enable;
};
};
}


@ -37,6 +37,7 @@ in
# Null the packages since we use them system wide
package = null;
portalPackage = null;
settings.monitor = [ "${mainMonitor.id}, ${mainMonitor.resolution}@${mainMonitor.refresh-rate}, auto, ${mainMonitor.scale}" ];
};
xdg.configFile."uwsm/env".text = # sh
''


@ -3,6 +3,10 @@ let
inherit (lib) mkDefault singleton;
in
{
sops.secrets = {
"tailscale/client-id".sopsFile = ./tailscale.yaml;
"tailscale/client-secret".sopsFile = ./tailscale.yaml;
};
networking = {
enableIPv6 = false;
useDHCP = mkDefault true;
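Review bot: The two `sops.secrets."tailscale/..."` declarations are unconditional, so every host that imports this networking module decrypts `./tailscale.yaml` and installs the OAuth client secret at activation, whether or not anything on that host consumes it. If only some hosts run tailscale, guarding the block with `sops.secrets = mkIf config.services.tailscale.enable { ... };` (adding `mkIf` to the `inherit (lib)` line) keeps the secret off machines that do not need it. The consumer of `tailscale/client-secret` is not visible in this hunk, so a short comment naming it would help the next reader; the enclosing attribute set continues past the hunk.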


@ -0,0 +1,18 @@
tailscale:
client-id: ENC[AES256_GCM,data:kQ4H9b2h8DN+5eTvwIYHZ6s=,iv:/nC3LM0qDNj3wIm9XZd7UUn5SxmAOA1dofsDGElKjVU=,tag:AIj5F7KkORujLDe+ZOxJgw==,type:str]
client-secret: ENC[AES256_GCM,data:O0cKyuK+FfK2E1mzQpkgybPrqEs0fH1y3jCOG6usT++6x3sWuJNvT56OIHpVNu8GH/6BIBsnenC1J/sVNTYIzA==,iv:FugIzSjNpoe9Bwy+x/GHl0BpCtbogQXpY7s3ICevQc0=,tag:1kQIO4ekjKuvexQ923YE3g==,type:str]
sops:
age:
- recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbTNsZE5lN2JOT1Jsd2hz
OWpDWTFzTW05Nzl5K1AyMmgxcVV2eHlBRlF3Cnc3VW5IN014ck8zM3BIWnBMNFFt
UnE4aGhGNERUOTlwZEJyNWF1Q1o0RXcKLS0tIFlZSFFoaDlOMnBMSFVyT3FMbFZj
ckl5RVZiMnkzV0RFQXN1aHZKM2doMnMKD6BjRdqsHiKDth4aBiZ1lvlcO1OgY36O
cGkZjuH45L4a0Y0kvptq3iZ/iPnmX8hw8n/gdplzUkpBzdsNPebvSg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-01T21:11:39Z"
mac: ENC[AES256_GCM,data:YWgrMqqJgrGe+40a9CSDpAAgwPOeGXRFb58c6X6PxDHve3u5vQfHh+wkC0TFxadMsYcJTczRYf8YWuAwf7kFoO7ofYs+PfEi4ydKhl8WY9nXTsq+BFT4rDl/BaCfQw6qWD5/TKTtxm2pdtBNrG7bNeZJ8cVSOO/wsjoqrrbh3fk=,iv:8BXOX5O5apYLhZOWihagQBVldmsVoV+uEcejcO3cC0I=,tag:vansSul5Ebwooay48uYNZQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2


@ -1,93 +0,0 @@
{ config, lib, ... }:
let
inherit (lib) singleton;
inherit (lib.pantheon) mkStrOption;
inherit (lib.pantheon.modules) mkWebApp;
cfg = config.server.web-apps.mattermost;
upstreamCfg = config.services.mattermost;
mkDir = directory: {
inherit directory;
inherit (upstreamCfg) user group;
mode = "0750";
};
in
mkWebApp {
inherit config;
name = "mattermost";
defaultPort = 8065;
persistDirs = [
(mkDir cfg.configDir)
(mkDir cfg.logDir)
(mkDir cfg.dataDir)
];
extraOptions = {
teamName = mkStrOption;
configDir = mkStrOption // {
default = "/etc/mattermost";
};
dataDir = mkStrOption // {
default = "/var/lib/mattermost";
};
logDir = mkStrOption // {
default = "/var/log/mattermost";
};
};
extraConfig = {
assertions = [
{
assertion = config.services.postgresql.enable;
message = "You must enable a local instance of postgresql.";
}
];
services.mattermost = {
enable = true;
inherit (cfg)
configDir
dataDir
logDir
port
;
host = "0.0.0.0";
siteUrl = "https://${cfg.domain}";
};
services.matterbridge = {
enable = true;
inherit (upstreamCfg) user group;
configPath = config.sops.templates."matterbridge-conf".path;
};
sops.secrets."matterbridge/mattermost-password" = { };
sops.templates."matterbridge-conf" = {
owner = upstreamCfg.user;
content = # toml
''
[[gateway]]
name="gateway1"
enable=true
[[gateway.inout]]
account="mattermost.${config.hostname}"
channel="matterbridge"
[mattermost.${config.hostname}]
Server="${cfg.domain}"
Team="${cfg.teamName}"
Login="matterbridge"
Password="${config.sops.placeholder."matterbridge/mattermost-password"}"
RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
PrefixMessagesWithNick=true
PreserveThreading=true
'';
};
services.nginx.virtualHosts.${cfg.domain}.locations."~ /api/v[0-9]+/(users/)?websocket$" = {
proxyPass = "http://${config.hostname}:${toString cfg.port}";
proxyWebsockets = true;
};
services.postgresql = {
ensureDatabases = singleton upstreamCfg.database.name;
ensureUsers = singleton {
name = upstreamCfg.database.user;
ensureDBOwnership = true;
};
};
};
}