nixos

1336 readers
1 users here now

All about NixOS - https://nixos.org/

founded 4 years ago
cross-posted from: https://sh.itjust.works/post/32918427

Hello,

Recently, I've been interested in self-hosting various services after coming across Futo's "How to Self Host Your Life Guide" on their Wiki. They recommend using OpenVPN, but I opted for WireGuard instead as I wanted to learn more about it. After investing many hours into setting up my WireGuard configuration in my Nix config, I planned to replace Tailscale with WireGuard and make the setup declarative.

For context, this computer is located at my residence, and I want to be able to VPN into my home network and access my services. Initially, it was quite straightforward; I forwarded a UDP port on my router to my computer, which responded correctly when using the correct WireGuard keys and established a VPN connection. Everywhere online suggests forwarding only UDP as WireGuard doesn't respond unless the correct key is used.

The Networking Complexity

At first, this setup would be for personal use only, but I soon realized that I had created a Docker stack for me and my friends to play on a Minecraft server running on my LAN using Tailscale as the network host. This allowed them to VPN in and join the server seamlessly. However, I grew tired of having to log in to various accounts (e.g., GitHub, Microsoft, Apple) and dealing with frequent sign-outs due to timeouts or playing around with container stacks.

To manage access to my services, I set up ACLs using Tailscale, allowing only specific IP addresses on my network (192.168.8.170) to access HigherGround, nothing else. Recently, I implemented WireGuard and learned two key things: Firstly, when friends VPN into the server, they have full access to everything, which isn't ideal by any means. Not that I don't trust my friends, but I would like to fix that :P. I then tried to set allowed IPs in the WireGuard config to 192.168.8.170, but realized that this means they can only access 192.168.8.170 explicitly, not being able to browse the internet or communicate via Signal until I added their specific IP addresses (10.0.0.2 and 10.0.0.3) to their WireGuard configs.

However, I still face a significant issue: every search they perform goes through my IP address instead of theirs.

The Research

I've researched this problem extensively and believe that split tunneling is the solution: I need to configure the setup so that only 192.168.8.170 gets routed through the VPN, while all other traffic is handled by their local router instead of mine. Ideally, my device should be able to access everything on the LAN and automatically route certain traffic through a VPS (like accessing HigherGround), but when performing general internet tasks (e.g., searching for "how to make a sandwich"), it gets routed from my router to ProtonVPN.

I've managed to get ProtonVPN working, but still struggle with integrating WireGuard on my phone to work with ProtonVPN on the server. From what I've read, using iptables and creating specific rules might be necessary to allow only certain devices to access 192.168.8.170 (HigherGround) while keeping their local internet traffic separate.

My long-term goal is to configure this setup so that my friends' local traffic remains on their network, but for HigherGround services, it routes through the VPN tunnel or ProtonVPN if necessary.

My Nix config for WireGuard (please let me know if I'm being stoopid with something; networking is HARRRD)

# WIREGUARD connect to higher ground
networking.wg-quick.interfaces = {
  # "wg0" is the network interface name. You can name the interface arbitrarily.
  caveout0 = { # Goes to ProtonVPN
    address = [ "10.2.0.2/32" ];
    dns = [ "10.2.0.1" ];
    privateKeyFile = "/root/wiregaurd/privatekey";
    peers = [
      { # From HigherGround to Proton
        publicKey = "magic numbers and letters";
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        endpoint = "79.135.104.37:51820";
        persistentKeepalive = 25;
      }
    ];
  };

  cavein0 = {
    # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface
    address = [ "10.0.0.1/24" ];
    dns = [ "192.168.8.1" "9.9.9.9" ];
    # The port that WireGuard listens to - recommended that this be changed from default
    listenPort = 51820;
    # Path to the server's private key
    privateKeyFile = "magic numbers and letters";

    # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
    postUp = ''
      ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
    '';

    # Undo the above
    preDown = ''
      ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
    '';

    peers = [
      { # friend1
        publicKey = "magic numbers and letters";
        # Note: "192.168.8.170/24" is a network prefix, so WireGuard reads it as 192.168.8.0/24 (the whole LAN), not the single host
        allowedIPs = [ "10.0.0.3/32" "192.168.8.170/24" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # My phone
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.2/32" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # friend 2
        publicKey = "magic numbers and letters";
        # Same /24 prefix as friend1: covers all of 192.168.8.0/24
        allowedIPs = [ "10.0.0.4/32" "192.168.8.170/24" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }
      { # friend 3
        publicKey = "magic numbers and letters";
        allowedIPs = [ "10.0.0.5/32" ];
        endpoint = "magic numbers and letters";
        presharedKey = "magic numbers and letters";
        persistentKeepalive = 25;
      }

      # More peers can be added here.
    ];
  };
};

# Enable NAT
networking.nat = {
  enable = true;
  enableIPv6 = false;
  externalInterface = "enp5s0";
  internalInterfaces = [ "cavein0" ];
};

# dnsmasq: `enable` belongs on services.dnsmasq itself, and dnsmasq options go
# under `settings` as attributes (there is no `extraConfig` inside `settings`)
services.dnsmasq = {
  enable = true;
  settings.interface = "cavein0";
};

Any help would be appreciated, thanks.

References: Futo Wiki: https://wiki.futo.org/index.php/Introduction_to_a_Self_Managed_Life:_a_13_hour_%26_28_minute_presentation_by_FUTO_software

NixOS Wireguard: https://wiki.nixos.org/w/index.php?title=WireGuard&mobileaction=toggle_view_desktop

Just an FYI, the main portion of the paragraph was put into llama3.1 with the prompt "take the following prompt and fix the grammar, spelling and spacing to make it more readable" because I'm bad at English and didn't want to pain people with my choppy sentences and poor grammar.
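A server-side split-tunnel layout for the situation described in the post, added here as an example and not taken from the poster's config: each peer's allowedIPs on the server stays at its /32 tunnel address, the "only 192.168.8.170" restriction is enforced in the FORWARD chain, and the client side routes only that host and the tunnel subnet through the VPN, so a friend's web traffic never leaves through the home IP. Interface names, addresses and the HigherGround host come from the post; the key-file paths and public keys are placeholders.

```nix
# Added example, not the poster's configuration: server side of a split
# tunnel for the layout in the post. Friends reach only 192.168.8.170
# (HigherGround), the owner's phone (10.0.0.2) reaches the whole LAN, and
# nothing from the tunnel is forwarded to the internet, so no friend's web
# traffic leaves through this box. Key paths and public keys are placeholders.
{ pkgs, ... }:
let
  wan = "enp5s0";             # names taken from the post
  wg = "cavein0";
  lanHost = "192.168.8.170";  # HigherGround
  ipt = "${pkgs.iptables}/bin/iptables";
  # Same rule list for postUp (op = "-A") and preDown (op = "-D").
  forwardRules = op: ''
    # replies to connections the tunnel peers opened
    ${ipt} ${op} FORWARD -o ${wg} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # owner's phone: full LAN access
    ${ipt} ${op} FORWARD -i ${wg} -s 10.0.0.2 -j ACCEPT
    # every other tunnel peer: the one service host only
    ${ipt} ${op} FORWARD -i ${wg} -d ${lanHost} -j ACCEPT
    # default deny for the rest of the LAN and the internet, logged so
    # misrouted client traffic shows up in the journal
    ${ipt} ${op} FORWARD -i ${wg} -j LOG --log-prefix "wg-forward-drop: "
    ${ipt} ${op} FORWARD -i ${wg} -j DROP
    # NAT for the tunnel subnet towards the LAN (networking.nat is left off
    # so this is the only masquerade rule for ${wg})
    ${ipt} -t nat ${op} POSTROUTING -s 10.0.0.0/24 -o ${wan} -j MASQUERADE
  '';
in
{
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.firewall.allowedUDPPorts = [ 51820 ];   # UDP only, as in the post

  networking.wg-quick.interfaces.${wg} = {
    address = [ "10.0.0.1/24" ];
    listenPort = 51820;
    privateKeyFile = "/root/wireguard/privatekey";   # placeholder path
    postUp = forwardRules "-A";
    preDown = forwardRules "-D";
    peers = [
      { # owner's phone
        publicKey = "<phone public key>";            # placeholder
        presharedKeyFile = "/root/wireguard/phone.psk";
        allowedIPs = [ "10.0.0.2/32" ];
        persistentKeepalive = 25;
      }
      { # friend1. Server-side allowedIPs stays at the peer's /32: an entry
        # like "192.168.8.170/24" here is read as 192.168.8.0/24 and would
        # route the whole LAN into friend1's tunnel instead of limiting it.
        publicKey = "<friend1 public key>";          # placeholder
        presharedKeyFile = "/root/wireguard/friend1.psk";
        allowedIPs = [ "10.0.0.3/32" ];
        persistentKeepalive = 25;
      }
    ];
  };
}
# Client side (friend1's wg-quick config, usually not NixOS): AllowedIPs on
# the client decides what it routes into the tunnel, so the split tunnel is
#   AllowedIPs = 192.168.8.170/32, 10.0.0.0/24
# and all other traffic, DNS included, keeps using the friend's own router.
```

The check after a rebuild is `wg show cavein0` for the handshake plus a `curl` of a public IP-echo site from a friend's device: with the client-side AllowedIPs above it must report the friend's own address, and anything they try against the rest of 192.168.8.0/24 shows up as `wg-forward-drop:` lines in `journalctl -k`.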

submitted 2 weeks ago* (last edited 2 weeks ago) by hungrybread@hexbear.net to c/nixos@lemmy.ml

Does anyone have advice on installing 32bit packages on 64bit systems?

I have tried several times to set up Rocksmith 2014 with wineasio using this guide (and a couple of others, but this seemed like the best one), but it seems to be a little out-of-date. After rebuilding my system wineasio is installed, but only the 64-bit version of the library is installed (the 32- and 64-bit Windows DLLs are both present, but I assume that those are just copied over for either version of the wineasio package). The script linked in this section fails to find i386-unix/wineasio32.dll.so, and I have not been able to locate it or figure out a way to install it.

I've particularly focused on this section of my nix config:

programs.steam = {
  enable = true;
  package = pkgs.steam.override {
    extraLibraries = pkgs: [ pkgs.pkgsi686Linux.pipewire.jack ]; # Tried pkgs.pkgsi686Linux.wineasio here
    extraPkgs = pkgs: [ pkgs.wineasio ]; # Also tried pkgs.pkgsi686Linux.wineasio here
  };
};

but I'm not really sure what to change here or even quite what to search for in the docs.

Probably not very helpful, but this is the latest error I've seen when just trying to insert pkgs.pkgsi686Linux.wineasio into that package declaration:

error: Package ‘wine-wow-10.0’ in /nix/store/pgg4vm83q0kr4hxzcwhdgdiv2yfnh3dw-source/pkgs/applications/emulators/wine/base.nix:194 is not available on the requested hostPlatform:
         hostPlatform.config = "i686-unknown-linux-gnu"
         package.meta.platforms = [
           "x86_64-linux"
         ]
         package.meta.badPlatforms = [
           "x86_64-darwin"
         ]
       , refusing to evaluate.

Any advice on how to troubleshoot this? Solving this would be nice, but learning how to fish would be even better.

Thanks in advance!


As per title, I am mind-blown by the speed and stability of NixOS on this "relic" in IT terms... On this machine I tested:

Distro Performance
Fedora MEGA slow
Ubuntu OKish
LMDE Fast
Debian Fast
NixOS VERY Fast

And the best thing is that I can bring this config with me on any computer! Oh boy, I think I have fallen in love with NixOS

submitted 2 months ago* (last edited 2 months ago) by TROJANHEX@hexbear.net to c/nixos@lemmy.ml

I have tried to allow unfree packages to install Steam and Discord but nothing worked. Here are some of the things I have tried:

1. { allowUnfree = true; allowUnfreePredicate = pkg: true; }

{ nixpkgs.config.allowUnfree = true; }

( config, pkgs, allow unfree=true)

Every time I tried to rebuild, something would go wrong, so I tried temporary stuff like NIXPKGS_ALLOW_UNFREE=1 nix-shell and --impure, but nothing worked.

What should I do???
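As an added example (not one of the snippets in the post), the system-level form that both Steam and Discord need on NixOS: nixpkgs.config is set in configuration.nix, and an allowUnfreePredicate keeps the allowance limited to named packages instead of a blanket allowUnfree = true, which is easier to audit. The package-name list is an assumption about current nixpkgs; if a build is still refused, the name it reports is the one to add.

```nix
# configuration.nix fragment -- added example, not from the post.
{ lib, pkgs, ... }:
{
  # Only these unfree packages are permitted; any other unfree package still
  # fails evaluation, so the set of accepted licences stays explicit.
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "steam"
      "steam-original"
      "steam-run"
      "steam-unwrapped"   # name used by newer nixpkgs steam packaging (assumption)
      "discord"
    ];

  programs.steam.enable = true;
  environment.systemPackages = [ pkgs.discord ];
}
# Outside configuration.nix (nix-shell, nix-env) the equivalent setting is
# `{ allowUnfree = true; }` in ~/.config/nixpkgs/config.nix; with flakes the
# NIXPKGS_ALLOW_UNFREE=1 variable is only honoured together with --impure.
```

After `nixos-rebuild switch`, `nix-instantiate --eval -E '(import <nixpkgs> {}).steam.meta.license.free'` still reports false; the predicate does not change the licence, it only records which unfree packages this system has agreed to build.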

submitted 4 months ago* (last edited 4 months ago) by dadarobot@lemmy.sdf.org to c/nixos@lemmy.ml

I have a program that I wrote; maybe I didn't package it appropriately, but I cannot get it to run. I wrote it on a Manjaro install and tested it on another Manjaro install, and both were fine. I packaged it with poetry and copied the wheel over.

Today I tried to install it on my nixos surface tablet I use at work. I get this error on installation:

Traceback (most recent call last):
  File "/home/gzuh/.local/bin/willcallgui", line 5, in <module>
    from willcallgui import willcallgui
  File "/home/gzuh/.local/share/pipx/venvs/willcallgui/lib/python3.11/site-packages/willcallgui/willcallgui.py", line 12, in <module>
    import tkinter as tk
  File "/nix/store/h723hb9m43lybmvfxkk6n7j4v664qy7b-python3-3.11.9/lib/python3.11/tkinter/__init__.py", line 38, in <module>
    import _tkinter # If this fails your Python may not be configured for Tk
    ^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named '_tkinter'

These are the packages I have installed... I'm trying to install it with pipx...

environment.systemPackages = with pkgs; [
    vim
    wget
    screen
    google-chrome
    openssh
    blackbox-terminal
    tailscale
    gnome.gnome-tweaks
    imagemagick
    git
    python311Full
    python311Packages.tkinter
    python311Packages.pip
    python311Packages.pipx

  ];

What am I missing?


How do you self-host a Nix package repo and install Nix packages from 3rd-party repos? Is this even possible?

Other package managers allow you to install packages from 3rd-party repos, such as Flatpak, apt, F-Droid, Scoop, and Winget.

And are there any known 3rd-party Nix package repos?


Working in a Virtualbox VM using the standard KDE version of the .iso. I get locked out due to inactivity during a live environment session. Trying to enter the empty password doesn't help me. How do I deal with this graciously?


cross-posted from: https://beehaw.org/post/13758256

You can change the color theme of your whole desktop with a single line of code.

Currently supported adapters:

  • Adwaita (GTK3, GTK4)
  • Alacritty
  • dunst
  • Firefox (hijacking the default theme with userchrome.css)
  • GTK2
  • Kvantum
  • Rofi
  • swaylock
  • Wezterm

repo: https://gitlab.com/vfosnar/nix-colors-adapters / https://github.com/vfosnar/nix-colors-adapters


cross-posted from: https://programming.dev/post/13537798

Exciting Partnership Announcement: Framework Community & NixOS Communities Join Forces!


cross-posted from: https://lemmy.world/post/14160134

I want to reset my server soon and I'm toying with the idea of using a different operating system. I am currently using Ubuntu Server LTS. However, I have been toying with the idea of using Fedora Server (I use Fedora on my laptop and have had good experiences with it) or even Fedora CoreOS. I also recently installed NixOS on my desktop computer and find the declarativeness pretty cool (but I'm still a complete beginner) and could imagine that it would fit well into a server setup.

I have quite a few services running on my server, such as Nextcloud, Conduit (Matrix), Jellyfin, etc. and all in containers. I would also rather not install programs without containers, because 1. compose is super easy to maintain and set up, 2. it remains very clear with containers (and compose) and 3. I believe that containers are more secure. But since I also want to make the services inside the containers available, I currently have Nginx installed as a reverse proxy (not in the container, but on the system) and always create certificates with certbot so that I can use HTTPS encryption.

In the paragraph above I actually described exactly the use-case of Fedora CoreOS, but I have no experience with the system and how it works. That's why I'm still a bit hesitant at considering the OS at the moment. I can imagine that NixOS with its declarative nature seems well suited, since, as I have heard, you can configure containers as well as Nginx and with Nginx also https certificates declaratively. But I could also use a base system like before (Fedora Server or Ubuntu Server) and simply install podman, nginx and certbot and manage everything that way.

Have you had any experience with Fedora Server, Fedora CoreOS, NixOS or a completely different operating system for servers and what are/were your impressions with this setup? Or do you just want to share your knowledge here? I would be delighted.
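To make the "containers plus nginx plus certificates, all declarative" point from the post concrete, here is an added example (not from the post or any of the projects it names): one containerised service published through nginx with an ACME certificate, with the container bound to loopback so nginx is the only way in. The hostname, email and image are placeholders.

```nix
# configuration.nix fragment -- added example, not from the post. One service
# in a container, fronted by nginx with a Let's Encrypt certificate, all
# declared in one place. Hostname, email and image are placeholders.
{ ... }:
{
  # podman rather than docker: no root daemon behind the container socket
  virtualisation.podman.enable = true;
  virtualisation.oci-containers = {
    backend = "podman";
    containers.jellyfin = {
      image = "docker.io/jellyfin/jellyfin:latest";   # pin a digest in practice
      ports = [ "127.0.0.1:8096:8096" ];              # loopback only; nginx is the door
      volumes = [ "/var/lib/jellyfin:/config" ];
    };
  };

  # replaces the manual certbot runs: renewal is a systemd timer
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.com";
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."media.example.com" = {
      enableACME = true;
      forceSSL = true;   # port 80 only redirects and answers ACME challenges
      locations."/".proxyPass = "http://127.0.0.1:8096";
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

The equivalent of a compose file and a certbot cron job is then a single `nixos-rebuild switch`; `systemctl status podman-jellyfin.service` and `systemctl list-timers 'acme-*'` show the two generated units.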


cross-posted from: https://leminal.space/post/4750886

It took me some time to work out how to get my ssh agent set up in Niri, so I thought I would share what I did. I'm using NixOS and Home Manager. I put this in my Home Manager config:

services.gnome-keyring = {
  enable = true;
  components = [ "pkcs11" "secrets" "ssh" ];
};
home.sessionVariables.SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/keyring/ssh";

I'm using GDM according to NixOS' default configuration which I think runs gnome-keyring (I thought I saw it in the process list before I set up the user unit), and I think that configuration is automatically unlocking gnome-keyring when I log in via PAM integration. But apparently I need to run gnome-keyring again in my window manager session. Home Manager's services.gnome-keyring adds a systemd user unit that does that.


cross-posted from: https://lemmy.world/post/13113247

After learning how to add an unstable overlay to nixpkgs, being able to override individual service modules from unstable was something that I still struggled with until fairly recently. Hopefully this helps someone else looking to do this common-but-not-very-obvious operation.


Hi, I am a beginner on NixOS and I am confused about how to set up fonts on it. I have home-manager working properly and nerd-fonts installed. Now, how do I set up system, GTK, emoji and Indic fonts?

Any article or part of config please.


So I have been experiencing screen blackout when I use any refresh rate above 60Hz. On Arch I was able to solve this by setting a udev rule as mentioned in this ArchWiki article, but it seems like I can't do the same in NixOS using the traditional way. Is there anything I need to add in the configuration.nix file to achieve the same?


Hi, sorry if that title isn't very clear. I just started learning about nix a couple days ago; I'll explain what I mean.

I'm trying to set up a web application that I'm currently hosting with Docker containers, but do it with nix instead, like what's shown in this blog post: https://carjorvaz.com/posts/the-holy-grail-nextcloud-setup-made-easy-by-nixos/

However, I don't have NixOS on my server. I'm using Debian, with the nix package manager installed.

Is it possible to use a nix config file, like the one below, when only using the nix package manager? Currently it errors when I try to call nix-build with it, giving an error about calling a lambda function that never called self. If I remove the self argument, it complains about config, and so on.

{ self, config, lib, pkgs, ... }:

{
  services = {
    nextcloud = {
      enable = true;
      hostName = "cloud.example.com";

      package = pkgs.nextcloud27;

      # Let NixOS install and configure the database automatically.
      database.createLocally = true;

      # Let NixOS install and configure Redis caching automatically.
      configureRedis = true;

      < other settings here... >
    };
  };
}

From what I've read, the services part of that creates systemd services, which makes me think that it only works if you're on a full NixOS system and not only using the nix package manager. But it's been difficult to find a clear answer on that, probably because I'm still learning what terms to search for.
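The reading in the post is right: `services.*` options are NixOS module options, and the file is a module (a function the module system calls with `config`, `pkgs`, etc.), which is why `nix-build` on it alone complains about `self` and then `config`. What a plain `nix` install on Debian can still do is evaluate that module through the NixOS module system and build a VM from it. The following default.nix is an added example, not from the post or the linked blog; it assumes `<nixpkgs>` on NIX_PATH, and the hostname, password and stateVersion are placeholders.

```nix
# default.nix -- added example, not from the post or the linked blog post.
# The file in the post is a NixOS *module*: `{ self, config, lib, pkgs, ... }:`
# is a function that the NixOS module system calls with those arguments.
# Evaluating it through <nixpkgs/nixos> supplies them. On a non-NixOS host the
# usable output is a QEMU VM:
#   nix-build -A vm && ./result/bin/run-*-vm
# Assumes <nixpkgs> on NIX_PATH; hostname, password and stateVersion are
# placeholders. The `self` argument is a flake-only input and is dropped here.
let
  nixos = import <nixpkgs/nixos> {
    configuration = { config, lib, pkgs, ... }: {
      services.nextcloud = {
        enable = true;
        hostName = "cloud.example.com";
        package = pkgs.nextcloud27;          # as in the post
        database.createLocally = true;
        configureRedis = true;
        # required by the module; a throwaway test password that ends up
        # world-readable in the store, so only for a local VM
        config.adminpassFile = "${pkgs.writeText "nc-adminpass" "changeme"}";
      };
      # reach the VM's port 80 on the host as http://localhost:8080
      virtualisation.forwardPorts = [
        { from = "host"; host.port = 8080; guest.port = 80; }
      ];
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "23.05";
    };
  };
in
{
  # only `vm` is exposed: on a non-NixOS host there is no system to switch to
  inherit (nixos) vm;
}
```

`nix-build -A vm` is a good way to check that a module evaluates before touching a real server; the VM's state lives in a `nixos.qcow2` file next to the result link, so it can be deleted and rebuilt freely. Running the resulting systemd services on the Debian host itself is not something this produces; for that the host has to be NixOS (or the service has to be packaged outside the module system).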
