diff --git a/.gitignore b/.gitignore
index 6324adf..bdb48ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
 result
-*-iso
 *.iso
diff --git a/desktop.nix b/desktop.nix
deleted file mode 100644
index 4c400e3..0000000
--- a/desktop.nix
+++ /dev/null
@@ -1,168 +0,0 @@ -{ config, pkgs, ... }: -let - Xresources = "${pkgs.writeText "Xresources" '' - Xft.dpi: 96 - Xft.antialias: true - Xft.hinting: true - Xft.rgba: rgb - Xft.autohint: false - Xft.hintstyle: hintslight - Xft.lcdfilter: lcddefault - - Xcursor.theme: xcursor-breeze - Xcursor.size: 0 - ''}"; -in -{ - assertions = [ - { - assertion = config.users.users ? "vili"; - message = "User 'vili' needed for desktop!"; - } - ]; - - imports = [ ./program-config-files/firefox.nix ]; - - environment.systemPackages = with pkgs; [ - alacritty - i3status - rofi - arandr - telegram-desktop - signal-desktop - discord - vlc - pavucontrol - viewnior - xfce.mousepad - pcmanfm - libreoffice - evince - brightnessctl - networkmanagerapplet - flameshot - speedcrunch - bitwarden - - zotero - kile - texliveFull - imagemagick - ghostscript - kdePackages.okular - ]; - programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock"; - security = { - pam = { - rssh.enable = true; - services = { - sudo.rssh = true; - }; - }; - sudo.execWheelOnly = true; - }; - - programs.i3lock.enable = true; - services = { - displayManager = { - defaultSession = "none+i3"; - autoLogin.enable = true; - autoLogin.user = "vili"; - }; - xserver = { - enable = true; - displayManager = { - lightdm.enable = true; - sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${Xresources}''; - }; - windowManager.i3 = { - enable = true; - extraPackages = [ ]; - configFile = "${ - (import ./program-config-files/i3.nix { - inherit config; - inherit pkgs; - }) - }"; - }; - }; - - printing.enable = true; - avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - - pipewire.enable = false; - pulseaudio.enable = true; - }; - nixpkgs.config.pulseaudio = true; - - security.polkit.enable = true; - - xdg.mime.defaultApplications = { - "application/pdf" = "org.gnome.Evince.desktop"; - "text/plain" = "org.xfce.mousepad.desktop"; - "text/x-tex" = "org.kde.kile.desktop"; - 
"inode/directory" = "pcmanfm.description"; - }; - - qt = { - enable = true; - style = "adwaita-dark"; - platformTheme = "gnome"; - }; - - system.userActivationScripts.mkDesktopSettingsSymlinks.text = - let - home = "/home/vili/"; - paths = [ - rec { - dir = "${home}.config/pcmanfm/default/"; - file = "pcmanfm.conf"; - full = "${dir}${file}"; - source = "${./program-config-files/pcmanfm.conf}"; - } - rec { - dir = "${home}.config/libfm/"; - file = "libfm.conf"; - full = "${dir}${file}"; - source = "${./program-config-files/libfm.conf}"; - } - rec { - dir = "${home}.config/gtk-3.0/"; - file = "bookmarks"; - full = "${dir}${file}"; - source = "${./program-config-files/gtk-bookmarks}"; - } - rec { - dir = "${home}"; - file = ".gtkrc-2.0"; - full = "${dir}${file}"; - source = "${./program-config-files/gtkrc-2.0}"; - } - rec { - dir = "${home}.config/gtk-3.0/"; - file = "settings.ini"; - full = "${dir}${file}"; - source = "${./program-config-files/gtk-3-4-settings.ini}"; - } - rec { - dir = "${home}.config/gtk-4.0/"; - file = "settings.ini"; - full = "${dir}${file}"; - source = "${./program-config-files/gtk-3-4-settings.ini}"; - } - ]; - in - toString ( - map (path: '' - mkdir -p ${path.dir} - if test -e ${path.full} -a ! -L ${path.full}; then - mv -f ${path.full} ${path.full}.old - fi - ln -sf ${path.source} ${path.full} - '') paths - ); -} diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..108030b --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,171 @@ +{ + "nodes": { + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "ixx": { + "inputs": { + "flake-utils": [ + "nixvim", + "nuschtosSearch", + "flake-utils" + ], + "nixpkgs": [ + "nixvim", + "nuschtosSearch", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748294338, + "narHash": "sha256-FVO01jdmUNArzBS7NmaktLdGA5qA3lUMJ4B7a05Iynw=", + "owner": "NuschtOS", + "repo": "ixx", + "rev": "cc5f390f7caf265461d4aab37e98d2292ebbdb85", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "ref": "v0.0.8", + "repo": "ixx", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1749024892, + "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixvim": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "nuschtosSearch": "nuschtosSearch", + "systems": "systems_2" + }, + "locked": { + "lastModified": 1749028068, + "narHash": "sha256-ebxyRA7rK6Jb3eXvz+0QcyKLHzUnUQWRFDbKleLdLZ8=", + "owner": "nix-community", + 
"repo": "nixvim", + "rev": "1d8724144cef98dad6638e0b6333cc84d0b2f5c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, + "nuschtosSearch": { + "inputs": { + "flake-utils": "flake-utils", + "ixx": "ixx", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748298102, + "narHash": "sha256-PP11GVwUt7F4ZZi5A5+99isuq39C59CKc5u5yVisU/U=", + "owner": "NuschtOS", + "repo": "search", + "rev": "f8a1c221afb8b4c642ed11ac5ee6746b0fe1d32f", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "nixvim": "nixvim" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..0b257e3 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,40 @@ +{ + description = "All system configurations for Vili Sinervä"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + nixvim = { + url = "github:nix-community/nixvim"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = + { nixpkgs, nixvim, ... }: + { + nixosConfigurations = ( + let + hosts = builtins.attrNames (builtins.readDir ./hosts); + in + builtins.listToAttrs ( + map ( + host: + nixpkgs.lib.nameValuePair host ( + nixpkgs.lib.nixosSystem { + specialArgs = { + nixpkgs-flake = nixpkgs; + inherit nixvim; + }; + system = "x86_64-linux"; + modules = [ + { networking.hostName = host; } + ./hosts/${host}/configuration.nix + ./hosts/${host}/state.nix + ]; + } + ) + ) hosts + ) + ); + }; +} diff --git a/hosts/cert-store/configuration.nix b/hosts/cert-store/configuration.nix new file mode 100644 index 0000000..ea28884 --- /dev/null +++ b/hosts/cert-store/configuration.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ../../shared/base.nix + ../../shared/hardware/vm.nix + ../../servers/acme-cert-store.nix + ]; +} diff --git a/hosts/cert-store/state.nix b/hosts/cert-store/state.nix new file mode 100644 index 0000000..a5a8d61 --- /dev/null +++ b/hosts/cert-store/state.nix @@ -0,0 +1,39 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "24.11"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/301cf8bf-93f0-4ba6-b14f-b7be94b075a0"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9E16-9A5D"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} 
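Review bot: `hosts = builtins.attrNames (builtins.readDir ./hosts);` treats every directory entry as a host, so a stray file under hosts/ (an editor backup, a README) becomes a nixosConfigurations entry whose `./hosts/${host}/configuration.nix` does not exist and fails as soon as that entry is evaluated, e.g. by `nix flake check` or `nix flake show`. Filtering on the entry type avoids that: `hosts = builtins.attrNames (nixpkgs.lib.filterAttrs (_: type: type == "directory") (builtins.readDir ./hosts));`. Separately, `system = "x86_64-linux"` is applied to every host while the hosts/ tree also gains wg-rpi in this commit; if that machine is not x86_64 it cannot be built from this flake as written, and since each state.nix already sets `nixpkgs.hostPlatform`, the `system` argument could be dropped and the per-host value used instead.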
diff --git a/machine-confs/exoplasim.nix b/hosts/exoplasim/configuration.nix similarity index 89% rename from machine-confs/exoplasim.nix rename to hosts/exoplasim/configuration.nix index 2fe83cb..9a17b8f 100644 --- a/machine-confs/exoplasim.nix +++ b/hosts/exoplasim/configuration.nix @@ -1,11 +1,17 @@ -{ config, pkgs, ... }: { - imports = [ ../base.nix ]; + config, + pkgs, + lib, + ... +}: +{ + imports = [ + ../../shared/base.nix + ../../shared/hardware/vm.nix + ]; # Networking conf including WireGuard networking = { - hostName = "exoplasim"; - firewall.allowedUDPPorts = [ 51821 ]; wg-quick.interfaces = { @@ -42,7 +48,7 @@ }; users.groups.worker.gid = 1001; - system.autoUpgrade.allowReboot = pkgs.lib.mkForce false; + system.autoUpgrade.allowReboot = lib.mkForce false; programs.rust-motd = { enable = true; @@ -63,7 +69,4 @@ memory.swap_pos = "beside"; }; }; - - # HARDWARE SPECIFIC - services.qemuGuest.enable = true; } diff --git a/hosts/exoplasim/state.nix b/hosts/exoplasim/state.nix new file mode 100644 index 0000000..c8ead4b --- /dev/null +++ b/hosts/exoplasim/state.nix @@ -0,0 +1,39 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "24.05"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/17b26343-39c9-4598-97c0-b43aab7ed3a0"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9F45-5FDF"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/forgejo/configuration.nix b/hosts/forgejo/configuration.nix new file mode 100644 index 0000000..5de4085 --- /dev/null 
+++ b/hosts/forgejo/configuration.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ../../shared/base.nix + ../../shared/hardware/vm.nix + ../../servers/forgejo.nix + ]; +} diff --git a/hosts/forgejo/state.nix b/hosts/forgejo/state.nix new file mode 100644 index 0000000..82ab26a --- /dev/null +++ b/hosts/forgejo/state.nix @@ -0,0 +1,39 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "24.11"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/6de79a95-d101-4734-8482-1e0869498ce8"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/78B9-CA51"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/gaming/configuration.nix b/hosts/gaming/configuration.nix new file mode 100644 index 0000000..1d44bc9 --- /dev/null +++ b/hosts/gaming/configuration.nix @@ -0,0 +1,15 @@ +{ lib, ... }: +{ + imports = [ + ../../shared/base.nix + ../../shared/hardware/nvidia.nix + ../../shared/hardware/vm.nix + + ../../personal/desktop.nix + ../../personal/programs/i3.nix + + ../../servers/gaming-server.nix + ]; + + users.users.vili.hashedPasswordFile = lib.mkForce null; +} diff --git a/hosts/gaming/state.nix b/hosts/gaming/state.nix new file mode 100644 index 0000000..73748f0 --- /dev/null +++ b/hosts/gaming/state.nix 
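Review bot: `users.users.vili.hashedPasswordFile = lib.mkForce null;` in hosts/gaming/configuration.nix leaves the account with no password source at all, which with immutable users means password login is disabled for it; nothing says whether that is the intent (a key-only or non-interactive account) or an oversight, and the same line appears in hosts/syncthing/configuration.nix. A comment above it would stop a later reader from "fixing" it, e.g. `# Intentionally no password: vili is not meant for password/interactive login on this host`. Whether base.nix sets `users.mutableUsers = false` is not visible here; the nixos host forcing it back to true suggests it does, in which case the lock-out is real and worth stating.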
@@ -0,0 +1,45 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "24.11"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "xhci_pci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/22c7a7ae-cedc-43db-b4f1-d591466d8f60"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/1C79-66D7"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + fileSystems."/mnt/data" = { + device = "/dev/disk/by-uuid/dec871b2-5727-486c-978a-8bb2279bd2b8"; + fsType = "ext4"; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/helium/configuration.nix b/hosts/helium/configuration.nix new file mode 100644 index 0000000..353218f --- /dev/null +++ b/hosts/helium/configuration.nix 
@@ -0,0 +1,59 @@ +{ pkgs, lib, ... }: +{ + custom.home_wg_suffix = "2"; + system.autoUpgrade.allowReboot = lib.mkForce false; + + networking = { + wg-quick.interfaces = { + wg1 = { + autostart = false; + address = [ "10.100.0.7/24" ]; + dns = [ "1.1.1.1" ]; + privateKeyFile = "/root/wireguard-keys/privatekey-netflix"; + listenPort = 51820; + + peers = [ + { + publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE="; + allowedIPs = [ + "0.0.0.0/0" + "192.168.0.0/24" + ]; + endpoint = "netflix.vsinerva.fi:51821"; + } + ]; + }; + }; + }; + + services.xserver.displayManager.setupCommands = '' + ${pkgs.xorg.xrandr}/bin/xrandr --output DisplayPort-0 --auto --pos 0x0 --primary --output eDP --auto --pos 3840x360 + ''; + + imports = [ + ../../shared/base.nix + + ../../personal/desktop.nix + ../../personal/development.nix + + ../../personal/hardware/amd-laptop.nix + ../../personal/hardware/hibernate.nix + ../../personal/hardware/keychron-q11.nix + ../../personal/hardware/onlykey.nix + ../../personal/hardware/trackball.nix + + ../../personal/networking/home-wg.nix + ../../personal/networking/printing.nix + + ../../personal/programs/bitwarden.nix + ../../personal/programs/communication.nix + ../../personal/programs/firefox.nix + ../../personal/programs/i3.nix + ../../personal/programs/moonlight.nix + ../../personal/programs/redshift.nix + ../../personal/programs/study.nix + ../../personal/programs/usb-automount.nix + + ../../servers/syncthing.nix + ]; +} diff --git a/hosts/helium/state.nix b/hosts/helium/state.nix new file mode 100644 index 0000000..0a99093 --- /dev/null +++ b/hosts/helium/state.nix 
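Review bot: The deleted machine-confs/helium.nix (visible at the end of this diff) carried `services.openssh.openFirewall = false;`, and that line does not appear in the new hosts/helium/configuration.nix. If it was not moved into one of the imported modules such as ../../personal/desktop.nix, this commit silently opens the SSH port in the laptop's firewall; worth confirming on the built system and, if the removal is deliberate, saying so in the commit message. Smaller point in wg1: `"192.168.0.0/24"` is already covered by `"0.0.0.0/0"` in allowedIPs, so either the narrower entry is redundant or the broad one should go if only the LAN is meant to be routed through the tunnel.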
@@ -0,0 +1,50 @@ +{ + config, + lib, + modulesPath, + ... +}: +{ + system.stateVersion = "23.11"; + boot = { + resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b"; + kernelParams = [ "resume_offset=44537856" ]; + }; + + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "usbhid" + "usb_storage" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/25115cdc-3b55-4dbf-a414-98a1a3c44f52"; + fsType = "ext4"; + }; + + boot.initrd.luks.devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".device = + "/dev/disk/by-uuid/f6e1979b-0dee-4ee9-8170-10490019854b"; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/6E23-00AF"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/machine-confs/idacloud.nix b/hosts/idacloud/configuration.nix similarity index 88% rename from machine-confs/idacloud.nix rename to hosts/idacloud/configuration.nix index 2ec4498..07ad6fa 100644 --- a/machine-confs/idacloud.nix +++ b/hosts/idacloud/configuration.nix @@ -5,14 +5,13 @@ custom.collabora_domain = "idacollab.sinerva.eu"; imports = [ - ../base.nix - ../services/nextcloud.nix + ../../shared/base.nix + ../../shared/hardware/vm.nix + ../../servers/nextcloud.nix ]; # Networking conf including WireGuard networking = { - hostName = "idacloud"; - firewall.allowedUDPPorts = [ 51822 ]; wg-quick.interfaces = { @@ -38,7 +37,4 @@ }; }; }; - - # HARDWARE SPECIFIC - services.qemuGuest.enable = true; } diff --git a/hosts/idacloud/state.nix b/hosts/idacloud/state.nix new file mode 100644 index 0000000..7bf990f --- /dev/null 
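Review bot: The `/boot` mount in hosts/helium/state.nix uses `"fmask=0022"`/`"dmask=0022"`, which leaves the ESP world-readable, while the other new state.nix files (cert-store, exoplasim, forgejo, gaming, idacloud, lithium, siit-dc) use 0077; hosts/nextcloud/state.nix and hosts/syncthing/state.nix have the same 0022 masks, and hosts/vaultwarden/state.nix sets no options at all, so it gets the kernel's vfat default (umask 0, also world-readable). On a LUKS laptop like helium the ESP holds the initrd and boot entries, so `"fmask=0077"` and `"dmask=0077"` as on the other hosts is the safer and consistent choice; the 0022 values look like leftovers from an older nixos-generate-config and changing them needs no reformatting.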
+++ b/hosts/idacloud/state.nix @@ -0,0 +1,44 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "24.11"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/aaebdb14-a988-4cf8-bb33-f22419d55fbe"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/E1C0-7A9E"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + fileSystems."/var/lib/nextcloud" = { + device = "/dev/disk/by-uuid/634b600c-8d3e-4021-906a-f00b7750e61e"; + fsType = "ext4"; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/lithium/configuration.nix b/hosts/lithium/configuration.nix new file mode 100644 index 0000000..6027f17 --- /dev/null +++ b/hosts/lithium/configuration.nix @@ -0,0 +1,30 @@ +{ lib, ... }: +{ + custom.home_wg_suffix = "3"; + system.autoUpgrade.allowReboot = lib.mkForce false; + + imports = [ + ../../shared/base.nix + + ../../personal/desktop.nix + ../../personal/development.nix + + ../../personal/hardware/hibernate.nix + ../../personal/hardware/intel-laptop.nix + ../../personal/hardware/onlykey.nix + + ../../personal/networking/home-wg.nix + ../../personal/networking/printing.nix + + ../../personal/programs/bitwarden.nix + ../../personal/programs/communication.nix + ../../personal/programs/firefox.nix + ../../personal/programs/i3.nix + ../../personal/programs/moonlight.nix + ../../personal/programs/redshift.nix + ../../personal/programs/study.nix + ../../personal/programs/usb-automount.nix + + ../../servers/syncthing.nix + ]; +} diff --git a/hosts/lithium/state.nix b/hosts/lithium/state.nix new file mode 100644 index 0000000..3fd06a1 
--- /dev/null +++ b/hosts/lithium/state.nix @@ -0,0 +1,45 @@ +{ + config, + lib, + modulesPath, + ... +}: +{ + system.stateVersion = "24.05"; + boot.kernelParams = [ "resume_offset=39292928" ]; + + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "thunderbolt" + "nvme" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/b43fe465-80e9-48d4-a4be-1113c917330e"; + fsType = "ext4"; + }; + + boot.initrd.luks.devices."nixos".device = "/dev/disk/by-uuid/4dc2fd8c-71da-4b95-91d5-7a118387172b"; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/D8BB-B91A"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/nextcloud/configuration.nix b/hosts/nextcloud/configuration.nix new file mode 100644 index 0000000..99c2654 --- /dev/null +++ b/hosts/nextcloud/configuration.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + custom.nextcloud_domain = "nextcloud.vsinerva.fi"; + + imports = [ + ../../shared/base.nix + ../../shared/hardware/vm.nix + ../../servers/nextcloud.nix + ]; +} diff --git a/hosts/nextcloud/state.nix b/hosts/nextcloud/state.nix new file mode 100644 index 0000000..9f49631 --- /dev/null +++ b/hosts/nextcloud/state.nix 
@@ -0,0 +1,39 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "23.05"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/428cdba7-04a8-4e69-992a-96aa197cd6c7"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/08B5-BFD8"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/machine-confs/generic.nix b/hosts/nixos/configuration.nix similarity index 70% rename from machine-confs/generic.nix rename to hosts/nixos/configuration.nix index 32e9ec8..c73a14e 100644 --- a/machine-confs/generic.nix +++ b/hosts/nixos/configuration.nix @@ -1,12 +1,12 @@ -{ pkgs, ... }: +{ lib, ... }: { networking.hostName = "nixos"; - imports = [ ../base.nix ]; + imports = [ ../../shared/base.nix ]; #Many installs will need this, and it won't hurt either way services.qemuGuest.enable = true; #Prevent user from being locked out of the system before switching to proper config - users.mutableUsers = pkgs.lib.mkForce true; + users.mutableUsers = lib.mkForce true; } diff --git a/hosts/siit-dc/configuration.nix b/hosts/siit-dc/configuration.nix new file mode 100644 index 0000000..3471cbe --- /dev/null +++ b/hosts/siit-dc/configuration.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ../../shared/base.nix + ../../shared/hardware/vm.nix + ../../servers/siit-dc.nix + ]; +} diff --git a/hosts/siit-dc/state.nix b/hosts/siit-dc/state.nix new file mode 100644 index 0000000..00c45f5 --- /dev/null +++ b/hosts/siit-dc/state.nix 
@@ -0,0 +1,39 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "24.05"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/81dc35b1-5a34-4924-b864-b53e5ca9df24"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/D171-033F"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/syncthing/configuration.nix b/hosts/syncthing/configuration.nix new file mode 100644 index 0000000..e401e25 --- /dev/null +++ b/hosts/syncthing/configuration.nix @@ -0,0 +1,12 @@ +{ lib, ... }: +{ + imports = [ + ../../shared/base.nix + ../../shared/hardware/vm.nix + ../../shared/users/vili.nix + + ../../servers/syncthing.nix + ]; + + users.users.vili.hashedPasswordFile = lib.mkForce null; +} diff --git a/hosts/syncthing/state.nix b/hosts/syncthing/state.nix new file mode 100644 index 0000000..eef4aba --- /dev/null +++ b/hosts/syncthing/state.nix 
@@ -0,0 +1,44 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "22.11"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/895d2004-3bd2-4bc5-bb46-62f94a0a68e3"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/38AD-EFDC"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + + fileSystems."/home/vili" = { + device = "/dev/disk/by-uuid/d08136ed-7950-412c-bcf6-7c6e9f015e47"; + fsType = "ext4"; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/vaultwarden/configuration.nix b/hosts/vaultwarden/configuration.nix new file mode 100644 index 0000000..ccfb135 --- /dev/null +++ b/hosts/vaultwarden/configuration.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ../../shared/base.nix + ../../shared/hardware/vm.nix + ../../servers/vaultwarden.nix + ]; +} diff --git a/hosts/vaultwarden/state.nix b/hosts/vaultwarden/state.nix new file mode 100644 index 0000000..931558c --- /dev/null +++ b/hosts/vaultwarden/state.nix 
@@ -0,0 +1,35 @@ +{ lib, modulesPath, ... }: +{ + system.stateVersion = "23.11"; + + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/22f0fb39-e264-450d-b575-9dedd2a02361"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A604-6A7B"; + fsType = "vfat"; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/machine-confs/wg-rpi.nix b/hosts/wg-rpi/configuration.nix similarity index 98% rename from machine-confs/wg-rpi.nix rename to hosts/wg-rpi/configuration.nix index 0ef3e8d..afe65be 100644 --- a/machine-confs/wg-rpi.nix +++ b/hosts/wg-rpi/configuration.nix @@ -8,7 +8,7 @@ let ddPassFile = "/root/wg-conf/ddPassFile"; in { - imports = [ ../base.nix ]; + imports = [ ../../shared/base.nix ]; environment.systemPackages = with pkgs; [ wireguard-tools diff --git a/misc/custom-iso-base.nix b/installer/base.nix similarity index 76% rename from misc/custom-iso-base.nix rename to installer/base.nix index 37d10ab..237b949 100644 --- a/misc/custom-iso-base.nix +++ b/installer/base.nix @@ -46,7 +46,7 @@ let nixos-generate-config --root /mnt mv /mnt/etc/nixos/configuration.nix configuration.nix.old - curl https://forgejo.sinerva.eu/VSinerva/nixos-conf/raw/branch/main/misc/template-configuration.nix -o /mnt/etc/nixos/configuration.nix + curl https://forgejo.sinerva.eu/VSinerva/nixos-conf/raw/branch/main/installer/template-configuration.nix -o /mnt/etc/nixos/configuration.nix ''; in { 
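Review bot: The `curl` in installer/base.nix still runs without `-f`, so a 404 or an HTML error page from forgejo.sinerva.eu is written verbatim into /mnt/etc/nixos/configuration.nix and the breakage only surfaces at nixos-install; the path change in this hunk makes that more likely until the new installer/ layout is live on main. `curl -fsSL https://forgejo.sinerva.eu/VSinerva/nixos-conf/raw/branch/main/installer/template-configuration.nix -o /mnt/etc/nixos/configuration.nix` makes a non-2xx response abort the script instead. The template is fetched from a mutable branch at install time rather than shipped in the ISO, so pinning a revision or bundling the file into the image would also make the installer reproducible; the enclosing `let` block starts outside this hunk.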
@@ -57,18 +57,7 @@ in environment.systemPackages = (with pkgs; [ - (onlykey.override (prev: { - node_webkit = prev.node_webkit.overrideAttrs { - src = fetchurl { - url = "https://dl.nwjs.io/v0.71.1/nwjs-v0.71.1-linux-x64.tar.gz"; - hash = "sha256-bnObpwfJ6SNJdOvzWTnh515JMcadH1+fxx5W9e4gl/4="; - }; - }; - })) - cryptsetup - onlykey-cli - onlykey-agent ]) ++ [ create-partitions @@ -76,13 +65,6 @@ in prep-install ]; - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-curses; - }; - hardware.onlykey.enable = true; - isoImage.squashfsCompression = "gzip -Xcompression-level 1"; #Many installs will need this, and it won't hurt either way diff --git a/misc/custom-gnome-iso.nix b/installer/graphical.nix similarity index 64% rename from misc/custom-gnome-iso.nix rename to installer/graphical.nix index d76c90b..dfd8bec 100644 --- a/misc/custom-gnome-iso.nix +++ b/installer/graphical.nix @@ -1,7 +1,7 @@ { ... }: { imports = [ - - ./custom-iso-base.nix + + ./base.nix ]; } diff --git a/installer/minimal.nix b/installer/minimal.nix new file mode 100644 index 0000000..30f4160 --- /dev/null +++ b/installer/minimal.nix @@ -0,0 +1,9 @@ +{ lib, ... }: +{ + imports = [ + + ./base.nix + ]; + + networking.networkmanager.enable = lib.mkForce false; +} diff --git a/machine-confs/cert-store.nix b/machine-confs/cert-store.nix deleted file mode 100644 index 93e3e0c..0000000 --- a/machine-confs/cert-store.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -{ - networking.hostName = "cert-store"; - - imports = [ - ../base.nix - ../services/acme-cert-store.nix - ]; - - #Many installs will need this, and it won't hurt either way - services.qemuGuest.enable = true; - - #Prevent user from being locked out of the system before switching to proper config - users.mutableUsers = pkgs.lib.mkForce true; -} diff --git a/machine-confs/forgejo.nix b/machine-confs/forgejo.nix deleted file mode 100644 index 53f4f78..0000000 
--- a/machine-confs/forgejo.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - networking.hostName = "forgejo"; - - imports = [ - ../base.nix - ../services/forgejo.nix - ]; - - # HARDWARE SPECIFIC - services.qemuGuest.enable = true; -} diff --git a/machine-confs/gaming.nix b/machine-confs/gaming.nix deleted file mode 100644 index 4e2201b..0000000 --- a/machine-confs/gaming.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ lib, ... }: -{ - networking.hostName = "gaming"; - - imports = [ - ../base.nix - ../desktop.nix - ../users/vili.nix - ../services/gaming-server.nix - ../hardware-specific/nvidia.nix - ]; - - users.users.vili.hashedPasswordFile = lib.mkForce null; - services.qemuGuest.enable = true; -} diff --git a/machine-confs/helium.nix b/machine-confs/helium.nix deleted file mode 100644 index 470a029..0000000 --- a/machine-confs/helium.nix +++ /dev/null 
@@ -1,100 +0,0 @@ -{ pkgs, config, ... }: -{ - networking = { - hostName = "helium"; - - wg-quick.interfaces = { - wg0 = { - autostart = true; - address = [ "${config.custom.gua_pref}ff::2/64" ]; - dns = [ - "${config.custom.gua_pref}ff::1" - "vsinerva.fi" - ]; - privateKeyFile = "/root/wireguard-keys/privatekey-home"; - listenPort = 51820; - - peers = [ - { - publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34="; - presharedKeyFile = "/root/wireguard-keys/psk-home"; - allowedIPs = [ "::/0" ]; - endpoint = "wg.vsinerva.fi:51820"; - } - ]; - }; - wg1 = { - autostart = false; - address = [ "10.100.0.7/24" ]; - dns = [ "1.1.1.1" ]; - privateKeyFile = "/root/wireguard-keys/privatekey-netflix"; - listenPort = 51820; - - peers = [ - { - publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE="; - allowedIPs = [ - "0.0.0.0/0" - "192.168.0.0/24" - ]; - endpoint = "netflix.vsinerva.fi:51821"; - } - ]; - }; - }; - }; - # Dirty hack to fix autostart failing due to DNS lookups - systemd.services."wg-quick-wg0".serviceConfig = { - Restart = "on-failure"; - RestartSec = "1s"; - }; - services.clatd = { - enable = true; - settings.clat-v6-addr = "${config.custom.gua_pref}ff::c2"; - }; - systemd.services.clatd.wants = [ "wg-quick-wg0.service" ]; - - services.openssh.openFirewall = false; - services.fail2ban.enable = pkgs.lib.mkForce false; - - imports = [ - ../base.nix - ../users/vili.nix - ../desktop.nix - ../development.nix - ../services/syncthing.nix - ../services/redshift.nix - ../services/moonlight.nix - ../hardware-specific/onlykey.nix - ../hardware-specific/keychron-q11.nix - ../hardware-specific/trackball.nix - ../hardware-specific/amd-laptop.nix - ../hardware-specific/usb-automount.nix - ]; - - services.xserver.displayManager.setupCommands = '' - ${pkgs.xorg.xrandr}/bin/xrandr --output DisplayPort-0 --auto --pos 0x0 --primary --output eDP --auto --pos 3840x360 - ''; - - system.autoUpgrade.allowReboot = pkgs.lib.mkForce false; - - swapDevices = pkgs.lib.mkForce [ - { 
- device = "/var/lib/swapfile"; - size = 16 * 1024; - } - ]; - - boot = { - loader.timeout = 3; - initrd.luks = { - fido2Support = true; - devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".fido2 = { - passwordLess = true; - credential = "df9233221fa09173fea61d8b8516d184f8ede475024a88201b34d838ecf306ee070052dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec014d86afa01"; - }; - }; - resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b"; - kernelParams = [ "resume_offset=44537856" ]; - }; -} diff --git a/machine-confs/lithium.nix b/machine-confs/lithium.nix deleted file mode 100644 index 1061d7d..0000000 --- a/machine-confs/lithium.nix +++ /dev/null 
@@ -1,78 +0,0 @@ -{ pkgs, config, ... }: -{ - networking = { - hostName = "lithium"; - - wg-quick.interfaces = { - wg0 = { - autostart = true; - address = [ "${config.custom.gua_pref}ff::3/64" ]; - dns = [ - "${config.custom.gua_pref}ff::1" - "vsinerva.fi" - ]; - privateKeyFile = "/root/wireguard-keys/privatekey-home"; - listenPort = 51820; - - peers = [ - { - publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34="; - presharedKeyFile = "/root/wireguard-keys/psk-home"; - allowedIPs = [ "::/0" ]; - endpoint = "wg.vsinerva.fi:51820"; - } - ]; - }; - }; - }; - # Dirty hack to fix autostart failing due to DNS lookups - systemd.services."wg-quick-wg0".serviceConfig = { - Restart = "on-failure"; - RestartSec = "1s"; - }; - services.clatd = { - enable = true; - settings.clat-v6-addr = "${config.custom.gua_pref}ff::c3"; - }; - systemd.services.clatd.wants = [ "wg-quick-wg0.service" ]; - - services.openssh.openFirewall = false; - services.fail2ban.enable = pkgs.lib.mkForce false; - - imports = [ - ../base.nix - ../users/vili.nix - ../desktop.nix - ../development.nix - ../services/syncthing.nix - ../services/redshift.nix - ../services/moonlight.nix - ../hardware-specific/onlykey.nix - ../hardware-specific/keychron-q11.nix - ../hardware-specific/trackball.nix - ../hardware-specific/usb-automount.nix - ../hardware-specific/intel-laptop.nix - ]; - - system.autoUpgrade.allowReboot = pkgs.lib.mkForce false; - - swapDevices = pkgs.lib.mkForce [ - { - device = "/var/lib/swapfile"; - size = 16 * 1024; - } - ]; - - boot = { - loader.timeout = 10; - initrd.luks = { - fido2Support = true; - devices."nixos".fido2 = { - passwordLess = true; - credential = "f29b0760a6ec3b18b0a9958d77d8be8b15ff4fd90d42c3ceaeeb5d24a19c8f81315f52dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec014225afa01"; - }; - }; - resumeDevice = "/dev/mapper/nixos"; - kernelParams = [ "resume_offset=39292928" ]; - }; -} 
diff --git a/machine-confs/nextcloud.nix b/machine-confs/nextcloud.nix deleted file mode 100644 index a974cd9..0000000 --- a/machine-confs/nextcloud.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ ... }: -{ - networking.hostName = "nextcloud"; - custom.nextcloud_domain = "nextcloud.vsinerva.fi"; - - imports = [ - ../base.nix - ../services/nextcloud.nix - ]; - - # HARDWARE SPECIFIC - services.qemuGuest.enable = true; -} diff --git a/machine-confs/siit-dc.nix b/machine-confs/siit-dc.nix deleted file mode 100644 index c0ad541..0000000 --- a/machine-confs/siit-dc.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - networking.hostName = "siit-dc"; - - imports = [ - ../base.nix - ../services/siit-dc.nix - ]; - - # HARDWARE SPECIFIC - services.qemuGuest.enable = true; -} diff --git a/machine-confs/syncthing.nix b/machine-confs/syncthing.nix deleted file mode 100644 index e54391d..0000000 --- a/machine-confs/syncthing.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -{ - networking.hostName = "syncthing"; - - imports = [ - ../base.nix - ../users/vili.nix - ../services/syncthing.nix - ]; - - users.users.vili.hashedPasswordFile = pkgs.lib.mkForce null; - - # HARDWARE SPECIFIC - services.qemuGuest.enable = true; -} diff --git a/machine-confs/vaultwarden.nix b/machine-confs/vaultwarden.nix deleted file mode 100644 index 3371c84..0000000 --- a/machine-confs/vaultwarden.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - networking.hostName = "vaultwarden"; - - imports = [ - ../base.nix - ../services/vaultwarden.nix - ]; - - # HARDWARE SPECIFIC - services.qemuGuest.enable = true; -} diff --git a/misc/custom-minimal-iso.nix b/misc/custom-minimal-iso.nix deleted file mode 100644 index 14508c5..0000000 --- a/misc/custom-minimal-iso.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - - ./custom-iso-base.nix - ]; - - networking.networkmanager.enable = pkgs.lib.mkForce false; -} 
diff --git a/misc/template-configuration.nix b/misc/template-configuration.nix deleted file mode 100644 index 37e2cf4..0000000 --- a/misc/template-configuration.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ ... }: -let - host = "generic"; - stateVersion = "24.11"; - - repo = builtins.fetchGit { - url = "https://forgejo.sinerva.eu/VSinerva/nixos-conf.git"; - name = "nixos-conf-forgejo"; - ref = "main"; - }; -in -{ - imports = [ - ./hardware-configuration.nix - "${repo}/machine-confs/${host}.nix" - ]; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = stateVersion; # Did you read the comment? -} diff --git a/personal/desktop.nix b/personal/desktop.nix new file mode 100644 index 0000000..9385863 --- /dev/null +++ b/personal/desktop.nix 
@@ -0,0 +1,49 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ./programs/symlinked/symlinks.nix
+ ../shared/users/vili.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ alacritty
+ vlc
+ flameshot
+ speedcrunch
+ ];
+
+ services = {
+ displayManager = {
+ autoLogin.enable = true;
+ autoLogin.user = "vili";
+ };
+ xserver = {
+ enable = true;
+ displayManager = {
+ lightdm.enable = true;
+ sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${
+ (import ./programs/embedded/xresources.nix { inherit pkgs; })
+ }'';
+ };
+ };
+
+ pipewire.enable = false;
+ pulseaudio.enable = true;
+ };
+ nixpkgs.config.pulseaudio = true;
+
+ security.polkit.enable = true;
+
+ xdg.mime.defaultApplications = {
+ "application/pdf" = "org.gnome.Evince.desktop";
+ "text/plain" = "org.xfce.mousepad.desktop";
+ "text/x-tex" = "org.kde.kile.desktop";
+ "inode/directory" = "pcmanfm.description";
+ };
+
+ qt = {
+ enable = true;
+ style = "adwaita-dark";
+ platformTheme = "gnome";
+ };
+}
diff --git a/personal/development.nix b/personal/development.nix
new file mode 100644
index 0000000..b18ef62
--- /dev/null
+++ b/personal/development.nix
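Review bot: `"inode/directory" = "pcmanfm.description";` looks like a typo for a desktop-entry name; every other value in this attrset ends in `.desktop`, and a MIME default that names a non-existent entry is silently ignored, so directories would keep whatever handler xdg picks on its own. Suggest `"inode/directory" = "pcmanfm.desktop";`, checked against the entry the pcmanfm package actually installs. Separately, `autoLogin.enable = true;` with lightdm removes the only interactive login on these machines; that is presumably intentional given the FIDO2 LUKS unlock the deleted machine confs used, but a one-line comment stating what gates access instead would keep the choice reviewable.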
@@ -0,0 +1,44 @@
+{ pkgs, lib, ... }:
+{
+ imports = [ ./programs/embedded/nvim.nix ];
+
+ #################### Git configuration ####################
+ programs.git = {
+ enable = true;
+ lfs.enable = true;
+ config = {
+ user = {
+ email = "vili.m.sinerva@gmail.com";
+ name = "Vili Sinervä";
+ signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
+ };
+ merge = {
+ ff = "true";
+ };
+ pull = {
+ ff = "only";
+ };
+ commit = {
+ verbose = "true";
+ };
+ gpg.format = "ssh";
+ commit.gpgsign = "true";
+ };
+ };
+
+ #################### Packages ####################
+ environment.systemPackages = with pkgs; [
+ nixfmt-rfc-style
+ nixd
+
+ vagrant
+ nmap
+ metasploit
+ armitage
+ ];
+ virtualisation.virtualbox.host.enable = true;
+ virtualisation.virtualbox.host.addNetworkInterface = false;
+ users.extraGroups.vboxusers.members = [ "vili" ];
+
+ fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
+}
diff --git a/hardware-specific/amd-laptop.nix b/personal/hardware/amd-laptop.nix
similarity index 92%
rename from hardware-specific/amd-laptop.nix
rename to personal/hardware/amd-laptop.nix
index ab51886..8adf517 100644
--- a/hardware-specific/amd-laptop.nix
+++ b/personal/hardware/amd-laptop.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 {
 environment.systemPackages = with pkgs; [ zenmonitor ];
 
@@ -7,7 +12,7 @@
 boot.initrd.kernelModules = [ "amdgpu" ];
 
 services = {
- xserver = pkgs.lib.mkIf config.services.xserver.enable {
+ xserver = lib.mkIf config.services.xserver.enable {
 videoDrivers = [
 "amdgpu"
 "modesetting"
diff --git a/personal/hardware/hibernate.nix b/personal/hardware/hibernate.nix
new file mode 100644
index 0000000..e79a68e
--- /dev/null
+++ b/personal/hardware/hibernate.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+{
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 16 * 1024;
+ }
+ ];
+
+ boot = {
+ resumeDevice = lib.mkDefault "/dev/mapper/nixos";
+ };
+}
diff --git a/hardware-specific/intel-laptop.nix b/personal/hardware/intel-laptop.nix
similarity index 100%
rename from hardware-specific/intel-laptop.nix
rename to personal/hardware/intel-laptop.nix
diff --git a/hardware-specific/keychron-q11.nix b/personal/hardware/keychron-q11.nix
similarity index 100%
rename from hardware-specific/keychron-q11.nix
rename to personal/hardware/keychron-q11.nix
diff --git a/misc/mouse-accel.patch b/personal/hardware/moonlight-trackball-accel.patch
similarity index 100%
rename from misc/mouse-accel.patch
rename to personal/hardware/moonlight-trackball-accel.patch
diff --git a/hardware-specific/onlykey.nix b/personal/hardware/onlykey.nix
similarity index 64%
rename from hardware-specific/onlykey.nix
rename to personal/hardware/onlykey.nix
index 1a7d389..4aa184d 100644
--- a/hardware-specific/onlykey.nix
+++ b/personal/hardware/onlykey.nix
@@ -1,12 +1,5 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
- assertions = [
- {
- assertion = config.users.users ? "vili";
- message = "User 'vili' needed for onlykey!";
- }
- ];
-
 environment.systemPackages = with pkgs; [
 (onlykey.override (prev: {
 node_webkit = prev.node_webkit.overrideAttrs {
@@ -21,7 +14,5 @@
 onlykey-cli
 ];
 
- security.pam.u2f.enable = true;
 hardware.onlykey.enable = true;
- programs.i3lock.u2fSupport = true;
 }
diff --git a/hardware-specific/trackball.nix b/personal/hardware/trackball.nix
similarity index 92%
rename from hardware-specific/trackball.nix
rename to personal/hardware/trackball.nix
index 80ea205..3035958 100644
--- a/hardware-specific/trackball.nix
+++ b/personal/hardware/trackball.nix
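Review bot: `resumeDevice = lib.mkDefault "/dev/mapper/nixos";` is paired with a swapfile, and resuming from a file also needs `resume_offset` on the kernel command line, which the deleted helium.nix and lithium.nix each carried as `kernelParams = [ "resume_offset=..." ]`; nothing in this module reminds the importer of that, so a host that imports hibernate.nix without it will hibernate and then cold-boot. Suggest a comment above `swapDevices`: `# Hibernation to a swapfile also requires boot.kernelParams = [ "resume_offset=<physical offset of /var/lib/swapfile, from filefrag -v>" ] on each host; the offset is per filesystem and cannot live here.` Keeping `resumeDevice` as `mkDefault` is fine either way, but the offset requirement should be written down.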
@@ -3,7 +3,7 @@
 nixpkgs.overlays = [
 (final: prev: {
 moonlight-qt = prev.moonlight-qt.overrideAttrs (old: {
- patches = (old.patches or [ ]) ++ [ ../misc/mouse-accel.patch ];
+ patches = (old.patches or [ ]) ++ [ ./moonlight-trackball-accel.patch ];
 });
 })
 ];
diff --git a/personal/networking/home-wg.nix b/personal/networking/home-wg.nix
new file mode 100644
index 0000000..bc6f44d
--- /dev/null
+++ b/personal/networking/home-wg.nix
@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+{
+ options.custom.home_wg_suffix = lib.mkOption {
+ type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
+ default = null;
+ description = "IPv6 GUA Suffix for Home WireGuard config";
+ };
+
+ config = {
+ networking = {
+ wg-quick.interfaces = {
+ wg0 = {
+ autostart = true;
+ address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
+ dns = [
+ "${config.custom.gua_pref}ff::1"
+ "vsinerva.fi"
+ ];
+ privateKeyFile = "/persist/secrets/wireguard/priv-home";
+ listenPort = 51820;
+
+ peers = [
+ {
+ publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
+ presharedKeyFile = "/persist/secrets/wireguard/psk-home";
+ allowedIPs = [ "::/0" ];
+ endpoint = "wg.vsinerva.fi:51820";
+ }
+ ];
+ };
+ };
+ };
+
+ services.clatd = {
+ enable = true;
+ settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
+ };
+
+ systemd.services = {
+ "wg-quick-wg0" = {
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ };
+ clatd = {
+ wants = [ "wg-quick-wg0.service" ];
+ after = [ "wg-quick-wg0.service" ];
+ };
+ };
+ };
+}
diff --git a/personal/networking/printing.nix b/personal/networking/printing.nix
new file mode 100644
index 0000000..a3bb01b
--- /dev/null
+++ b/personal/networking/printing.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ programs.i3lock.enable = true;
+ services = {
+ printing.enable = true;
+ avahi = {
+ enable = true;
+ nssmdns4 = true;
+ openFirewall = true;
+ };
+ };
+}
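Review bot: `address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ]` interpolates an option whose default is `null`, so importing home-wg.nix without setting `custom.home_wg_suffix` fails at evaluation with a string-coercion error instead of a message that names the missing option. An assertion inside `config` would make the requirement explicit, e.g. `assertions = [ { assertion = config.custom.home_wg_suffix != null; message = "custom.home_wg_suffix must be set when personal/networking/home-wg.nix is imported"; } ];`. The type `strMatching "^[0-9a-zA-Z:]+$"` was evidently copied from `gua_pref`, where a colon belongs, but here a colon or a non-hex letter yields a malformed address in both `address` and `settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}"`; if the suffix is meant to be a single hex group, `strMatching "^[0-9a-fA-F]{1,3}$"` (three digits at most, since the clat form prepends `c`) would catch that at evaluation time.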
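Review bot: `programs.i3lock.enable = true;` in personal/networking/printing.nix has nothing to do with printing or mDNS and is set again in personal/programs/i3.nix, so this copy reads like a leftover from splitting desktop.nix; dropping it here keeps the module's name honest. `avahi.openFirewall = true` is now a side effect of importing "printing", which a reader at the import site will not expect; a comment such as `# Opens the mDNS port (UDP 5353) on every host that imports this module` above `avahi` would make that visible.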
diff --git a/personal/programs/bitwarden.nix b/personal/programs/bitwarden.nix
new file mode 100644
index 0000000..1a9e90d
--- /dev/null
+++ b/personal/programs/bitwarden.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ bitwarden
+ bitwarden-cli
+ ];
+
+ programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock";
+ security = {
+ pam = {
+ rssh.enable = true;
+ services = {
+ sudo.rssh = true;
+ };
+ };
+ sudo.execWheelOnly = true;
+ };
+
+ # We need SSH for the sudo, but generally don't want it open on machines with Bitwarden client
+ services.openssh.openFirewall = false;
+}
diff --git a/personal/programs/communication.nix b/personal/programs/communication.nix
new file mode 100644
index 0000000..f092628
--- /dev/null
+++ b/personal/programs/communication.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ telegram-desktop
+ signal-desktop
+ discord
+ ];
+}
diff --git a/program-config-files/alacritty.nix b/personal/programs/embedded/alacritty.nix
similarity index 100%
rename from program-config-files/alacritty.nix
rename to personal/programs/embedded/alacritty.nix
diff --git a/program-config-files/i3.nix b/personal/programs/embedded/i3-conf.nix
similarity index 99%
rename from program-config-files/i3.nix
rename to personal/programs/embedded/i3-conf.nix
index 12dede5..08ac961 100644
--- a/program-config-files/i3.nix
+++ b/personal/programs/embedded/i3-conf.nix
@@ -1,8 +1,7 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 let
 alacritty-conf = "${
 (import ./alacritty.nix {
- inherit config;
 inherit pkgs;
 })
 }";
diff --git a/development.nix b/personal/programs/embedded/nvim.nix
similarity index 82%
rename from development.nix
rename to personal/programs/embedded/nvim.nix
index c0f7be8..fbdd0d3 100644
--- a/development.nix
+++ b/personal/programs/embedded/nvim.nix
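Review bot: `programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock"` is a system-wide hook, so root's and any other account's interactive zsh also get their agent socket pointed at a file inside vili's home, and `sudo.rssh = true` makes sudo consult whatever agent that socket reaches. As I understand pam_rssh it verifies a signature against the authorized keys it is configured with, so a foreign socket cannot forge the authentication, but the unscoped export will at best produce confusing agent failures for other users; `if [ "$USER" = vili ]; then export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock; fi` (or a `$HOME`-relative path) is a one-line fix. The comment above `services.openssh.openFirewall = false` says SSH is needed for sudo; if that means the openssh service must be enabled for pam_rssh's authorized-keys lookup rather than that a network listener is required, saying so explicitly would help the next reader understand why the firewall is closed instead of the service disabled.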
@@ -1,54 +1,5 @@ -{ pkgs, lib, ... }: -let - nixvim = import ( - builtins.fetchGit { - url = "https://github.com/nix-community/nixvim"; - ref = "nixos-25.05"; - } - ); -in +{ nixvim, ... }: { - #################### Git configuration #################### - programs.git = { - enable = true; - lfs.enable = true; - config = { - user = { - email = "vili.m.sinerva@gmail.com"; - name = "Vili Sinervä"; - signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV"; - }; - merge = { - ff = "true"; - }; - pull = { - ff = "only"; - }; - commit = { - verbose = "true"; - }; - gpg.format = "ssh"; - commit.gpgsign = "true"; - }; - }; - - #################### Packages #################### - environment.systemPackages = with pkgs; [ - nixfmt-rfc-style - nixd - - vagrant - nmap - metasploit - armitage - ]; - virtualisation.virtualbox.host.enable = true; - virtualisation.virtualbox.host.addNetworkInterface = false; - users.extraGroups.vboxusers.members = [ "vili" ]; - - fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts); - - #################### Neovim configuration #################### imports = [ nixvim.nixosModules.nixvim ]; programs.nixvim = { diff --git a/personal/programs/embedded/xresources.nix b/personal/programs/embedded/xresources.nix new file mode 100644 index 0000000..7b734c9 --- /dev/null +++ b/personal/programs/embedded/xresources.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: +pkgs.writeText "Xresources" '' + Xft.dpi: 96 + Xft.antialias: true + Xft.hinting: true + Xft.rgba: rgb + Xft.autohint: false + Xft.hintstyle: hintslight + Xft.lcdfilter: lcddefault + + Xcursor.theme: xcursor-breeze + Xcursor.size: 0 +'' diff --git a/program-config-files/firefox.nix b/personal/programs/firefox.nix similarity index 100% rename from program-config-files/firefox.nix rename to personal/programs/firefox.nix diff --git a/personal/programs/i3.nix b/personal/programs/i3.nix new file mode 100644 index 0000000..3806dda 
--- /dev/null
+++ b/personal/programs/i3.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ i3status
+ rofi
+ arandr
+ pavucontrol
+ viewnior
+ xfce.mousepad
+ pcmanfm
+ evince
+ brightnessctl
+ networkmanagerapplet
+ ];
+
+ programs.i3lock.enable = true;
+
+ services = {
+ displayManager = {
+ defaultSession = "none+i3";
+ };
+ xserver.windowManager.i3 = {
+ enable = true;
+ extraPackages = [ ];
+ configFile = "${(import ./embedded/i3-conf.nix { inherit pkgs; })}";
+ };
+ };
+}
diff --git a/services/moonlight.nix b/personal/programs/moonlight.nix
similarity index 100%
rename from services/moonlight.nix
rename to personal/programs/moonlight.nix
diff --git a/services/redshift.nix b/personal/programs/redshift.nix
similarity index 63%
rename from services/redshift.nix
rename to personal/programs/redshift.nix
index 2d4a392..e0bb66d 100644
--- a/services/redshift.nix
+++ b/personal/programs/redshift.nix
@@ -1,11 +1,5 @@
-{ config, ... }:
+{ ... }:
 {
- assertions = [
- {
- assertion = config.services.xserver.enable;
- message = "Redshift does not work without a desktop!";
- }
- ];
 services.redshift = {
 executable = "/bin/redshift-gtk";
 enable = true;
diff --git a/personal/programs/study.nix b/personal/programs/study.nix
new file mode 100644
index 0000000..e77f59f
--- /dev/null
+++ b/personal/programs/study.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ libreoffice
+ zotero
+ kile
+ texliveFull
+ imagemagick
+ ghostscript
+ kdePackages.okular
+ ];
+}
diff --git a/program-config-files/gtk-3-4-settings.ini b/personal/programs/symlinked/gtk-3-4-settings.ini
similarity index 100%
rename from program-config-files/gtk-3-4-settings.ini
rename to personal/programs/symlinked/gtk-3-4-settings.ini
diff --git a/program-config-files/gtk-bookmarks b/personal/programs/symlinked/gtk-bookmarks
similarity index 100%
rename from program-config-files/gtk-bookmarks
rename to personal/programs/symlinked/gtk-bookmarks
diff --git a/program-config-files/gtkrc-2.0 b/personal/programs/symlinked/gtkrc-2.0
similarity index 100%
rename from program-config-files/gtkrc-2.0
rename to personal/programs/symlinked/gtkrc-2.0
diff --git a/program-config-files/libfm.conf b/personal/programs/symlinked/libfm.conf
similarity index 100%
rename from program-config-files/libfm.conf
rename to personal/programs/symlinked/libfm.conf
diff --git a/program-config-files/pcmanfm.conf b/personal/programs/symlinked/pcmanfm.conf
similarity index 100%
rename from program-config-files/pcmanfm.conf
rename to personal/programs/symlinked/pcmanfm.conf
diff --git a/personal/programs/symlinked/symlinks.nix b/personal/programs/symlinked/symlinks.nix
new file mode 100644
index 0000000..b723402
--- /dev/null
+++ b/personal/programs/symlinked/symlinks.nix
@@ -0,0 +1,54 @@
+{ ... }:
+{
+ system.userActivationScripts.mkDesktopSettingsSymlinks.text =
+ let
+ home = "/home/vili/";
+ paths = [
+ rec {
+ dir = "${home}.config/pcmanfm/default/";
+ file = "pcmanfm.conf";
+ full = "${dir}${file}";
+ source = "${./pcmanfm.conf}";
+ }
+ rec {
+ dir = "${home}.config/libfm/";
+ file = "libfm.conf";
+ full = "${dir}${file}";
+ source = "${./libfm.conf}";
+ }
+ rec {
+ dir = "${home}.config/gtk-3.0/";
+ file = "bookmarks";
+ full = "${dir}${file}";
+ source = "${./gtk-bookmarks}";
+ }
+ rec {
+ dir = "${home}";
+ file = ".gtkrc-2.0";
+ full = "${dir}${file}";
+ source = "${./gtkrc-2.0}";
+ }
+ rec {
+ dir = "${home}.config/gtk-3.0/";
+ file = "settings.ini";
+ full = "${dir}${file}";
+ source = "${./gtk-3-4-settings.ini}";
+ }
+ rec {
+ dir = "${home}.config/gtk-4.0/";
+ file = "settings.ini";
+ full = "${dir}${file}";
+ source = "${./gtk-3-4-settings.ini}";
+ }
+ ];
+ in
+ toString (
+ map (path: ''
+ mkdir -p ${path.dir}
+ if test -e ${path.full} -a ! -L ${path.full}; then
+ mv -f ${path.full} ${path.full}.old
+ fi
+ ln -sf ${path.source} ${path.full}
+ '') paths
+ );
+}
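Review bot: `home = "/home/vili/";` is hard-coded while `system.userActivationScripts` runs for whichever account is activating, so if the fragment ever executes for a user other than vili (root, for example) the `mkdir -p ${path.dir}` lines create directories inside vili's home owned by that account and the `mv -f`/`ln -sf` lines rewrite vili's dotfiles from someone else's session. Wrapping the generated text in `if [ "$(id -un)" = vili ]; then … fi` confines it to the intended account (an `exit` would be wrong if, as I believe, all user-activation fragments are concatenated into one script); switching `home` to `"$HOME/"` is the alternative if the same links are wanted for every user. The `test -e ${path.full} -a ! -L ${path.full}` guard means a pre-existing regular file is moved aside exactly once and later runs only refresh the link, which is fine but worth the comment `# a pre-existing regular file is kept once as <file>.old; an existing symlink is just re-pointed`.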
diff --git a/hardware-specific/usb-automount.nix b/personal/programs/usb-automount.nix similarity index 100% rename from hardware-specific/usb-automount.nix rename to personal/programs/usb-automount.nix diff --git a/services/acme-cert-store.nix b/servers/acme-cert-store.nix similarity index 99% rename from services/acme-cert-store.nix rename to servers/acme-cert-store.nix index dce7d1e..bc335c8 100644 --- a/services/acme-cert-store.nix +++ b/servers/acme-cert-store.nix @@ -13,5 +13,4 @@ users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense" ]; - } diff --git a/services/forgejo.nix b/servers/forgejo.nix similarity index 91% rename from services/forgejo.nix rename to servers/forgejo.nix index 52031b8..07c4ef6 100644 --- a/services/forgejo.nix +++ b/servers/forgejo.nix @@ -1,15 +1,10 @@ { config, ... }: { - networking.firewall.allowedTCPPorts = [ - 80 - 443 + imports = [ + ./utils/nginx-https-server.nix + ./utils/acme-http-client.nix ]; - security.acme = { - acceptTerms = true; - defaults.email = "vili.m.sinerva@gmail.com"; - }; - services = { forgejo = { enable = true; diff --git a/services/gaming-server.nix b/servers/gaming-server.nix similarity index 100% rename from services/gaming-server.nix rename to servers/gaming-server.nix diff --git a/services/nextcloud.nix b/servers/nextcloud.nix similarity index 77% rename from services/nextcloud.nix rename to servers/nextcloud.nix index d86d533..3001a78 100644 --- a/services/nextcloud.nix +++ b/servers/nextcloud.nix @@ -5,7 +5,10 @@ ... }: { - imports = [ ./cert-store-client.nix ]; + imports = [ + ./utils/nginx-https-server.nix + ./utils/cert-store-client.nix + ]; options.custom = { nextcloud_domain = lib.mkOption { @@ -22,8 +25,6 @@ config = lib.mkMerge [ { - networking.firewall.allowedTCPPorts = [ 443 ]; - services = { nextcloud = { package = pkgs.nextcloud31; 
@@ -46,19 +47,7 @@ }; }; - nginx = { - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedProxySettings = true; - - virtualHosts.${config.services.nextcloud.hostName} = { - forceSSL = true; - kTLS = true; - sslCertificate = "/mnt/acme/fullchain.pem"; - sslCertificateKey = "/mnt/acme/key.pem"; - }; - }; + nginx.virtualHosts.${config.services.nextcloud.hostName} = { }; }; } ( @@ -89,10 +78,6 @@ }; nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = { - forceSSL = true; - kTLS = true; - sslCertificate = "/mnt/acme/fullchain.pem"; - sslCertificateKey = "/mnt/acme/key.pem"; locations."/" = { proxyPass = "http://[::1]:${toString config.services.collabora-online.port}"; proxyWebsockets = true; # collabora uses websockets diff --git a/services/siit-dc.nix b/servers/siit-dc.nix similarity index 100% rename from services/siit-dc.nix rename to servers/siit-dc.nix diff --git a/services/syncthing.nix b/servers/syncthing.nix similarity index 82% rename from services/syncthing.nix rename to servers/syncthing.nix index b4b6a07..c9acaf3 100644 --- a/services/syncthing.nix +++ b/servers/syncthing.nix @@ -1,12 +1,5 @@ -{ config, pkgs, ... }: +{ config, lib, ... }: { - assertions = [ - { - assertion = config.users.users ? "vili"; - message = "User 'vili' needed for syncthing!"; - } - ]; - boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800; services.syncthing = { @@ -27,14 +20,14 @@ relaysEnabled = false; }; - devices = pkgs.lib.mkMerge [ + devices = lib.mkMerge [ { "syncthing" = { id = "J6GNM4Z-2TWASPT-3P3EW4V-KZEQYFF-TXL22QX-4YTZ3WO-WLM7GQ7-NUP66A4"; addresses = [ "tcp://syncthing.vsinerva.fi:22000" ]; }; } - (pkgs.lib.mkIf (config.networking.hostName == "syncthing") { + (lib.mkIf (config.networking.hostName == "syncthing") { "helium" = { id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM"; addresses = [ "tcp://helium.vsinerva.fi:22000" ]; 
@@ -49,9 +42,9 @@
 folders =
 let
 default = {
- devices = pkgs.lib.mkMerge [
+ devices = lib.mkMerge [
 [ "syncthing" ]
- (pkgs.lib.mkIf (config.networking.hostName == "syncthing") [
+ (lib.mkIf (config.networking.hostName == "syncthing") [
 "helium"
 "lithium"
 ])
diff --git a/servers/utils/acme-http-client.nix b/servers/utils/acme-http-client.nix
new file mode 100644
index 0000000..6da45bd
--- /dev/null
+++ b/servers/utils/acme-http-client.nix
@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+ options.services.nginx.virtualHosts = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ config = lib.mkDefault {
+ enableACME = true;
+ };
+ }
+ );
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "vili.m.sinerva@gmail.com";
+ };
+ };
+}
diff --git a/servers/utils/cert-store-client.nix b/servers/utils/cert-store-client.nix
new file mode 100644
index 0000000..b847667
--- /dev/null
+++ b/servers/utils/cert-store-client.nix
@@ -0,0 +1,34 @@
+{ lib, ... }:
+{
+ options.services.nginx.virtualHosts = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ config = lib.mkDefault {
+ sslCertificate = "/mnt/acme/fullchain.pem";
+ sslCertificateKey = "/mnt/acme/key.pem";
+ };
+ }
+ );
+ };
+
+ config = {
+ services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+ systemd.services.nginx = {
+ wants = [ "mnt-acme.mount" ];
+ after = [ "mnt-acme.mount" ];
+ };
+
+ fileSystems."/mnt/acme" = {
+ device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi";
+ fsType = "sshfs";
+ options = [
+ "nodev"
+ "noatime"
+ "allow_other"
+ "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+ ];
+ };
+ };
+}
diff --git a/servers/utils/nginx-https-server.nix b/servers/utils/nginx-https-server.nix
new file mode 100644
index 0000000..deb6250
--- /dev/null
+++ b/servers/utils/nginx-https-server.nix
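Review bot: the `/mnt/acme` sshfs mount carries `"allow_other"` so that the nginx worker can read `/mnt/acme/key.pem`, but with FUSE's default behaviour that also lets every local account read through the mount with the remote `cert-store` user's privileges, so the wildcard TLS private key is effectively readable by any local user on the host. Adding `"default_permissions"` to `options` makes the kernel enforce the mode bits the server reports, and pairing it with a `uid=`/`gid=` mapping onto the nginx account (or a group that only nginx belongs to) confines the key to the process that needs it — confirm the remote file modes before relying on that. The `"IdentityFile=/etc/ssh/ssh_host_ed25519_key"` choice, reusing the host key as the client identity, is reasonable but non-obvious and deserves a comment such as `# authenticates to cert-store with this host's own SSH host key, which must be in cert-store's authorized_keys`.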
@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+ options.services.nginx.virtualHosts = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ config = lib.mkDefault {
+ forceSSL = true;
+ kTLS = true;
+ };
+ }
+ );
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ };
+ };
+}
diff --git a/services/vaultwarden.nix b/servers/vaultwarden.nix
similarity index 67%
rename from services/vaultwarden.nix
rename to servers/vaultwarden.nix
index 368146d..23d5f85 100644
--- a/services/vaultwarden.nix
+++ b/servers/vaultwarden.nix
@@ -1,9 +1,9 @@
 { ... }:
 {
- imports = [ ./cert-store-client.nix ];
-
- networking.firewall.allowedTCPPorts = [ 443 ];
- networking.firewall.allowedUDPPorts = [ 443 ];
+ imports = [
+ ./utils/nginx-https-server.nix
+ ./utils/cert-store-client.nix
+ ];
 
 services = {
 vaultwarden = {
@@ -31,17 +31,7 @@ }; nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedProxySettings = true; - virtualHosts."vaultwarden.vsinerva.fi" = { - forceSSL = true; - kTLS = true; - sslCertificate = "/mnt/acme/fullchain.pem"; - sslCertificateKey = "/mnt/acme/key.pem"; locations."/" = { proxyPass = "http://localhost:8000"; };
diff --git a/services/cert-store-client.nix b/services/cert-store-client.nix
deleted file mode 100644
index 05a8b57..0000000
--- a/services/cert-store-client.nix
+++ /dev/null
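Review bot: the `options.services.nginx.virtualHosts = lib.mkOption { type = lib.types.attrsOf (lib.types.submodule { config = lib.mkDefault { … }; }); };` block re-declares an existing NixOS option with a mergeable type purely to push per-vhost defaults, and the same device is used in servers/utils/acme-http-client.nix and servers/utils/cert-store-client.nix; nothing says so, and a reader who does not know that submodule types merge will assume it replaces the upstream option. A comment above it, `# Re-declaring the option with a compatible submodule type merges these mkDefault values into every vhost without replacing the upstream declaration`, would prevent that confusion. It is also worth a line in each of the two sibling utils that they pull in opposite directions — ACME-managed certificates versus the pre-mounted `/mnt/acme` pair — and are meant to be imported one-or-the-other per host, as forgejo.nix, nextcloud.nix and vaultwarden.nix currently do.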
@@ -1,21 +0,0 @@ -{ ... }: -{ - services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7"; - - systemd.services.nginx = { - wants = [ "mnt-acme.mount" ]; - after = [ "mnt-acme.mount" ]; - }; - - fileSystems."/mnt/acme" = { - device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi"; - fsType = "sshfs"; - options = [ - "nodev" - "noatime" - "allow_other" - "IdentityFile=/etc/ssh/ssh_host_ed25519_key" - ]; - }; -} diff --git a/base.nix b/shared/base.nix similarity index 86% rename from base.nix rename to shared/base.nix index ed3c760..cb0fb36 100644 --- a/base.nix +++ b/shared/base.nix @@ -1,4 +1,9 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + nixpkgs-flake, + ... +}: { options.custom.gua_pref = lib.mkOption { type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$"); @@ -44,9 +49,9 @@ ZSH_TMUX_CONFIG=/etc/tmux.conf ''; promptInit = '' - if [ -n "$IN_NIX_SHELL" ]; then + if [ "$SHLVL" != 1 ]; then setopt PROMPT_SUBST - RPROMPT+='[nix]' + RPROMPT+='[depth-''${SHLVL}]' fi ''; }; @@ -83,7 +88,7 @@ set -s escape-time 0 ''; - ######################################## SSH and fail2ban configuration ######################### + ######################################## SSH configuration ######################### services.openssh = { enable = true; settings.PasswordAuthentication = false; @@ -92,21 +97,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV vili-bw-ssh-ed25519-main" ]; - services.fail2ban = { - enable = true; - maxretry = 10; - bantime = "10m"; - bantime-increment = { - enable = true; - maxtime = "1d"; - }; - jails = { - DEFAULT.settings = { - findtime = 3600; - }; - }; - }; - ######################################## Localization ########################################### i18n.defaultLocale = "en_US.UTF-8"; 
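Review bot: the `services.fail2ban` block is removed from shared/base.nix with nothing taking its place, so sshd on every host now has no connection banning at all; since `settings.PasswordAuthentication = false;` is already set in the context lines above, what remains is log noise and CPU from unauthenticated attempts rather than a credential-guessing risk, which may well be an acceptable trade. The section comment was shortened to `SSH configuration` at the same time, so the decision is not recorded anywhere; a line such as `# No fail2ban: password auth is disabled, so there is nothing to brute-force and bans would only add noise` beside `services.openssh` would let the next reader see it was deliberate. The `services.openssh` block itself continues outside the hunk.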
@@ -126,7 +116,7 @@ layout = "us,"; variant = "de_se_fi,"; }; - console = pkgs.lib.mkForce { + console = lib.mkForce { font = "Lat2-Terminus16"; useXkbConfig = true; # use xkbOptions in tty. }; @@ -134,16 +124,11 @@ ######################################## Memory management ###################################### zramSwap.enable = true; - swapDevices = [ - { - device = "/var/lib/swapfile"; - size = 8 * 1024; - } - ]; ######################################## Housekeeping ########################################### system.autoUpgrade = { enable = true; + flake = ''"git+https://forgejo.sinerva.eu/VSinerva/nixos-conf.git?ref=main&shallow=1"''; dates = "04:00"; randomizedDelaySec = "30min"; allowReboot = true; @@ -153,14 +138,17 @@ }; }; + nixpkgs.config.allowUnfree = true; nix = { + registry = { + nixpkgs.flake = nixpkgs-flake; + }; settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; - tarball-ttl = 0; }; gc = { automatic = true; @@ -171,8 +159,6 @@ }; ######################################## Misc. ################################################## - nixpkgs.config.allowUnfree = true; - networking = { # Easiest to use and most distros use this by default. networkmanager = { @@ -187,9 +173,9 @@ users.mutableUsers = false; # Force all user management to happen throught nix-files boot.loader = { - systemd-boot.enable = pkgs.lib.mkDefault true; - efi.canTouchEfiVariables = pkgs.lib.mkDefault true; - timeout = pkgs.lib.mkDefault 0; + systemd-boot.enable = lib.mkDefault true; + efi.canTouchEfiVariables = lib.mkDefault true; + timeout = lib.mkDefault 0; }; }; } diff --git a/hardware-specific/nvidia.nix b/shared/hardware/nvidia.nix similarity index 100% rename from hardware-specific/nvidia.nix rename to shared/hardware/nvidia.nix diff --git a/shared/hardware/vm.nix b/shared/hardware/vm.nix new file mode 100644 index 0000000..a38cdf0 --- /dev/null +++ b/shared/hardware/vm.nix 
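Review bot: `flake = ''"git+https://forgejo.sinerva.eu/VSinerva/nixos-conf.git?ref=main&shallow=1"'';` together with the context line `allowReboot = true;` means every host rebuilds to whatever `main` points at on the nightly timer, so write access to that branch — or control of the forgejo endpoint's TLS identity — is equivalent to root on all machines, and nothing here verifies commit signatures. That is a reasonable model for a single-admin repo, but it should be stated, and pointing `ref` at a protected branch or a tag that only the admin advances would narrow the exposure; suggested comment above `flake`: `# Trust anchor: anyone who can push to this ref gets root on every host at the next upgrade.` The doubled quoting `''"…"''` is presumably there because the value is spliced into a shell command line and the `&` in the URL would otherwise be taken by the shell; a second comment saying so would stop someone "cleaning it up".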
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 2 * 1024;
+ }
+ ];
+
+ services.qemuGuest.enable = true;
+}
diff --git a/users/vili.nix b/shared/users/vili.nix
similarity index 83%
rename from users/vili.nix
rename to shared/users/vili.nix
index e336e89..f1a12ff 100644
--- a/users/vili.nix
+++ b/shared/users/vili.nix
@@ -11,7 +11,7 @@
 "audio"
 ];
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
- hashedPasswordFile = "/root/hashed-passwords/vili";
+ hashedPasswordFile = "/persist/secrets/hashed-passwords/vili";
 };
 
 users.groups.vili.gid = 1000;