diff --git a/.sops.yaml b/.sops.yaml index cadcf9d..f642bf6 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -48,11 +48,13 @@ creation_rules: - pgp: - *admin_alice age: *servers + - path_regex: users/dennis/secrets\.yaml$ key_groups: - pgp: - *admin_dennis age: *servers + - path_regex: users/richie/secrets\.yaml$ key_groups: - pgp: diff --git a/flake.lock b/flake.lock index 99d2767..4b48eb2 100644 --- a/flake.lock +++ b/flake.lock @@ -16,6 +16,25 @@ "type": "gitlab" } }, + "fenix": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1706768574, + "narHash": "sha256-4o6TMpzBHO659EiJTzd/EGQGUDdbgwKwhqf3u6b23U8=", + "owner": "nix-community", + "repo": "fenix", + "rev": "668102037129923cd0fc239d864fce71eabdc6a3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -52,6 +71,21 @@ "type": "github" } }, + "flake-utils_2": { + "locked": { + "lastModified": 1637014545, + "narHash": "sha256-26IZAc5yzlD9FlDT54io1oqG/bBoyka+FJk5guaX4x4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -59,11 +93,11 @@ ] }, "locked": { - "lastModified": 1706473109, - "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=", + "lastModified": 1706798041, + "narHash": "sha256-BbvuF4CsVRBGRP8P+R+JUilojk0M60D7hzqE0bEvJBQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "d634c3abafa454551f2083b054cd95c3f287be61", + "rev": "4d53427bce7bf3d17e699252fd84dc7468afc46e", "type": "github" }, "original": { 
@@ -126,22 +160,6 @@ "type": "github" } }, - "nixos-hardware": { - "locked": { - "lastModified": 1706182238, - "narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "f84eaffc35d1a655e84749228cde19922fcf55f1", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, "nixos-modules": { "inputs": { "flake-utils": [ @@ -152,11 +170,11 @@ ] }, "locked": { - "lastModified": 1706608774, - "narHash": "sha256-kbMofnGXCRPInXWm7UAfMYcvIAuHIZO0vBytNhWt+nc=", + "lastModified": 1706740920, + "narHash": "sha256-uFwu44BZf17WYMAEmYIcdtVyNLDRVselv3rNsm7PYeE=", "owner": "SuperSandro2000", "repo": "nixos-modules", - "rev": "2dae76c258451a2c98e3dee5d1144f5061878e2a", + "rev": "453f941ff2cde75a5aac5d99c695d368fa28b7e1", "type": "github" }, "original": { @@ -167,11 +185,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706371002, - "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { 
@@ -181,19 +199,86 @@ "type": "github" } }, + "nixpkgs-fmt": { + "inputs": { + "fenix": "fenix", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1706820456, + "narHash": "sha256-2UDso6ALCoqVH0Q0boIYRT9NJtto8CECAc+gUIHi1/o=", + "owner": "rad-development", + "repo": "nixpkgs-fmt", + "rev": "a140f110952dc51d9757c2b6f285691f4e454ef9", + "type": "github" + }, + "original": { + "owner": "rad-development", + "repo": "nixpkgs-fmt", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1637502770, + "narHash": "sha256-C28tuj+AgsRh67iB/Lg9oladquLoC8eamraqndeaO4A=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f508ae889415b51263ea1c20b6b4c0e0ecbfc0bd", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, "root": { "inputs": { "flake-utils": "flake-utils", "home-manager": "home-manager", "mailserver": "mailserver", "nix-pre-commit": "nix-pre-commit", - "nixos-hardware": "nixos-hardware", "nixos-modules": "nixos-modules", "nixpkgs": "nixpkgs", + "nixpkgs-fmt": "nixpkgs-fmt", "sops-nix": "sops-nix", "systems": "systems" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1706735270, + "narHash": "sha256-IJk+UitcJsxzMQWm9pa1ZbJBriQ4ginXOlPyVq+Cu40=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "42cb1a2bd79af321b0cc503d2960b73f34e2f92b", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ 
diff --git a/flake.nix b/flake.nix index d0a0954..7e76b7b 100644 --- a/flake.nix +++ b/flake.nix @@ -1,20 +1,25 @@ { description = "NixOS configuration for RAD-Development Servers"; + nixConfig = { + trusted-substituters = [ "https://cache.nixos.org" "https://nix-community.cachix.org" "https://cache.alicehuston.xyz" ]; + + trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%" ]; + }; + inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + systems.url = "github:nix-systems/default"; + nixpkgs-fmt = { + url = "github:rad-development/nixpkgs-fmt"; + inputs.fenix.inputs.nixpkgs.follows = "nixpkgs"; + }; flake-utils = { url = "github:numtide/flake-utils"; inputs.systems.follows = "systems"; }; - systems = { - url = "github:nix-systems/default"; - }; - nixos-modules = { url = "github:SuperSandro2000/nixos-modules"; inputs = { 
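Review bot: The `cache.alicehuston.xyz` entry in the new `trusted-public-keys` list ends in `=%` — a Nix signing key is `name:<base64>` and the base64 ends at the `=` padding, so the trailing `%` (it looks like a copied shell-prompt artifact) makes the key unmatchable and signatures from that cache will never verify; it should read `"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo="`, after confirming the value against what the cache operator publishes. Two further caveats on the same block: flake `nixConfig` settings are applied like `--option`, so the non-`extra-` forms may replace rather than extend the daemon's defaults (the `cache.nixos.org` key is not listed here), and `trusted-substituters` on its own only whitelists caches that unprivileged users may enable rather than enabling them — `extra-substituters` / `extra-trusted-public-keys` are the forms usually intended. Settings taken from a flake also require the user to opt in (`accept-flake-config`), which is worth a comment next to the block so nobody accepts unreviewed keys by reflex.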
@@ -55,40 +60,48 @@ }; }; - outputs = - { home-manager - , mailserver - , nix-pre-commit - , nixos-modules - , nixpkgs - , sops-nix - , ... - }: + outputs = { self, nixpkgs-fmt, home-manager, mailserver, nix-pre-commit, nixos-modules, nixpkgs, sops-nix, ... }: let inherit (nixpkgs) lib; + systems = [ "x86_64-linux" "aarch64-linux" ]; + forEachSystem = lib.genAttrs systems; + src = builtins.filterSource (path: type: type == "directory" || lib.hasSuffix ".nix" (baseNameOf path)) ./.; ls = dir: lib.attrNames (builtins.readDir (src + "/${dir}")); lsdir = dir: if (builtins.pathExists (src + "/${dir}")) then (lib.attrNames (lib.filterAttrs (path: type: type == "directory") (builtins.readDir (src + "/${dir}")))) else [ ]; fileList = dir: map (file: ./. + "/${dir}/${file}") (ls dir); + recursiveMerge = attrList: + let + f = attrPath: + builtins.zipAttrsWith (n: values: + if builtins.tail values == [ ] then + builtins.head values + else if builtins.all builtins.isList values then + builtins.unique (builtins.concatLists values) + else if builtins.all builtins.isAttrs values then + f (attrPath ++ [ n ]) values + else + lib.last values); + in + f [ ] attrList; + config = { repos = [ { repo = "https://gitlab.com/vojko.pribudic/pre-commit-update"; rev = "bbd69145df8741f4f470b8f1cf2867121be52121"; - hooks = [ - { - id = "pre-commit-update"; - args = [ "--dry-run" ]; - } - ]; + hooks = [{ + id = "pre-commit-update"; + args = [ "--dry-run" ]; + }]; } { repo = "local"; hooks = [ { - id = "nixpkgs-fmt check"; - entry = "${nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt"; + id = "nixfmt check"; + entry = "${nixpkgs-fmt.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt"; args = [ "--check" ]; language = "system"; files = "\\.nix"; 
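Review bot: The pre-commit `entry` now executes `nixpkgs-fmt` from the `rad-development/nixpkgs-fmt` fork, and because only `inputs.fenix.inputs.nixpkgs` is made to follow the root `nixpkgs`, the fork's own `nixpkgs` input is left unpinned to this flake — the lock in this same commit resolves it (`nixpkgs_3`) and `flake-utils_2` to 2021-era revisions, so the formatter every developer and Hydra runs is built from a two-year-old toolchain. Adding `inputs.nixpkgs.follows = "nixpkgs";` beside the existing `inputs.fenix.inputs.nixpkgs.follows` line in the input declaration would keep this supply chain on the one reviewed nixpkgs pin. Minor: the hook was renamed to `"nixfmt check"` while `entry` still invokes `nixpkgs-fmt`; the id should name the tool that actually runs, e.g. `id = "nixpkgs-fmt check";`.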
@@ -106,67 +119,55 @@ }; in { - formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; + formatter = forEachSystem (system: nixpkgs-fmt.legacyPackages.${system}.nixpkgs-fmt); nixosConfigurations = let - constructSystem = - { hostname - , system ? "x86_64-linux" - , modules ? [ ] - , users ? [ "dennis" ] - }: lib.nixosSystem { + constructSystem = { hostname, users, home ? true, modules ? [ ], server ? true, sops ? true, system ? "x86_64-linux" }: + lib.nixosSystem { inherit system; - modules = [ + modules = [ nixos-modules.nixosModule sops-nix.nixosModules.sops { config.networking.hostName = "${hostname}"; } ] ++ (if server then [ mailserver.nixosModules.mailserver - nixos-modules.nixosModule - home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops ./systems/programs.nix ./systems/configuration.nix ./systems/${hostname}/hardware.nix ./systems/${hostname}/configuration.nix - { config.networking.hostName = "${hostname}"; } - ] ++ modules ++ fileList "modules" - ++ map - (user: { config, lib, pkgs, ... }@args: { - users.users.${user} = import ./users/${user} (args // { name = "${user}"; }); - boot.initrd.network.ssh.authorizedKeys = config.users.users.${user}.openssh.authorizedKeys.keys; - sops = { - secrets."${user}/user-password" = { - sopsFile = ./users/${user}/secrets.yaml; - neededForUsers = true; + ] else [ + ./users/${builtins.head users}/systems/${hostname}/configuration.nix + ./users/${builtins.head users}/systems/${hostname}/hardware.nix + ]) ++ fileList "modules" ++ modules ++ lib.optional home home-manager.nixosModules.home-manager + ++ (if home then (map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users) else [ ]) ++ map + (user: + { config, lib, pkgs, ... 
}@args: { + users.users.${user} = import ./users/${user} (args // { name = "${user}"; }); + boot.initrd.network.ssh.authorizedKeys = lib.mkIf server config.users.users.${user}.openssh.authorizedKeys.keys; + sops = lib.mkIf sops { + secrets."${user}/user-password" = { + sopsFile = ./users/${user}/secrets.yaml; + neededForUsers = true; + }; }; - }; - }) - users - ++ map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users; + }) + users; }; in (builtins.listToAttrs (map (system: { name = system; - value = constructSystem { hostname = system; } // (import ./systems/${system} { }); + value = constructSystem ({ hostname = system; } // builtins.removeAttrs (import ./systems/${system} { }) [ "hostname" "server" "home" ]); }) - (lsdir "systems"))) // - (builtins.listToAttrs (builtins.concatMap - (user: map - (system: rec { - name = "${user}.${system}"; - cfg = import ./users/${user}/systems/${system} { }; - value = lib.nixosSystem { - system = cfg.system ? "x86_64-linux"; - modules = [ - nixos-modules.nixosModule - sops-nix.nixosModules.sops - ./users/${user}/systems/${system}/configuration.nix - ./users/${user}/systems/${system}/hardware.nix - { config.networking.hostName = "${system}"; } - ] ++ fileList "modules" - ++ lib.optional (cfg.home-manager ? false) home-manager.nixosModules.home-manager; - }; - }) - (lsdir "users/${user}/systems")) + (lsdir "systems"))) // (builtins.listToAttrs (builtins.concatMap + (user: + map + (system: { + name = "${user}.${system}"; + value = constructSystem ({ + hostname = system; + server = false; + users = [ user ]; + } // builtins.removeAttrs (import ./users/${user}/systems/${system} { }) [ "hostname" "server" "users" ]); + }) + (lsdir "users/${user}/systems")) (lsdir "users"))); devShell = lib.mapAttrs 
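Review bot: In `constructSystem` the rewritten `boot.initrd.network.ssh.authorizedKeys = lib.mkIf server config.users.users.${user}.openssh.authorizedKeys.keys;` grants every user listed in `users` for a server host SSH access to the initrd, which (where initrd networking is enabled) is a root shell in the pre-boot environment — so a key that is only meant to give someone an unprivileged account on the host also lets them into the stage before disks are unlocked. If that is intended, say so: `# every host user may reach the initrd sshd (root, pre-unlock) — intentional`; otherwise gate it on an explicit per-user flag rather than on membership in `users`. The callers of `constructSystem` continue past the end of this hunk.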
@@ -174,16 +175,30 @@ with nixpkgs.legacyPackages.${system}; mkShell { sopsPGPKeyDirs = [ "./keys" ]; - nativeBuildInputs = [ - apacheHttpd - sopsPkgs.sops-import-keys-hook - ]; - - shellHook = (nix-pre-commit.lib.${system}.mkConfig { - inherit pkgs config; - }).shellHook; - } - ) + nativeBuildInputs = [ apacheHttpd sopsPkgs.sops-import-keys-hook ]; + packages = [ self.formatter.${system} ]; + shellHook = (nix-pre-commit.lib.${system}.mkConfig { inherit pkgs config; }).shellHook; + }) sops-nix.packages; + + hydraJobs = { + build = (recursiveMerge + ( + (map + (machine: { + ${machine.pkgs.system} = (builtins.listToAttrs (map + (pkg: { + name = pkg.name; + value = pkg; + }) + machine.config.environment.systemPackages)); + }) + (builtins.attrValues self.nixosConfigurations)) ++ [ + (forEachSystem (system: { + ${system}.${nixpkgs-fmt.legacyPackages.${system}.nixpkgs-fmt.name} = nixpkgs-fmt.legacyPackages.${system}.nixpkgs-fmt; + })) + ] + )); + }; }; } diff --git a/modules/backup.nix b/modules/backup.nix index 2642a28..d62f1d3 100644 --- a/modules/backup.nix +++ b/modules/backup.nix @@ -1,9 +1,7 @@ { config, lib, pkgs, ... }: -let - cfg = config.services.backup; -in -{ +let cfg = config.services.backup; +in { options.services.backup = { enable = lib.mkEnableOption "backup"; @@ -54,9 +52,7 @@ in restic.backups = let commonOpts = { - extraBackupArgs = [ - "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" - ]; + extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ]; initialize = true; passwordFile = config.sops.secrets."restic/password".path; 
@@ -74,19 +70,11 @@ in "/etc/subgid" "/etc/subuid" "/var/lib/nixos/" - ] ++ cfg.paths - ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" - ++ lib.optional config.services.mysql.enable "/var/lib/mysql/" - ++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/" - ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/" + ] ++ cfg.paths ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" ++ lib.optional config.services.mysql.enable "/var/lib/mysql/" + ++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/" ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/" ++ lib.optional config.mailserver.enable config.mailserver.mailDirectory; - pruneOpts = [ - "--group-by host" - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 12" - ]; + pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ]; timerConfig = { OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00"; @@ -95,13 +83,9 @@ in }; in lib.mkIf cfg.enable { - local = commonOpts // { - repository = "/var/backup"; - }; + local = commonOpts // { repository = "/var/backup"; }; - offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { - repository = "sftp://offsite/${config.networking.hostName}"; - }; + offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; }; }; }; @@ -124,9 +108,7 @@ in path = "/root/.ssh/config"; sopsFile = ./backup.yaml; }; - } // lib.mkIf cfg.enable { - "restic/password".owner = "root"; - }; + } // lib.mkIf cfg.enable { "restic/password".owner = "root"; }; system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) '' echo "Linking restic ssh config..." 
@@ -142,9 +124,7 @@ in restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666"; }; - timers = lib.mkIf config.services.postgresqlBackup.enable { - postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; - }; + timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; }; }; }; } diff --git a/modules/boot.nix b/modules/boot.nix index 09f2284..cf9d726 100644 --- a/modules/boot.nix +++ b/modules/boot.nix @@ -1,9 +1,7 @@ { config, lib, libS, ... }: -let - cfg = config.boot; -in -{ +let cfg = config.boot; +in { options = { boot = { default = libS.mkOpinionatedOption "enable the boot builder"; @@ -42,10 +40,7 @@ in supportedFilesystems = [ cfg.filesystem ]; tmp.useTmpfs = true; kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - kernelParams = [ - "nordrand" - ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" - ++ lib.optional cfg.fullDiskEncryption "ip=:::"; + kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=:::"; zfs = lib.mkIf (cfg.filesystem == "zfs") { enableUnstable = true; @@ -54,9 +49,7 @@ in }; loader = { - efi = { - canTouchEfiVariables = false; - }; + efi = { canTouchEfiVariables = false; }; generationsDir.copyKernels = true; systemd-boot.enable = lib.mkIf cfg.useSystemdBoot true; grub = lib.mkIf (!cfg.useSystemdBoot) { diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix index 3f7ce53..0a5849b 100644 --- a/modules/fail2ban.nix +++ b/modules/fail2ban.nix 
@@ -1,14 +1,8 @@ { config, lib, libS, ... }: -let - cfg = config.services.fail2ban; -in -{ - options = { - services.fail2ban = { - recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; - }; - }; +let cfg = config.services.fail2ban; +in { + options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; }; config.services.fail2ban = lib.mkIf cfg.recommendedDefaults { maxretry = 5; diff --git a/modules/flake-update-service.nix b/modules/flake-update-service.nix index e11c6f4..0221b71 100644 --- a/modules/flake-update-service.nix +++ b/modules/flake-update-service.nix @@ -1,9 +1,7 @@ { config, lib, pkgs, ... }: -let - cfg = config.services.autopull; -in -{ +let cfg = config.services.autopull; +in { options = { services.autopull = { enable = lib.mkEnableOption "autopull"; @@ -29,7 +27,8 @@ in triggersRebuild = lib.mkOption { type = lib.types.bool; default = false; - description = ''Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.''; + description = + "Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option."; }; }; }; diff --git a/modules/hydra.nix b/modules/hydra.nix index c8cd50e..9af1f49 100644 --- a/modules/hydra.nix +++ b/modules/hydra.nix @@ -1,9 +1,7 @@ { config, lib, ... }: -let - cfg = config.services.hydra; -in -{ +let cfg = config.services.hydra; +in { config = { services.hydra.extraConfig = lib.mkDefault (lib.concatLines [ cfg.extraConfig diff --git a/modules/security.nix b/modules/security.nix index 6963808..694b498 100644 --- a/modules/security.nix +++ b/modules/security.nix @@ -1,6 +1,5 @@ # BIASED -{ config, lib, ... }: -{ +{ config, lib, ... }: { config = { services = { 
@@ -23,8 +22,6 @@ }; }; - networking.firewall = lib.mkIf config.services.openssh.enable { - allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; - }; + networking.firewall = lib.mkIf config.services.openssh.enable { allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; }; }; } diff --git a/modules/website.nix b/modules/website.nix index 5306383..ecf41c4 100644 --- a/modules/website.nix +++ b/modules/website.nix 
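Review bot: `allowedTCPPorts = config.services.openssh.ports ++ [ 22 ];` opens port 22 unconditionally, so moving sshd to another port (the only reason to consult `ports` here) still leaves 22 reachable from outside; the NixOS openssh module also already opens `ports` itself when its `openFirewall` option is left at its default, which makes the whole line redundant at best. Drop the `++ [ 22 ]`, or drop the option and rely on `services.openssh.openFirewall`; if the hard-coded 22 is deliberate (an emergency fallback, say), a comment explaining that is needed so it is not "fixed" later.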
@@ -2,42 +2,41 @@ let eachSite = config.services.staticpage.sites; - siteOpts = { lib, name, config, ... }: - { - options = { - package = lib.mkPackageOption pkgs "page" { }; + siteOpts = { lib, name, config, ... }: { + options = { + package = lib.mkPackageOption pkgs "page" { }; - root = lib.mkOption { - type = lib.types.str; - description = "The Document-Root folder in /var/lib"; - }; + root = lib.mkOption { + type = lib.types.str; + description = "The Document-Root folder in /var/lib"; + }; - domain = lib.mkOption { - type = lib.types.str; - example = "example.com"; - description = "The staticpage's domain."; - }; + domain = lib.mkOption { + type = lib.types.str; + example = "example.com"; + description = "The staticpage's domain."; + }; - subdomain = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - example = "app"; - description = "The staticpage subdomain."; - }; + subdomain = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + example = "app"; + description = "The staticpage subdomain."; + }; - usePHP = lib.mkOption { - type = lib.types.bool; - default = false; - description = "Configure the Nginx Server to use PHP"; - }; + usePHP = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Configure the Nginx Server to use PHP"; + }; - configureNginx = lib.mkOption { - type = lib.types.bool; - default = true; - description = "Configure the Nginx Server to serve the site with acne"; - }; + configureNginx = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Configure the Nginx Server to serve the site with acne"; }; }; + }; in { options.services.staticpage = { @@ -81,7 +80,7 @@ in allow all; ''; }; - locations."~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$" = { + locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = { extraConfig = '' try_files $uri @rewrite; expires max; 
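Review bot: The formatter's change of `\.` to `.` in `locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$"` is behaviour-preserving only because a Nix double-quoted string already turns `\.` into a bare `.`, which means nginx has always been handed an unescaped `.` that matches any character — `/foojs` or `/xcss` also land in this location with its `expires max` / `try_files $uri @rewrite` handling. A literal dot needs a doubled backslash in the Nix source, as this same flake does elsewhere (`files = "\\.nix"`): `locations."~* \\.(js|css|png|jpg|jpeg|gif|ico|svg)$"`.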
@@ -94,17 +93,17 @@ in ''; }; } // lib.optionalAttrs cfg.usePHP { - locations."~ '\.php$|^/update.php'" = { + locations."~ '.php$|^/update.php'" = { extraConfig = '' include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; fastcgi_pass unix:${config.services.phpfpm.pools.${name}.socket}; fastcgi_index index.php; - + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; # Ensure the php file exists. Mitigates CVE-2019-11043 try_files $fastcgi_script_name =404; - + # Block httpoxy attacks. See https://httpoxy.org/. fastcgi_param HTTP_PROXY ""; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; @@ -114,7 +113,7 @@ in ''; }; - locations."~ \..*/.*\.php$" = { + locations."~ ..*/.*.php$" = { extraConfig = '' return 403; ''; @@ -124,7 +123,7 @@ in return 403; ''; }; - locations."~ ^/sites/[^/]+/files/.*\.php$" = { + locations."~ ^/sites/[^/]+/files/.*.php$" = { extraConfig = '' deny all; ''; @@ -139,7 +138,7 @@ in rewrite ^ /index.php; ''; }; - locations."~ /vendor/.*\.php$" = { + locations."~ /vendor/.*.php$" = { extraConfig = '' deny all; return 404; @@ -150,7 +149,7 @@ in try_files $uri @rewrite; ''; }; - locations."~ ^(/[a-z\-]+)?/system/files/" = { + locations."~ ^(/[a-z-]+)?/system/files/" = { extraConfig = '' try_files $uri /index.php?$query_string; ''; diff --git a/systems/configuration.nix b/systems/configuration.nix index b1072cb..f43bc97 100644 --- a/systems/configuration.nix +++ b/systems/configuration.nix @@ -1,5 +1,4 @@ -{ lib, pkgs, config, ... }: -{ +{ lib, pkgs, config, ... }: { i18n = { defaultLocale = "en_US.utf8"; supportedLocales = [ "en_US.UTF-8/UTF-8" ]; @@ -7,9 +6,7 @@ boot = { default = true; - kernel.sysctl = { - "net.ipv6.conf.ens3.accept_ra" = 1; - }; + kernel.sysctl = { "net.ipv6.conf.ens3.accept_ra" = 1; }; }; home-manager = { @@ -37,7 +34,7 @@ openssh = { enable = true; fixPermissions = true; - extraConfig = ''StreamLocalBindUnlink yes''; + extraConfig = "StreamLocalBindUnlink yes"; hostKeys = [ { 
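Review bot: The `deny all` locations reformatted here — `~ ^/sites/[^/]+/files/.*.php$` and `~ /vendor/.*.php$` — appear never to be reached for PHP requests: as far as I can tell the NixOS nginx module emits a vhost's `locations` in attribute-name order with ties broken only by `priority` (which none of these hunks set), and the PHP handler key `~ '.php$|^/update.php'` sorts before both `~ ^/...` and `~ /vendor/...`, so a `*.php` under `files/` or `vendor/` is passed to php-fpm before the deny rule is considered — precisely the uploaded-script case these rules exist to block (`try_files $fastcgi_script_name =404` only checks that the file exists). Give the deny locations a lower `priority` than the handler, e.g. `priority = 500;` in each `deny` block, and verify the order in the rendered `nginx.conf`. The same Nix-string escaping issue applies to these keys: `.php$` currently matches `/anythingphp`; the literal dot needs `\\.php$` in the source. The `~ /vendor/.*.php$` block continues past the end of its hunk.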
@@ -72,28 +69,11 @@ TcpKeepAlive = "no"; X11Forwarding = lib.mkDefault false; - KexAlgorithms = [ - "curve25519-sha256@libssh.org" - "diffie-hellman-group-exchange-sha256" - ]; + KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; - Ciphers = [ - "chacha20-poly1305@openssh.com" - "aes256-gcm@openssh.com" - "aes128-gcm@openssh.com" - "aes256-ctr" - "aes192-ctr" - "aes128-ctr" - ]; + Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; - Macs = [ - "hmac-sha2-512-etm@openssh.com" - "hmac-sha2-256-etm@openssh.com" - "umac-128-etm@openssh.com" - "hmac-sha2-512" - "hmac-sha2-256" - "umac-128@openssh.com" - ]; + Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com" ]; }; }; autopull = { @@ -143,32 +123,12 @@ zsh-autoenv.enable = true; enableCompletion = true; enableBashCompletion = true; - ohMyZsh = { - enable = true; - }; + ohMyZsh = { enable = true; }; }; nix-ld = { enable = true; - libraries = with pkgs; [ - acl - attr - bzip2 - curl - glib - libglvnd - libmysqlclient - libsodium - libssh - libxml2 - openssl - stdenv.cc.cc - systemd - util-linux - xz - zlib - zstd - ]; + libraries = with pkgs; [ acl attr bzip2 curl glib libglvnd libmysqlclient libsodium libssh libxml2 openssl stdenv.cc.cc systemd util-linux xz zlib zstd ]; }; }; diff --git a/systems/jeeves-jr/configuration.nix b/systems/jeeves-jr/configuration.nix index e4d2a15..f1f4db1 100644 --- a/systems/jeeves-jr/configuration.nix +++ b/systems/jeeves-jr/configuration.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { time.timeZone = "America/New_York"; console.keyMap = "us"; networking.hostId = "1beb3026"; @@ -34,9 +33,7 @@ }; environment = { - systemPackages = with pkgs; [ - docker-compose - ]; + systemPackages = with pkgs; [ docker-compose ]; etc = { # Creates /etc/lynis/custom.prf 
diff --git a/systems/jeeves-jr/default.nix b/systems/jeeves-jr/default.nix index 340dfca..5044dd4 100644 --- a/systems/jeeves-jr/default.nix +++ b/systems/jeeves-jr/default.nix @@ -1,8 +1 @@ -{ ... }: -{ - users = [ - "alice" - "dennis" - "richie" - ]; -} +{ ... }: { users = [ "alice" "dennis" "richie" ]; } diff --git a/systems/jeeves-jr/hardware.nix b/systems/jeeves-jr/hardware.nix index e3f4a72..d970d5c 100644 --- a/systems/jeeves-jr/hardware.nix +++ b/systems/jeeves-jr/hardware.nix @@ -4,30 +4,24 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { - device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/7295-A442"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/7295-A442"; + fsType = "vfat"; + }; - swapDevices = - [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }]; + swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix index 8be196d..4f98219 100644 --- a/systems/palatine-hill/configuration.nix +++ b/systems/palatine-hill/configuration.nix 
@@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ config, pkgs, ... }: { time.timeZone = "America/New_York"; console.keyMap = "us"; networking.hostId = "dc2f9781"; @@ -8,15 +7,10 @@ loader.grub.device = "/dev/sda"; filesystem = "zfs"; useSystemdBoot = true; - kernelParams = [ - "i915.force_probe=56a5" - "i915.enable_guc=2" - ]; + kernelParams = [ "i915.force_probe=56a5" "i915.enable_guc=2" ]; }; - nixpkgs.config.packageOverrides = pkgs: { - vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - }; + nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; }; hardware = { enableAllFirmware = true; @@ -57,10 +51,9 @@ # }; }; - environment.systemPackages = with pkgs; [ - docker-compose - jellyfin-ffmpeg - ]; + environment.systemPackages = with pkgs; [ docker-compose jellyfin-ffmpeg ]; + + systemd.services.hydra-notify = { serviceConfig.EnvironmentFile = config.sops.secrets."hydra/environment".path; }; services = { samba.enable = true; @@ -101,9 +94,22 @@ minimumDiskFree = 50; minimumDiskFreeEvaluator = 100; }; + + nix-serve = { + enable = true; + secretKeyFile = config.sops.secrets."nix-serve/secret-key".path; + }; }; networking.firewall.enable = false; + sops = { + defaultSopsFile = ./secrets.yaml; + secrets = { + "hydra/environment".owner = "hydra"; + "nix-serve/secret-key".owner = "root"; + }; + }; + system.stateVersion = "23.05"; } diff --git a/systems/palatine-hill/default.nix b/systems/palatine-hill/default.nix index 340dfca..5044dd4 100644 --- a/systems/palatine-hill/default.nix +++ b/systems/palatine-hill/default.nix @@ -1,8 +1 @@ -{ ... }: -{ - users = [ - "alice" - "dennis" - "richie" - ]; -} +{ ... }: { users = [ "alice" "dennis" "richie" ]; } diff --git a/systems/palatine-hill/hardware.nix b/systems/palatine-hill/hardware.nix index c6ceac6..ad9ee40 100644 --- a/systems/palatine-hill/hardware.nix +++ b/systems/palatine-hill/hardware.nix 
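Review bot: `nix-serve` is enabled on this host while the context line `networking.firewall.enable = false;` stays in place, and the NixOS `nix-serve` module's default is, as far as I recall, to listen on all interfaces on port 5000 — so the binary cache becomes an unauthenticated service reachable from every network this machine is attached to, next to Hydra. Either set `bindAddress = "127.0.0.1";` and front it with a TLS reverse proxy, or re-enable the firewall and open only the intended port; if this service is what `cache.alicehuston.xyz` in `flake.nix` points at, a comment tying the two together would help the next reader. Also confirm that the pinned nixpkgs revision's nix-serve module reads `secretKeyFile` through `LoadCredential`: the secret is declared `owner = "root"` with sops' default 0400 mode, which the unprivileged `nix-serve` service user could not open directly otherwise.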
@@ -6,8 +6,7 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = - [ "xhci_pci" "mpt3sas" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "mpt3sas" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; @@ -22,8 +21,7 @@ fsType = "vfat"; }; - swapDevices = - [{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }]; + swapDevices = [{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's @@ -35,6 +33,5 @@ # networking.interfaces.enp72s0f3u1u2c2.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml new file mode 100644 index 0000000..63d6bb3 --- /dev/null +++ b/systems/palatine-hill/secrets.yaml 
@@ -0,0 +1,76 @@ +hydra: + environment: ENC[AES256_GCM,data:k6t0jVLgsCbOwAnj71ogmsdoLsMaMjeScYRblE72FNEk8cgWc2Q5kw5LVShIC5Kgl2XhSJIoi1+pDS1X5huyWs+cz4T9oUtOJhtSlL9+UCLmaqoR0SCI1eCZT1fkRZ3QtitrRmtvm77Sld7Ckz/apG7cQsfpKhymkEz+Y8WdC3mc5Kjt05eAn66IbQYO8y1HQc9bkCAWYD+NSwOqC80W5RIfkKActWz1DFoeTESwMcpA9MKHlGMKP82Uo/qlRhXq+riY5e5voFGQw0O3CKRTy1Q=,iv:Fbl/9XkNTe5qmn7wvPtQ1Hpfzp7+3WLeuipkme9a29A=,tag:+git1pCZzSirfFsxj91WUQ==,type:str] +nix-serve: + secret-key: ENC[AES256_GCM,data:a+N7udOUnls35wCyO/icqtMWEVMorg3mSlZKih8LHQM4wgemZXuXYdhvw65CTPHvzcS0mr6QEMNzkqXios4kvlNDUvbG0OuaVhtqWqtuutz4J9VsGf8PdIvXNkLSHfm2fEY4n84nYM5tUidzwfA=,iv:045gOacG0t9rbzaszQ/5quZkRvfHLF8cETG2tABUrvk=,tag:sLs/yFdUlwf+YZf/Ja8YbA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMXl4RWc0Ymt4YjB4dHk3 + YWdHcndLQzhyRFl4Vlp4d015KzJ3dGN2OGxBCkE4MEZjTnVua0pEd1BibWlhOUVs + enZFMUw4dVBBWC9Zb2hhalNxZi9LRGMKLS0tIEFreDViNEEySXlqM3FQMVE1ZEtk + Qkt2U1hWWGo4VzB2bEFYTWUwL0tyYzgKE1H8Wx5VH8D5cBHrniAAVQXD8yyR1eWY + wUjeAOgiTEe8gjulqGDKxjMqcz7w/wuHBTICXEUEi6fBSdDE4RJkkA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-01T05:36:42Z" + mac: ENC[AES256_GCM,data:mUpprU3khFg6ioJlv6dD0SfD6vmLsKKWqX/nHMkUooyc3SbLTEh7u40bmIhpQLMTvxryRB1+oV+K87NTUYBlD34SglH4a3/FyCzdeP0cgpc+pkswa5LQsJrPcB2IN2MJe4cWGGDkzVS80747HSdAqHw6fv2lNjQBFfvsp3Jo8ck=,iv:ltDI4nOBYRPVTTbSfEYfLFee3H7b0G9tjOu0eNnpvgw=,tag:+l3NsxJ+HSy8RI2ZAUn0Jw==,type:str] + pgp: + - created_at: "2024-02-01T04:49:29Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA84hNUGIgI/nAQ/9GapgiAVoonYaq99pd66krKBfZMzdaFH6/29azR/f8+/Z + 80m0wyS58u54/vosYMdCjiWx7+uiL6PqRs+xzyDlcXJjCqT1ExXywHaEL1IueY4q + 3OkqUcj0Vnas0uIBV70Xa8RngxE9hPS7OitmUjEKUhHbFhqJnCNdiXcvEsBQkVpT + C+YOGCpIszWShUHukH7CZuZQWW8mF6+c+pcqPt+NVcuBx+c2tJfXCRxh0QloUbT+ + 
zVmuiwHcQpX0wwO+lLFjuGq/7nUzYyxqbyeqkRwYXFwDF1btdL1aIz7RXobLxjQO + hBDgJZTb0TxZGPzhvgGtMWaK0wDuNa3KA6IEv03ivmkmK0rffEJ4qIW2XXA4MXbU + wJDDMe7u2B5Kgs09soPa9eYQuRRDigvgdTPWg6dPMIdAszqtXCY0l7847ODYl1pw + 8J7CS1kL1sShFvoHqPwK5c1231Kc3mJwgAntlwwemBZP60TGcwgmqWRl/LhfoRm5 + CwzbVyLZeYRYuuVHeJDNXB1FFmVtpgidcB8tduUZUo80otnBgEzU73ShJHr32BeJ + 195qa0vb5KCLz9G89oWZUq5jOKe3rHftCEMlGHQ0cvBHl3SezLCx9FJ373c6Rsq2 + egNwg9HMyScJGD93mukGPRlyawJAEEmZawmDJz8IKa/YzxqE+cDHp37MImXIEBzS + XgHsddLzcv0vY73sq+Wl3TYmHEq0Bs36WZWHJ4CkfRqkhRW3AGfS5jo1UAvIYKMa + oZCksFpcoJ4jLfxze/pU3ZX1n4fdapCSZSJNwdwYRygZlx9Mn38l7qF+MX8hTvg= + =7ah4 + -----END PGP MESSAGE----- + fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82 + - created_at: "2024-02-01T04:49:29Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DqDJbhoEBo+ISAQdAKVno0tJCc4ipQxmAk1vA8TJeR0prQ/TAvueAYoTulFkw + KVrbiII3tQQFVeUeT8iG+QZEY1heDW0qGrGg7YLGk71R7HXrOgFMGpjGg+gXQsui + 1GgBCQIQqSQ6oXefrAklm7/aMTgfjvo5ZdIPSF9dbwhxx4J3tf+Pm9pyEDZSxTy+ + /vHvwlnqJXKOEPnwHl1XJKawwdTOIPeuBTr5uH51/kmd4TcrGBMBXKVHfI5qtqAs + lQNgfsDgk+oH/Q== + =KQD1 + -----END PGP MESSAGE----- + fp: 8F79E6CD6434700615867480D11A514F5095BFA8 + - created_at: "2024-02-01T04:49:29Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA29thaGx06tOAQ/8Cjj9t2J2t8aehRfqRsFK1npQV/ToTsGLn2mpAl5ITXrF + xOBLg1nqRq1h9++xSdpH2A9KK8tf0JkJ0Yb9sFfu/7SNqTmdnfl7FYSU67Hlxji/ + LYBLDy6KPOEkfes8prYcAnNGe6U7W5zHfRasKjbg2RqJ0wrlkB9dttBRFIpTHkUK + amibjf/ScLRJuqt5nwZkNnvOFBImQlXHMOhxp/QUnWzUD1CE6zWGe6hb++ixGoHW + OSqlVF87K1/7jqaUMmX5Jee16ybcziHg5c7dnoq623GWZHZrGEDG3c8E588+c2LJ + RSyQjLfUvvRbkIdBOgKTM0/EdNVmwHLWezRgwiHsZJFP8tJUBY7CZTzIrwFwm4Hz + zxlr/p7egN2KrI8mzePBd9DlOsJJ1gCSW+MMZ/mqi+AntJqmNOcrHyEIr5wPbiyP + c6iIucTAAJIHLgMwa1PzzlK8F8miE0R6ON4IeDg/i5LXk9QpB9FZktiqp2bybPyd + WUNhWbZT9z7homCkjgyMQ/1Pc6/i5NZFQZ5HaGvsiEszToF0uCoMWUxwJeHwfKfO + RRV3XsMMzKaagS3eauq+omE47yj86gePmTIBK2nTvhg3HH3c3S+XN/vKU170scbO + mo03fH09qoXJ0B4QScj8O7NDFdTo4FcOa5eJGpfRcZFaBcNIttz4A5xnho2Pz7nS + 
XgG1chsapzPutaMWqicefBs7niFgEhIoL2aEBRlY9lpj5noyZBgvC7u00Fi5sXVb
+ MY3H0SlP4B3ic3fh77L5yr3ZemYh+NVfujdzMak6OgLk+ELrs8ZxMj4MMvEgoq4=
+ =Nw8m
+ -----END PGP MESSAGE-----
+ fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/programs.nix b/systems/programs.nix
index 51e4322..2cdf7b6 100644
--- a/systems/programs.nix
+++ b/systems/programs.nix
@@ -1,5 +1,4 @@
-{ pkgs, ... }:
-{
+{ pkgs, ... }: {
 environment.systemPackages = with pkgs; [
 bat
 btop
diff --git a/users/alice/home.nix b/users/alice/home.nix
index 639f0af..c1d746f 100644
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@@ -61,11 +61,7 @@
 topgrade = {
 enable = true;
- settings = {
- misc = {
- disable = [ "system" "nix" "shell" ];
- };
- };
+ settings = { misc = { disable = [ "system" "nix" "shell" ]; }; };
 };
 };
diff --git a/users/alice/secrets.yaml b/users/alice/secrets.yaml
index bfa3747..21da1d9 100644
--- a/users/alice/secrets.yaml
+++ b/users/alice/secrets.yaml
@@ -33,8 +33,8 @@ sops:
 THdwZG9QQ01mamYrclhHT2dQUXhIWTQK9fxQV7RDYij2aCdfgCufUToWgoais1KI
 UQ7bPV0ZPhaBX4h2Q7kUk7FJwK5aGAsoBxf4KW4V78tSbz+XIyd3JQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-03T23:04:30Z"
- mac: ENC[AES256_GCM,data:6Wnf1Ul8qJXs7/qeJGilLDgVcHFR7p5EkH4g058uqL08zbN++VAkkKzfayKa5zF6DQeSBw9E+68r1bzML9O1UIpdUUyedKn0Jyl6rm0nPbWfgfQR0NkMlhi9JNvJp+ROfLAUQP/5g/o2BQAEDcGuGaleZ6wV39Q5ZX2vMayxufM=,iv:YBQco/q50LEUCssG1/HoQ9buAPnYJG+kRGQbg4HFyfU=,tag:okJ+Un0ri6wLERNlDSclHw==,type:str]
+ lastmodified: "2024-02-01T04:49:18Z"
+ mac: ENC[AES256_GCM,data:4TarduVMtlQWCcCY73i6xuZOAUZAVHuGVxy+Mpl5IPo+BPMTUYjMed4x/EbYSV/+j/NEvA3A5c9+MTHjDvO9ywCYjulgosSim5aNHacOpQ7rwwa7fLFyztmL2SG3ZSBdjH2H/5VXkPfpKpOmp6X/yRHxnEKa0WAJg9FKOht/P2E=,iv:iqFwMB6hid7hEq7HZ7jCYCAXoZjDypC6Qg7qqcJxfAc=,tag:A7AoIPm8IsjPgOOl4Burxg==,type:str]
 pgp:
 - created_at: "2023-12-29T19:22:00Z"
 enc: |-
diff --git a/users/alice/systems/configuration.nix b/users/alice/systems/configuration.nix
index fb4b367..c915eb0 100644
--- a/users/alice/systems/configuration.nix
+++ b/users/alice/systems/configuration.nix
@@ -1,2 +1 @@
-{ ... }:
-{ }
+{ ... }: { }
diff --git a/users/alice/systems/testtop/configuration.nix b/users/alice/systems/testtop/configuration.nix
index 5c90545..bcc370c 100644
--- a/users/alice/systems/testtop/configuration.nix
+++ b/users/alice/systems/testtop/configuration.nix
@@ -1,10 +1,5 @@
-{ pkgs, ... }:
-{
- imports = [
- ../configuration.nix
- ../programs.nix
- ./programs.nix
- ];
+{ pkgs, ... }: {
+ imports = [ ../configuration.nix ../programs.nix ./programs.nix ];
 time.timeZone = "America/New_York";
 console.keyMap = "us";
@@ -23,9 +18,7 @@
 boot = {
 default = true;
- kernel.sysctl = {
- "net.ipv6.conf.ens3.accept_ra" = 1;
- };
+ kernel.sysctl = { "net.ipv6.conf.ens3.accept_ra" = 1; };
 };
 system.stateVersion = "23.05";
diff --git a/users/alice/systems/testtop/default.nix b/users/alice/systems/testtop/default.nix
index 06627e5..7a9656a 100644
--- a/users/alice/systems/testtop/default.nix
+++ b/users/alice/systems/testtop/default.nix
@@ -1,5 +1,5 @@
-{ ... }:
-{
+{ ... }: {
 system = "x86_64-linux";
- home-manager = true;
+ home = true;
+ sops = false;
 }
diff --git a/users/alice/systems/testtop/hardware.nix b/users/alice/systems/testtop/hardware.nix
index e3f4a72..d970d5c 100644
--- a/users/alice/systems/testtop/hardware.nix
+++ b/users/alice/systems/testtop/hardware.nix
@@ -4,30 +4,24 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
- imports =
- [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- {
- device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- {
- device = "/dev/disk/by-uuid/7295-A442";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/7295-A442";
+ fsType = "vfat";
+ };
- swapDevices =
- [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
+ swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/users/alice/systems/testtop/programs.nix b/users/alice/systems/testtop/programs.nix
index b96912e..e7d2c36 100644
--- a/users/alice/systems/testtop/programs.nix
+++ b/users/alice/systems/testtop/programs.nix
@@ -1,5 +1,4 @@
-{ pkgs, ... }:
-{
+{ pkgs, ... }: {
 environment.systemPackages = with pkgs; [
 bat
 btop
diff --git a/users/default.nix b/users/default.nix
index a065d59..d2ca900 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -1,11 +1,4 @@
-{ lib
-, config
-, pkgs
-, name
-, publicKeys ? [ ]
-, defaultShell ? "zsh"
-,
-}:
+{ lib, config, pkgs, name, publicKeys ? [ ], defaultShell ? "zsh", }:
 {
 inherit name;
@@ -22,7 +15,7 @@
 "plugdev"
 "uaccess"
 ];
- shell = pkgs.${defaultShell};
- hashedPasswordFile = config.sops.secrets."${name}/user-password".path;
+ shell = lib.mkIf config.programs.${defaultShell}.enable pkgs.${defaultShell};
+ hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
 openssh.authorizedKeys.keys = publicKeys;
 }
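Review bot: `hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null` turns a missing secret into a silent `null`, so a misspelled key, or a host that declares no sops secrets (presumably what `sops = false` in `users/alice/systems/testtop/default.nix` means), produces an account with no password hash configured instead of an evaluation error; depending on `users.mutableUsers` that either leaves the account without a usable password or keeps whatever hash is already on disk. If the fallback is intended, say so on the line, e.g. `# hosts without sops: no password hash is set, login relies on openssh.authorizedKeys`. If it is not, gate the attribute on an explicit per-host flag with `lib.mkIf` rather than `or null`, so a typo in the secret name still fails at evaluation time. The enclosing user attribute set starts outside this hunk.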