diff --git a/flake.nix b/flake.nix index 2013adf..cd7a05a 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,6 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; systems.url = "github:nix-systems/default"; - nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; @@ -94,7 +93,6 @@ inherit (nixpkgs) lib; systems = [ "x86_64-linux" "aarch64-linux" ]; forEachSystem = lib.genAttrs systems; - overlayList = [ self.overlays.default nix.overlays.default ]; pkgsBySystem = forEachSystem (system: import nixpkgs { inherit system; @@ -135,13 +133,13 @@ { repo = "local"; hooks = [ - { - id = "nixfmt check"; - entry = "${nixpkgs-fmt.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt"; - args = [ "--check" ]; - language = "system"; - files = "\\.nix"; - } + # { + # id = "nixfmt check"; + # entry = "${nixpkgs-fmt.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt"; + # args = [ "--check" ]; + # language = "system"; + # files = "\\.nix"; + # } { id = "nix-flake-check"; entry = "nix flake check"; 
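Review bot: The nixfmt pre-commit hook in the @@ -135 hunk is commented out rather than removed, which leaves dead configuration in the hooks list with no reason recorded. Either delete the block or keep a one-line `# nixfmt check disabled: <reason>` above the remaining `nix-flake-check` hook so the next reader knows whether formatting is still meant to be enforced. The same hunk set also drops the `nix-index-database` input and the `overlayList` binding; if either is still referenced elsewhere in the flake, evaluation will fail, which cannot be confirmed from these hunks alone.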
@@ -175,19 +173,20 @@ ] else [ ./users/${builtins.head users}/systems/${hostname}/configuration.nix ./users/${builtins.head users}/systems/${hostname}/hardware.nix - ]) ++ fileList "modules" ++ modules ++ lib.optional home home-manager.nixosModules.home-manager - ++ (if home then (map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users) else [ ]) ++ map - (user: - { config, lib, pkgs, ... }@args: { - users.users.${user} = import ./users/${user} (args // { name = "${user}"; }); - boot.initrd.network.ssh.authorizedKeys = lib.mkIf server config.users.users.${user}.openssh.authorizedKeys.keys; - sops = lib.mkIf sops { - secrets."${user}/user-password" = { - sopsFile = ./users/${user}/secrets.yaml; - neededForUsers = true; - }; + ]) ++ modules + ++ fileList "modules" + ++ lib.optional home home-manager.nixosModules.home-manager + ++ (if home then (map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users) else [ ]) + ++ map (user: { config, lib, pkgs, ... }@args: { + users.users.${user} = import ./users/${user} (args // { name = "${user}"; }); + boot.initrd.network.ssh.authorizedKeys = lib.mkIf server config.users.users.${user}.openssh.authorizedKeys.keys; + sops = lib.mkIf sops { + secrets."${user}/user-password" = { + sopsFile = ./users/${user}/secrets.yaml; + neededForUsers = true; }; - }) + }; + }) users; }; in diff --git a/modules/backup.nix b/modules/backup.nix index 3af01ed..78490bd 100644 --- a/modules/backup.nix +++ b/modules/backup.nix 
@@ -52,9 +52,9 @@ in { restic.backups = let commonOpts = { - extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ]; - initialize = true; + extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ]; + pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ]; passwordFile = config.sops.secrets."restic/password".path; paths = [ "/etc/group" @@ -85,8 +85,6 @@ in { "/var/lib/gitea/data/tmp/" ]; - pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ]; - timerConfig = { OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00"; RandomizedDelaySec = "5m"; 
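Review bot: `initialize = true;` is removed from `commonOpts` in the @@ -52 hunk while `extraBackupArgs` is re-added unchanged, so what looks like a reorder silently changes behaviour: the restic services will no longer create a missing repository, and the first run against an empty `/var/backup` fails until `restic init` is run by hand. If that is intended, say so in the commit message; otherwise re-add `initialize = true;` next to the moved `pruneOpts`. The `commonOpts` let-binding continues past this hunk.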
@@ -95,31 +93,29 @@ in { in lib.mkIf cfg.enable { local = commonOpts // { repository = "/var/backup"; }; - offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; }; }; }; - sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) - { - "restic/offsite/private" = { - owner = "root"; - path = "/root/.ssh/id_offsite-backup"; - sopsFile = ./backup.yaml; - }; + sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) { + "restic/offsite/private" = { + owner = "root"; + path = "/root/.ssh/id_offsite-backup"; + sopsFile = ./backup.yaml; + }; - "restic/offsite/public" = { - owner = "root"; - path = "/root/.ssh/id_offsite-backup.pub"; - sopsFile = ./backup.yaml; - }; + "restic/offsite/public" = { + owner = "root"; + path = "/root/.ssh/id_offsite-backup.pub"; + sopsFile = ./backup.yaml; + }; - "restic/offsite/ssh-config" = { - owner = "root"; - path = "/root/.ssh/config"; - sopsFile = ./backup.yaml; - }; - } // lib.mkIf cfg.enable { "restic/password".owner = "root"; }; + "restic/offsite/ssh-config" = { + owner = "root"; + path = "/root/.ssh/config"; + sopsFile = ./backup.yaml; + }; + } // lib.mkIf cfg.enable { "restic/password".owner = "root"; }; system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) '' echo "Linking restic ssh config..." @@ -130,12 +126,11 @@ in { ''; systemd = lib.mkIf cfg.enable { + timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; }; services = { restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666"; restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666"; }; - - timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; }; }; }; } diff --git a/modules/boot.nix b/modules/boot.nix index cf9d726..cf0089d 100644 --- a/modules/boot.nix 
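Review bot: The @@ -95 hunk deletes the `offsite` backup definition but keeps everything that only exists to serve it: the three `restic/offsite/*` sops secrets written into `/root/.ssh`, the `linkResticSSHConfigIntoVirtioFS` activation script and the `restic-backups-offsite.serviceConfig.Environment` override, all still gated on `cfg.offsite != [ ]`. The environment override now targets a service that is never defined, and the offsite private key is still deployed with nothing using it. The removed line was also mis-parenthesised, since `lib.mkIf (...) commonOpts // { ... }` applies `//` to the `mkIf` wrapper rather than to `commonOpts`; if offsite backups are meant to stay, the fix is `offsite = lib.mkIf (cfg.offsite != [ ]) (commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; });`, and if they are meant to go, the gated secrets, activation script and override should go with them.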
+++ b/modules/boot.nix @@ -5,12 +5,15 @@ in { options = { boot = { default = libS.mkOpinionatedOption "enable the boot builder"; + fullDiskEncryption = libS.mkOpinionatedOption "use luks full disk encrytion"; + useSystemdBoot = libS.mkOpinionatedOption "use systemd boot"; cpuType = lib.mkOption { type = lib.types.str; example = "amd"; default = ""; description = "The cpu-type installed on the server."; }; + amdGPU = libS.mkOpinionatedOption "the system contains a AMD GPU"; filesystem = lib.mkOption { type = lib.types.str; @@ -18,16 +21,16 @@ in { default = "ext4"; description = "The filesystem installed."; }; - fullDiskEncryption = libS.mkOpinionatedOption "use luks full disk encrytion"; - useSystemdBoot = libS.mkOpinionatedOption "use systemd boot"; }; }; config.boot = lib.mkIf cfg.default { + supportedFilesystems = [ cfg.filesystem ]; + tmp.useTmpfs = true; + kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=:::"; initrd = { - # networking for netcard kernelModules = [ "e1000e" ]; kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ]; - network = lib.mkIf cfg.fullDiskEncryption { enable = true; ssh = { @@ -37,11 +40,6 @@ in { }; }; - supportedFilesystems = [ cfg.filesystem ]; - tmp.useTmpfs = true; - kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=:::"; - zfs = lib.mkIf (cfg.filesystem == "zfs") { enableUnstable = true; devNodes = "/dev/disk/by-id/"; @@ -49,7 +47,7 @@ in { }; loader = { - efi = { canTouchEfiVariables = false; }; + efi.canTouchEfiVariables = false; generationsDir.copyKernels = true; systemd-boot.enable = lib.mkIf cfg.useSystemdBoot true; grub = lib.mkIf (!cfg.useSystemdBoot) { diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix index 0a5849b..1f03681 100644 
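Review bot: The option descriptions moved into the @@ -5 hunk carry typos that will surface in generated option docs: `"use luks full disk encrytion"` should read `"use luks full disk encryption"` and `"the system contains a AMD GPU"` should read `"the system contains an AMD GPU"`. The @@ -18 hunk also deletes `# networking for netcard kernelModules = [ "e1000e" ];`, which was the only hint about which NIC driver the LUKS-unlock initrd ssh relies on; if `e1000e` is still needed for `initrd.network`, record that in a comment or add it to the initrd module list. The `initrd.network` block continues past this hunk.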
--- a/modules/fail2ban.nix +++ b/modules/fail2ban.nix @@ -2,7 +2,7 @@ let cfg = config.services.fail2ban; in { - options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; }; + options.services.fail2ban.recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; config.services.fail2ban = lib.mkIf cfg.recommendedDefaults { maxretry = 5; diff --git a/modules/flake-update-service.nix b/modules/flake-update-service.nix index 0221b71..fda4bef 100644 --- a/modules/flake-update-service.nix +++ b/modules/flake-update-service.nix 
@@ -10,38 +10,40 @@ in { default = "dotfiles"; description = "A name for the service which needs to be pulled"; }; + path = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; description = "Path that needs to be updated via git pull"; }; + frequency = lib.mkOption { type = lib.types.str; description = "systemd-timer compatible time between pulls"; default = "1h"; }; + ssh-key = lib.mkOption { type = lib.types.str; description = "ssh-key used to pull the repository"; }; + triggersRebuild = lib.mkOption { type = lib.types.bool; default = false; - description = - "Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option."; + description = "Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option."; }; }; }; - # implementation config = lib.mkIf (cfg.enable && !(builtins.isNull cfg.path)) { + environment.systemPackages = [ pkgs.openssh pkgs.git ]; systemd.services."autopull@${cfg.name}" = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; description = "Pull the latest data for ${cfg.name}"; serviceConfig = { Type = "oneshot"; - # TODO: See how we can migrate this to DynamicUser=yes instead User = "root"; WorkingDirectory = cfg.path; Environment = lib.mkIf (cfg.ssh-key != "") "GIT_SSH_COMMAND=${pkgs.openssh}/bin/ssh -i ${cfg.ssh-key} -o IdentitiesOnly=yes"; @@ -50,6 +52,7 @@ in { Wants = "nixos-upgrade.service"; }; }; + systemd.timers."autopull@${cfg.name}" = { wantedBy = [ "timers.target" ]; timerConfig = { @@ -58,6 +61,5 @@ in { Unit = "autopull@${cfg.name}.service"; }; }; - environment.systemPackages = [ pkgs.openssh pkgs.git ]; }; } diff --git a/modules/security.nix b/modules/security.nix index 694b498..6fd0dc0 100644 --- a/modules/security.nix +++ b/modules/security.nix 
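Review bot: The `# TODO: See how we can migrate this to DynamicUser=yes instead` comment is dropped from the @@ -10 hunk while `User = "root";` stays, so a timer-driven `git pull` over ssh that goes on to trigger `nixos-upgrade.service` now runs as root with no recorded reason or follow-up. Keep the TODO, or replace it with a comment stating why root is required, e.g. `# runs as root: <reason>; revisit DynamicUser=yes`. Separately, `ssh-key` is declared as `lib.types.str` with no default, so the `cfg.ssh-key != ""` guard below only evaluates once the option is set; `default = "";` would make the guard meaningful.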
@@ -2,7 +2,6 @@ { config, lib, ... }: { config = { services = { - openssh = lib.mkIf config.services.gitea.enable { extraConfig = '' Match User gitea @@ -22,6 +21,8 @@ }; }; - networking.firewall = lib.mkIf config.services.openssh.enable { allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; }; + networking.firewall = lib.mkIf config.services.openssh.enable { + allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; + }; }; } diff --git a/modules/website.nix b/modules/website.nix index ecf41c4..0aeedfb 100644 --- a/modules/website.nix +++ b/modules/website.nix @@ -1,7 +1,6 @@ { config, pkgs, lib, ... }: let eachSite = config.services.staticpage.sites; - siteOpts = { lib, name, config, ... }: { options = { package = lib.mkPackageOption pkgs "page" { }; @@ -41,7 +40,6 @@ in { options.services.staticpage = { enable = lib.mkEnableOption "staticpage"; - sites = lib.mkOption { type = lib.types.attrsOf (lib.types.submodule siteOpts); default = { }; @@ -57,7 +55,6 @@ in name = "${(if (cfg.subdomain == null) then "${cfg.domain}" else "${cfg.subdomain}.${cfg.domain}")}"; value = { root = "/var/lib/www/${cfg.root}"; - forceSSL = true; enableACME = true; serverAliases = lib.mkIf (cfg.subdomain == null) [ "www.${cfg.domain}" ]; @@ -68,6 +65,7 @@ in access_log off; ''; }; + locations."= /robots.txt" = { extraConfig = '' allow all; @@ -75,11 +73,13 @@ in access_log off; ''; }; + locations."~* ^/.well-known/" = { extraConfig = '' allow all; ''; }; + locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = { extraConfig = '' try_files $uri @rewrite; @@ -87,6 +87,7 @@ in log_not_found off; ''; }; + locations."~ ^/sites/.*/files/styles/" = { extraConfig = '' try_files $uri @rewrite; 
@@ -118,37 +119,44 @@ in return 403; ''; }; + locations."~ ^/sites/.*/private/" = { extraConfig = '' return 403; ''; }; + locations."~ ^/sites/[^/]+/files/.*.php$" = { extraConfig = '' deny all; ''; }; + locations."/" = { extraConfig = '' try_files $uri /index.php?$query_string; ''; }; + locations."@rewrite" = { extraConfig = '' rewrite ^ /index.php; ''; }; + locations."~ /vendor/.*.php$" = { extraConfig = '' deny all; return 404; ''; }; + locations."~ ^/sites/.*/files/styles/" = { extraConfig = '' try_files $uri @rewrite; ''; }; + locations."~ ^(/[a-z-]+)?/system/files/" = { extraConfig = '' try_files $uri /index.php?$query_string; @@ -171,6 +179,7 @@ in (lib.mapAttrs (name: cfg: { user = "nginx"; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; settings = { "listen.owner" = config.services.nginx.user; "pm" = "dynamic"; @@ -183,7 +192,6 @@ in "php_admin_flag[log_errors]" = true; "catch_workers_output" = true; }; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; }) (lib.filterAttrs (n: v: v.usePHP) eachSite)) ]; diff --git a/systems/configuration.nix b/systems/configuration.nix index 4488036..8094e2f 100644 --- a/systems/configuration.nix +++ b/systems/configuration.nix @@ -1,4 +1,6 @@ { lib, pkgs, config, ... }: { + security.auditd.enable = true; + nixpkgs.config.allowUnfree = true; i18n = { defaultLocale = "en_US.utf8"; supportedLocales = [ "en_US.UTF-8/UTF-8" ]; @@ -26,8 +28,6 @@ }; }; - security.auditd.enable = true; - services = { fail2ban = { enable = lib.mkIf config.networking.firewall.enable (lib.mkDefault true); @@ -55,7 +55,6 @@ } ]; - # all of these setting are recommended by lynis unless otherwise commented settings = { AllowAgentForwarding = "no"; AllowTcpForwarding = "no"; 
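Review bot: The systems/configuration.nix @@ -55 hunk deletes `# all of these setting are recommended by lynis unless otherwise commented`, which was the only explanation for the sshd hardening values that follow (`AllowAgentForwarding = "no"`, `AllowTcpForwarding = "no"`, and the rest). Keep a why-comment above `settings = {`, e.g. `# sshd settings follow the lynis recommendations unless noted otherwise`, so the next reader does not relax them as arbitrary. The `settings` attrset continues past this hunk.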
@@ -71,14 +70,31 @@ PermitRootLogin = "no"; TcpKeepAlive = "no"; X11Forwarding = lib.mkDefault false; + KexAlgorithms = [ + "curve25519-sha256@libssh.org" + "diffie-hellman-group-exchange-sha256" + ]; - KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; + Ciphers = [ + "chacha20-poly1305@openssh.com" + "aes256-gcm@openssh.com" + "aes128-gcm@openssh.com" + "aes256-ctr" + "aes192-ctr" + "aes128-ctr" + ]; - Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; - - Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com" ]; + Macs = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + "hmac-sha2-512" + "hmac-sha2-256" + "umac-128@openssh.com" + ]; }; }; + autopull = { enable = true; path = /root/dotfiles; @@ -86,11 +102,10 @@ }; }; - nixpkgs.config.allowUnfree = true; - programs = { git = { enable = true; + lfs.enable = lib.mkDefault true; config = { interactive.singlekey = true; pull.rebase = true; @@ -116,17 +131,16 @@ zsh = { enable = true; + syntaxHighlighting.enable = true; + zsh-autoenv.enable = true; + enableCompletion = true; + enableBashCompletion = true; + ohMyZsh.enable = true; autosuggestions = { enable = true; strategy = [ "completion" ]; async = true; }; - - syntaxHighlighting.enable = true; - zsh-autoenv.enable = true; - enableCompletion = true; - enableBashCompletion = true; - ohMyZsh = { enable = true; }; }; nix-ld = { @@ -142,6 +156,7 @@ }; nix = { + diffSystem = true; settings = { experimental-features = [ "nix-command" "flakes" ]; keep-outputs = true; @@ -154,8 +169,6 @@ dates = "weekly"; options = "--delete-older-than 30d"; }; - - diffSystem = true; }; system = { 
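Review bot: Now that the @@ -71 hunk lists `KexAlgorithms`, `Ciphers` and `Macs` one entry per line, the policy they encode is worth confirming: `Macs` still ends with the non-ETM `hmac-sha2-512`, `hmac-sha2-256` and `umac-128@openssh.com`, and `Ciphers` keeps the `*-ctr` modes after the AEAD ones, so a client negotiating down to those is still accepted. If the intent is AEAD and encrypt-then-MAC only, drop the trailing three MACs and the CTR entries; if client compatibility requires them, a short comment saying so would stop the next reader from tightening them blindly. On OpenSSH 9.x the hybrid `sntrup761x25519-sha512@openssh.com` could also be listed ahead of `curve25519-sha256@libssh.org`.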
@@ -163,8 +176,6 @@ enable = true; randomizedDelaySec = "1h"; persistent = true; - # Running this since this is private right now. - # Need to set up a ssh-key for github for autoUpgrade flake = "git+ssh://git@github.com/RAD-Development/nix-dotfiles"; }; }; diff --git a/systems/jeeves-jr/configuration.nix b/systems/jeeves-jr/configuration.nix index f1f4db1..4c70c26 100644 --- a/systems/jeeves-jr/configuration.nix +++ b/systems/jeeves-jr/configuration.nix @@ -1,7 +1,10 @@ { pkgs, ... }: { time.timeZone = "America/New_York"; console.keyMap = "us"; - networking.hostId = "1beb3026"; + networking = { + hostId = "1beb3026"; + firewall.enable = false; + }; boot = { zfs.extraPools = [ "Main" ]; @@ -14,16 +17,16 @@ enable = true; recommendedDefaults = true; logDriver = "local"; + storageDriver = "overlay2"; daemon."settings" = { experimental = true; + data-root = "/var/lib/docker"; exec-opts = [ "native.cgroupdriver=systemd" ]; log-opts = { max-size = "10m"; max-file = "5"; }; - data-root = "/var/lib/docker"; }; - storageDriver = "overlay2"; }; podman = { @@ -34,7 +37,6 @@ environment = { systemPackages = with pkgs; [ docker-compose ]; - etc = { # Creates /etc/lynis/custom.prf "lynis/custom.prf" = { @@ -57,11 +59,8 @@ services = { nfs.server.enable = true; - openssh.ports = [ 352 ]; - smartd.enable = true; - sysstat.enable = true; usbguard = { @@ -82,7 +81,5 @@ }; }; - networking.firewall.enable = false; - system.stateVersion = "23.05"; } diff --git a/systems/jeeves-jr/hardware.nix b/systems/jeeves-jr/hardware.nix index d970d5c..37d31ba 100644 --- a/systems/jeeves-jr/hardware.nix +++ b/systems/jeeves-jr/hardware.nix 
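Review bot: `firewall.enable = false;` is folded into the `networking` block in the jeeves-jr @@ -1 hunk (and likewise in the palatine-hill configuration hunk later in this diff), and because systems/configuration.nix sets `fail2ban.enable = lib.mkIf config.networking.firewall.enable (lib.mkDefault true);`, turning the firewall off also leaves fail2ban off on both hosts, which expose sshd (jeeves-jr on port 352), nfs.server and docker. If the firewall is off on purpose, a comment next to it stating why and whether fail2ban is expected to be inactive would make that explicit; otherwise set `fail2ban.enable = true;` directly on these hosts. The `services` attrset in this hunk continues past its boundary.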
@@ -1,35 +1,31 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
+{ config, lib, modulesPath, ... }:
 {
- imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
- fsType = "ext4";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/7295-A442";
- fsType = "vfat";
- };
-
- swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ networking.useDHCP = lib.mkDefault true;
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
+ boot = {
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ initrd = {
+ kernelModules = [ ];
+ availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/7295-A442";
+ fsType = "vfat";
+ };
+ };
 }
diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix
index 59960ad..6d41db3 100644
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@@ -1,7 +1,18 @@ { config, pkgs, ... }: { time.timeZone = "America/New_York"; console.keyMap = "us";
- networking.hostId = "dc2f9781";
+ systemd.services.hydra-notify.serviceConfig.EnvironmentFile = config.sops.secrets."hydra/environment".path;
+ networking = {
+ hostId = "dc2f9781";
+ firewall.enable = false;
+ };
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ vaapiIntel = pkgs.vaapiIntel.override {
+ enableHybridCodec = true;
+ };
+ };
+
 boot = { zfs.extraPools = [ "ZFS-primary" ]; loader.grub.device = "/dev/sda";
@@ -25,8 +36,6 @@ }]; };
- nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; };
-
 hardware = { enableAllFirmware = true; opengl = {
@@ -43,6 +52,7 @@ }; virtualisation = { + # Disabling Podman as topgrade apparently prefers podman over docker and now I cant update anything :( docker = { enable = true; recommendedDefaults = true; @@ -58,17 +68,12 @@ }; }; }; - - # Disabling as topgrade apparently prefers podman over docker and now I cant update anything :( - # podman = { - # enable = true; - # recommendedDefaults = true; - # }; }; - environment.systemPackages = with pkgs; [ docker-compose jellyfin-ffmpeg ]; - - systemd.services.hydra-notify = { serviceConfig.EnvironmentFile = config.sops.secrets."hydra/environment".path; }; + environment.systemPackages = with pkgs; [ + docker-compose + jellyfin-ffmpeg + ]; services = { samba.enable = true; @@ -116,8 +121,6 @@ }; }; - networking.firewall.enable = false; - sops = { defaultSopsFile = ./secrets.yaml; secrets = { diff --git a/systems/palatine-hill/hardware.nix b/systems/palatine-hill/hardware.nix index ad9ee40..24d3153 100644 --- a/systems/palatine-hill/hardware.nix +++ b/systems/palatine-hill/hardware.nix 
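Review bot: The comment moved in the @@ -43 hunk, `# Disabling Podman as topgrade apparently prefers podman over docker and now I cant update anything :(`, now sits directly above `docker = {` while the commented-out podman block it referred to is deleted in the @@ -58 hunk, so it reads as if docker were the thing being disabled. Reword it to describe what is actually left, e.g. `# podman intentionally not enabled: topgrade prefers podman over docker when both exist`. The `virtualisation` attrset continues outside the hunk.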
@@ -1,37 +1,39 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
+{ config, lib, modulesPath, ... }:
 {
- imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "mpt3sas" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/b3b709ce-fe88-4267-be47-bf991a512cbe";
- fsType = "ext4";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/4CBA-2451";
- fsType = "vfat";
- };
-
- swapDevices = [{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
- # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp72s0f3u1u2c2.useDHCP = lib.mkDefault true;
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ networking.useDHCP = lib.mkDefault true;
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ swapDevices = [{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }];
+ boot = {
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ initrd = {
+ kernelModules = [ ];
+ availableKernelModules = [
+ "ahci"
+ "mpt3sas"
+ "nvme"
+ "sd_mod"
+ "usb_storage"
+ "usbhid"
+ "xhci_pci"
+ ];
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/b3b709ce-fe88-4267-be47-bf991a512cbe";
+ fsType = "ext4";
+ };
+
+ "boot" = {
+ device = "/dev/disk/by-uuid/4CBA-2451";
+ fsType = "vfat";
+ };
+ };
 }
diff --git a/users/alice/home.nix b/users/alice/home.nix
index c1d746f..5a21605 100644
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@@ -1,10 +1,7 @@ { pkgs, ... }: {
- home.username = "alice";
- home.homeDirectory = "/home/alice";
-
- home.packages = with pkgs; [
+ home = {
 # # Adds the 'hello' command to your environment. It prints a friendly # # "Hello, world!" when run. # pkgs.hello
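Review bot: The rewritten `fileSystems` attrset in the palatine-hill hardware.nix @@ -1 hunk names the second mount `"boot"` where the removed line had `fileSystems."/boot"`, so the EFI partition `/dev/disk/by-uuid/4CBA-2451` is now declared at a relative mount point and `/boot` is no longer mounted, which will break bootloader installation on the next rebuild. Change it to `"/boot" = {`. The jeeves-jr counterpart earlier in this diff keeps `"/boot"` correctly, so only this file is affected.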
@@ -22,37 +19,40 @@ # echo "Hello, ${config.home.username}!" # '') - ncdu + username = "alice"; + homeDirectory = "/home/alice"; + packages = with pkgs; [ + ncdu - # Rust packages - trunk - wasm-pack - cargo-watch - #pkgs.cargo-tarpaulin - cargo-generate - cargo-audit - cargo-update - diesel-cli - gitoxide - tealdeer - helix + # Rust packages + trunk + wasm-pack + cargo-watch + #pkgs.cargo-tarpaulin + cargo-generate + cargo-audit + cargo-update + diesel-cli + gitoxide + tealdeer + helix - # nix specific packages - nil - nixfmt + # nix specific packages + nil + nixfmt - # markdown - nodePackages.markdownlint-cli + # markdown + nodePackages.markdownlint-cli - # doom emacs dependencies - fd - ripgrep - clang - ]; + # doom emacs dependencies + fd + ripgrep + clang + ]; + }; programs = { zsh.enable = true; - starship.enable = true; fzf = { enable = true; diff --git a/users/default.nix b/users/default.nix index d2ca900..54fa520 100644 --- a/users/default.nix +++ b/users/default.nix @@ -3,6 +3,9 @@ { inherit name; isNormalUser = true; + shell = lib.mkIf config.programs.${defaultShell}.enable pkgs.${defaultShell}; + hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null; + openssh.authorizedKeys.keys = publicKeys; extraGroups = [ "wheel" "media" @@ -15,7 +18,4 @@ "plugdev" "uaccess" ]; - shell = lib.mkIf config.programs.${defaultShell}.enable pkgs.${defaultShell}; - hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null; - openssh.authorizedKeys.keys = publicKeys; } diff --git a/users/richie/home.nix b/users/richie/home.nix index f8f17d2..be59d74 100644 --- a/users/richie/home.nix +++ b/users/richie/home.nix 
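Review bot: `hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;` in the users/default.nix @@ -3 hunk silently falls back to no password when the secret is not declared, because `or null` swallows the missing attribute; a typo in the secret name or a host without sops then yields a key-only account with no evaluation error, and nobody notices until password login is needed. Consider an assertion or a `lib.warn` when the secret is absent, or at least document the fallback on that line, e.g. `# no sops secret -> password login disabled, ssh keys only`. The user attrset begins before this hunk.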
@@ -1,39 +1,39 @@ { pkgs, ... }: { - home.username = "richie"; - home.homeDirectory = "/home/richie"; - - home.packages = with pkgs; [ - # Rust packages - topgrade - trunk - wasm-pack - cargo-watch - # pkgs.cargo-tarpaulin - cargo-generate - cargo-audit - cargo-update - diesel-cli - # gitoxide currently broke 09182023 - gitoxide - tealdeer - helix - - # nix specific packages - nil - nixfmt - - # markdown - nodePackages.markdownlint-cli - - # doom emacs dependencies - fd - ripgrep - clang - ]; - programs.zsh.enable = true; + home = { + username = "richie"; + homeDirectory = "/home/richie"; + packages = with pkgs; [ + # Rust packages + topgrade + trunk + wasm-pack + cargo-watch + # pkgs.cargo-tarpaulin + cargo-generate + cargo-audit + cargo-update + diesel-cli + # gitoxide currently broke 09182023 + gitoxide + tealdeer + helix + + # nix specific packages + nil + nixfmt + + # markdown + nodePackages.markdownlint-cli + + # doom emacs dependencies + fd + ripgrep + clang + ]; + }; home.stateVersion = "23.11"; }