ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

dennis the formatter (#75)

Browse Source 
* dennis the formatter

* changed comment

* fixup
This commit is contained in:
Dennis 2024-02-05 22:45:43 +01:00 committed by GitHub
parent 47a65a151c
commit 4c1e86907a
15 changed files with 247 additions and 235 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
flake.nix
View File

@ -11,7 +11,6 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
nix-index-database = { nix-index-database = {
url = "github:Mic92/nix-index-database"; url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -94,7 +93,6 @@
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
systems = [ "x86_64-linux" "aarch64-linux" ]; systems = [ "x86_64-linux" "aarch64-linux" ];
forEachSystem = lib.genAttrs systems; forEachSystem = lib.genAttrs systems;
overlayList = [ self.overlays.default nix.overlays.default ]; overlayList = [ self.overlays.default nix.overlays.default ];
pkgsBySystem = forEachSystem (system: import nixpkgs { pkgsBySystem = forEachSystem (system: import nixpkgs {
inherit system; inherit system;
@ -135,13 +133,13 @@
{ {
repo = "local"; repo = "local";
hooks = [ hooks = [
{ # {
id = "nixfmt check"; # id = "nixfmt check";
entry = "${nixpkgs-fmt.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt"; # entry = "${nixpkgs-fmt.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt";
args = [ "--check" ]; # args = [ "--check" ];
language = "system"; # language = "system";
files = "\\.nix"; # files = "\\.nix";
} # }
{ {
id = "nix-flake-check"; id = "nix-flake-check";
entry = "nix flake check"; entry = "nix flake check";
@ -175,19 +173,20 @@
] else [ ] else [
./users/${builtins.head users}/systems/${hostname}/configuration.nix ./users/${builtins.head users}/systems/${hostname}/configuration.nix
./users/${builtins.head users}/systems/${hostname}/hardware.nix ./users/${builtins.head users}/systems/${hostname}/hardware.nix
]) ++ fileList "modules" ++ modules ++ lib.optional home home-manager.nixosModules.home-manager ]) ++ modules
++ (if home then (map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users) else [ ]) ++ map ++ fileList "modules"
(user: ++ lib.optional home home-manager.nixosModules.home-manager
{ config, lib, pkgs, ... }@args: { ++ (if home then (map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users) else [ ])
users.users.${user} = import ./users/${user} (args // { name = "${user}"; }); ++ map (user: { config, lib, pkgs, ... }@args: {
boot.initrd.network.ssh.authorizedKeys = lib.mkIf server config.users.users.${user}.openssh.authorizedKeys.keys; users.users.${user} = import ./users/${user} (args // { name = "${user}"; });
sops = lib.mkIf sops { boot.initrd.network.ssh.authorizedKeys = lib.mkIf server config.users.users.${user}.openssh.authorizedKeys.keys;
secrets."${user}/user-password" = { sops = lib.mkIf sops {
sopsFile = ./users/${user}/secrets.yaml; secrets."${user}/user-password" = {
neededForUsers = true; sopsFile = ./users/${user}/secrets.yaml;
}; neededForUsers = true;
}; };
}) };
})
users; users;
}; };
in in

45
modules/backup.nix
View File

@ -52,9 +52,9 @@ in {
restic.backups = restic.backups =
let let
commonOpts = { commonOpts = {
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
initialize = true; initialize = true;
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
passwordFile = config.sops.secrets."restic/password".path; passwordFile = config.sops.secrets."restic/password".path;
paths = [ paths = [
"/etc/group" "/etc/group"
@ -85,8 +85,6 @@ in {
"/var/lib/gitea/data/tmp/" "/var/lib/gitea/data/tmp/"
]; ];
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00"; OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00";
RandomizedDelaySec = "5m"; RandomizedDelaySec = "5m";
@ -95,31 +93,29 @@ in {
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
local = commonOpts // { repository = "/var/backup"; }; local = commonOpts // { repository = "/var/backup"; };
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; }; offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; };
}; };
}; };
sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) {
{ "restic/offsite/private" = {
"restic/offsite/private" = { owner = "root";
owner = "root"; path = "/root/.ssh/id_offsite-backup";
path = "/root/.ssh/id_offsite-backup"; sopsFile = ./backup.yaml;
sopsFile = ./backup.yaml; };
};
"restic/offsite/public" = { "restic/offsite/public" = {
owner = "root"; owner = "root";
path = "/root/.ssh/id_offsite-backup.pub"; path = "/root/.ssh/id_offsite-backup.pub";
sopsFile = ./backup.yaml; sopsFile = ./backup.yaml;
}; };
"restic/offsite/ssh-config" = { "restic/offsite/ssh-config" = {
owner = "root"; owner = "root";
path = "/root/.ssh/config"; path = "/root/.ssh/config";
sopsFile = ./backup.yaml; sopsFile = ./backup.yaml;
}; };
} // lib.mkIf cfg.enable { "restic/password".owner = "root"; }; } // lib.mkIf cfg.enable { "restic/password".owner = "root"; };
system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) '' system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) ''
echo "Linking restic ssh config..." echo "Linking restic ssh config..."
@ -130,12 +126,11 @@ in {
''; '';
systemd = lib.mkIf cfg.enable { systemd = lib.mkIf cfg.enable {
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
services = { services = {
restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666"; restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666";
restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666"; restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666";
}; };
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
}; };
}; };
} }

18
modules/boot.nix
View File

@ -5,12 +5,15 @@ in {
options = { options = {
boot = { boot = {
default = libS.mkOpinionatedOption "enable the boot builder"; default = libS.mkOpinionatedOption "enable the boot builder";
fullDiskEncryption = libS.mkOpinionatedOption "use luks full disk encrytion";
useSystemdBoot = libS.mkOpinionatedOption "use systemd boot";
cpuType = lib.mkOption { cpuType = lib.mkOption {
type = lib.types.str; type = lib.types.str;
example = "amd"; example = "amd";
default = ""; default = "";
description = "The cpu-type installed on the server."; description = "The cpu-type installed on the server.";
}; };
amdGPU = libS.mkOpinionatedOption "the system contains a AMD GPU"; amdGPU = libS.mkOpinionatedOption "the system contains a AMD GPU";
filesystem = lib.mkOption { filesystem = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@ -18,16 +21,16 @@ in {
default = "ext4"; default = "ext4";
description = "The filesystem installed."; description = "The filesystem installed.";
}; };
fullDiskEncryption = libS.mkOpinionatedOption "use luks full disk encrytion";
useSystemdBoot = libS.mkOpinionatedOption "use systemd boot";
}; };
}; };
config.boot = lib.mkIf cfg.default { config.boot = lib.mkIf cfg.default {
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
initrd = { initrd = {
# networking for netcard kernelModules = [ "e1000e" ];
kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ]; kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
network = lib.mkIf cfg.fullDiskEncryption { network = lib.mkIf cfg.fullDiskEncryption {
enable = true; enable = true;
ssh = { ssh = {
@ -37,11 +40,6 @@ in {
}; };
}; };
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
zfs = lib.mkIf (cfg.filesystem == "zfs") { zfs = lib.mkIf (cfg.filesystem == "zfs") {
enableUnstable = true; enableUnstable = true;
devNodes = "/dev/disk/by-id/"; devNodes = "/dev/disk/by-id/";
@ -49,7 +47,7 @@ in {
}; };
loader = { loader = {
efi = { canTouchEfiVariables = false; }; efi.canTouchEfiVariables = false;
generationsDir.copyKernels = true; generationsDir.copyKernels = true;
systemd-boot.enable = lib.mkIf cfg.useSystemdBoot true; systemd-boot.enable = lib.mkIf cfg.useSystemdBoot true;
grub = lib.mkIf (!cfg.useSystemdBoot) { grub = lib.mkIf (!cfg.useSystemdBoot) {

2
modules/fail2ban.nix
View File

@ -2,7 +2,7 @@
let cfg = config.services.fail2ban; let cfg = config.services.fail2ban;
in { in {
options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; }; options.services.fail2ban.recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults";
config.services.fail2ban = lib.mkIf cfg.recommendedDefaults { config.services.fail2ban = lib.mkIf cfg.recommendedDefaults {
maxretry = 5; maxretry = 5;

12
modules/flake-update-service.nix
View File

@ -10,38 +10,40 @@ in {
default = "dotfiles"; default = "dotfiles";
description = "A name for the service which needs to be pulled"; description = "A name for the service which needs to be pulled";
}; };
path = lib.mkOption { path = lib.mkOption {
type = lib.types.nullOr lib.types.path; type = lib.types.nullOr lib.types.path;
default = null; default = null;
description = "Path that needs to be updated via git pull"; description = "Path that needs to be updated via git pull";
}; };
frequency = lib.mkOption { frequency = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "systemd-timer compatible time between pulls"; description = "systemd-timer compatible time between pulls";
default = "1h"; default = "1h";
}; };
ssh-key = lib.mkOption { ssh-key = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "ssh-key used to pull the repository"; description = "ssh-key used to pull the repository";
}; };
triggersRebuild = lib.mkOption { triggersRebuild = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
description = description = "Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.";
"Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.";
}; };
}; };
}; };
# implementation
config = lib.mkIf (cfg.enable && !(builtins.isNull cfg.path)) { config = lib.mkIf (cfg.enable && !(builtins.isNull cfg.path)) {
environment.systemPackages = [ pkgs.openssh pkgs.git ];
systemd.services."autopull@${cfg.name}" = { systemd.services."autopull@${cfg.name}" = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
description = "Pull the latest data for ${cfg.name}"; description = "Pull the latest data for ${cfg.name}";
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
# TODO: See how we can migrate this to DynamicUser=yes instead
User = "root"; User = "root";
WorkingDirectory = cfg.path; WorkingDirectory = cfg.path;
Environment = lib.mkIf (cfg.ssh-key != "") "GIT_SSH_COMMAND=${pkgs.openssh}/bin/ssh -i ${cfg.ssh-key} -o IdentitiesOnly=yes"; Environment = lib.mkIf (cfg.ssh-key != "") "GIT_SSH_COMMAND=${pkgs.openssh}/bin/ssh -i ${cfg.ssh-key} -o IdentitiesOnly=yes";
@ -50,6 +52,7 @@ in {
Wants = "nixos-upgrade.service"; Wants = "nixos-upgrade.service";
}; };
}; };
systemd.timers."autopull@${cfg.name}" = { systemd.timers."autopull@${cfg.name}" = {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
@ -58,6 +61,5 @@ in {
Unit = "autopull@${cfg.name}.service"; Unit = "autopull@${cfg.name}.service";
}; };
}; };
environment.systemPackages = [ pkgs.openssh pkgs.git ];
}; };
} }

5
modules/security.nix
View File

@ -2,7 +2,6 @@
{ config, lib, ... }: { { config, lib, ... }: {
config = { config = {
services = { services = {
openssh = lib.mkIf config.services.gitea.enable { openssh = lib.mkIf config.services.gitea.enable {
extraConfig = '' extraConfig = ''
Match User gitea Match User gitea
@ -22,6 +21,8 @@
}; };
}; };
networking.firewall = lib.mkIf config.services.openssh.enable { allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; }; networking.firewall = lib.mkIf config.services.openssh.enable {
allowedTCPPorts = config.services.openssh.ports ++ [ 22 ];
};
}; };
} }

16
modules/website.nix
View File

@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
eachSite = config.services.staticpage.sites; eachSite = config.services.staticpage.sites;
siteOpts = { lib, name, config, ... }: { siteOpts = { lib, name, config, ... }: {
options = { options = {
package = lib.mkPackageOption pkgs "page" { }; package = lib.mkPackageOption pkgs "page" { };
@ -41,7 +40,6 @@ in
{ {
options.services.staticpage = { options.services.staticpage = {
enable = lib.mkEnableOption "staticpage"; enable = lib.mkEnableOption "staticpage";
sites = lib.mkOption { sites = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule siteOpts); type = lib.types.attrsOf (lib.types.submodule siteOpts);
default = { }; default = { };
@ -57,7 +55,6 @@ in
name = "${(if (cfg.subdomain == null) then "${cfg.domain}" else "${cfg.subdomain}.${cfg.domain}")}"; name = "${(if (cfg.subdomain == null) then "${cfg.domain}" else "${cfg.subdomain}.${cfg.domain}")}";
value = { value = {
root = "/var/lib/www/${cfg.root}"; root = "/var/lib/www/${cfg.root}";
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
serverAliases = lib.mkIf (cfg.subdomain == null) [ "www.${cfg.domain}" ]; serverAliases = lib.mkIf (cfg.subdomain == null) [ "www.${cfg.domain}" ];
@ -68,6 +65,7 @@ in
access_log off; access_log off;
''; '';
}; };
locations."= /robots.txt" = { locations."= /robots.txt" = {
extraConfig = '' extraConfig = ''
allow all; allow all;
@ -75,11 +73,13 @@ in
access_log off; access_log off;
''; '';
}; };
locations."~* ^/.well-known/" = { locations."~* ^/.well-known/" = {
extraConfig = '' extraConfig = ''
allow all; allow all;
''; '';
}; };
locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = { locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
extraConfig = '' extraConfig = ''
try_files $uri @rewrite; try_files $uri @rewrite;
@ -87,6 +87,7 @@ in
log_not_found off; log_not_found off;
''; '';
}; };
locations."~ ^/sites/.*/files/styles/" = { locations."~ ^/sites/.*/files/styles/" = {
extraConfig = '' extraConfig = ''
try_files $uri @rewrite; try_files $uri @rewrite;
@ -118,37 +119,44 @@ in
return 403; return 403;
''; '';
}; };
locations."~ ^/sites/.*/private/" = { locations."~ ^/sites/.*/private/" = {
extraConfig = '' extraConfig = ''
return 403; return 403;
''; '';
}; };
locations."~ ^/sites/[^/]+/files/.*.php$" = { locations."~ ^/sites/[^/]+/files/.*.php$" = {
extraConfig = '' extraConfig = ''
deny all; deny all;
''; '';
}; };
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''
try_files $uri /index.php?$query_string; try_files $uri /index.php?$query_string;
''; '';
}; };
locations."@rewrite" = { locations."@rewrite" = {
extraConfig = '' extraConfig = ''
rewrite ^ /index.php; rewrite ^ /index.php;
''; '';
}; };
locations."~ /vendor/.*.php$" = { locations."~ /vendor/.*.php$" = {
extraConfig = '' extraConfig = ''
deny all; deny all;
return 404; return 404;
''; '';
}; };
locations."~ ^/sites/.*/files/styles/" = { locations."~ ^/sites/.*/files/styles/" = {
extraConfig = '' extraConfig = ''
try_files $uri @rewrite; try_files $uri @rewrite;
''; '';
}; };
locations."~ ^(/[a-z-]+)?/system/files/" = { locations."~ ^(/[a-z-]+)?/system/files/" = {
extraConfig = '' extraConfig = ''
try_files $uri /index.php?$query_string; try_files $uri /index.php?$query_string;
@ -171,6 +179,7 @@ in
(lib.mapAttrs (lib.mapAttrs
(name: cfg: { (name: cfg: {
user = "nginx"; user = "nginx";
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
settings = { settings = {
"listen.owner" = config.services.nginx.user; "listen.owner" = config.services.nginx.user;
"pm" = "dynamic"; "pm" = "dynamic";
@ -183,7 +192,6 @@ in
"php_admin_flag[log_errors]" = true; "php_admin_flag[log_errors]" = true;
"catch_workers_output" = true; "catch_workers_output" = true;
}; };
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
}) })
(lib.filterAttrs (n: v: v.usePHP) eachSite)) (lib.filterAttrs (n: v: v.usePHP) eachSite))
]; ];

49
systems/configuration.nix
View File

@ -1,4 +1,6 @@
{ lib, pkgs, config, ... }: { { lib, pkgs, config, ... }: {
security.auditd.enable = true;
nixpkgs.config.allowUnfree = true;
i18n = { i18n = {
defaultLocale = "en_US.utf8"; defaultLocale = "en_US.utf8";
supportedLocales = [ "en_US.UTF-8/UTF-8" ]; supportedLocales = [ "en_US.UTF-8/UTF-8" ];
@ -26,8 +28,6 @@
}; };
}; };
security.auditd.enable = true;
services = { services = {
fail2ban = { fail2ban = {
enable = lib.mkIf config.networking.firewall.enable (lib.mkDefault true); enable = lib.mkIf config.networking.firewall.enable (lib.mkDefault true);
@ -55,7 +55,6 @@
} }
]; ];
# all of these setting are recommended by lynis unless otherwise commented
settings = { settings = {
AllowAgentForwarding = "no"; AllowAgentForwarding = "no";
AllowTcpForwarding = "no"; AllowTcpForwarding = "no";
@ -71,14 +70,31 @@
PermitRootLogin = "no"; PermitRootLogin = "no";
TcpKeepAlive = "no"; TcpKeepAlive = "no";
X11Forwarding = lib.mkDefault false; X11Forwarding = lib.mkDefault false;
KexAlgorithms = [
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; Macs = [
"hmac-sha2-512-etm@openssh.com"
Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com" ]; "hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
}; };
}; };
autopull = { autopull = {
enable = true; enable = true;
path = /root/dotfiles; path = /root/dotfiles;
@ -86,11 +102,10 @@
}; };
}; };
nixpkgs.config.allowUnfree = true;
programs = { programs = {
git = { git = {
enable = true; enable = true;
lfs.enable = lib.mkDefault true;
config = { config = {
interactive.singlekey = true; interactive.singlekey = true;
pull.rebase = true; pull.rebase = true;
@ -116,17 +131,16 @@
zsh = { zsh = {
enable = true; enable = true;
syntaxHighlighting.enable = true;
zsh-autoenv.enable = true;
enableCompletion = true;
enableBashCompletion = true;
ohMyZsh.enable = true;
autosuggestions = { autosuggestions = {
enable = true; enable = true;
strategy = [ "completion" ]; strategy = [ "completion" ];
async = true; async = true;
}; };
syntaxHighlighting.enable = true;
zsh-autoenv.enable = true;
enableCompletion = true;
enableBashCompletion = true;
ohMyZsh = { enable = true; };
}; };
nix-ld = { nix-ld = {
@ -142,6 +156,7 @@
}; };
nix = { nix = {
diffSystem = true;
settings = { settings = {
experimental-features = [ "nix-command" "flakes" ]; experimental-features = [ "nix-command" "flakes" ];
keep-outputs = true; keep-outputs = true;
@ -154,8 +169,6 @@
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };
diffSystem = true;
}; };
system = { system = {
@ -163,8 +176,6 @@
enable = true; enable = true;
randomizedDelaySec = "1h"; randomizedDelaySec = "1h";
persistent = true; persistent = true;
# Running this since this is private right now.
# Need to set up a ssh-key for github for autoUpgrade
flake = "git+ssh://git@github.com/RAD-Development/nix-dotfiles"; flake = "git+ssh://git@github.com/RAD-Development/nix-dotfiles";
}; };
}; };

15
systems/jeeves-jr/configuration.nix
View File

@ -1,7 +1,10 @@
{ pkgs, ... }: { { pkgs, ... }: {
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
console.keyMap = "us"; console.keyMap = "us";
networking.hostId = "1beb3026"; networking = {
hostId = "1beb3026";
firewall.enable = false;
};
boot = { boot = {
zfs.extraPools = [ "Main" ]; zfs.extraPools = [ "Main" ];
@ -14,16 +17,16 @@
enable = true; enable = true;
recommendedDefaults = true; recommendedDefaults = true;
logDriver = "local"; logDriver = "local";
storageDriver = "overlay2";
daemon."settings" = { daemon."settings" = {
experimental = true; experimental = true;
data-root = "/var/lib/docker";
exec-opts = [ "native.cgroupdriver=systemd" ]; exec-opts = [ "native.cgroupdriver=systemd" ];
log-opts = { log-opts = {
max-size = "10m"; max-size = "10m";
max-file = "5"; max-file = "5";
}; };
data-root = "/var/lib/docker";
}; };
storageDriver = "overlay2";
}; };
podman = { podman = {
@ -34,7 +37,6 @@
environment = { environment = {
systemPackages = with pkgs; [ docker-compose ]; systemPackages = with pkgs; [ docker-compose ];
etc = { etc = {
# Creates /etc/lynis/custom.prf # Creates /etc/lynis/custom.prf
"lynis/custom.prf" = { "lynis/custom.prf" = {
@ -57,11 +59,8 @@
services = { services = {
nfs.server.enable = true; nfs.server.enable = true;
openssh.ports = [ 352 ]; openssh.ports = [ 352 ];
smartd.enable = true; smartd.enable = true;
sysstat.enable = true; sysstat.enable = true;
usbguard = { usbguard = {
@ -82,7 +81,5 @@
}; };
}; };
networking.firewall.enable = false;
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }

56
systems/jeeves-jr/hardware.nix
View File

@ -1,35 +1,31 @@
# Do not modify this file! It was generated by nixos-generate-config { config, lib, modulesPath, ... }:
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [
(modulesPath + "/installer/scan/not-detected.nix")
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
boot = {
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
initrd = {
kernelModules = [ ];
availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
};
} }

31
systems/palatine-hill/configuration.nix
View File

@ -1,7 +1,18 @@
{ config, pkgs, ... }: { { config, pkgs, ... }: {
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
console.keyMap = "us"; console.keyMap = "us";
networking.hostId = "dc2f9781"; systemd.services.hydra-notify.serviceConfig.EnvironmentFile = config.sops.secrets."hydra/environment".path;
networking = {
hostId = "dc2f9781";
firewall.enable = false;
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override {
enableHybridCodec = true;
};
};
boot = { boot = {
zfs.extraPools = [ "ZFS-primary" ]; zfs.extraPools = [ "ZFS-primary" ];
loader.grub.device = "/dev/sda"; loader.grub.device = "/dev/sda";
@ -25,8 +36,6 @@
}]; }];
}; };
nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; };
hardware = { hardware = {
enableAllFirmware = true; enableAllFirmware = true;
opengl = { opengl = {
@ -43,6 +52,7 @@
}; };
virtualisation = { virtualisation = {
# Disabling Podman as topgrade apparently prefers podman over docker and now I cant update anything :(
docker = { docker = {
enable = true; enable = true;
recommendedDefaults = true; recommendedDefaults = true;
@ -58,17 +68,12 @@
}; };
}; };
}; };
# Disabling as topgrade apparently prefers podman over docker and now I cant update anything :(
# podman = {
# enable = true;
# recommendedDefaults = true;
# };
}; };
environment.systemPackages = with pkgs; [ docker-compose jellyfin-ffmpeg ]; environment.systemPackages = with pkgs; [
docker-compose
systemd.services.hydra-notify = { serviceConfig.EnvironmentFile = config.sops.secrets."hydra/environment".path; }; jellyfin-ffmpeg
];
services = { services = {
samba.enable = true; samba.enable = true;
@ -116,8 +121,6 @@
}; };
}; };
networking.firewall.enable = false;
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
secrets = { secrets = {

66
systems/palatine-hill/hardware.nix
View File

@ -1,37 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config { config, lib, modulesPath, ... }:
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [
(modulesPath + "/installer/scan/not-detected.nix")
boot.initrd.availableKernelModules = [ "xhci_pci" "mpt3sas" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/b3b709ce-fe88-4267-be47-bf991a512cbe";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4CBA-2451";
fsType = "vfat";
};
swapDevices = [{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp72s0f3u1u2c2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
swapDevices = [{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }];
boot = {
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
initrd = {
kernelModules = [ ];
availableKernelModules = [
"ahci"
"mpt3sas"
"nvme"
"sd_mod"
"usb_storage"
"usbhid"
"xhci_pci"
];
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/b3b709ce-fe88-4267-be47-bf991a512cbe";
fsType = "ext4";
};
"boot" = {
device = "/dev/disk/by-uuid/4CBA-2451";
fsType = "vfat";
};
};
} }

56
users/alice/home.nix
View File

@ -1,10 +1,7 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
home.username = "alice"; home = {
home.homeDirectory = "/home/alice";
home.packages = with pkgs; [
# # Adds the 'hello' command to your environment. It prints a friendly # # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run. # # "Hello, world!" when run.
# pkgs.hello # pkgs.hello
@ -22,37 +19,40 @@
# echo "Hello, ${config.home.username}!" # echo "Hello, ${config.home.username}!"
# '') # '')
ncdu username = "alice";
homeDirectory = "/home/alice";
packages = with pkgs; [
ncdu
# Rust packages # Rust packages
trunk trunk
wasm-pack wasm-pack
cargo-watch cargo-watch
#pkgs.cargo-tarpaulin #pkgs.cargo-tarpaulin
cargo-generate cargo-generate
cargo-audit cargo-audit
cargo-update cargo-update
diesel-cli diesel-cli
gitoxide gitoxide
tealdeer tealdeer
helix helix
# nix specific packages # nix specific packages
nil nil
nixfmt nixfmt
# markdown # markdown
nodePackages.markdownlint-cli nodePackages.markdownlint-cli
# doom emacs dependencies # doom emacs dependencies
fd fd
ripgrep ripgrep
clang clang
]; ];
};
programs = { programs = {
zsh.enable = true; zsh.enable = true;
starship.enable = true; starship.enable = true;
fzf = { fzf = {
enable = true; enable = true;

6
users/default.nix
View File

@ -3,6 +3,9 @@
{ {
inherit name; inherit name;
isNormalUser = true; isNormalUser = true;
shell = lib.mkIf config.programs.${defaultShell}.enable pkgs.${defaultShell};
hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
openssh.authorizedKeys.keys = publicKeys;
extraGroups = [ extraGroups = [
"wheel" "wheel"
"media" "media"
@ -15,7 +18,4 @@
"plugdev" "plugdev"
"uaccess" "uaccess"
]; ];
shell = lib.mkIf config.programs.${defaultShell}.enable pkgs.${defaultShell};
hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
openssh.authorizedKeys.keys = publicKeys;
} }

64
users/richie/home.nix
View File

@ -1,39 +1,39 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
home.username = "richie";
home.homeDirectory = "/home/richie";
home.packages = with pkgs; [
# Rust packages
topgrade
trunk
wasm-pack
cargo-watch
# pkgs.cargo-tarpaulin
cargo-generate
cargo-audit
cargo-update
diesel-cli
# gitoxide currently broke 09182023
gitoxide
tealdeer
helix
# nix specific packages
nil
nixfmt
# markdown
nodePackages.markdownlint-cli
# doom emacs dependencies
fd
ripgrep
clang
];
programs.zsh.enable = true; programs.zsh.enable = true;
home = {
username = "richie";
homeDirectory = "/home/richie";
packages = with pkgs; [
# Rust packages
topgrade
trunk
wasm-pack
cargo-watch
# pkgs.cargo-tarpaulin
cargo-generate
cargo-audit
cargo-update
diesel-cli
# gitoxide currently broke 09182023
gitoxide
tealdeer
helix
# nix specific packages
nil
nixfmt
# markdown
nodePackages.markdownlint-cli
# doom emacs dependencies
fd
ripgrep
clang
];
};
home.stateVersion = "23.11"; home.stateVersion = "23.11";
} }