jahanson/nix-config-tn
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

hax

Browse source
This commit is contained in:
truxnell 2024-03-26 21:11:59 +11:00
parent b44499c92e
commit 4686125f28
9 changed files with 99 additions and 111 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -49,7 +49,6 @@
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
nixosModules = import ./nixos/modules/nixos; nixosModules = import ./nixos/modules/nixos;
lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
nixosConfigurations = nixosConfigurations =
with self.lib; with self.lib;

24
lib/default.nix
View file

@ -1,24 +0,0 @@
{ inputs, ... }:
with inputs.nixpkgs.lib;
let
strToPath = x: path:
if builtins.typeOf x == "string"
then builtins.toPath ("${toString path}/${x}")
else x;
strToFile = x: path:
if builtins.typeOf x == "string"
then builtins.toPath ("${toString path}/${x}.nix")
else x;
in
rec {
firstOrDefault = first: default: if !isNull first then first else default;
existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default;
mkIfElse = p: yes: no: mkMerge [
(mkIf p yes)
(mkIf (!p) no)
];
}

8
nixos/hosts/dns01/default.nix
View file

@ -11,10 +11,10 @@
]; ];
mySystem = { mySystem.services = {
services.maddy.enable = true; maddy.enable = true;
services.dnscrypt-proxy.enable = true; dnscrypt-proxy.enable = true;
services.cfDdns.enable = true; cfDdns.enable = true;
}; };
networking.hostName = "dns01"; # Define your hostname. networking.hostName = "dns01"; # Define your hostname.

8
nixos/hosts/rickenbacker/default.nix
View file

@ -3,18 +3,19 @@
, pkgs , pkgs
, ... , ...
}: { }: {
config = {
# hardware-configuration.nix is missing as I've abstracted out the parts # hardware-configuration.nix is missing as I've abstracted out the parts
config.mySystem = { mySystem = {
services.openssh.enable = true; services.openssh.enable = true;
security.wheelNeedsSudoPassword = false; security.wheelNeedsSudoPassword = false;
}; };
# TODO build this in from flake host names # TODO build this in from flake host names
config.networking.hostName = "rickenbacker"; networking.hostName = "rickenbacker";
config = {
fileSystems."/" = fileSystems."/" =
{ {
@ -29,5 +30,6 @@
}; };
swapDevices = [ ]; swapDevices = [ ];
}; };
} }

8
nixos/modules/nixos/services/dnscrypt-proxy2/default.nix
View file

@ -21,13 +21,15 @@ in
dhcpcd.extraConfig = "nohook resolv.conf"; dhcpcd.extraConfig = "nohook resolv.conf";
}; };
sops.secrets = {
# configure secret for forwarding rules # configure secret for forwarding rules
sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; "system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file "system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
# Restart dnscrypt when secret changes # Restart dnscrypt when secret changes
sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
};
services.dnscrypt-proxy2 = { services.dnscrypt-proxy2 = {
enable = true; enable = true;

2
nixos/modules/nixos/system/nix.nix
View file

@ -39,7 +39,7 @@ in
# garbage collection # garbage collection
automatic = cfg.gc.enable; automatic = cfg.gc.enable;
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
persistent = cfg.gc.persistent; inherit (cfg.gc) persistent;
}; };
}; };

20
nixos/modules/nixos/system/security.nix
View file

@ -7,28 +7,31 @@ let
cfg = config.mySystem.security; cfg = config.mySystem.security;
in in
{ {
options.mySystem.security.sshAgentAuth = { options.mySystem.security = {
enable = lib.mkEnableOption "openssh";
}; sshAgentAuth.enable = lib.mkEnableOption "openssh";
options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
wheelNeedsSudoPassword = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
description = "If wheel group users need password for sudo"; description = "If wheel group users need password for sudo";
default = true; default = true;
}; };
options.mySystem.security.increaseWheelLoginLimits = lib.mkOption { increaseWheelLoginLimits = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
description = "If wheel group users receive increased login limits"; description = "If wheel group users receive increased login limits";
default = true; default = true;
}; };
};
config = config =
{ {
security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; security = {
sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;
security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;
# Increase open file limit for sudoers # Increase open file limit for sudoers
security.pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [
{ {
domain = "@wheel"; domain = "@wheel";
item = "nofile"; item = "nofile";
@ -43,5 +46,6 @@ in
} }
]; ];
}; };
};
} }

17
nixos/profiles/global/nix.nix
View file

@ -4,19 +4,21 @@
## Below is to align shell/system to flake's nixpkgs ## Below is to align shell/system to flake's nixpkgs
## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry ## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
# make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
nix.registry.nixpkgs.flake = nixpkgs;
nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
# but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake.
# Make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake. # Make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}"; environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
nix = {
# make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
registry.nixpkgs.flake = nixpkgs;
channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
# but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake.
# https://github.com/NixOS/nix/issues/9574 # https://github.com/NixOS/nix/issues/9574
nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs"; settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
### ###
nix.settings = { settings = {
# Enable flakes # Enable flakes
experimental-features = [ experimental-features = [
@ -51,5 +53,6 @@
log-lines = lib.mkDefault 25; log-lines = lib.mkDefault 25;
}; };
};
} }

8
nixos/profiles/role-worstation.nix
View file

@ -5,10 +5,12 @@
with config; with config;
{ {
mySystem = {
mySystem.de.gnome.enable = true; de.gnome.enable = true;
mySystem.editor.vscodium.enable = true; editor.vscodium.enable = true;
mySystem.browser.firefox.enable = true; browser.firefox.enable = true;
};
boot = { boot = {