Merge branch 'main' into ci
This commit is contained in:
commit
51cd65518f
76 changed files with 1424 additions and 1369 deletions
4
.github/workflows/build-raspi4.yaml
vendored
4
.github/workflows/build-raspi4.yaml
vendored
|
@ -15,7 +15,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4.1.1
|
||||
- uses: cachix/install-nix-action@v23
|
||||
- uses: cachix/install-nix-action@v26
|
||||
with:
|
||||
nix_path: nixpkgs=channel:nixos-23.05
|
||||
extra_nix_config: |
|
||||
|
@ -32,7 +32,7 @@ jobs:
|
|||
- name: Build SD Image
|
||||
run: |
|
||||
nix build .#images.${{ github.event.inputs.image }}
|
||||
- uses: actions/upload-artifact@v3
|
||||
- uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: rpi4.img
|
||||
path: ./result/sd-image/*.img*
|
||||
|
|
7
.github/workflows/diff-pr.yaml
vendored
7
.github/workflows/diff-pr.yaml
vendored
|
@ -48,10 +48,15 @@ jobs:
|
|||
fetch-depth: 0
|
||||
|
||||
- name: Install nix
|
||||
uses: cachix/install-nix-action@v25
|
||||
uses: cachix/install-nix-action@v26
|
||||
with:
|
||||
extra_nix_config: |
|
||||
experimental-features = nix-command flakes
|
||||
extra-platforms = aarch64-linux
|
||||
- name: Register binfmt
|
||||
run: |
|
||||
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
|
||||
|
||||
|
||||
- name: Garbage collect build dependencies
|
||||
run: nix-collect-garbage
|
||||
|
|
4
.github/workflows/nix-lint.yaml
vendored
4
.github/workflows/nix-lint.yaml
vendored
|
@ -11,10 +11,10 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Nix
|
||||
uses: cachix/install-nix-action@v23
|
||||
uses: cachix/install-nix-action@v26
|
||||
with:
|
||||
nix_path: nixpkgs=channel:nixos-unstable
|
||||
|
||||
|
|
|
@ -1,20 +1,19 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://taskfile.dev/schema.json
|
||||
version: "3"
|
||||
|
||||
vars:
|
||||
host: $HOSTNAME
|
||||
|
||||
tasks:
|
||||
apply:
|
||||
switch:
|
||||
desc: Build and apply nix configuration
|
||||
silent: true
|
||||
requires:
|
||||
vars:
|
||||
- host
|
||||
cmds:
|
||||
- task: build
|
||||
vars:
|
||||
host: "{{ .host }}"
|
||||
- echo "This will switch your config."
|
||||
- task: .prompt_to_continue
|
||||
- sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
|
||||
preconditions:
|
||||
|
@ -23,6 +22,39 @@ tasks:
|
|||
- sh: which nixos-rebuild
|
||||
msg: "nixos-rebuild not found"
|
||||
|
||||
test:
|
||||
desc: Build and apply nix configuration
|
||||
silent: true
|
||||
requires:
|
||||
vars:
|
||||
- host
|
||||
cmds:
|
||||
- echo "This will test your config."
|
||||
- task: .prompt_to_continue
|
||||
- sudo nixos-rebuild test --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
|
||||
preconditions:
|
||||
- sh: which nix
|
||||
msg: "nix not found"
|
||||
- sh: which nixos-rebuild
|
||||
msg: "nixos-rebuild not found"
|
||||
|
||||
dry-run:
|
||||
desc: Build and apply nix configuration
|
||||
silent: true
|
||||
requires:
|
||||
vars:
|
||||
- host
|
||||
cmds:
|
||||
- echo "This will dry-run your config and add your untracked git files."
|
||||
- git add .
|
||||
- nixos-rebuild dry-run --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
|
||||
preconditions:
|
||||
- sh: which nix
|
||||
msg: "nix not found"
|
||||
- sh: which nixos-rebuild
|
||||
msg: "nixos-rebuild not found"
|
||||
|
||||
|
||||
build:
|
||||
desc: Build nix configuration
|
||||
silent: true
|
||||
|
@ -30,6 +62,7 @@ tasks:
|
|||
vars:
|
||||
- host
|
||||
cmds:
|
||||
- git add .
|
||||
- nixos-rebuild build --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
|
||||
- nvd diff /run/current-system result
|
||||
preconditions:
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://taskfile.dev/schema.json
|
||||
version: "3"
|
||||
|
||||
vars:
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://taskfile.dev/schema.json
|
||||
version: "3"
|
||||
|
||||
tasks:
|
||||
|
|
17
README.md
17
README.md
|
@ -40,6 +40,8 @@ To Install
|
|||
- [ ] WSL
|
||||
- [ ] JJY emulator Raspi4
|
||||
- [ ] Documentation!
|
||||
- [ ] ssh_config build from computers?
|
||||
- [ ] Modularise host to allow vm builds and hw builds
|
||||
- [ ] Add license
|
||||
- [ ] Add taskfiles
|
||||
|
||||
|
@ -66,6 +68,21 @@ cd ~/dotfiles
|
|||
nixos-rebuild switch --flake .#nameOfMachine --target-host machineToSshInto --use-remote-sudo
|
||||
```
|
||||
|
||||
## Hacking at nix files
|
||||
|
||||
Eval config to see what keys are being set.
|
||||
|
||||
```bash
|
||||
nix eval .#nixosConfigurations.rickenbacker.config.security.sudo.WheelNeedsPassword
|
||||
nix eval .#nixosConfigurations.rickenbacker.config.mySystem.security.wheelNeedsPassword
|
||||
```
|
||||
|
||||
Quickly run a flake to see what the next error message is as you hack.
|
||||
|
||||
```bash
|
||||
nixos-rebuild dry-run --flake . --fast --impure
|
||||
```
|
||||
|
||||
## Links & References
|
||||
|
||||
- [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs)
|
||||
|
|
3
docs/vm/faq.md
Normal file
3
docs/vm/faq.md
Normal file
|
@ -0,0 +1,3 @@
|
|||
## Why not recurse the module folder
|
||||
|
||||
Imports are special in NIX and its important that they are definet at runtime for lazy evaluation - if you do optional/coded imports not everything is avaliable for evaluating.
|
133
flake.nix
133
flake.nix
|
@ -35,107 +35,124 @@
|
|||
, sops-nix
|
||||
, ...
|
||||
} @ inputs:
|
||||
|
||||
let
|
||||
inherit (self) outputs;
|
||||
forAllSystems = nixpkgs.lib.genAttrs [
|
||||
"aarch64-linux"
|
||||
# "i686-linux"
|
||||
"x86_64-linux"
|
||||
# "aarch64-darwin"
|
||||
# "x86_64-darwin"
|
||||
|
||||
];
|
||||
in
|
||||
with inputs; rec {
|
||||
rec {
|
||||
# Use nixpkgs-fmt for 'nix fmt'
|
||||
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
|
||||
|
||||
nixosModules = import ./nixos/modules/nixos;
|
||||
|
||||
nixosConfigurations =
|
||||
with self.lib;
|
||||
let
|
||||
defaultModules =
|
||||
# (builtins.attrValues nixosModules) ++
|
||||
(builtins.attrValues nixosModules) ++
|
||||
[
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
specialArgs = {
|
||||
inherit inputs outputs;
|
||||
};
|
||||
|
||||
# generate a base nixos configuration with the
|
||||
# specified overlays, hardware modules, and any extraModules applied
|
||||
mkNixosConfig =
|
||||
{ hostname
|
||||
, system ? "x86_64-linux"
|
||||
, nixpkgs ? inputs.nixpkgs
|
||||
, hardwareModules ? [ ]
|
||||
, baseModules ? [
|
||||
sops-nix.nixosModules.sops
|
||||
./nixos/profiles/global.nix
|
||||
./nixos/modules/nixos
|
||||
./nixos/hosts/${hostname}
|
||||
]
|
||||
, profileModules ? [ ]
|
||||
}:
|
||||
nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = baseModules ++ hardwareModules ++ profileModules;
|
||||
specialArgs = { inherit self inputs nixpkgs; };
|
||||
};
|
||||
in
|
||||
{
|
||||
nixosvm = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
|
||||
"rickenbacker" = mkNixosConfig {
|
||||
# NixOS laptop (dualboot windows, dunno why i kept it)
|
||||
hostname = "rickenbacker";
|
||||
system = "x86_64-linux";
|
||||
modules = defaultModules ++ [
|
||||
./nixos/hosts/nixosvm
|
||||
hardwareModules = [
|
||||
./nixos/profiles/hw-thinkpad-e14-amd.nix
|
||||
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd
|
||||
];
|
||||
profileModules = [
|
||||
./nixos/profiles/role-worstation.nix
|
||||
|
||||
];
|
||||
};
|
||||
|
||||
rickenbacker = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
"citadel" = mkNixosConfig {
|
||||
# Gaming PC (dualboot windows)
|
||||
|
||||
hostname = "citadel";
|
||||
system = "x86_64-linux";
|
||||
modules = defaultModules ++ [
|
||||
./nixos/hosts/rickenbacker
|
||||
hardwareModules = [
|
||||
./nixos/profiles/hw-gaming-desktop.nix
|
||||
];
|
||||
profileModules = [
|
||||
./nixos/profiles/role-worstation.nix
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
citadel = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
system = "x86_64-linux";
|
||||
modules = defaultModules ++ [
|
||||
./nixos/hosts/citadel
|
||||
];
|
||||
};
|
||||
"dns01" = mkNixosConfig {
|
||||
# Rpi for DNS and misc services
|
||||
|
||||
dns01 = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
hostname = "dns01";
|
||||
system = "aarch64-linux";
|
||||
modules = defaultModules ++ [
|
||||
./nixos/hosts/dns01
|
||||
hardwareModules = [
|
||||
./nixos/profiles/hw-rpi4.nix
|
||||
inputs.nixos-hardware.nixosModules.raspberry-pi-4
|
||||
];
|
||||
profileModules = [
|
||||
./nixos/profiles/role-server.nix
|
||||
];
|
||||
};
|
||||
|
||||
# dns02 = nixpkgs.lib.nixosSystem {
|
||||
|
||||
# # nix build .#images.rpi4
|
||||
# rpi4 = nixpkgs.lib.nixosSystem {
|
||||
# inherit specialArgs;
|
||||
# system = "aarch64-linux";
|
||||
|
||||
# modules = defaultModules ++ [
|
||||
# ./nixos/hosts/dns02
|
||||
# "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
|
||||
# ./nixos/hosts/images/sd-image
|
||||
# ];
|
||||
# };
|
||||
|
||||
# isoimage = nixpkgs.lib.nixosSystem {
|
||||
# system = "x86_64-linux";
|
||||
# # nix build .#images.iso
|
||||
# iso = nixpkgs.lib.nixosSystem {
|
||||
# inherit specialArgs;
|
||||
|
||||
# modules = defaultModules ++ [
|
||||
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix"
|
||||
# { isoImage.squashfsCompression = "gzip -Xcompression-level 1"; }
|
||||
# ./nixos/iso
|
||||
# "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
|
||||
# "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
|
||||
# ./nixos/hosts/images/cd-dvd
|
||||
# ];
|
||||
# };
|
||||
|
||||
# nix build .#images.rpi4
|
||||
rpi4 = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
|
||||
modules = defaultModules ++ [
|
||||
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
|
||||
./nixos/hosts/images/sd-image
|
||||
];
|
||||
};
|
||||
# nix build .#images.iso
|
||||
iso = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
|
||||
modules = defaultModules ++ [
|
||||
"${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
|
||||
"${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
|
||||
./nixos/hosts/images/cd-dvd
|
||||
];
|
||||
};
|
||||
};
|
||||
# simple shortcut to allow for easier referencing of correct
|
||||
# key for building images
|
||||
# > nix build .#images.rpi4
|
||||
images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage;
|
||||
images.iso = nixosConfigurations.iso.config.system.build.isoImage;
|
||||
# images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage;
|
||||
# images.iso = nixosConfigurations.iso.config.system.build.isoImage;
|
||||
|
||||
# deploy-rs
|
||||
deploy.nodes =
|
||||
|
@ -147,7 +164,7 @@
|
|||
inherit (configuration.config.nixpkgs.hostPlatform) system;
|
||||
in
|
||||
{
|
||||
path = deploy-rs.lib."${system}".activate.nixos configuration;
|
||||
path = inputs.deploy-rs.lib."${system}".activate.nixos configuration;
|
||||
sshUser = "truxnell";
|
||||
user = "root";
|
||||
sshOpts = [ "-t" ];
|
||||
|
@ -158,11 +175,13 @@
|
|||
in
|
||||
{
|
||||
dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01;
|
||||
rickenbacker = mkDeployConfig "rickenbacker" self.nixosConfigurations.rickenbacker;
|
||||
|
||||
# dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02;
|
||||
};
|
||||
|
||||
# deploy-rs: This is highly advised, and will prevent many possible mistakes
|
||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
||||
|
||||
# Convenience output that aggregates the outputs for home, nixos, and darwin configurations.
|
||||
# Also used in ci to build targets generally.
|
||||
|
|
|
@ -6,140 +6,31 @@
|
|||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
imports = [
|
||||
# Host-specific
|
||||
./hardware-configuration.nix
|
||||
|
||||
# Common imports
|
||||
../common/nixos
|
||||
../common/nixos/users/truxnell
|
||||
../common/optional/fish.nix
|
||||
../common/optional/monitoring.nix
|
||||
../common/optional/reboot-required.nix
|
||||
../common/optional/gnome.nix
|
||||
../common/optional/editors/vscode
|
||||
../common/optional/firefox.nix
|
||||
../common/optional/sops-nix.nix
|
||||
|
||||
];
|
||||
config = {
|
||||
mySystem = {
|
||||
services.openssh.enable = true;
|
||||
security.wheelNeedsSudoPassword = false;
|
||||
};
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
||||
networking.hostName = "citadel"; # Define your hostname.
|
||||
|
||||
networking.hostName = "citadel"; # Define your hostname.
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/1D5B-36D3";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enable OpenGL
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
driSupport32Bit = true;
|
||||
};
|
||||
|
||||
# Load nvidia driver for Xorg and Wayland
|
||||
services.xserver.videoDrivers = [ "nvidia" ]; # or "nvidiaLegacy470 etc.
|
||||
|
||||
hardware.nvidia = {
|
||||
|
||||
# Modesetting is required.
|
||||
modesetting.enable = true;
|
||||
|
||||
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
|
||||
# Enable this if you have graphical corruption issues or application crashes after waking
|
||||
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
|
||||
# of just the bare essentials.
|
||||
powerManagement.enable = false;
|
||||
|
||||
# Fine-grained power management. Turns off GPU when not in use.
|
||||
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
|
||||
powerManagement.finegrained = false;
|
||||
|
||||
# Use the NVidia open source kernel module (not to be confused with the
|
||||
# independent third-party "nouveau" open source driver).
|
||||
# Support is limited to the Turing and later architectures. Full list of
|
||||
# supported GPUs is at:
|
||||
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
|
||||
# Only available from driver 515.43.04+
|
||||
# Currently alpha-quality/buggy, so false is currently the recommended setting.
|
||||
open = false;
|
||||
|
||||
# Enable the Nvidia settings menu,
|
||||
# accessible via `nvidia-settings`.
|
||||
nvidiaSettings = true;
|
||||
|
||||
# Optionally, you may need to select the appropriate driver version for your specific GPU.
|
||||
package = config.boot.kernelPackages.nvidiaPackages.stable;
|
||||
};
|
||||
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n.defaultLocale = "en_US.UTF-8";
|
||||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# useXkbConfig = true; # use xkb.options in tty.
|
||||
# };
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.xkb.layout = "us";
|
||||
# services.xserver.xkb.options = "eurosign:e,caps:escape";
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable touchpad support (enabled default in most desktopManager).
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = {
|
||||
# enable = true;
|
||||
# enableSSHSupport = true;
|
||||
# };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# Copy the NixOS configuration file and link it from the resulting system
|
||||
# (/run/current-system/configuration.nix). This is useful in case you
|
||||
# accidentally delete configuration.nix.
|
||||
# system.copySystemConfiguration = true;
|
||||
|
||||
# This option defines the first version of NixOS you have installed on this particular machine,
|
||||
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
|
||||
#
|
||||
# Most users should NEVER change this value after the initial install, for any reason,
|
||||
# even if you've upgraded your system to a new NixOS release.
|
||||
#
|
||||
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
|
||||
# so changing it will NOT upgrade your system.
|
||||
#
|
||||
# This value being lower than the current NixOS release does NOT mean your system is
|
||||
# out of date, out of support, or vulnerable.
|
||||
#
|
||||
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
|
||||
# and migrated your data accordingly.
|
||||
#
|
||||
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
{ config
|
||||
, inputs
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) hostName;
|
||||
# Only enable auto upgrade if current config came from a clean tree
|
||||
# This avoids accidental auto-upgrades when working locally.
|
||||
isClean = inputs.self ? rev;
|
||||
in
|
||||
{
|
||||
system.autoUpgrade = {
|
||||
enable = isClean;
|
||||
dates = "hourly";
|
||||
flags = [
|
||||
"--refresh"
|
||||
];
|
||||
flake = "github:truxnell/nix-config";
|
||||
};
|
||||
}
|
|
@ -1,71 +0,0 @@
|
|||
{ inputs
|
||||
, outputs
|
||||
, config
|
||||
, sops-nix
|
||||
, ...
|
||||
}: {
|
||||
imports =
|
||||
[
|
||||
# inputs.home-manager.nixosModules.home-manager
|
||||
#inputs.sops-nix.nixosModules.sops
|
||||
./locale.nix
|
||||
./nix.nix
|
||||
./openssh.nix
|
||||
./packages.nix
|
||||
]
|
||||
++ (builtins.attrValues { });
|
||||
|
||||
# home-manager.extraSpecialArgs = { inherit inputs outputs; }; TODO Home-manager
|
||||
|
||||
nixpkgs = {
|
||||
# Configure your nixpkgs instance
|
||||
config = {
|
||||
# Disable if you don't want unfree packages
|
||||
allowUnfree = true;
|
||||
};
|
||||
};
|
||||
|
||||
# TODO Shared sops location, probably in home-manager?
|
||||
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
|
||||
# Increase open file limit for sudoers
|
||||
security.pam.loginLimits = [
|
||||
{
|
||||
domain = "@wheel";
|
||||
item = "nofile";
|
||||
type = "soft";
|
||||
value = "524288";
|
||||
}
|
||||
{
|
||||
domain = "@wheel";
|
||||
item = "nofile";
|
||||
type = "hard";
|
||||
value = "1048576";
|
||||
}
|
||||
];
|
||||
|
||||
# sops.secrets.msmtp = {
|
||||
# sopsFile = ./secret.sops.yaml;
|
||||
# }
|
||||
|
||||
# # TODO Email settings
|
||||
# programs.msmtp = {
|
||||
# enable = true;
|
||||
# accounts.default = {
|
||||
# host = "maddy.home.tld";
|
||||
# from = "${config.networking.hostName}@trux.dev";
|
||||
# };
|
||||
# defaults = {
|
||||
# aliases = "/etc/aliases";
|
||||
# };
|
||||
# };
|
||||
|
||||
environment.etc = {
|
||||
"aliases" = {
|
||||
text = ''
|
||||
root: ${config.networking.hostName}@trux.dev
|
||||
'';
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
{ lib, ... }: {
|
||||
i18n = {
|
||||
defaultLocale = lib.mkDefault "en_US.UTF-8";
|
||||
};
|
||||
time.timeZone = lib.mkDefault "Australia/Melbourne";
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
{ inputs
|
||||
, lib
|
||||
, pkgs
|
||||
, config
|
||||
, ...
|
||||
}: {
|
||||
nix = {
|
||||
settings = {
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
substituters = [
|
||||
"https://nix-community.cachix.org"
|
||||
"https://cache.garnix.io"
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
|
||||
];
|
||||
trusted-users = [ "root" "@wheel" ];
|
||||
auto-optimise-store = lib.mkDefault true;
|
||||
warn-dirty = false;
|
||||
|
||||
};
|
||||
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
# Delete older generations too
|
||||
options = "--delete-older-than 5d";
|
||||
};
|
||||
};
|
||||
|
||||
# This will add each flake input as a registry
|
||||
# To make nix3 commands consistent with your flake
|
||||
nix.registry = (lib.mapAttrs (_: flake: { inherit flake; })) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
|
||||
|
||||
# This will additionally add your inputs to the system's legacy channels
|
||||
# Making legacy nix commands consistent as well, awesome!
|
||||
nix.nixPath = [ "/etc/nix/path" ];
|
||||
environment.etc =
|
||||
lib.mapAttrs'
|
||||
(name: value: {
|
||||
name = "nix/path/${name}";
|
||||
value.source = value.flake;
|
||||
})
|
||||
config.nix.registry;
|
||||
|
||||
# Enable printing changes on nix build etc with nvd
|
||||
system.activationScripts.report-changes = ''
|
||||
PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
|
||||
nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
|
||||
'';
|
||||
}
|
|
@ -1,26 +0,0 @@
|
|||
_:
|
||||
|
||||
{
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
# Harden
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
# Automatically remove stale sockets
|
||||
StreamLocalBindUnlink = "yes";
|
||||
# Allow forwarding ports to everywhere
|
||||
GatewayPorts = "clientspecified";
|
||||
# Don't allow home-directory authorized_keys
|
||||
# authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
|
||||
};
|
||||
};
|
||||
|
||||
# TODO fix pam, wheel no pass is a bit of a hack
|
||||
# security.pam.enableSSHAgentAuth = true;
|
||||
|
||||
# TODO remove this hack
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
}: {
|
||||
environment.systemPackages = with pkgs; [
|
||||
bat
|
||||
jq
|
||||
yq
|
||||
btop
|
||||
neovim
|
||||
vim
|
||||
git
|
||||
dnsutils
|
||||
nvd
|
||||
gh
|
||||
nix
|
||||
|
||||
# TODO Move
|
||||
nil
|
||||
nixpkgs-fmt
|
||||
statix
|
||||
];
|
||||
|
||||
programs.direnv = {
|
||||
# TODO move to home-manager
|
||||
enable = true;
|
||||
nix-direnv.enable = true;
|
||||
};
|
||||
programs.mtr.enable = true;
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{ inputs
|
||||
, outputs
|
||||
, config
|
||||
, ...
|
||||
}: {
|
||||
# Time
|
||||
networking.timeServers = [ "10.8.10.1" ];
|
||||
services.chrony = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
{ config
|
||||
, lib
|
||||
, ...
|
||||
}: {
|
||||
# Current nixpkgs cf-ddns only supports using a env file for the apitoken
|
||||
# but not for domains, which makes them hard to find.
|
||||
# To circumvent this, I put both in the 'apiTokenFile' var
|
||||
# so my secret is:
|
||||
|
||||
# apiTokenFile: |-
|
||||
# CLOUDFLARE_API_TOKEN=derp
|
||||
# CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz
|
||||
|
||||
# init secret
|
||||
config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
|
||||
|
||||
# Restart when secret changes
|
||||
config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
|
||||
|
||||
# Cloudflare dynamic dns to keep my DNS records pointed at home
|
||||
config.services.cloudflare-dyndns = {
|
||||
enable = true;
|
||||
ipv6 = false;
|
||||
proxied = true;
|
||||
apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path;
|
||||
domains = [ ];
|
||||
};
|
||||
}
|
|
@ -1,41 +0,0 @@
|
|||
# Ref: https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2
|
||||
{ inputs
|
||||
, outputs
|
||||
, pkgs
|
||||
, config
|
||||
, ...
|
||||
}: {
|
||||
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
|
||||
config.services.resolved.enable = false;
|
||||
|
||||
# Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
|
||||
# causing a risk of no dns if service fails.
|
||||
config.networking = {
|
||||
nameservers = [ "10.8.10.1" ]; # TODO make varible IP
|
||||
|
||||
dhcpcd.extraConfig = "nohook resolv.conf";
|
||||
};
|
||||
|
||||
# configure secret for forwarding rules
|
||||
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
|
||||
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
|
||||
|
||||
# Restart dnscrypt when secret changes
|
||||
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
|
||||
|
||||
config.services.dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
require_dnssec = true;
|
||||
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
|
||||
listen_addresses = [ "0.0.0.0:53" ];
|
||||
server_names = [ "NextDNS" ];
|
||||
|
||||
static = {
|
||||
"NextDNS" = {
|
||||
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,138 +0,0 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
}: {
|
||||
# Enable vscode & addons
|
||||
environment.systemPackages = with pkgs; [
|
||||
(vscode-with-extensions.override {
|
||||
vscode = vscodium;
|
||||
vscodeExtensions = with vscode-extensions;
|
||||
[
|
||||
bbenoist.nix
|
||||
mkhl.direnv
|
||||
|
||||
]
|
||||
++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
|
||||
{
|
||||
name = "prettier-vscode";
|
||||
publisher = "esbenp";
|
||||
version = "10.1.0";
|
||||
sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9";
|
||||
}
|
||||
|
||||
{
|
||||
name = "vscode-docker";
|
||||
publisher = "ms-azuretools";
|
||||
version = "1.28.0";
|
||||
sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0";
|
||||
}
|
||||
|
||||
{
|
||||
name = "gitlens";
|
||||
publisher = "eamodio";
|
||||
version = "14.7.0";
|
||||
sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy";
|
||||
}
|
||||
|
||||
{
|
||||
name = "remote-containers";
|
||||
publisher = "ms-vscode-remote";
|
||||
version = "0.327.0";
|
||||
sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz";
|
||||
}
|
||||
|
||||
{
|
||||
name = "remote-ssh";
|
||||
publisher = "ms-vscode-remote";
|
||||
version = "0.107.1";
|
||||
sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf";
|
||||
}
|
||||
|
||||
{
|
||||
name = "vscode-yaml";
|
||||
publisher = "redhat";
|
||||
version = "1.14.0";
|
||||
sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944";
|
||||
}
|
||||
|
||||
{
|
||||
name = "todo-tree";
|
||||
publisher = "gruntfuggly";
|
||||
version = "0.0.226";
|
||||
sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn";
|
||||
}
|
||||
|
||||
{
|
||||
name = "path-autocomplete";
|
||||
publisher = "ionutvmi";
|
||||
version = "1.25.0";
|
||||
sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb";
|
||||
}
|
||||
|
||||
{
|
||||
name = "even-better-toml";
|
||||
publisher = "tamasfe";
|
||||
version = "0.19.2";
|
||||
sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14";
|
||||
}
|
||||
|
||||
{
|
||||
name = "linter";
|
||||
publisher = "fnando";
|
||||
version = "0.0.19";
|
||||
sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g";
|
||||
}
|
||||
|
||||
{
|
||||
name = "catppuccin-vsc";
|
||||
publisher = "catppuccin";
|
||||
version = "3.11.0";
|
||||
sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d";
|
||||
}
|
||||
|
||||
{
|
||||
name = "catppuccin-vsc-icons";
|
||||
publisher = "catppuccin";
|
||||
version = "1.8.0";
|
||||
sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z";
|
||||
}
|
||||
|
||||
{
|
||||
name = "nix-ide";
|
||||
publisher = "jnoortheen";
|
||||
version = "0.2.2";
|
||||
sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg";
|
||||
}
|
||||
|
||||
{
|
||||
name = "vscode-swissknife";
|
||||
publisher = "luisfontes19";
|
||||
version = "1.8.1";
|
||||
sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c";
|
||||
}
|
||||
|
||||
{
|
||||
name = "pre-commit-helper";
|
||||
publisher = "elagil";
|
||||
version = "0.5.0";
|
||||
sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj";
|
||||
}
|
||||
|
||||
{
|
||||
name = "sops-edit";
|
||||
publisher = "shipitsmarter";
|
||||
version = "1.0.0";
|
||||
sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4";
|
||||
}
|
||||
|
||||
{
|
||||
name = "json5-for-vscode";
|
||||
publisher = "tudoudou";
|
||||
version = "0.0.3";
|
||||
sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w";
|
||||
}
|
||||
];
|
||||
})
|
||||
];
|
||||
}
|
|
@ -1,174 +0,0 @@
|
|||
# Warning, this file is autogenerated by nix4vscode. Don't modify this manually.
|
||||
{ pkgs }:
|
||||
let
|
||||
inherit (pkgs) vscode-utils;
|
||||
in
|
||||
{
|
||||
"ms-python"."python" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "python";
|
||||
publisher = "ms-python";
|
||||
version = "2024.0.0";
|
||||
sha256 = "0sy1z2r6b0m1lkivjyrcf41dbgj9m5zkjy6yncpji1hisjcbgq6n";
|
||||
};
|
||||
|
||||
"ms-python"."vscode-pylance" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "vscode-pylance";
|
||||
publisher = "ms-python";
|
||||
version = "2023.12.1";
|
||||
sha256 = "03fr9zanhdsf3wirv65vb41swvdnxxaz8lviyjdbmzcw9yihf8dv";
|
||||
};
|
||||
|
||||
"esbenp"."prettier-vscode" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "prettier-vscode";
|
||||
publisher = "esbenp";
|
||||
version = "10.1.0";
|
||||
sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9";
|
||||
};
|
||||
|
||||
"ms-azuretools"."vscode-docker" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "vscode-docker";
|
||||
publisher = "ms-azuretools";
|
||||
version = "1.28.0";
|
||||
sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0";
|
||||
};
|
||||
|
||||
"eamodio"."gitlens" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "gitlens";
|
||||
publisher = "eamodio";
|
||||
version = "14.7.0";
|
||||
sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy";
|
||||
};
|
||||
|
||||
"ms-vscode-remote"."remote-containers" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "remote-containers";
|
||||
publisher = "ms-vscode-remote";
|
||||
version = "0.327.0";
|
||||
sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz";
|
||||
};
|
||||
|
||||
"ms-vscode-remote"."remote-ssh" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "remote-ssh";
|
||||
publisher = "ms-vscode-remote";
|
||||
version = "0.107.1";
|
||||
sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf";
|
||||
};
|
||||
|
||||
"redhat"."vscode-yaml" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "vscode-yaml";
|
||||
publisher = "redhat";
|
||||
version = "1.14.0";
|
||||
sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944";
|
||||
};
|
||||
|
||||
"github"."copilot" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "copilot";
|
||||
publisher = "github";
|
||||
version = "1.156.0";
|
||||
sha256 = "16nzwazfbh895kmc2887b17zzbbcjyk8fhiphk5xmy1nm9qxszk0";
|
||||
};
|
||||
|
||||
"golang"."go" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "go";
|
||||
publisher = "golang";
|
||||
version = "0.40.3";
|
||||
sha256 = "15kicpv9xpn7l3w9mbmsjdzjmavh88p3skkim0a9prg9p40bsq0m";
|
||||
};
|
||||
|
||||
"gruntfuggly"."todo-tree" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "todo-tree";
|
||||
publisher = "gruntfuggly";
|
||||
version = "0.0.226";
|
||||
sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn";
|
||||
};
|
||||
|
||||
"ms-kubernetes-tools"."vscode-kubernetes-tools" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "vscode-kubernetes-tools";
|
||||
publisher = "ms-kubernetes-tools";
|
||||
version = "1.3.15";
|
||||
sha256 = "1x6npc90p6b1wx5sd1hd0x0djahmffr6lw9cxh2zg10rbpq48w8i";
|
||||
};
|
||||
|
||||
"hashicorp"."terraform" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "terraform";
|
||||
publisher = "hashicorp";
|
||||
version = "2.29.3";
|
||||
sha256 = "sha256-cYYtBZaWgtT6vS6In+tbpLfp/GdyWodBXyHsxn8ZZrU=";
|
||||
};
|
||||
|
||||
"ionutvmi"."path-autocomplete" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "path-autocomplete";
|
||||
publisher = "ionutvmi";
|
||||
version = "1.25.0";
|
||||
sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb";
|
||||
};
|
||||
|
||||
"tamasfe"."even-better-toml" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "even-better-toml";
|
||||
publisher = "tamasfe";
|
||||
version = "0.19.2";
|
||||
sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14";
|
||||
};
|
||||
|
||||
"redhat"."ansible" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "ansible";
|
||||
publisher = "redhat";
|
||||
version = "2.9.118";
|
||||
sha256 = "0yndj2r0w2zxc5firxgfrykkc5ajy9gsmrfmkz80kfhwk33n9y1p";
|
||||
};
|
||||
|
||||
"fnando"."linter" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "linter";
|
||||
publisher = "fnando";
|
||||
version = "0.0.19";
|
||||
sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g";
|
||||
};
|
||||
|
||||
"catppuccin"."catppuccin-vsc" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "catppuccin-vsc";
|
||||
publisher = "catppuccin";
|
||||
version = "3.11.0";
|
||||
sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d";
|
||||
};
|
||||
|
||||
"catppuccin"."catppuccin-vsc-icons" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "catppuccin-vsc-icons";
|
||||
publisher = "catppuccin";
|
||||
version = "1.8.0";
|
||||
sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z";
|
||||
};
|
||||
|
||||
"jnoortheen"."nix-ide" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "nix-ide";
|
||||
publisher = "jnoortheen";
|
||||
version = "0.2.2";
|
||||
sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg";
|
||||
};
|
||||
|
||||
"luisfontes19"."vscode-swissknife" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "vscode-swissknife";
|
||||
publisher = "luisfontes19";
|
||||
version = "1.8.1";
|
||||
sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c";
|
||||
};
|
||||
|
||||
"elagil"."pre-commit-helper" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "pre-commit-helper";
|
||||
publisher = "elagil";
|
||||
version = "0.5.0";
|
||||
sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj";
|
||||
};
|
||||
|
||||
"shipitsmarter"."sops-edit" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "sops-edit";
|
||||
publisher = "shipitsmarter";
|
||||
version = "1.0.0";
|
||||
sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4";
|
||||
};
|
||||
|
||||
"tudoudou"."json5-for-vscode" = vscode-utils.extensionFromVscodeMarketplace {
|
||||
name = "json5-for-vscode";
|
||||
publisher = "tudoudou";
|
||||
version = "0.0.3";
|
||||
sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w";
|
||||
};
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
}: {
|
||||
programs.firefox = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
|
@ -1,10 +0,0 @@
|
|||
{
|
||||
programs.fish = {
|
||||
enable = true;
|
||||
vendor = {
|
||||
completions.enable = true;
|
||||
config.enable = true;
|
||||
functions.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
}: {
|
||||
# Ref: https://nixos.wiki/wiki/GNOME
|
||||
|
||||
# GNOME plz
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
desktopManager.gnome.enable = true;
|
||||
displayManager = {
|
||||
gdm.enable = true;
|
||||
defaultSession = "gnome"; # TODO move to config overlay
|
||||
autoLogin.user = "truxnell"; # TODO move to config overlay
|
||||
};
|
||||
layout = "us"; # `localctl` will give you
|
||||
};
|
||||
|
||||
# And dconf
|
||||
programs.dconf.enable = true;
|
||||
# dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']"
|
||||
|
||||
# Exclude default GNOME packages that dont interest me.
|
||||
environment.gnome.excludePackages =
|
||||
(with pkgs; [
|
||||
gnome-photos
|
||||
gnome-tour
|
||||
])
|
||||
++ (with pkgs.gnome; [
|
||||
cheese # webcam tool
|
||||
gnome-music
|
||||
gnome-terminal
|
||||
gedit # text editor
|
||||
epiphany # web browser
|
||||
geary # email reader
|
||||
evince # document viewer
|
||||
gnome-characters
|
||||
totem # video player
|
||||
tali # poker game
|
||||
iagno # go game
|
||||
hitori # sudoku game
|
||||
atomix # puzzle game
|
||||
]);
|
||||
}
|
|
@ -1,22 +0,0 @@
|
|||
{ inputs
|
||||
, outputs
|
||||
, config
|
||||
, ...
|
||||
}: {
|
||||
# init secret
|
||||
config.sops.secrets."system/mail/maddy/envFile" = {
|
||||
sopsFile = ./maddy.sops.yaml;
|
||||
owner = "maddy";
|
||||
group = "maddy";
|
||||
};
|
||||
|
||||
# Restart dnscrypt when secret changes
|
||||
config.sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ];
|
||||
|
||||
#
|
||||
config.services.maddy = {
|
||||
enable = true;
|
||||
secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ];
|
||||
config = builtins.readFile ./maddy.conf;
|
||||
};
|
||||
}
|
|
@ -1,30 +0,0 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
}: {
|
||||
services.prometheus.exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [
|
||||
"diskstats"
|
||||
"filesystem"
|
||||
"loadavg"
|
||||
"meminfo"
|
||||
"netdev"
|
||||
"stat"
|
||||
"time"
|
||||
"uname"
|
||||
"systemd"
|
||||
];
|
||||
};
|
||||
smartctl = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
config.services.prometheus.exporters.node.port
|
||||
config.services.prometheus.exporters.smartctl.port
|
||||
];
|
||||
}
|
|
@ -1,36 +0,0 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
systemd.timers."reboot-required-check" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
# start at boot
|
||||
OnBootSec = "0m";
|
||||
# check every hour
|
||||
OnUnitActiveSec = "1h";
|
||||
Unit = "reboot-required-check.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."reboot-required-check" = {
|
||||
script = ''
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# compare current system with booted sysetm to determine if a reboot is required
|
||||
if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
|
||||
# check if the '/var/run/reboot-required' file exists and if it does, remove it
|
||||
if [[ -f /var/run/reboot-required ]]; then
|
||||
rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
|
||||
fi
|
||||
else
|
||||
echo "reboot required"
|
||||
touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
|
||||
fi
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,10 +0,0 @@
|
|||
{ inputs
|
||||
, outputs
|
||||
, config
|
||||
, ...
|
||||
}: {
|
||||
# SOPS settings
|
||||
# https://github.com/Mic92/sops-nix
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
}
|
|
@ -7,104 +7,27 @@
|
|||
, ...
|
||||
}: {
|
||||
imports = [
|
||||
# Host-specific
|
||||
./hardware-configuration.nix
|
||||
|
||||
# Common imports
|
||||
../common/nixos
|
||||
../common/nixos/users/truxnell
|
||||
../common/optional/fish.nix
|
||||
../common/optional/monitoring.nix
|
||||
../common/optional/reboot-required.nix
|
||||
../common/optional/sops-nix.nix
|
||||
|
||||
../common/optional/dnscrypt-proxy2.nix
|
||||
../common/optional/cloudflare-dyndns.nix
|
||||
../common/optional/maddy.nix
|
||||
];
|
||||
|
||||
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
|
||||
boot.loader.grub.enable = false;
|
||||
# Enables the generation of /boot/extlinux/extlinux.conf
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
mySystem.services = {
|
||||
maddy.enable = true;
|
||||
dnscrypt-proxy.enable = true;
|
||||
cfDdns.enable = true;
|
||||
};
|
||||
|
||||
networking.hostName = "dns01"; # Define your hostname.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
||||
console.enable = false;
|
||||
environment.systemPackages = with pkgs; [
|
||||
libraspberrypi
|
||||
raspberrypi-eeprom
|
||||
];
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
swapDevices = [ ];
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n.defaultLocale = "en_US.UTF-8";
|
||||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# useXkbConfig = true; # use xkb.options in tty.
|
||||
# };
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.xkb.layout = "us";
|
||||
# services.xserver.xkb.options = "eurosign:e,caps:escape";
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable touchpad support (enabled default in most desktopManager).
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = {
|
||||
# enable = true;
|
||||
# enableSSHSupport = true;
|
||||
# };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# Copy the NixOS configuration file and link it from the resulting system
|
||||
# (/run/current-system/configuration.nix). This is useful in case you
|
||||
# accidentally delete configuration.nix.
|
||||
# system.copySystemConfiguration = true;
|
||||
|
||||
# This option defines the first version of NixOS you have installed on this particular machine,
|
||||
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
|
||||
#
|
||||
# Most users should NEVER change this value after the initial install, for any reason,
|
||||
# even if you've upgraded your system to a new NixOS release.
|
||||
#
|
||||
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
|
||||
# so changing it will NOT upgrade your system.
|
||||
#
|
||||
# This value being lower than the current NixOS release does NOT mean your system is
|
||||
# out of date, out of support, or vulnerable.
|
||||
#
|
||||
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
|
||||
# and migrated your data accordingly.
|
||||
#
|
||||
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
}
|
|
@ -1,104 +0,0 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page, on
|
||||
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
imports = [
|
||||
# Host-specific
|
||||
./hardware-configuration.nix
|
||||
|
||||
# Common imports
|
||||
../common/nixos
|
||||
../common/nixos/users/truxnell
|
||||
../common/optional/fish.nix
|
||||
../common/optional/monitoring.nix
|
||||
../common/optional/reboot-required.nix
|
||||
../common/optional/gnome.nix
|
||||
../common/optional/editors/vscode
|
||||
../common/optional/firefox.nix
|
||||
../common/optional/sops-nix.nix
|
||||
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
||||
|
||||
networking.hostName = "nixosvm"; # Define your hostname.
|
||||
|
||||
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n.defaultLocale = "en_US.UTF-8";
|
||||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# useXkbConfig = true; # use xkb.options in tty.
|
||||
# };
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.xkb.layout = "us";
|
||||
# services.xserver.xkb.options = "eurosign:e,caps:escape";
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable touchpad support (enabled default in most desktopManager).
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = {
|
||||
# enable = true;
|
||||
# enableSSHSupport = true;
|
||||
# };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# Copy the NixOS configuration file and link it from the resulting system
|
||||
# (/run/current-system/configuration.nix). This is useful in case you
|
||||
# accidentally delete configuration.nix.
|
||||
# system.copySystemConfiguration = true;
|
||||
|
||||
# This option defines the first version of NixOS you have installed on this particular machine,
|
||||
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
|
||||
#
|
||||
# Most users should NEVER change this value after the initial install, for any reason,
|
||||
# even if you've upgraded your system to a new NixOS release.
|
||||
#
|
||||
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
|
||||
# so changing it will NOT upgrade your system.
|
||||
#
|
||||
# This value being lower than the current NixOS release does NOT mean your system is
|
||||
# out of date, out of support, or vulnerable.
|
||||
#
|
||||
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
|
||||
# and migrated your data accordingly.
|
||||
#
|
||||
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
}
|
|
@ -1,40 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, modulesPath
|
||||
, ...
|
||||
}: {
|
||||
imports = [ ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-label/nixos";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-label/boot";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [{ device = "/dev/sda2"; }];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.ens33.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
virtualisation.vmware.guest.enable = true;
|
||||
virtualisation.virtualbox.guest.enable = true;
|
||||
virtualisation.virtualbox.guest.x11 = true;
|
||||
}
|
|
@ -1,115 +1,35 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page, on
|
||||
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
imports = [
|
||||
# Host-specific
|
||||
./hardware-configuration.nix
|
||||
config = {
|
||||
|
||||
# Common imports
|
||||
../common/nixos
|
||||
../common/nixos/users/truxnell
|
||||
../common/optional/fish.nix
|
||||
../common/optional/monitoring.nix
|
||||
../common/optional/reboot-required.nix
|
||||
../common/optional/gnome.nix
|
||||
../common/optional/editors/vscode
|
||||
../common/optional/firefox.nix
|
||||
../common/optional/sops-nix.nix
|
||||
# hardware-configuration.nix is missing as I've abstracted out the parts
|
||||
|
||||
];
|
||||
mySystem = {
|
||||
services.openssh.enable = true;
|
||||
security.wheelNeedsSudoPassword = false;
|
||||
};
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
||||
boot.initrd.kernelModules = [ "amdgpu" ];
|
||||
# TODO build this in from flake host names
|
||||
networking.hostName = "rickenbacker";
|
||||
|
||||
networking.hostName = "rickenbacker"; # Define your hostname.
|
||||
|
||||
# Enable OpenGL
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
driSupport32Bit = true;
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-label/nixos";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/44D0-91EC";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
};
|
||||
|
||||
# Load nvidia driver for Xorg and Wayland
|
||||
services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc.
|
||||
|
||||
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n.defaultLocale = "en_US.UTF-8";
|
||||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# useXkbConfig = true; # use xkb.options in tty.
|
||||
# };
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.xkb.layout = "us";
|
||||
# services.xserver.xkb.options = "eurosign:e,caps:escape";
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable touchpad support (enabled default in most desktopManager).
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = {
|
||||
# enable = true;
|
||||
# enableSSHSupport = true;
|
||||
# };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# Copy the NixOS configuration file and link it from the resulting system
|
||||
# (/run/current-system/configuration.nix). This is useful in case you
|
||||
# accidentally delete configuration.nix.
|
||||
# system.copySystemConfiguration = true;
|
||||
|
||||
# This option defines the first version of NixOS you have installed on this particular machine,
|
||||
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
|
||||
#
|
||||
# Most users should NEVER change this value after the initial install, for any reason,
|
||||
# even if you've upgraded your system to a new NixOS release.
|
||||
#
|
||||
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
|
||||
# so changing it will NOT upgrade your system.
|
||||
#
|
||||
# This value being lower than the current NixOS release does NOT mean your system is
|
||||
# out of date, out of support, or vulnerable.
|
||||
#
|
||||
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
|
||||
# and migrated your data accordingly.
|
||||
#
|
||||
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -1,41 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/fe728106-aaf8-46e6-ab46-1610f1f4398a";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/44D0-91EC";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
9
nixos/modules/README.md
Normal file
9
nixos/modules/README.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
## Modules
|
||||
|
||||
A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
|
||||
|
||||
The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
|
||||
|
||||
This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
|
||||
|
||||
I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.
|
5
nixos/modules/default.nix
Normal file
5
nixos/modules/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
|
||||
mySystem = import ./nixos;
|
||||
|
||||
}
|
5
nixos/modules/nixos/browser/default.nix
Normal file
5
nixos/modules/nixos/browser/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./firefox.nix
|
||||
];
|
||||
}
|
22
nixos/modules/nixos/browser/firefox.nix
Normal file
22
nixos/modules/nixos/browser/firefox.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.browser.firefox;
|
||||
in
|
||||
{
|
||||
options.mySystem.browser.firefox.enable = mkEnableOption "Firefox";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
programs.firefox = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
6
nixos/modules/nixos/de/default.nix
Normal file
6
nixos/modules/nixos/de/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
imports = [
|
||||
./gnome.nix
|
||||
|
||||
];
|
||||
}
|
81
nixos/modules/nixos/de/gnome.nix
Normal file
81
nixos/modules/nixos/de/gnome.nix
Normal file
|
@ -0,0 +1,81 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.de.gnome;
|
||||
in
|
||||
{
|
||||
options.mySystem.de.gnome.enable = mkEnableOption "GNOME";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# Ref: https://nixos.wiki/wiki/GNOME
|
||||
|
||||
# GNOME plz
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
displayManager =
|
||||
{
|
||||
gdm.enable = true;
|
||||
defaultSession = "gnome"; # TODO move to config overlay
|
||||
|
||||
autoLogin.enable = true;
|
||||
autoLogin.user = "truxnell"; # TODO move to config overlay
|
||||
};
|
||||
desktopManager = {
|
||||
# GNOME
|
||||
gnome.enable = true;
|
||||
};
|
||||
|
||||
layout = "us"; # `localctl` will give you
|
||||
};
|
||||
|
||||
# TODO remove this when possible
|
||||
# workaround for GNOME autologin
|
||||
# https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
|
||||
systemd.services."getty@tty1".enable = false;
|
||||
systemd.services."autovt@tty1".enable = false;
|
||||
|
||||
# TODO tidy this
|
||||
# port forward for GNOME when using RDP***REMOVED***
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
3389
|
||||
];
|
||||
|
||||
# And dconf
|
||||
programs.dconf.enable = true;
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/issues/114514
|
||||
# dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']" TODO hack for GNOME 45
|
||||
|
||||
|
||||
# Exclude default GNOME packages that dont interest me.
|
||||
environment.gnome.excludePackages =
|
||||
(with pkgs; [
|
||||
gnome-photos
|
||||
gnome-tour
|
||||
])
|
||||
++ (with pkgs.gnome; [
|
||||
cheese # webcam tool
|
||||
gnome-music
|
||||
gnome-terminal
|
||||
gedit # text editor
|
||||
epiphany # web browser
|
||||
geary # email reader
|
||||
evince # document viewer
|
||||
gnome-characters
|
||||
totem # video player
|
||||
tali # poker game
|
||||
iagno # go game
|
||||
hitori # sudoku game
|
||||
atomix # puzzle game
|
||||
]);
|
||||
};
|
||||
|
||||
|
||||
}
|
11
nixos/modules/nixos/default.nix
Normal file
11
nixos/modules/nixos/default.nix
Normal file
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
imports = [
|
||||
./system
|
||||
./programs
|
||||
./services
|
||||
./browser
|
||||
./de
|
||||
./editor
|
||||
|
||||
];
|
||||
}
|
6
nixos/modules/nixos/editor/default.nix
Normal file
6
nixos/modules/nixos/editor/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
imports = [
|
||||
./vscodium.nix
|
||||
|
||||
];
|
||||
}
|
154
nixos/modules/nixos/editor/vscodium.nix
Normal file
154
nixos/modules/nixos/editor/vscodium.nix
Normal file
|
@ -0,0 +1,154 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.editor.vscodium;
|
||||
in
|
||||
{
|
||||
options.mySystem.editor.vscodium.enable = mkEnableOption "Vscodium";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# TODO add USER settings.json
|
||||
# Enable vscode & addons
|
||||
environment.systemPackages = with pkgs; [
|
||||
(vscode-with-extensions.override {
|
||||
vscode = vscodium;
|
||||
vscodeExtensions = with vscode-extensions;
|
||||
[
|
||||
bbenoist.nix
|
||||
mkhl.direnv
|
||||
|
||||
]
|
||||
++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
|
||||
{
|
||||
name = "prettier-vscode";
|
||||
publisher = "esbenp";
|
||||
version = "10.1.0";
|
||||
sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9";
|
||||
}
|
||||
|
||||
{
|
||||
name = "vscode-docker";
|
||||
publisher = "ms-azuretools";
|
||||
version = "1.28.0";
|
||||
sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0";
|
||||
}
|
||||
|
||||
{
|
||||
name = "gitlens";
|
||||
publisher = "eamodio";
|
||||
version = "14.7.0";
|
||||
sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy";
|
||||
}
|
||||
|
||||
{
|
||||
name = "remote-containers";
|
||||
publisher = "ms-vscode-remote";
|
||||
version = "0.327.0";
|
||||
sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz";
|
||||
}
|
||||
|
||||
{
|
||||
name = "remote-ssh";
|
||||
publisher = "ms-vscode-remote";
|
||||
version = "0.107.1";
|
||||
sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf";
|
||||
}
|
||||
|
||||
{
|
||||
name = "vscode-yaml";
|
||||
publisher = "redhat";
|
||||
version = "1.14.0";
|
||||
sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944";
|
||||
}
|
||||
|
||||
{
|
||||
name = "todo-tree";
|
||||
publisher = "gruntfuggly";
|
||||
version = "0.0.226";
|
||||
sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn";
|
||||
}
|
||||
|
||||
{
|
||||
name = "path-autocomplete";
|
||||
publisher = "ionutvmi";
|
||||
version = "1.25.0";
|
||||
sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb";
|
||||
}
|
||||
|
||||
{
|
||||
name = "even-better-toml";
|
||||
publisher = "tamasfe";
|
||||
version = "0.19.2";
|
||||
sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14";
|
||||
}
|
||||
|
||||
{
|
||||
name = "linter";
|
||||
publisher = "fnando";
|
||||
version = "0.0.19";
|
||||
sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g";
|
||||
}
|
||||
|
||||
{
|
||||
name = "catppuccin-vsc";
|
||||
publisher = "catppuccin";
|
||||
version = "3.11.0";
|
||||
sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d";
|
||||
}
|
||||
|
||||
{
|
||||
name = "catppuccin-vsc-icons";
|
||||
publisher = "catppuccin";
|
||||
version = "1.8.0";
|
||||
sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z";
|
||||
}
|
||||
|
||||
{
|
||||
name = "nix-ide";
|
||||
publisher = "jnoortheen";
|
||||
version = "0.2.2";
|
||||
sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg";
|
||||
}
|
||||
|
||||
{
|
||||
name = "vscode-swissknife";
|
||||
publisher = "luisfontes19";
|
||||
version = "1.8.1";
|
||||
sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c";
|
||||
}
|
||||
|
||||
{
|
||||
name = "pre-commit-helper";
|
||||
publisher = "elagil";
|
||||
version = "0.5.0";
|
||||
sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj";
|
||||
}
|
||||
|
||||
{
|
||||
name = "sops-edit";
|
||||
publisher = "shipitsmarter";
|
||||
version = "1.0.0";
|
||||
sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4";
|
||||
}
|
||||
|
||||
{
|
||||
name = "json5-for-vscode";
|
||||
publisher = "tudoudou";
|
||||
version = "0.0.3";
|
||||
sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w";
|
||||
}
|
||||
];
|
||||
})
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
5
nixos/modules/nixos/programs/default.nix
Normal file
5
nixos/modules/nixos/programs/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./shell
|
||||
];
|
||||
}
|
5
nixos/modules/nixos/programs/shell/default.nix
Normal file
5
nixos/modules/nixos/programs/shell/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./fish.nix
|
||||
];
|
||||
}
|
35
nixos/modules/nixos/programs/shell/fish.nix
Normal file
35
nixos/modules/nixos/programs/shell/fish.nix
Normal file
|
@ -0,0 +1,35 @@
|
|||
{ lib
|
||||
, config
|
||||
, self
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.shell.fish;
|
||||
in
|
||||
{
|
||||
options.mySystem.shell.fish =
|
||||
{
|
||||
enable = mkEnableOption "Fish";
|
||||
enablePlugins = mkOption
|
||||
{
|
||||
type = lib.types.bool;
|
||||
description = "If we want to add fish plugins";
|
||||
default = true;
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
# Install fish systemwide
|
||||
config.programs.fish = mkIf cfg.enable {
|
||||
enable = true;
|
||||
vendor = {
|
||||
completions.enable = true;
|
||||
config.enable = true;
|
||||
functions.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
}
|
|
@ -27,7 +27,7 @@ sops:
|
|||
V285bFUwdXgzUy9Ndi8yTCtsYlRHVGsKzSx+eyIrJKgZCL2VoS4fEcp6iVpDiqF6
|
||||
7czaNhQhT0doqRm3QddMlD+o/7t7xOGhQEraq4q+i/JD4iYkSQp4zw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t
|
||||
- recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnR0JCdUJubzRLRFY1ZGdp
|
39
nixos/modules/nixos/services/cloudflare-dyndns/default.nix
Normal file
39
nixos/modules/nixos/services/cloudflare-dyndns/default.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.cfDdns;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.cfDdns.enable = mkEnableOption "Cloudflare ddns";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Current nixpkgs cf-ddns only supports using a env file for the apitoken
|
||||
# but not for domains, which makes them hard to find.
|
||||
# To circumvent this, I put both in the 'apiTokenFile' var
|
||||
# so my secret is:
|
||||
|
||||
# apiTokenFile: |-
|
||||
# CLOUDFLARE_API_TOKEN=derp
|
||||
# CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz
|
||||
|
||||
# TODO add notifications on IP change
|
||||
# init secret
|
||||
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
|
||||
|
||||
# Restart when secret changes
|
||||
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
|
||||
|
||||
# Cloudflare dynamic dns to keep my DNS records pointed at home
|
||||
services.cloudflare-dyndns = {
|
||||
enable = true;
|
||||
ipv6 = false;
|
||||
proxied = true;
|
||||
apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path;
|
||||
domains = [ ];
|
||||
};
|
||||
};
|
||||
}
|
9
nixos/modules/nixos/services/default.nix
Normal file
9
nixos/modules/nixos/services/default.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
imports = [
|
||||
./monitoring.nix
|
||||
./reboot-required-check.nix
|
||||
./cloudflare-dyndns
|
||||
./maddy
|
||||
./dnscrypt-proxy2
|
||||
];
|
||||
}
|
50
nixos/modules/nixos/services/dnscrypt-proxy2/default.nix
Normal file
50
nixos/modules/nixos/services/dnscrypt-proxy2/default.nix
Normal file
|
@ -0,0 +1,50 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.dnscrypt-proxy;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.dnscrypt-proxy.enable = mkEnableOption "Cloudflare ddns";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
|
||||
services.resolved.enable = false;
|
||||
|
||||
# Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
|
||||
# causing a risk of no dns if service fails.
|
||||
networking = {
|
||||
nameservers = [ "10.8.10.1" ]; # TODO make varible IP
|
||||
|
||||
dhcpcd.extraConfig = "nohook resolv.conf";
|
||||
};
|
||||
sops.secrets = {
|
||||
|
||||
# configure secret for forwarding rules
|
||||
"system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
|
||||
"system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
|
||||
|
||||
# Restart dnscrypt when secret changes
|
||||
"system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
|
||||
};
|
||||
|
||||
services.dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
require_dnssec = true;
|
||||
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
|
||||
listen_addresses = [ "0.0.0.0:53" ];
|
||||
server_names = [ "NextDNS" ];
|
||||
|
||||
static = {
|
||||
"NextDNS" = {
|
||||
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -26,7 +26,7 @@ sops:
|
|||
VjhyZ3FqSkhtZHZ3S0xPVXZBNEtZOHMKCW9YMMwPXaDO23WdbW+NMmYVYau6Nw3i
|
||||
I4J+xRLDe8N8Ty8sVql7xPYmA2UtI/Vf12sJxrH+YZA3x7Ip1RnM5A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t
|
||||
- recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR1h3aDZqMmtWYkE4ZFBo
|
30
nixos/modules/nixos/services/maddy/default.nix
Normal file
30
nixos/modules/nixos/services/maddy/default.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.maddy;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.maddy.enable = mkEnableOption "Maddy SMTP Client (Relay)";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
sops.secrets."system/mail/maddy/envFile" = {
|
||||
sopsFile = ./maddy.sops.yaml;
|
||||
owner = "maddy";
|
||||
group = "maddy";
|
||||
};
|
||||
|
||||
sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ];
|
||||
|
||||
services.maddy = {
|
||||
enable = true;
|
||||
secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ];
|
||||
config = builtins.readFile ./maddy.conf;
|
||||
};
|
||||
|
||||
};
|
||||
}
|
|
@ -26,7 +26,7 @@ sops:
|
|||
bVoxd0FvWjEyeHlKM2IyS1c2ajlhMncKJjDktmjOisjdUecV/bhI00fp6jA2puGD
|
||||
mOuASUhxGGN1c805vLmLnJA0llLtaN8C2iQC/H14IjG1U7QObbnrEA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t
|
||||
- recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMjkrcHFZTXQ3QjZKWksw
|
46
nixos/modules/nixos/services/monitoring.nix
Normal file
46
nixos/modules/nixos/services/monitoring.nix
Normal file
|
@ -0,0 +1,46 @@
|
|||
{ lib
|
||||
, config
|
||||
, self
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.promMonitoring;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.promMonitoring.enable = mkEnableOption "Prometheus Monitoring";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
services.prometheus.exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [
|
||||
"diskstats"
|
||||
"filesystem"
|
||||
"loadavg"
|
||||
"meminfo"
|
||||
"netdev"
|
||||
"stat"
|
||||
"time"
|
||||
"uname"
|
||||
"systemd"
|
||||
];
|
||||
};
|
||||
smartctl = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
# ensure ports are open
|
||||
networking.firewall.allowedTCPPorts = mkIf cfg.enable [
|
||||
config.services.prometheus.exporters.node.port
|
||||
config.services.prometheus.exporters.smartctl.port
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
54
nixos/modules/nixos/services/reboot-required-check.nix
Normal file
54
nixos/modules/nixos/services/reboot-required-check.nix
Normal file
|
@ -0,0 +1,54 @@
|
|||
{ lib
|
||||
, config
|
||||
, self
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.rebootRequiredCheck;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.rebootRequiredCheck.enable = mkEnableOption "Reboot required check";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# Enable timer
|
||||
systemd.timers."reboot-required-check" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
# start at boot
|
||||
OnBootSec = "0m";
|
||||
# check every hour
|
||||
OnUnitActiveSec = "1h";
|
||||
Unit = "reboot-required-check.service";
|
||||
};
|
||||
};
|
||||
|
||||
# Below script will check if initrd, kernel, kernel-modules that were booted match the current system
|
||||
# i.e. if a nixos-rebuild switch has upgraded anything
|
||||
systemd.services."reboot-required-check" = {
|
||||
script = ''
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# compare current system with booted sysetm to determine if a reboot is required
|
||||
if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
|
||||
# check if the '/var/run/reboot-required' file exists and if it does, remove it
|
||||
if [[ -f /var/run/reboot-required ]]; then
|
||||
rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
|
||||
fi
|
||||
else
|
||||
echo "reboot required"
|
||||
touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
|
||||
fi
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
9
nixos/modules/nixos/system/default.nix
Normal file
9
nixos/modules/nixos/system/default.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
imports = [
|
||||
./openssh.nix
|
||||
./time.nix
|
||||
./security.nix
|
||||
./systempackages.nix
|
||||
./nix.nix
|
||||
];
|
||||
}
|
48
nixos/modules/nixos/system/nix.nix
Normal file
48
nixos/modules/nixos/system/nix.nix
Normal file
|
@ -0,0 +1,48 @@
|
|||
{ lib
|
||||
, config
|
||||
, self
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.nix;
|
||||
in
|
||||
{
|
||||
options.mySystem.nix = {
|
||||
autoOptimiseStore = mkOption
|
||||
{
|
||||
type = lib.types.bool;
|
||||
description = "If we want to auto optimise store";
|
||||
default = true;
|
||||
|
||||
};
|
||||
gc = {
|
||||
enable = mkEnableOption "automatic garbage collection" // {
|
||||
default = true;
|
||||
};
|
||||
persistent = mkOption
|
||||
{
|
||||
type = lib.types.bool;
|
||||
description = "Persistent timer for gc, runs at startup if timer missed";
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config.nix = {
|
||||
|
||||
optimise.automatic = cfg.autoOptimiseStore;
|
||||
|
||||
# automatically garbage collect nix store
|
||||
gc = mkIf cfg.gc.enable {
|
||||
# garbage collection
|
||||
automatic = cfg.gc.enable;
|
||||
options = "--delete-older-than 30d";
|
||||
inherit (cfg.gc) persistent;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
47
nixos/modules/nixos/system/openssh.nix
Normal file
47
nixos/modules/nixos/system/openssh.nix
Normal file
|
@ -0,0 +1,47 @@
|
|||
{ lib
|
||||
, config
|
||||
, self
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.openssh;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.openssh = {
|
||||
enable = mkEnableOption "openssh";
|
||||
passwordAuthentication = mkOption
|
||||
{
|
||||
type = lib.types.bool;
|
||||
description = "If password can be accepted for ssh (commonly disable for security hardening)";
|
||||
default = false;
|
||||
|
||||
};
|
||||
permitRootLogin = mkOption
|
||||
{
|
||||
type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
|
||||
description = "If root can login via ssh (commonly disable for security hardening)";
|
||||
default = "no";
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
# TODO: Enable this when option becomes available
|
||||
# Don't allow home-directory authorized_keys
|
||||
# authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
settings = {
|
||||
# Harden
|
||||
PasswordAuthentication = cfg.passwordAuthentication;
|
||||
PermitRootLogin = cfg.permitRootLogin;
|
||||
# Automatically remove stale sockets
|
||||
StreamLocalBindUnlink = "yes";
|
||||
# Allow forwarding ports to everywhere
|
||||
GatewayPorts = "clientspecified";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
51
nixos/modules/nixos/system/security.nix
Normal file
51
nixos/modules/nixos/system/security.nix
Normal file
|
@ -0,0 +1,51 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.security;
|
||||
in
|
||||
{
|
||||
options.mySystem.security = {
|
||||
|
||||
sshAgentAuth.enable = lib.mkEnableOption "openssh";
|
||||
|
||||
wheelNeedsSudoPassword = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
description = "If wheel group users need password for sudo";
|
||||
default = true;
|
||||
};
|
||||
increaseWheelLoginLimits = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
description = "If wheel group users receive increased login limits";
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
{
|
||||
security = {
|
||||
sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;
|
||||
|
||||
pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;
|
||||
|
||||
# Increase open file limit for sudoers
|
||||
pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [
|
||||
{
|
||||
domain = "@wheel";
|
||||
item = "nofile";
|
||||
type = "soft";
|
||||
value = "524288";
|
||||
}
|
||||
{
|
||||
domain = "@wheel";
|
||||
item = "nofile";
|
||||
type = "hard";
|
||||
value = "1048576";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
26
nixos/modules/nixos/system/systempackages.nix
Normal file
26
nixos/modules/nixos/system/systempackages.nix
Normal file
|
@ -0,0 +1,26 @@
|
|||
{ lib
|
||||
, config
|
||||
, self
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.system;
|
||||
in
|
||||
{
|
||||
options.mySystem.system = {
|
||||
packages = mkOption
|
||||
{
|
||||
type = with types; listOf package;
|
||||
description = "List of system level package installs";
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
|
||||
# System packages deployed globally.
|
||||
# This is NixOS so lets keep this liiight?
|
||||
# Ideally i'd keep most of it to home-manager user only stuff
|
||||
# and keep server role as light as possible
|
||||
config.environment.systemPackages = cfg.packages;
|
||||
|
||||
}
|
25
nixos/modules/nixos/system/time.nix
Normal file
25
nixos/modules/nixos/system/time.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
cfg = config.mySystem.time;
|
||||
in
|
||||
{
|
||||
options.mySystem.time = {
|
||||
timeZone = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Timezone of system";
|
||||
default = "Australia/Melbourne";
|
||||
};
|
||||
hwClockLocalTime = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
description = "If hardware clock is set to local time (useful for windows dual boot)";
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
config = {
|
||||
time.timeZone = cfg.timeZone;
|
||||
time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
|
||||
};
|
||||
}
|
20
nixos/modules/nixos/template.nix
Normal file
20
nixos/modules/nixos/template.nix
Normal file
|
@ -0,0 +1,20 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.xx.yy;
|
||||
in
|
||||
{
|
||||
options.mySystem.xx.yy.enable = mkEnableOption "<INSERT DESCRIPTION>";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# CONFIG HERE
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
19
nixos/profiles/README.md
Normal file
19
nixos/profiles/README.md
Normal file
|
@ -0,0 +1,19 @@
|
|||
## Profiles
|
||||
|
||||
Here is the profiles that each host picks from to build up a system.
|
||||
|
||||
My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
|
||||
Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
|
||||
|
||||
## Global
|
||||
|
||||
Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
|
||||
|
||||
## Hardware
|
||||
|
||||
Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
|
||||
|
||||
## Role
|
||||
|
||||
The role the machine have. Machines may have multiple roles
|
||||
i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.
|
78
nixos/profiles/global.nix
Normal file
78
nixos/profiles/global.nix
Normal file
|
@ -0,0 +1,78 @@
|
|||
{ config, lib, pkgs, imports, modulesPath, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
# NOTE
|
||||
# Some 'global' areas have defaults set in their respective modules.
|
||||
# These will be applied when the modules are loaded
|
||||
# Not the global role.
|
||||
# Not sure at this point a good way to manage globals in one place
|
||||
# without mono-repo config.
|
||||
|
||||
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix") # Generated by nixos-config-generate
|
||||
./global
|
||||
];
|
||||
|
||||
mySystem = {
|
||||
|
||||
# basics for all devices
|
||||
time.timeZone = "Australia/Melbourne";
|
||||
security.increaseWheelLoginLimits = true;
|
||||
system.packages = [ pkgs.bat ];
|
||||
|
||||
# Lets see if fish everywhere is OK on the pi's
|
||||
# TODO decide if i drop to bash on pis?
|
||||
shell.fish.enable = true;
|
||||
# But wont enable plugins globally, leave them for workstations
|
||||
};
|
||||
|
||||
|
||||
i18n = {
|
||||
defaultLocale = lib.mkDefault "en_AU.UTF-8";
|
||||
};
|
||||
|
||||
# TODO refactor this shit out wow
|
||||
|
||||
# SOPS settings
|
||||
# https://github.com/Mic92/sops-nix
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
jq
|
||||
yq
|
||||
btop
|
||||
vim
|
||||
git
|
||||
dnsutils
|
||||
nix
|
||||
|
||||
# TODO Move
|
||||
nil
|
||||
nixpkgs-fmt
|
||||
statix
|
||||
nvd
|
||||
gh
|
||||
];
|
||||
|
||||
programs.direnv = {
|
||||
# TODO move to home-manager
|
||||
enable = true;
|
||||
nix-direnv.enable = true;
|
||||
};
|
||||
programs.mtr.enable = true;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
9
nixos/profiles/global/default.nix
Normal file
9
nixos/profiles/global/default.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
imports = [
|
||||
./nix.nix
|
||||
./nixpkgs.nix
|
||||
./sops.nix
|
||||
./system.nix
|
||||
./users.nix
|
||||
];
|
||||
}
|
58
nixos/profiles/global/nix.nix
Normal file
58
nixos/profiles/global/nix.nix
Normal file
|
@ -0,0 +1,58 @@
|
|||
{ lib, config, pkgs, nixpkgs, ... }:
|
||||
{
|
||||
|
||||
## Below is to align shell/system to flake's nixpkgs
|
||||
## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
|
||||
|
||||
# Make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
|
||||
environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
|
||||
nix = {
|
||||
|
||||
# make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
|
||||
registry.nixpkgs.flake = nixpkgs;
|
||||
channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
|
||||
|
||||
# but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake.
|
||||
# https://github.com/NixOS/nix/issues/9574
|
||||
settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
|
||||
|
||||
###
|
||||
|
||||
settings = {
|
||||
|
||||
# Enable flakes
|
||||
experimental-features = [
|
||||
"nix-command"
|
||||
"flakes"
|
||||
];
|
||||
|
||||
# Substitutions
|
||||
trusted-substituters = [
|
||||
"https://cache.garnix.io"
|
||||
"https://nix-community.cachix.org"
|
||||
"https://numtide.cachix.org"
|
||||
];
|
||||
|
||||
trusted-public-keys = [
|
||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
|
||||
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
|
||||
];
|
||||
|
||||
# Fallback quickly if substituters are not available.
|
||||
connect-timeout = 5;
|
||||
# Avoid copying unnecessary stuff over SSH
|
||||
builders-use-substitutes = true;
|
||||
|
||||
|
||||
trusted-users = [ "root" "@wheel" ];
|
||||
|
||||
warn-dirty = false;
|
||||
|
||||
# The default at 10 is rarely enough.
|
||||
log-lines = lib.mkDefault 25;
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
}
|
10
nixos/profiles/global/nixpkgs.nix
Normal file
10
nixos/profiles/global/nixpkgs.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
nixpkgs = {
|
||||
# Configure your nixpkgs instance
|
||||
config = {
|
||||
# Disable if you don't want unfree packages
|
||||
allowUnfree = true;
|
||||
};
|
||||
};
|
||||
}
|
6
nixos/profiles/global/sops.nix
Normal file
6
nixos/profiles/global/sops.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
}
|
47
nixos/profiles/global/system.nix
Normal file
47
nixos/profiles/global/system.nix
Normal file
|
@ -0,0 +1,47 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
{
|
||||
system = {
|
||||
# Enable printing changes on nix build etc with nvd
|
||||
activationScripts.report-changes = ''
|
||||
PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
|
||||
nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
|
||||
'';
|
||||
|
||||
# Do not change unless you know what you are doing
|
||||
stateVersion = "23.11"; # THERE BE DRAGONS
|
||||
|
||||
# (This one comes in the niiiiight) :::
|
||||
# :: :::.
|
||||
# \/, .:::::
|
||||
# \), \`-._ :::888
|
||||
# /\ \ `-. ::88888
|
||||
# / \ | .( ::88
|
||||
# /,. \ ; ( ` .:8888
|
||||
# ), \ / ;`` :::888
|
||||
# /_ \ __/_(_ :88
|
||||
# `. ,`..-' `-._ \ / :8
|
||||
# )__ `. `._ .\/.
|
||||
# / `. ` `-._______m _,
|
||||
# ,-=====-.-;' , ___________/ _,-_,'"`/__,-.
|
||||
# C =-- ; `.`._ V V V -=-'"#==-._
|
||||
# :, \ ,| UuUu _,......__ `-.__A_A_ -. ._ ,--._ ",`` `-
|
||||
# || |`---' : uUuUu,' `'--...____/ `" `". `
|
||||
# |` : \ UuUu:
|
||||
# : / \ UuUu`-._
|
||||
# \(_ `._ uUuUu `-.
|
||||
# (_3 `._ uUu `._
|
||||
# ``-._ `.
|
||||
# `-._ `.
|
||||
# `. \
|
||||
# ) ;
|
||||
# / /
|
||||
# `. |\ ,' /
|
||||
# ",_A_/\-| ` ,'
|
||||
# `--..,_|_,-'\
|
||||
# | \
|
||||
# | \__
|
||||
# |__
|
||||
|
||||
};
|
||||
}
|
|
@ -18,13 +18,14 @@ in
|
|||
++ ifTheyExist [
|
||||
"network"
|
||||
"samba-users"
|
||||
"docker"
|
||||
];
|
||||
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
|
||||
];
|
||||
|
||||
packages = [ pkgs.home-manager ];
|
||||
# packages = [ pkgs.home-manager ];
|
||||
};
|
||||
|
||||
# home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager?
|
74
nixos/profiles/hw-gaming-desktop.nix
Normal file
74
nixos/profiles/hw-gaming-desktop.nix
Normal file
|
@ -0,0 +1,74 @@
|
|||
{ config, lib, pkgs, imports, boot, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
|
||||
mySystem.system.packages = with pkgs; [
|
||||
ntfs3g
|
||||
];
|
||||
|
||||
boot = {
|
||||
|
||||
initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
kernelModules = [ "kvm-amd" ];
|
||||
extraModulePackages = [ ];
|
||||
|
||||
# for managing/mounting ntfs
|
||||
supportedFilesystems = [ "ntfs" ];
|
||||
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
# why not ensure we can memtest workstatons easily?
|
||||
grub.memtest86.enable = true;
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
# set xserver videodrivers for NVIDIA 4080 gpu
|
||||
services.xserver.videoDrivers = [ "nvidia" ];
|
||||
|
||||
|
||||
# ref: https://nixos.wiki/wiki/Nvidia
|
||||
# Enable OpenGL
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
driSupport32Bit = true;
|
||||
};
|
||||
|
||||
hardware.nvidia = {
|
||||
|
||||
# Modesetting is required.
|
||||
modesetting.enable = true;
|
||||
|
||||
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
|
||||
# Enable this if you have graphical corruption issues or application crashes after waking
|
||||
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
|
||||
# of just the bare essentials.
|
||||
powerManagement.enable = false;
|
||||
|
||||
# Fine-grained power management. Turns off GPU when not in use.
|
||||
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
|
||||
powerManagement.finegrained = false;
|
||||
|
||||
# Use the NVidia open source kernel module (not to be confused with the
|
||||
# independent third-party "nouveau" open source driver).
|
||||
# Support is limited to the Turing and later architectures. Full list of
|
||||
# supported GPUs is at:
|
||||
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
|
||||
# Only available from driver 515.43.04+
|
||||
# Currently alpha-quality/buggy, so false is currently the recommended setting.
|
||||
open = false;
|
||||
|
||||
# Enable the Nvidia settings menu,
|
||||
# accessible via `nvidia-settings`.
|
||||
nvidiaSettings = true;
|
||||
|
||||
# Optionally, you may need to select the appropriate driver version for your specific GPU.
|
||||
package = config.boot.kernelPackages.nvidiaPackages.stable;
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
||||
}
|
29
nixos/profiles/hw-rpi4.nix
Normal file
29
nixos/profiles/hw-rpi4.nix
Normal file
|
@ -0,0 +1,29 @@
|
|||
{ config, lib, pkgs, imports, boot, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
boot = {
|
||||
|
||||
initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
|
||||
initrd.kernelModules = [ ];
|
||||
kernelModules = [ ];
|
||||
extraModulePackages = [ ];
|
||||
|
||||
loader = {
|
||||
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
|
||||
grub.enable = false;
|
||||
# Enables the generation of /boot/extlinux/extlinux.conf
|
||||
generic-extlinux-compatible.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
console.enable = false;
|
||||
mySystem.system.packages = with pkgs; [
|
||||
libraspberrypi
|
||||
raspberrypi-eeprom
|
||||
];
|
||||
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
|
||||
}
|
32
nixos/profiles/hw-thinkpad-e14-amd.nix
Normal file
32
nixos/profiles/hw-thinkpad-e14-amd.nix
Normal file
|
@ -0,0 +1,32 @@
|
|||
{ config, lib, pkgs, imports, boot, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
boot = {
|
||||
|
||||
initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
initrd.kernelModules = [ "amdgpu" ];
|
||||
kernelModules = [ "kvm-amd" ];
|
||||
extraModulePackages = [ ];
|
||||
|
||||
# for managing/mounting ntfs
|
||||
supportedFilesystems = [ "ntfs" ];
|
||||
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
# why not ensure we can memtest workstatons easily?
|
||||
grub.memtest86.enable = true;
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
# set xserver videodrivers for amp gpu
|
||||
services.xserver.videoDrivers = [ "amdgpu" ];
|
||||
|
||||
# As this is a laptop explicitly enable nmcli (likely enabled by GUI anyway)
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
||||
}
|
24
nixos/profiles/role-server.nix
Normal file
24
nixos/profiles/role-server.nix
Normal file
|
@ -0,0 +1,24 @@
|
|||
{ config, lib, pkgs, imports, boot, ... }:
|
||||
# Role for headless servers
|
||||
# covers raspi's, sbc, NUC etc, anything
|
||||
# that is headless and minimal for running services
|
||||
|
||||
with lib;
|
||||
{
|
||||
config = {
|
||||
|
||||
# Enable monitoring for remote scraiping
|
||||
mySystem.services.promMonitoring.enable = true;
|
||||
mySystem.services.rebootRequiredCheck.enable = true;
|
||||
|
||||
nix.settings = {
|
||||
# TODO factor out into mySystem
|
||||
# Avoid disk full issues
|
||||
max-free = lib.mkDefault (1000 * 1000 * 1000);
|
||||
min-free = lib.mkDefault (128 * 1000 * 1000);
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
|
||||
}
|
36
nixos/profiles/role-worstation.nix
Normal file
36
nixos/profiles/role-worstation.nix
Normal file
|
@ -0,0 +1,36 @@
|
|||
{ config, lib, pkgs, imports, boot, ... }:
|
||||
# Role for workstations
|
||||
# Covers desktops/laptops, expected to have a GUI and do worloads
|
||||
# Will have home-manager installs
|
||||
|
||||
with config;
|
||||
{
|
||||
mySystem = {
|
||||
|
||||
de.gnome.enable = true;
|
||||
editor.vscodium.enable = true;
|
||||
browser.firefox.enable = true;
|
||||
};
|
||||
|
||||
boot = {
|
||||
|
||||
binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
||||
plymouth.enable = true; # hide console with splash screen
|
||||
};
|
||||
|
||||
nix.settings = {
|
||||
# TODO factor out into mySystem
|
||||
# Avoid disk full issues
|
||||
max-free = lib.mkDefault (1000 * 1000 * 1000);
|
||||
min-free = lib.mkDefault (128 * 1000 * 1000);
|
||||
};
|
||||
|
||||
# set xserver videodrivers if used
|
||||
services.xserver.enable = true;
|
||||
|
||||
# Laptop so ill likely use wireles
|
||||
# very likely to be set by GUI packages but lets
|
||||
# be declarative.
|
||||
|
||||
|
||||
}
|
Reference in a new issue