Merge pull request #21 from truxnell/module-refactor

feat: module refactor go bang crash clatter
Truxnell 2024-03-26 23:32:27 +11:00 committed by GitHub
commit 637c55c39b
74 changed files with 1419 additions and 1364 deletions


@ -52,6 +52,11 @@ jobs:
with: with:
extra_nix_config: | extra_nix_config: |
experimental-features = nix-command flakes experimental-features = nix-command flakes
extra-platforms = aarch64-linux
- name: Register binfmt
run: |
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
- name: Garbage collect build dependencies - name: Garbage collect build dependencies
run: nix-collect-garbage run: nix-collect-garbage
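Review bot: The new `Register binfmt` step runs `multiarch/qemu-user-static` as a `--privileged` container from a floating tag, so whatever the registry serves for that tag at run time executes as root on the runner and rewrites its binfmt handlers. Pin the image by digest, `docker run --rm --privileged multiarch/qemu-user-static@sha256:<DIGEST-PLACEHOLDER> --reset -p yes`, and bump it deliberately rather than picking up silent updates. A one-line comment on the step would also help the next reader, e.g. `# registers aarch64 emulation so extra-platforms = aarch64-linux can be used by the nix builder`. The enclosing `jobs:` block starts outside the hunk.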


@ -1,20 +1,19 @@
--- ---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3" version: "3"
vars: vars:
host: $HOSTNAME host: $HOSTNAME
tasks: tasks:
apply: switch:
desc: Build and apply nix configuration desc: Build and apply nix configuration
silent: true silent: true
requires: requires:
vars: vars:
- host - host
cmds: cmds:
- task: build - echo "This will switch your config."
vars:
host: "{{ .host }}"
- task: .prompt_to_continue - task: .prompt_to_continue
- sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.host}}" --impure - sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
preconditions: preconditions:
@ -23,6 +22,39 @@ tasks:
- sh: which nixos-rebuild - sh: which nixos-rebuild
msg: "nixos-rebuild not found" msg: "nixos-rebuild not found"
test:
desc: Build and apply nix configuration
silent: true
requires:
vars:
- host
cmds:
- echo "This will test your config."
- task: .prompt_to_continue
- sudo nixos-rebuild test --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
preconditions:
- sh: which nix
msg: "nix not found"
- sh: which nixos-rebuild
msg: "nixos-rebuild not found"
dry-run:
desc: Build and apply nix configuration
silent: true
requires:
vars:
- host
cmds:
- echo "This will dry-run your config and add your untracked git files."
- git add .
- nixos-rebuild dry-run --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
preconditions:
- sh: which nix
msg: "nix not found"
- sh: which nixos-rebuild
msg: "nixos-rebuild not found"
build: build:
desc: Build nix configuration desc: Build nix configuration
silent: true silent: true
@ -30,6 +62,7 @@ tasks:
vars: vars:
- host - host
cmds: cmds:
- git add .
- nixos-rebuild build --flake "{{.ROOT_DIR}}/#{{.host}}" --impure - nixos-rebuild build --flake "{{.ROOT_DIR}}/#{{.host}}" --impure
- nvd diff /run/current-system result - nvd diff /run/current-system result
preconditions: preconditions:
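Review bot: The `test` and `dry-run` tasks both reuse the `switch` description `Build and apply nix configuration`, so `task --list` shows three identically described tasks; `desc: Test nix configuration without making it the boot default` and `desc: Dry-run nix configuration` would match what each actually runs. The `git add .` added to `dry-run` and `build` stages every untracked file in the tree so the flake can see it, which also stages anything accidentally left beside the config (key material, a `result` symlink if it is not ignored, scratch files) ready for the next commit; `git add --intent-to-add .` gives the flake the same visibility without staging content. The `tasks:` map these hunks modify starts outside the hunk.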


@ -1,4 +1,5 @@
--- ---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3" version: "3"
vars: vars:


@ -1,4 +1,5 @@
--- ---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3" version: "3"
tasks: tasks:


@ -40,6 +40,8 @@ To Install
- [ ] WSL - [ ] WSL
- [ ] JJY emulator Raspi4 - [ ] JJY emulator Raspi4
- [ ] Documentation! - [ ] Documentation!
- [ ] ssh_config build from computers?
- [ ] Modularise host to allow vm builds and hw builds
- [ ] Add license - [ ] Add license
- [ ] Add taskfiles - [ ] Add taskfiles
@ -66,6 +68,21 @@ cd ~/dotfiles
nixos-rebuild switch --flake .#nameOfMachine --target-host machineToSshInto --use-remote-sudo nixos-rebuild switch --flake .#nameOfMachine --target-host machineToSshInto --use-remote-sudo
``` ```
## Hacking at nix files
Eval config to see what keys are being set.
```bash
nix eval .#nixosConfigurations.rickenbacker.config.security.sudo.WheelNeedsPassword
nix eval .#nixosConfigurations.rickenbacker.config.mySystem.security.wheelNeedsPassword
```
Quickly run a flake to see what the next error message is as you hack.
```bash
nixos-rebuild dry-run --flake . --fast --impure
```
## Links & References ## Links & References
- [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs) - [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs)

3
docs/vm/faq.md Normal file

@ -0,0 +1,3 @@
## Why not recurse the module folder
Imports are special in NIX and its important that they are definet at runtime for lazy evaluation - if you do optional/coded imports not everything is avaliable for evaluating.

133
flake.nix

@ -35,107 +35,124 @@
, sops-nix , sops-nix
, ... , ...
} @ inputs: } @ inputs:
let let
inherit (self) outputs; inherit (self) outputs;
forAllSystems = nixpkgs.lib.genAttrs [ forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux" "aarch64-linux"
# "i686-linux"
"x86_64-linux" "x86_64-linux"
# "aarch64-darwin"
# "x86_64-darwin"
]; ];
in in
with inputs; rec { rec {
# Use nixpkgs-fmt for 'nix fmt' # Use nixpkgs-fmt for 'nix fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
nixosModules = import ./nixos/modules/nixos;
nixosConfigurations = nixosConfigurations =
with self.lib;
let let
defaultModules = defaultModules =
# (builtins.attrValues nixosModules) ++ (builtins.attrValues nixosModules) ++
[ [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
]; ];
specialArgs = { specialArgs = {
inherit inputs outputs; inherit inputs outputs;
}; };
# generate a base nixos configuration with the
# specified overlays, hardware modules, and any extraModules applied
mkNixosConfig =
{ hostname
, system ? "x86_64-linux"
, nixpkgs ? inputs.nixpkgs
, hardwareModules ? [ ]
, baseModules ? [
sops-nix.nixosModules.sops
./nixos/profiles/global.nix
./nixos/modules/nixos
./nixos/hosts/${hostname}
]
, profileModules ? [ ]
}:
nixpkgs.lib.nixosSystem {
inherit system;
modules = baseModules ++ hardwareModules ++ profileModules;
specialArgs = { inherit self inputs nixpkgs; };
};
in in
{ {
nixosvm = nixpkgs.lib.nixosSystem {
inherit specialArgs; "rickenbacker" = mkNixosConfig {
# NixOS laptop (dualboot windows, dunno why i kept it)
hostname = "rickenbacker";
system = "x86_64-linux"; system = "x86_64-linux";
modules = defaultModules ++ [ hardwareModules = [
./nixos/hosts/nixosvm ./nixos/profiles/hw-thinkpad-e14-amd.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd
];
profileModules = [
./nixos/profiles/role-worstation.nix
]; ];
}; };
rickenbacker = nixpkgs.lib.nixosSystem { "citadel" = mkNixosConfig {
inherit specialArgs; # Gaming PC (dualboot windows)
hostname = "citadel";
system = "x86_64-linux"; system = "x86_64-linux";
modules = defaultModules ++ [ hardwareModules = [
./nixos/hosts/rickenbacker ./nixos/profiles/hw-gaming-desktop.nix
]; ];
profileModules = [
./nixos/profiles/role-worstation.nix
];
}; };
citadel = nixpkgs.lib.nixosSystem { "dns01" = mkNixosConfig {
inherit specialArgs; # Rpi for DNS and misc services
system = "x86_64-linux";
modules = defaultModules ++ [
./nixos/hosts/citadel
];
};
dns01 = nixpkgs.lib.nixosSystem { hostname = "dns01";
inherit specialArgs;
system = "aarch64-linux"; system = "aarch64-linux";
modules = defaultModules ++ [ hardwareModules = [
./nixos/hosts/dns01 ./nixos/profiles/hw-rpi4.nix
inputs.nixos-hardware.nixosModules.raspberry-pi-4
];
profileModules = [
./nixos/profiles/role-server.nix
]; ];
}; };
# dns02 = nixpkgs.lib.nixosSystem {
# # nix build .#images.rpi4
# rpi4 = nixpkgs.lib.nixosSystem {
# inherit specialArgs; # inherit specialArgs;
# system = "aarch64-linux";
# modules = defaultModules ++ [ # modules = defaultModules ++ [
# ./nixos/hosts/dns02 # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
# ./nixos/hosts/images/sd-image
# ]; # ];
# }; # };
# # nix build .#images.iso
# isoimage = nixpkgs.lib.nixosSystem { # iso = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# inherit specialArgs; # inherit specialArgs;
# modules = defaultModules ++ [ # modules = defaultModules ++ [
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix" # "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# { isoImage.squashfsCompression = "gzip -Xcompression-level 1"; } # "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
# ./nixos/iso # ./nixos/hosts/images/cd-dvd
# ]; # ];
# }; # };
# nix build .#images.rpi4
rpi4 = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = defaultModules ++ [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
./nixos/hosts/images/sd-image
];
};
# nix build .#images.iso
iso = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = defaultModules ++ [
"${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
"${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
./nixos/hosts/images/cd-dvd
];
};
}; };
# simple shortcut to allow for easier referencing of correct # simple shortcut to allow for easier referencing of correct
# key for building images # key for building images
# > nix build .#images.rpi4 # > nix build .#images.rpi4
images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage; # images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage;
images.iso = nixosConfigurations.iso.config.system.build.isoImage; # images.iso = nixosConfigurations.iso.config.system.build.isoImage;
# deploy-rs # deploy-rs
deploy.nodes = deploy.nodes =
@ -147,7 +164,7 @@
inherit (configuration.config.nixpkgs.hostPlatform) system; inherit (configuration.config.nixpkgs.hostPlatform) system;
in in
{ {
path = deploy-rs.lib."${system}".activate.nixos configuration; path = inputs.deploy-rs.lib."${system}".activate.nixos configuration;
sshUser = "truxnell"; sshUser = "truxnell";
user = "root"; user = "root";
sshOpts = [ "-t" ]; sshOpts = [ "-t" ];
@ -158,11 +175,13 @@
in in
{ {
dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01; dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01;
rickenbacker = mkDeployConfig "rickenbacker" self.nixosConfigurations.rickenbacker;
# dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02; # dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02;
}; };
# deploy-rs: This is highly advised, and will prevent many possible mistakes # deploy-rs: This is highly advised, and will prevent many possible mistakes
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
# Convenience output that aggregates the outputs for home, nixos, and darwin configurations. # Convenience output that aggregates the outputs for home, nixos, and darwin configurations.
# Also used in ci to build targets generally. # Also used in ci to build targets generally.
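Review bot: `defaultModules` and `specialArgs` in the `nixosConfigurations` let-block are now dead: every host goes through `mkNixosConfig`, which assembles `baseModules ++ hardwareModules ++ profileModules` itself and passes `specialArgs = { inherit self inputs nixpkgs; }`. Dropping the two bindings would make it obvious that `outputs` no longer reaches modules; any module that still declares an `outputs` parameter will now fail evaluation, which is worth checking since the deleted files under `common/` all took it. `./nixos/profiles/role-worstation.nix` is spelled that way for both workstation hosts, which is fine only if the file really carries that name; otherwise it surfaces as a missing-path error at eval time. `with self.lib;` also presumes a `lib` output that is not visible in this hunk.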


@ -6,140 +6,31 @@
, pkgs , pkgs
, ... , ...
}: { }: {
imports = [
# Host-specific
./hardware-configuration.nix
# Common imports
../common/nixos
../common/nixos/users/truxnell
../common/optional/fish.nix
../common/optional/monitoring.nix
../common/optional/reboot-required.nix
../common/optional/gnome.nix
../common/optional/editors/vscode
../common/optional/firefox.nix
../common/optional/sops-nix.nix
]; config = {
mySystem = {
boot.loader.systemd-boot.enable = true; services.openssh.enable = true;
boot.loader.efi.canTouchEfiVariables = true; security.wheelNeedsSudoPassword = false;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation };
networking.hostName = "citadel"; # Define your hostname. networking.hostName = "citadel"; # Define your hostname.
# Enable OpenGL fileSystems."/" =
hardware.opengl = { {
enable = true; device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5";
driSupport = true; fsType = "ext4";
driSupport32Bit = true;
}; };
# Load nvidia driver for Xorg and Wayland fileSystems."/boot" =
services.xserver.videoDrivers = [ "nvidia" ]; # or "nvidiaLegacy470 etc. {
device = "/dev/disk/by-uuid/1D5B-36D3";
hardware.nvidia = { fsType = "vfat";
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
}; };
# Pick only one of the below networking options. swapDevices = [ ];
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Configure network proxy if necessary };
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "23.11"; # Did you read the comment?
} }
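Review bot: `security.wheelNeedsSudoPassword = false` on the new side keeps passwordless sudo for wheel on this desktop host, but the deleted `openssh.nix` carried the equivalent setting under `# TODO remove this hack`, and the refactor drops that marker so the weakening becomes a quiet per-host option. Either keep the intent visible, `security.wheelNeedsSudoPassword = false; # TODO: temporary, revisit once ssh-agent/pam auth is sorted`, or leave it at the module default. The removed `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` (commented as needed for raspi4 compilation), the nvidia/opengl block and the systemd-boot settings presumably moved into `hw-gaming-desktop.nix`, which is outside this view; since `dns01` is aarch64, it is worth confirming binfmt made it across.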


@ -1,20 +0,0 @@
{ config
, inputs
, ...
}:
let
inherit (config.networking) hostName;
# Only enable auto upgrade if current config came from a clean tree
# This avoids accidental auto-upgrades when working locally.
isClean = inputs.self ? rev;
in
{
system.autoUpgrade = {
enable = isClean;
dates = "hourly";
flags = [
"--refresh"
];
flake = "github:truxnell/nix-config";
};
}


@ -1,71 +0,0 @@
{ inputs
, outputs
, config
, sops-nix
, ...
}: {
imports =
[
# inputs.home-manager.nixosModules.home-manager
#inputs.sops-nix.nixosModules.sops
./locale.nix
./nix.nix
./openssh.nix
./packages.nix
]
++ (builtins.attrValues { });
# home-manager.extraSpecialArgs = { inherit inputs outputs; }; TODO Home-manager
nixpkgs = {
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
# TODO Shared sops location, probably in home-manager?
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# Increase open file limit for sudoers
security.pam.loginLimits = [
{
domain = "@wheel";
item = "nofile";
type = "soft";
value = "524288";
}
{
domain = "@wheel";
item = "nofile";
type = "hard";
value = "1048576";
}
];
# sops.secrets.msmtp = {
# sopsFile = ./secret.sops.yaml;
# }
# # TODO Email settings
# programs.msmtp = {
# enable = true;
# accounts.default = {
# host = "maddy.home.tld";
# from = "${config.networking.hostName}@trux.dev";
# };
# defaults = {
# aliases = "/etc/aliases";
# };
# };
environment.etc = {
"aliases" = {
text = ''
root: ${config.networking.hostName}@trux.dev
'';
mode = "0644";
};
};
}


@ -1,6 +0,0 @@
{ lib, ... }: {
i18n = {
defaultLocale = lib.mkDefault "en_US.UTF-8";
};
time.timeZone = lib.mkDefault "Australia/Melbourne";
}


@ -1,52 +0,0 @@
{ inputs
, lib
, pkgs
, config
, ...
}: {
nix = {
settings = {
experimental-features = [ "nix-command" "flakes" ];
substituters = [
"https://nix-community.cachix.org"
"https://cache.garnix.io"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
];
trusted-users = [ "root" "@wheel" ];
auto-optimise-store = lib.mkDefault true;
warn-dirty = false;
};
gc = {
automatic = true;
dates = "weekly";
# Delete older generations too
options = "--delete-older-than 5d";
};
};
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
nix.registry = (lib.mapAttrs (_: flake: { inherit flake; })) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
# This will additionally add your inputs to the system's legacy channels
# Making legacy nix commands consistent as well, awesome!
nix.nixPath = [ "/etc/nix/path" ];
environment.etc =
lib.mapAttrs'
(name: value: {
name = "nix/path/${name}";
value.source = value.flake;
})
config.nix.registry;
# Enable printing changes on nix build etc with nvd
system.activationScripts.report-changes = ''
PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
'';
}


@ -1,26 +0,0 @@
_:
{
services.openssh = {
enable = true;
settings = {
# Harden
PasswordAuthentication = false;
PermitRootLogin = "no";
# Automatically remove stale sockets
StreamLocalBindUnlink = "yes";
# Allow forwarding ports to everywhere
GatewayPorts = "clientspecified";
# Don't allow home-directory authorized_keys
# authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
};
};
# TODO fix pam, wheel no pass is a bit of a hack
# security.pam.enableSSHAgentAuth = true;
# TODO remove this hack
security.sudo.wheelNeedsPassword = false;
}


@ -1,31 +0,0 @@
{ config
, pkgs
, lib
, ...
}: {
environment.systemPackages = with pkgs; [
bat
jq
yq
btop
neovim
vim
git
dnsutils
nvd
gh
nix
# TODO Move
nil
nixpkgs-fmt
statix
];
programs.direnv = {
# TODO move to home-manager
enable = true;
nix-direnv.enable = true;
};
programs.mtr.enable = true;
}


@ -1,11 +0,0 @@
{ inputs
, outputs
, config
, ...
}: {
# Time
networking.timeServers = [ "10.8.10.1" ];
services.chrony = {
enable = true;
};
}


@ -1,28 +0,0 @@
{ config
, lib
, ...
}: {
# Current nixpkgs cf-ddns only supports using a env file for the apitoken
# but not for domains, which makes them hard to find.
# To circumvent this, I put both in the 'apiTokenFile' var
# so my secret is:
# apiTokenFile: |-
# CLOUDFLARE_API_TOKEN=derp
# CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz
# init secret
config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
# Restart when secret changes
config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
# Cloudflare dynamic dns to keep my DNS records pointed at home
config.services.cloudflare-dyndns = {
enable = true;
ipv6 = false;
proxied = true;
apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path;
domains = [ ];
};
}


@ -1,41 +0,0 @@
# Ref: https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2
{ inputs
, outputs
, pkgs
, config
, ...
}: {
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
config.services.resolved.enable = false;
# Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
# causing a risk of no dns if service fails.
config.networking = {
nameservers = [ "10.8.10.1" ]; # TODO make varible IP
dhcpcd.extraConfig = "nohook resolv.conf";
};
# configure secret for forwarding rules
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
# Restart dnscrypt when secret changes
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
config.services.dnscrypt-proxy2 = {
enable = true;
settings = {
require_dnssec = true;
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
listen_addresses = [ "0.0.0.0:53" ];
server_names = [ "NextDNS" ];
static = {
"NextDNS" = {
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
};
};
};
};
}


@ -1,138 +0,0 @@
{ config
, pkgs
, lib
, ...
}: {
# Enable vscode & addons
environment.systemPackages = with pkgs; [
(vscode-with-extensions.override {
vscode = vscodium;
vscodeExtensions = with vscode-extensions;
[
bbenoist.nix
mkhl.direnv
]
++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "prettier-vscode";
publisher = "esbenp";
version = "10.1.0";
sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9";
}
{
name = "vscode-docker";
publisher = "ms-azuretools";
version = "1.28.0";
sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0";
}
{
name = "gitlens";
publisher = "eamodio";
version = "14.7.0";
sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy";
}
{
name = "remote-containers";
publisher = "ms-vscode-remote";
version = "0.327.0";
sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz";
}
{
name = "remote-ssh";
publisher = "ms-vscode-remote";
version = "0.107.1";
sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf";
}
{
name = "vscode-yaml";
publisher = "redhat";
version = "1.14.0";
sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944";
}
{
name = "todo-tree";
publisher = "gruntfuggly";
version = "0.0.226";
sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn";
}
{
name = "path-autocomplete";
publisher = "ionutvmi";
version = "1.25.0";
sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb";
}
{
name = "even-better-toml";
publisher = "tamasfe";
version = "0.19.2";
sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14";
}
{
name = "linter";
publisher = "fnando";
version = "0.0.19";
sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g";
}
{
name = "catppuccin-vsc";
publisher = "catppuccin";
version = "3.11.0";
sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d";
}
{
name = "catppuccin-vsc-icons";
publisher = "catppuccin";
version = "1.8.0";
sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z";
}
{
name = "nix-ide";
publisher = "jnoortheen";
version = "0.2.2";
sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg";
}
{
name = "vscode-swissknife";
publisher = "luisfontes19";
version = "1.8.1";
sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c";
}
{
name = "pre-commit-helper";
publisher = "elagil";
version = "0.5.0";
sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj";
}
{
name = "sops-edit";
publisher = "shipitsmarter";
version = "1.0.0";
sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4";
}
{
name = "json5-for-vscode";
publisher = "tudoudou";
version = "0.0.3";
sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w";
}
];
})
];
}


@ -1,174 +0,0 @@
# Warning, this file is autogenerated by nix4vscode. Don't modify this manually.
{ pkgs }:
let
inherit (pkgs) vscode-utils;
in
{
"ms-python"."python" = vscode-utils.extensionFromVscodeMarketplace {
name = "python";
publisher = "ms-python";
version = "2024.0.0";
sha256 = "0sy1z2r6b0m1lkivjyrcf41dbgj9m5zkjy6yncpji1hisjcbgq6n";
};
"ms-python"."vscode-pylance" = vscode-utils.extensionFromVscodeMarketplace {
name = "vscode-pylance";
publisher = "ms-python";
version = "2023.12.1";
sha256 = "03fr9zanhdsf3wirv65vb41swvdnxxaz8lviyjdbmzcw9yihf8dv";
};
"esbenp"."prettier-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "prettier-vscode";
publisher = "esbenp";
version = "10.1.0";
sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9";
};
"ms-azuretools"."vscode-docker" = vscode-utils.extensionFromVscodeMarketplace {
name = "vscode-docker";
publisher = "ms-azuretools";
version = "1.28.0";
sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0";
};
"eamodio"."gitlens" = vscode-utils.extensionFromVscodeMarketplace {
name = "gitlens";
publisher = "eamodio";
version = "14.7.0";
sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy";
};
"ms-vscode-remote"."remote-containers" = vscode-utils.extensionFromVscodeMarketplace {
name = "remote-containers";
publisher = "ms-vscode-remote";
version = "0.327.0";
sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz";
};
"ms-vscode-remote"."remote-ssh" = vscode-utils.extensionFromVscodeMarketplace {
name = "remote-ssh";
publisher = "ms-vscode-remote";
version = "0.107.1";
sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf";
};
"redhat"."vscode-yaml" = vscode-utils.extensionFromVscodeMarketplace {
name = "vscode-yaml";
publisher = "redhat";
version = "1.14.0";
sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944";
};
"github"."copilot" = vscode-utils.extensionFromVscodeMarketplace {
name = "copilot";
publisher = "github";
version = "1.156.0";
sha256 = "16nzwazfbh895kmc2887b17zzbbcjyk8fhiphk5xmy1nm9qxszk0";
};
"golang"."go" = vscode-utils.extensionFromVscodeMarketplace {
name = "go";
publisher = "golang";
version = "0.40.3";
sha256 = "15kicpv9xpn7l3w9mbmsjdzjmavh88p3skkim0a9prg9p40bsq0m";
};
"gruntfuggly"."todo-tree" = vscode-utils.extensionFromVscodeMarketplace {
name = "todo-tree";
publisher = "gruntfuggly";
version = "0.0.226";
sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn";
};
"ms-kubernetes-tools"."vscode-kubernetes-tools" = vscode-utils.extensionFromVscodeMarketplace {
name = "vscode-kubernetes-tools";
publisher = "ms-kubernetes-tools";
version = "1.3.15";
sha256 = "1x6npc90p6b1wx5sd1hd0x0djahmffr6lw9cxh2zg10rbpq48w8i";
};
"hashicorp"."terraform" = vscode-utils.extensionFromVscodeMarketplace {
name = "terraform";
publisher = "hashicorp";
version = "2.29.3";
sha256 = "sha256-cYYtBZaWgtT6vS6In+tbpLfp/GdyWodBXyHsxn8ZZrU=";
};
"ionutvmi"."path-autocomplete" = vscode-utils.extensionFromVscodeMarketplace {
name = "path-autocomplete";
publisher = "ionutvmi";
version = "1.25.0";
sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb";
};
"tamasfe"."even-better-toml" = vscode-utils.extensionFromVscodeMarketplace {
name = "even-better-toml";
publisher = "tamasfe";
version = "0.19.2";
sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14";
};
"redhat"."ansible" = vscode-utils.extensionFromVscodeMarketplace {
name = "ansible";
publisher = "redhat";
version = "2.9.118";
sha256 = "0yndj2r0w2zxc5firxgfrykkc5ajy9gsmrfmkz80kfhwk33n9y1p";
};
"fnando"."linter" = vscode-utils.extensionFromVscodeMarketplace {
name = "linter";
publisher = "fnando";
version = "0.0.19";
sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g";
};
"catppuccin"."catppuccin-vsc" = vscode-utils.extensionFromVscodeMarketplace {
name = "catppuccin-vsc";
publisher = "catppuccin";
version = "3.11.0";
sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d";
};
"catppuccin"."catppuccin-vsc-icons" = vscode-utils.extensionFromVscodeMarketplace {
name = "catppuccin-vsc-icons";
publisher = "catppuccin";
version = "1.8.0";
sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z";
};
"jnoortheen"."nix-ide" = vscode-utils.extensionFromVscodeMarketplace {
name = "nix-ide";
publisher = "jnoortheen";
version = "0.2.2";
sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg";
};
"luisfontes19"."vscode-swissknife" = vscode-utils.extensionFromVscodeMarketplace {
name = "vscode-swissknife";
publisher = "luisfontes19";
version = "1.8.1";
sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c";
};
"elagil"."pre-commit-helper" = vscode-utils.extensionFromVscodeMarketplace {
name = "pre-commit-helper";
publisher = "elagil";
version = "0.5.0";
sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj";
};
"shipitsmarter"."sops-edit" = vscode-utils.extensionFromVscodeMarketplace {
name = "sops-edit";
publisher = "shipitsmarter";
version = "1.0.0";
sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4";
};
"tudoudou"."json5-for-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "json5-for-vscode";
publisher = "tudoudou";
version = "0.0.3";
sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w";
};
}


@ -1,9 +0,0 @@
{ config
, pkgs
, lib
, ...
}: {
programs.firefox = {
enable = true;
};
}


@ -1,10 +0,0 @@
{
programs.fish = {
enable = true;
vendor = {
completions.enable = true;
config.enable = true;
functions.enable = true;
};
};
}


@ -1,45 +0,0 @@
{ config
, pkgs
, lib
, ...
}: {
# Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz
services.xserver = {
enable = true;
desktopManager.gnome.enable = true;
displayManager = {
gdm.enable = true;
defaultSession = "gnome"; # TODO move to config overlay
autoLogin.user = "truxnell"; # TODO move to config overlay
};
layout = "us"; # `localctl` will give you
};
# And dconf
programs.dconf.enable = true;
# dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']"
# Exclude default GNOME packages that dont interest me.
environment.gnome.excludePackages =
(with pkgs; [
gnome-photos
gnome-tour
])
++ (with pkgs.gnome; [
cheese # webcam tool
gnome-music
gnome-terminal
gedit # text editor
epiphany # web browser
geary # email reader
evince # document viewer
gnome-characters
totem # video player
tali # poker game
iagno # go game
hitori # sudoku game
atomix # puzzle game
]);
}


@ -1,22 +0,0 @@
{ inputs
, outputs
, config
, ...
}: {
# init secret
config.sops.secrets."system/mail/maddy/envFile" = {
sopsFile = ./maddy.sops.yaml;
owner = "maddy";
group = "maddy";
};
# Restart dnscrypt when secret changes
config.sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ];
#
config.services.maddy = {
enable = true;
secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ];
config = builtins.readFile ./maddy.conf;
};
}


@ -1,30 +0,0 @@
{ config
, pkgs
, lib
, ...
}: {
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = [
"diskstats"
"filesystem"
"loadavg"
"meminfo"
"netdev"
"stat"
"time"
"uname"
"systemd"
];
};
smartctl = {
enable = true;
};
};
networking.firewall.allowedTCPPorts = [
config.services.prometheus.exporters.node.port
config.services.prometheus.exporters.smartctl.port
];
}


@ -1,36 +0,0 @@
{ config
, pkgs
, ...
}: {
systemd.timers."reboot-required-check" = {
wantedBy = [ "timers.target" ];
timerConfig = {
# start at boot
OnBootSec = "0m";
# check every hour
OnUnitActiveSec = "1h";
Unit = "reboot-required-check.service";
};
};
systemd.services."reboot-required-check" = {
script = ''
#!/usr/bin/env bash
# compare current system with booted sysetm to determine if a reboot is required
if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
# check if the '/var/run/reboot-required' file exists and if it does, remove it
if [[ -f /var/run/reboot-required ]]; then
rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
fi
else
echo "reboot required"
touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
fi
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
}


@ -1,10 +0,0 @@
{ inputs
, outputs
, config
, ...
}: {
# SOPS settings
# https://github.com/Mic92/sops-nix
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}


@ -7,104 +7,27 @@
, ... , ...
}: { }: {
imports = [ imports = [
# Host-specific
./hardware-configuration.nix
# Common imports
../common/nixos
../common/nixos/users/truxnell
../common/optional/fish.nix
../common/optional/monitoring.nix
../common/optional/reboot-required.nix
../common/optional/sops-nix.nix
../common/optional/dnscrypt-proxy2.nix
../common/optional/cloudflare-dyndns.nix
../common/optional/maddy.nix
]; ];
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default) mySystem.services = {
boot.loader.grub.enable = false; maddy.enable = true;
# Enables the generation of /boot/extlinux/extlinux.conf dnscrypt-proxy.enable = true;
boot.loader.generic-extlinux-compatible.enable = true; cfDdns.enable = true;
};
networking.hostName = "dns01"; # Define your hostname. networking.hostName = "dns01"; # Define your hostname.
networking.useDHCP = lib.mkDefault true;
console.enable = false; fileSystems."/" =
environment.systemPackages = with pkgs; [ {
libraspberrypi device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
raspberrypi-eeprom fsType = "ext4";
]; };
# Pick only one of the below networking options. swapDevices = [ ];
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "23.11"; # Did you read the comment?
} }
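Review bot: This host now turns on maddy, dnscrypt-proxy and cfDdns, all of which decrypt sops secrets, yet the hunk removes the `../common/optional/sops-nix.nix` import that set `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` and none of the new `modules/nixos/system` files re-declares it. sops-nix only falls back to the ed25519 host key when `services.openssh.enable` is true, which the new side of this file no longer shows, so unless a profile outside this diff covers it the secrets will fail to decrypt at activation; adding `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` next to the service toggles (or a `mySystem` sops module) closes that gap. The old side's extlinux boot loader settings, `nixpkgs.hostPlatform = "aarch64-linux"` and `system.stateVersion` also have no visible replacement; on a Raspberry Pi a dropped `boot.loader.generic-extlinux-compatible.enable` leaves the generation unbootable, so confirm those moved to a profile rather than disappearing.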


@ -1,34 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}


@ -1,104 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config
, lib
, pkgs
, ...
}: {
imports = [
# Host-specific
./hardware-configuration.nix
# Common imports
../common/nixos
../common/nixos/users/truxnell
../common/optional/fish.nix
../common/optional/monitoring.nix
../common/optional/reboot-required.nix
../common/optional/gnome.nix
../common/optional/editors/vscode
../common/optional/firefox.nix
../common/optional/sops-nix.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
networking.hostName = "nixosvm"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "23.11"; # Did you read the comment?
}


@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config
, lib
, pkgs
, modulesPath
, ...
}: {
imports = [ ];
boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices = [{ device = "/dev/sda2"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens33.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
virtualisation.vmware.guest.enable = true;
virtualisation.virtualbox.guest.enable = true;
virtualisation.virtualbox.guest.x11 = true;
}


@ -1,115 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config { config
, lib , lib
, pkgs , pkgs
, ... , ...
}: { }: {
imports = [ config = {
# Host-specific
./hardware-configuration.nix
# Common imports # hardware-configuration.nix is missing as I've abstracted out the parts
../common/nixos
../common/nixos/users/truxnell
../common/optional/fish.nix
../common/optional/monitoring.nix
../common/optional/reboot-required.nix
../common/optional/gnome.nix
../common/optional/editors/vscode
../common/optional/firefox.nix
../common/optional/sops-nix.nix
]; mySystem = {
services.openssh.enable = true;
boot.loader.systemd-boot.enable = true; security.wheelNeedsSudoPassword = false;
boot.loader.efi.canTouchEfiVariables = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
boot.initrd.kernelModules = [ "amdgpu" ];
networking.hostName = "rickenbacker"; # Define your hostname.
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
}; };
# Load nvidia driver for Xorg and Wayland # TODO build this in from flake host names
services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc. networking.hostName = "rickenbacker";
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Configure network proxy if necessary fileSystems."/" =
# networking.proxy.default = "http://user:password@proxy:port/"; {
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
# Select internationalisation properties. fileSystems."/boot" =
# i18n.defaultLocale = "en_US.UTF-8"; {
# console = { device = "/dev/disk/by-uuid/44D0-91EC";
# font = "Lat2-Terminus16"; fsType = "vfat";
# keyMap = "us"; };
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system. swapDevices = [ ];
# services.xserver.enable = true;
# Configure keymap in X11 };
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "23.11"; # Did you read the comment?
} }
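Review bot: `security.wheelNeedsSudoPassword = false` on the new side gives every wheel member passwordless root on this desktop, and the old side of this file imported the GNOME module, which in its new form logs `truxnell` in automatically (presumably still applied here via a profile); together that means anyone at the keyboard gets an unauthenticated root shell. Unless that is a deliberate trade-off for a lab box, leave the module default (`true`) here and use `mySystem.security.sshAgentAuth` for non-interactive sudo, e.g. `security.wheelNeedsSudoPassword = true;`. The old side's `system.stateVersion`, `boot.loader.*`, `boot.initrd.kernelModules = [ "amdgpu" ]` and `hardware.opengl` block have no visible replacement in this hunk; confirm they landed in a profile rather than being dropped.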


@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/fe728106-aaf8-46e6-ab46-1610f1f4398a";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/44D0-91EC";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

nixos/modules/README.md Normal file

@ -0,0 +1,9 @@
## Modules
A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.


@ -0,0 +1,5 @@
{
mySystem = import ./nixos;
}


@ -0,0 +1,5 @@
{
imports = [
./firefox.nix
];
}


@ -0,0 +1,22 @@
{ lib
, config
, ...
}:
with lib;
let
cfg = config.mySystem.browser.firefox;
in
{
options.mySystem.browser.firefox.enable = mkEnableOption "Firefox";
config = mkIf cfg.enable {
programs.firefox = {
enable = true;
};
};
}


@ -0,0 +1,6 @@
{
imports = [
./gnome.nix
];
}


@ -0,0 +1,81 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.de.gnome;
in
{
options.mySystem.de.gnome.enable = mkEnableOption "GNOME";
config = mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz
services.xserver = {
enable = true;
displayManager =
{
gdm.enable = true;
defaultSession = "gnome"; # TODO move to config overlay
autoLogin.enable = true;
autoLogin.user = "truxnell"; # TODO move to config overlay
};
desktopManager = {
# GNOME
gnome.enable = true;
};
layout = "us"; # `localctl` will give you
};
# TODO remove this when possible
# workaround for GNOME autologin
# https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
systemd.services."getty@tty1".enable = false;
systemd.services."autovt@tty1".enable = false;
# TODO tidy this
# port forward for GNOME when using RDP***REMOVED***
networking.firewall.allowedTCPPorts = [
3389
];
# And dconf
programs.dconf.enable = true;
# https://github.com/NixOS/nixpkgs/issues/114514
# dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']" TODO hack for GNOME 45
# Exclude default GNOME packages that dont interest me.
environment.gnome.excludePackages =
(with pkgs; [
gnome-photos
gnome-tour
])
++ (with pkgs.gnome; [
cheese # webcam tool
gnome-music
gnome-terminal
gedit # text editor
epiphany # web browser
geary # email reader
evince # document viewer
gnome-characters
totem # video player
tali # poker game
iagno # go game
hitori # sudoku game
atomix # puzzle game
]);
};
}
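Review bot: `networking.firewall.allowedTCPPorts = [ 3389 ]` opens the RDP port on every host that enables this module while nothing in the module starts an RDP server, so it is a latent exposure that becomes real the moment any service binds 3389; the comment above it also still carries a `***REMOVED***` secret-scrubbing residue that should be cleaned out. Tie the port to the service that needs it, e.g. `networking.firewall.allowedTCPPorts = mkIf config.services.gnome.gnome-remote-desktop.enable [ 3389 ];` (option name from memory — confirm against nixpkgs), or drop the line until remote desktop is actually configured. `autoLogin.enable = true` with a hard-coded user deserves its own option too, so a server profile cannot inherit an unauthenticated console session by accident.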


@ -0,0 +1,11 @@
{
imports = [
./system
./programs
./services
./browser
./de
./editor
];
}


@ -0,0 +1,6 @@
{
imports = [
./vscodium.nix
];
}


@ -0,0 +1,154 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.editor.vscodium;
in
{
options.mySystem.editor.vscodium.enable = mkEnableOption "Vscodium";
config = mkIf cfg.enable {
# TODO add USER settings.json
# Enable vscode & addons
environment.systemPackages = with pkgs; [
(vscode-with-extensions.override {
vscode = vscodium;
vscodeExtensions = with vscode-extensions;
[
bbenoist.nix
mkhl.direnv
]
++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "prettier-vscode";
publisher = "esbenp";
version = "10.1.0";
sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9";
}
{
name = "vscode-docker";
publisher = "ms-azuretools";
version = "1.28.0";
sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0";
}
{
name = "gitlens";
publisher = "eamodio";
version = "14.7.0";
sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy";
}
{
name = "remote-containers";
publisher = "ms-vscode-remote";
version = "0.327.0";
sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz";
}
{
name = "remote-ssh";
publisher = "ms-vscode-remote";
version = "0.107.1";
sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf";
}
{
name = "vscode-yaml";
publisher = "redhat";
version = "1.14.0";
sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944";
}
{
name = "todo-tree";
publisher = "gruntfuggly";
version = "0.0.226";
sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn";
}
{
name = "path-autocomplete";
publisher = "ionutvmi";
version = "1.25.0";
sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb";
}
{
name = "even-better-toml";
publisher = "tamasfe";
version = "0.19.2";
sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14";
}
{
name = "linter";
publisher = "fnando";
version = "0.0.19";
sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g";
}
{
name = "catppuccin-vsc";
publisher = "catppuccin";
version = "3.11.0";
sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d";
}
{
name = "catppuccin-vsc-icons";
publisher = "catppuccin";
version = "1.8.0";
sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z";
}
{
name = "nix-ide";
publisher = "jnoortheen";
version = "0.2.2";
sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg";
}
{
name = "vscode-swissknife";
publisher = "luisfontes19";
version = "1.8.1";
sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c";
}
{
name = "pre-commit-helper";
publisher = "elagil";
version = "0.5.0";
sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj";
}
{
name = "sops-edit";
publisher = "shipitsmarter";
version = "1.0.0";
sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4";
}
{
name = "json5-for-vscode";
publisher = "tudoudou";
version = "0.0.3";
sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w";
}
];
})
];
};
}
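Review bot: Pinning every marketplace extension by version and sha256 is the right supply-chain posture, but `ms-vscode-remote.remote-ssh` and `remote-containers` are Microsoft-licensed extensions that, to my knowledge, refuse to load outside official VS Code builds and so will not work under the `vscode = vscodium` override; confirm on a host before relying on them, and consider the open-source `jeanp413.open-remote-ssh` instead. A short comment above the list would also stop a future version bump from being made without a hash refresh, e.g. `# pinned by version + sha256 of the marketplace VSIX; bump both together`.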


@ -0,0 +1,5 @@
{
imports = [
./shell
];
}


@ -0,0 +1,5 @@
{
imports = [
./fish.nix
];
}


@ -0,0 +1,35 @@
{ lib
, config
, self
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.shell.fish;
in
{
options.mySystem.shell.fish =
{
enable = mkEnableOption "Fish";
enablePlugins = mkOption
{
type = lib.types.bool;
description = "If we want to add fish plugins";
default = true;
};
};
# Install fish systemwide
config.programs.fish = mkIf cfg.enable {
enable = true;
vendor = {
completions.enable = true;
config.enable = true;
functions.enable = true;
};
};
}
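Review bot: `enablePlugins` is declared at L1885 but never read anywhere in the module, so a host setting it either way gets a silent no-op; either gate something on it (a `programs.fish.plugins`-style package list under `mkIf cfg.enablePlugins`) or remove the option until it does something, since dead options mislead whoever reads `mySystem` next. `self` in the argument set is also unused and, if the flake does not pass it as a special arg, will make the module fail to evaluate; dropping it is safer.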


@ -27,7 +27,7 @@ sops:
V285bFUwdXgzUy9Ndi8yTCtsYlRHVGsKzSx+eyIrJKgZCL2VoS4fEcp6iVpDiqF6 V285bFUwdXgzUy9Ndi8yTCtsYlRHVGsKzSx+eyIrJKgZCL2VoS4fEcp6iVpDiqF6
7czaNhQhT0doqRm3QddMlD+o/7t7xOGhQEraq4q+i/JD4iYkSQp4zw== 7czaNhQhT0doqRm3QddMlD+o/7t7xOGhQEraq4q+i/JD4iYkSQp4zw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnR0JCdUJubzRLRFY1ZGdp YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnR0JCdUJubzRLRFY1ZGdp
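Review bot: The recipient on the changed line goes from `age190fm3…` to `age1y399g…`, but the `enc:` stanza beneath it is shown as context: its first base64 line (the age header plus the X25519 ephemeral share) is identical on both sides, and a 7-line hunk means nothing else in the file changed. Re-wrapping the data key for a new recipient produces a fresh ephemeral share, so an unchanged stanza suggests the label was edited by hand rather than via `sops updatekeys`, in which case the new key cannot unwrap this file; if it is instead a correction of a mislabelled recipient, say so in the commit so the next reader does not repeat this check. Either way, if `age190fm3…` is being retired, rotate the data key (`sops -r -i <file>`) so that key cannot decrypt future edits — history will of course still hold the old wrapping.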


@ -0,0 +1,39 @@
{ lib
, config
, ...
}:
with lib;
let
cfg = config.mySystem.services.cfDdns;
in
{
options.mySystem.services.cfDdns.enable = mkEnableOption "Cloudflare ddns";
config = mkIf cfg.enable {
# Current nixpkgs cf-ddns only supports using a env file for the apitoken
# but not for domains, which makes them hard to find.
# To circumvent this, I put both in the 'apiTokenFile' var
# so my secret is:
# apiTokenFile: |-
# CLOUDFLARE_API_TOKEN=derp
# CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz
# TODO add notifications on IP change
# init secret
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
# Restart when secret changes
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
# Cloudflare dynamic dns to keep my DNS records pointed at home
services.cloudflare-dyndns = {
enable = true;
ipv6 = false;
proxied = true;
apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path;
domains = [ ];
};
};
}


@ -0,0 +1,9 @@
{
imports = [
./monitoring.nix
./reboot-required-check.nix
./cloudflare-dyndns
./maddy
./dnscrypt-proxy2
];
}


@ -0,0 +1,50 @@
{ lib
, config
, ...
}:
with lib;
let
cfg = config.mySystem.services.dnscrypt-proxy;
in
{
options.mySystem.services.dnscrypt-proxy.enable = mkEnableOption "Cloudflare ddns";
config = mkIf cfg.enable {
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
services.resolved.enable = false;
# Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
# causing a risk of no dns if service fails.
networking = {
nameservers = [ "10.8.10.1" ]; # TODO make varible IP
dhcpcd.extraConfig = "nohook resolv.conf";
};
sops.secrets = {
# configure secret for forwarding rules
"system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
"system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
# Restart dnscrypt when secret changes
"system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
require_dnssec = true;
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
listen_addresses = [ "0.0.0.0:53" ];
server_names = [ "NextDNS" ];
static = {
"NextDNS" = {
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
};
};
};
};
};
}
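Review bot: `mkEnableOption "Cloudflare ddns"` at L1976 is a copy-paste from the cfDdns module and will document this toggle as enabling Cloudflare DDNS; change it to `options.mySystem.services.dnscrypt-proxy.enable = mkEnableOption "dnscrypt-proxy2 DNS resolver";`. Separately, `listen_addresses = [ "0.0.0.0:53" ]` binds every interface while the module neither opens 53 in the firewall nor scopes the listener, so the resolver is either unreachable from the LAN or, once 53 is opened elsewhere, answers on whatever interface the host has; binding the LAN address, or opening 53 via `networking.firewall.interfaces.<lan>.allowedUDPPorts`, keeps an exposed host from becoming an open resolver. The `mode = "0444"` on the forwarding-rules secret is fine for the stated reason, but a world-readable secret that later grows internal hostnames deserves a second look.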


@ -26,7 +26,7 @@ sops:
VjhyZ3FqSkhtZHZ3S0xPVXZBNEtZOHMKCW9YMMwPXaDO23WdbW+NMmYVYau6Nw3i VjhyZ3FqSkhtZHZ3S0xPVXZBNEtZOHMKCW9YMMwPXaDO23WdbW+NMmYVYau6Nw3i
I4J+xRLDe8N8Ty8sVql7xPYmA2UtI/Vf12sJxrH+YZA3x7Ip1RnM5A== I4J+xRLDe8N8Ty8sVql7xPYmA2UtI/Vf12sJxrH+YZA3x7Ip1RnM5A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR1h3aDZqMmtWYkE4ZFBo YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR1h3aDZqMmtWYkE4ZFBo
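Review bot: The recipient line changes from `age190fm3…` to `age1y399g…` but the `enc:` block after it is unchanged context — its first base64 line, which carries the per-encryption X25519 ephemeral share, is identical on both sides. A genuine `sops updatekeys` re-wrap would produce a different share, so either this recipient label was edited by hand and the new key cannot decrypt the file, or the change merely corrects a mislabelled key; verify with `sops -d` on the target host. If the old key is being retired, also rotate the data key with `sops -r -i <file>`.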


@ -0,0 +1,30 @@
{ lib
, config
, ...
}:
with lib;
let
cfg = config.mySystem.services.maddy;
in
{
options.mySystem.services.maddy.enable = mkEnableOption "Maddy SMTP Client (Relay)";
config = mkIf cfg.enable {
sops.secrets."system/mail/maddy/envFile" = {
sopsFile = ./maddy.sops.yaml;
owner = "maddy";
group = "maddy";
};
sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ];
services.maddy = {
enable = true;
secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ];
config = builtins.readFile ./maddy.conf;
};
};
}


@ -26,7 +26,7 @@ sops:
bVoxd0FvWjEyeHlKM2IyS1c2ajlhMncKJjDktmjOisjdUecV/bhI00fp6jA2puGD bVoxd0FvWjEyeHlKM2IyS1c2ajlhMncKJjDktmjOisjdUecV/bhI00fp6jA2puGD
mOuASUhxGGN1c805vLmLnJA0llLtaN8C2iQC/H14IjG1U7QObbnrEA== mOuASUhxGGN1c805vLmLnJA0llLtaN8C2iQC/H14IjG1U7QObbnrEA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMjkrcHFZTXQ3QjZKWksw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMjkrcHFZTXQ3QjZKWksw
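Review bot: As in the other sops files in this commit, the recipient changes from `age190fm3…` to `age1y399g…` while the following `enc:` stanza is unchanged context, including the base64 line that holds the X25519 ephemeral share; a real re-wrap for a new recipient would change that share. Confirm with `sops -d` that the new key can actually open this file rather than trusting the label, and if `age190fm3…` is being retired, rotate the data key with `sops -r -i <file>` so it cannot decrypt future revisions.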


@ -0,0 +1,46 @@
{ lib
, config
, self
, ...
}:
with lib;
let
cfg = config.mySystem.services.promMonitoring;
in
{
options.mySystem.services.promMonitoring.enable = mkEnableOption "Prometheus Monitoring";
config = mkIf cfg.enable {
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = [
"diskstats"
"filesystem"
"loadavg"
"meminfo"
"netdev"
"stat"
"time"
"uname"
"systemd"
];
};
smartctl = {
enable = true;
};
};
# ensure ports are open
networking.firewall.allowedTCPPorts = mkIf cfg.enable [
config.services.prometheus.exporters.node.port
config.services.prometheus.exporters.smartctl.port
];
};
}
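Review bot: `mkIf cfg.enable` on `networking.firewall.allowedTCPPorts` at L2095 is redundant — the whole `config` block is already under `mkIf cfg.enable` — and as written it opens the node and smartctl exporter ports on every interface, publishing mount points, systemd unit names and disk serials to anything that can reach the host. Scope it to the interface the Prometheus scraper lives on, e.g. `networking.firewall.interfaces.<lan>.allowedTCPPorts = [ config.services.prometheus.exporters.node.port config.services.prometheus.exporters.smartctl.port ];`, or set the exporters' `listenAddress` to the LAN IP, and drop the inner `mkIf`. `self` in the argument set is unused.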


@ -0,0 +1,54 @@
{ lib
, config
, self
, ...
}:
with lib;
let
cfg = config.mySystem.services.rebootRequiredCheck;
in
{
options.mySystem.services.rebootRequiredCheck.enable = mkEnableOption "Reboot required check";
config = mkIf cfg.enable {
# Enable timer
systemd.timers."reboot-required-check" = {
wantedBy = [ "timers.target" ];
timerConfig = {
# start at boot
OnBootSec = "0m";
# check every hour
OnUnitActiveSec = "1h";
Unit = "reboot-required-check.service";
};
};
# Below script will check if initrd, kernel, kernel-modules that were booted match the current system
# i.e. if a nixos-rebuild switch has upgraded anything
systemd.services."reboot-required-check" = {
script = ''
#!/usr/bin/env bash
# compare current system with booted sysetm to determine if a reboot is required
if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
# check if the '/var/run/reboot-required' file exists and if it does, remove it
if [[ -f /var/run/reboot-required ]]; then
rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
fi
else
echo "reboot required"
touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
fi
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
};
}
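Review bot: The `#!/usr/bin/env bash` line inside `script` is inert — NixOS wraps `script` in its own shell interpreter, so the shebang is just a comment and `bash` from `$PATH` is never consulted; drop it so nobody assumes the script is run via `env`. Because the unit runs as root solely to create or remove a flag under `/run`, it is a cheap candidate for sandboxing in `serviceConfig`, e.g. `ProtectSystem = "strict"; ReadWritePaths = [ "/run" ]; PrivateNetwork = true;` (with `strict` the whole hierarchy is read-only, so the `ReadWritePaths` entry is required — test that the flag is still written). `self` in the argument set is unused.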


@ -0,0 +1,9 @@
{
imports = [
./openssh.nix
./time.nix
./security.nix
./systempackages.nix
./nix.nix
];
}


@ -0,0 +1,48 @@
{ lib
, config
, self
, ...
}:
with lib;
let
cfg = config.mySystem.nix;
in
{
options.mySystem.nix = {
autoOptimiseStore = mkOption
{
type = lib.types.bool;
description = "If we want to auto optimise store";
default = true;
};
gc = {
enable = mkEnableOption "automatic garbage collection" // {
default = true;
};
persistent = mkOption
{
type = lib.types.bool;
description = "Persistent timer for gc, runs at startup if timer missed";
default = true;
};
};
};
config.nix = {
optimise.automatic = cfg.autoOptimiseStore;
# automatically garbage collect nix store
gc = mkIf cfg.gc.enable {
# garbage collection
automatic = cfg.gc.enable;
options = "--delete-older-than 30d";
inherit (cfg.gc) persistent;
};
};
}
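Review bot: `gc = mkIf cfg.gc.enable { automatic = cfg.gc.enable; … }` is doubly conditional — inside the `mkIf` the value is always `true` — and it also hides `options`/`persistent` entirely when gc is off, which is surprising for a host that sets them; `gc = { automatic = cfg.gc.enable; options = "--delete-older-than 30d"; inherit (cfg.gc) persistent; };` expresses the same intent in one step. The 30-day retention is hard-coded while the other knobs are options; a `mySystem.nix.gc.olderThan` option would keep the module consistent. `self` in the argument set is unused.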


@ -0,0 +1,47 @@
{ lib
, config
, self
, ...
}:
with lib;
let
cfg = config.mySystem.services.openssh;
in
{
options.mySystem.services.openssh = {
enable = mkEnableOption "openssh";
passwordAuthentication = mkOption
{
type = lib.types.bool;
description = "If password can be accepted for ssh (commonly disable for security hardening)";
default = false;
};
permitRootLogin = mkOption
{
type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
description = "If root can login via ssh (commonly disable for security hardening)";
default = "no";
};
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
# TODO: Enable this when option becomes available
# Don't allow home-directory authorized_keys
# authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
settings = {
# Harden
PasswordAuthentication = cfg.passwordAuthentication;
PermitRootLogin = cfg.permitRootLogin;
# Automatically remove stale sockets
StreamLocalBindUnlink = "yes";
# Allow forwarding ports to everywhere
GatewayPorts = "clientspecified";
};
};
};
}
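Review bot: Setting `PasswordAuthentication = false` alone does not turn off password logins on NixOS, because `KbdInteractiveAuthentication` defaults to `true` and PAM keyboard-interactive still accepts a password; add `KbdInteractiveAuthentication = cfg.passwordAuthentication;` beside it so the `passwordAuthentication` option means what its description says. `GatewayPorts = "clientspecified"` is a hardening regression from the default `no`: any authenticated user can bind a reverse-forwarded port on the host's non-loopback addresses, so it belongs behind an option (e.g. `gatewayPorts` defaulting to `"no"`) rather than being applied to every host that enables ssh. The `authorizedKeysFiles` TODO can be closed now, I believe — `services.openssh.authorizedKeysFiles` exists as a list option, so `authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];` should evaluate.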


@ -0,0 +1,51 @@
{ lib
, config
, ...
}:
with lib;
let
cfg = config.mySystem.security;
in
{
options.mySystem.security = {
sshAgentAuth.enable = lib.mkEnableOption "openssh";
wheelNeedsSudoPassword = lib.mkOption {
type = lib.types.bool;
description = "If wheel group users need password for sudo";
default = true;
};
increaseWheelLoginLimits = lib.mkOption {
type = lib.types.bool;
description = "If wheel group users receive increased login limits";
default = true;
};
};
config =
{
security = {
sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;
pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;
# Increase open file limit for sudoers
pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [
{
domain = "@wheel";
item = "nofile";
type = "soft";
value = "524288";
}
{
domain = "@wheel";
item = "nofile";
type = "hard";
value = "1048576";
}
];
};
};
}
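Review bot: The description given to `mkEnableOption` for `sshAgentAuth.enable` is "openssh", which looks copied from the openssh module and hides what the switch does — it drives `security.pam.enableSSHAgentAuth`, i.e. PAM authentication (in practice sudo) via a forwarded SSH agent instead of a password. Suggest `sshAgentAuth.enable = lib.mkEnableOption "PAM (sudo) authentication via a forwarded SSH agent instead of a password";`. A one-line caveat next to `pam.enableSSHAgentAuth` would also help: when this is on, anyone who can reach the user's forwarded agent socket can satisfy sudo, so it effectively bypasses `wheelNeedsSudoPassword` and should not be combined with agent forwarding to hosts you do not trust.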


@ -0,0 +1,26 @@
{ lib
, config
, self
, ...
}:
with lib;
let
cfg = config.mySystem.system;
in
{
options.mySystem.system = {
packages = mkOption
{
type = with types; listOf package;
description = "List of system level package installs";
default = [ ];
};
};
# System packages deployed globally.
# This is NixOS so lets keep this liiight?
# Ideally i'd keep most of it to home-manager user only stuff
# and keep server role as light as possible
config.environment.systemPackages = cfg.packages;
}


@ -0,0 +1,25 @@
{ lib
, config
, ...
}:
let
cfg = config.mySystem.time;
in
{
options.mySystem.time = {
timeZone = lib.mkOption {
type = lib.types.str;
description = "Timezone of system";
default = "Australia/Melbourne";
};
hwClockLocalTime = lib.mkOption {
type = lib.types.bool;
description = "If hardware clock is set to local time (useful for windows dual boot)";
default = false;
};
};
config = {
time.timeZone = cfg.timeZone;
time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
};
}


@ -0,0 +1,20 @@
{ lib
, config
, ...
}:
with lib;
let
cfg = config.mySystem.xx.yy;
in
{
options.mySystem.xx.yy.enable = mkEnableOption "<INSERT DESCRIPTION>";
config = mkIf cfg.enable {
# CONFIG HERE
};
}

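--- a/nixos/profiles/README.md
+++ b/nixos/profiles/README.md
@@ -0,0 +1,19 @@
+## Profiles
+Here is the profiles that each host picks from to build up a system.
+My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
+Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
+## Global
+Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
+## Hardware
+Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
+## Role
+The role the machine have. Machines may have multiple roles
+i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.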

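--- a/nixos/profiles/global.nix
+++ b/nixos/profiles/global.nix
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, imports, modulesPath, ... }:
+with lib;
+{
+  # NOTE
+  # Some 'global' areas have defaults set in their respective modules.
+  # These will be applied when the modules are loaded
+  # Not the global role.
+  # Not sure at this point a good way to manage globals in one place
+  # without mono-repo config.
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix") # Generated by nixos-config-generate
+      ./global
+    ];
+  mySystem = {
+    # basics for all devices
+    time.timeZone = "Australia/Melbourne";
+    security.increaseWheelLoginLimits = true;
+    system.packages = [ pkgs.bat ];
+    # Lets see if fish everywhere is OK on the pi's
+    # TODO decide if i drop to bash on pis?
+    shell.fish.enable = true;
+    # But wont enable plugins globally, leave them for workstations
+  };
+  i18n = {
+    defaultLocale = lib.mkDefault "en_AU.UTF-8";
+  };
+  # TODO refactor this shit out wow
+  # SOPS settings
+  # https://github.com/Mic92/sops-nix
+  networking.useDHCP = lib.mkDefault true;
+  environment.systemPackages = with pkgs; [
+    jq
+    yq
+    btop
+    vim
+    git
+    dnsutils
+    nix
+    # TODO Move
+    nil
+    nixpkgs-fmt
+    statix
+    nvd
+    gh
+  ];
+  programs.direnv = {
+    # TODO move to home-manager
+    enable = true;
+    nix-direnv.enable = true;
+  };
+  programs.mtr.enable = true;
+}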
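Review bot: `imports` in the argument pattern `{ config, lib, pkgs, imports, modulesPath, ... }:` is not something the module system passes to a module — it is the attribute this file *defines* a few lines down — so unless a specialArgs entry named `imports` exists outside this diff, evaluation stops with a missing-argument error; `{ config, lib, pkgs, modulesPath, ... }:` is all the body uses. The `# SOPS settings` / sops-nix URL comment no longer sits above any sops configuration (the `./global` default.nix in this PR lists a separate `sops.nix`), so it should move with that file or be dropped. `environment.systemPackages` is also set directly here while `mySystem.system.packages` exists for the same purpose; the TODO acknowledges it, but until it is done a short `# direct set: merged with mySystem.system.packages` note would stop a reader from assuming one overrides the other.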


@ -0,0 +1,9 @@
{
imports = [
./nix.nix
./nixpkgs.nix
./sops.nix
./system.nix
./users.nix
];
}


@ -0,0 +1,58 @@
{ lib, config, pkgs, nixpkgs, ... }:
{
## Below is to align shell/system to flake's nixpkgs
## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
# Make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
nix = {
# make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
registry.nixpkgs.flake = nixpkgs;
channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
# but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake.
# https://github.com/NixOS/nix/issues/9574
settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
###
settings = {
# Enable flakes
experimental-features = [
"nix-command"
"flakes"
];
# Substitutions
trusted-substituters = [
"https://cache.garnix.io"
"https://nix-community.cachix.org"
"https://numtide.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
];
# Fallback quickly if substituters are not available.
connect-timeout = 5;
# Avoid copying unnecessary stuff over SSH
builders-use-substitutes = true;
trusted-users = [ "root" "@wheel" ];
warn-dirty = false;
# The default at 10 is rarely enough.
log-lines = lib.mkDefault 25;
};
};
}
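Review bot: `trusted-users = [ "root" "@wheel" ];` hands every wheel member root-equivalent control of the Nix daemon — a trusted user may pass arbitrary `substituters`, `trusted-public-keys`, sandbox paths and similar settings per invocation — which quietly undercuts the `wheelNeedsSudoPassword = true` default in the security module. If the aim is only to let wheel users pull from the three caches, keep them untrusted: `trusted-substituters` already whitelists what a non-trusted user may request and the keys are in `trusted-public-keys`, so `trusted-users = [ "root" ];` should be enough. Note also that, as I read nix.conf semantics, `trusted-substituters` only *permits* a cache rather than enabling it — unless `substituters` is set somewhere not visible here, builds will not actually consult garnix/cachix, so either add `substituters = [ … ];` beside it or a comment saying where that is configured. If wheel must stay trusted, a comment above the line stating why would keep the next reader from tightening it by accident.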


@ -0,0 +1,10 @@
{ config, ... }:
{
nixpkgs = {
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
}


@ -0,0 +1,6 @@
{ config, ... }:
{
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}


@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
with lib;
{
system = {
# Enable printing changes on nix build etc with nvd
activationScripts.report-changes = ''
PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
'';
# Do not change unless you know what you are doing
stateVersion = "23.11"; # THERE BE DRAGONS
# (This one comes in the niiiiight) :::
# :: :::.
# \/, .:::::
# \), \`-._ :::888
# /\ \ `-. ::88888
# / \ | .( ::88
# /,. \ ; ( ` .:8888
# ), \ / ;`` :::888
# /_ \ __/_(_ :88
# `. ,`..-' `-._ \ / :8
# )__ `. `._ .\/.
# / `. ` `-._______m _,
# ,-=====-.-;' , ___________/ _,-_,'"`/__,-.
# C =-- ; `.`._ V V V -=-'"#==-._
# :, \ ,| UuUu _,......__ `-.__A_A_ -. ._ ,--._ ",`` `-
# || |`---' : uUuUu,' `'--...____/ `" `". `
# |` : \ UuUu:
# : / \ UuUu`-._
# \(_ `._ uUuUu `-.
# (_3 `._ uUu `._
# ``-._ `.
# `-._ `.
# `. \
# ) ;
# / /
# `. |\ ,' /
# ",_A_/\-| ` ,'
# `--..,_|_,-'\
# | \
# | \__
# |__
};
}
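Review bot: `nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)` runs as an activation script, and on a host with fewer than two system generations (fresh install, or after the 30-day garbage collection configured in this PR has removed every older generation) it hands `nvd diff` a single path and the script errors; activation also runs at boot, so the failure is reported there too. Guarding it keeps the report best-effort: `gens=$(ls -dv /nix/var/nix/profiles/system-*-link 2>/dev/null | tail -2)` followed by `[ "$(printf '%s\n' "$gens" | wc -l)" -ge 2 ] && nvd diff $gens || true`. A one-line comment that the diff is informational and must never block activation would document the intent.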


@ -18,13 +18,14 @@ in
++ ifTheyExist [ ++ ifTheyExist [
"network" "network"
"samba-users" "samba-users"
"docker"
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
]; ];
packages = [ pkgs.home-manager ]; # packages = [ pkgs.home-manager ];
}; };
# home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager? # home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager?
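Review bot: Adding `"docker"` to the user's supplementary groups makes the account root-equivalent on any host where the group exists, because the docker socket allows bind-mounting the host filesystem into a privileged container; `ifTheyExist` only hides the entry where the group is absent, it does not scope the grant. The enclosing user definition starts before this hunk, so I cannot see which roles import it — if it is shared, consider granting `docker` only from the workstation role, or at least a comment such as `# root-equivalent via the docker socket; only present where docker is enabled` next to the line. The commented-out `packages = [ pkgs.home-manager ];` carries no note on where home-manager now comes from; a short `# home-manager is provided by …` would stop it being re-added.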


@ -0,0 +1,74 @@
{ config, lib, pkgs, imports, boot, ... }:
with lib;
{
mySystem.system.packages = with pkgs; [
ntfs3g
];
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
# for managing/mounting ntfs
supportedFilesystems = [ "ntfs" ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
# why not ensure we can memtest workstatons easily?
grub.memtest86.enable = true;
};
};
# set xserver videodrivers for NVIDIA 4080 gpu
services.xserver.videoDrivers = [ "nvidia" ];
# ref: https://nixos.wiki/wiki/Nvidia
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
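Review bot: `grub.memtest86.enable = true;` next to `systemd-boot.enable = true;` only adds a memtest entry to GRUB's menu, and GRUB is not the active loader here, so the `# why not ensure we can memtest workstatons easily?` intent is probably not met; as I recall the systemd-boot counterpart is `boot.loader.systemd-boot.memtest86.enable = true;` — confirm against the pinned nixpkgs. Separately, `imports` and `boot` in the argument pattern `{ config, lib, pkgs, imports, boot, ... }:` are not names the NixOS module system supplies; unless they are injected through specialArgs/`_module.args` outside this diff, evaluation fails with a missing-argument error, and neither is used in the body, so `{ config, lib, pkgs, ... }:` is sufficient.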


@ -0,0 +1,29 @@
{ config, lib, pkgs, imports, boot, ... }:
with lib;
{
boot = {
initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
loader = {
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
generic-extlinux-compatible.enable = true;
};
};
console.enable = false;
mySystem.system.packages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}
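Review bot: `console.enable = false;` removes the kernel virtual console on a board whose only other access is SSH (this profile is pulled in by the headless server role, by its own description), so a rebuild that breaks networking leaves no local login to recover from; if the point is to free a TTY or the board has no display, say so — `# headless: no VT; recover via UART/serial if SSH is lost` — and confirm a serial console actually is available. The argument pattern `{ config, lib, pkgs, imports, boot, ... }:` has the same issue as the other hardware profiles: `imports` and `boot` are required arguments that the module system does not provide and the body never uses.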


@ -0,0 +1,32 @@
{ config, lib, pkgs, imports, boot, ... }:
with lib;
{
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ "amdgpu" ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
# for managing/mounting ntfs
supportedFilesystems = [ "ntfs" ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
# why not ensure we can memtest workstatons easily?
grub.memtest86.enable = true;
};
};
# set xserver videodrivers for amp gpu
services.xserver.videoDrivers = [ "amdgpu" ];
# As this is a laptop explicitly enable nmcli (likely enabled by GUI anyway)
networking.networkmanager.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
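Review bot: The argument pattern `{ config, lib, pkgs, imports, boot, ... }:` makes `imports` and `boot` required inputs that the NixOS module system does not pass by default, so unless they are added via specialArgs/`_module.args` elsewhere in the repository this module fails to evaluate, and neither name is referenced in the body — `{ config, lib, pkgs, ... }:` is all that is used. `grub.memtest86.enable = true;` under a systemd-boot loader is the same likely no-op as in the nvidia profile; if memtest is wanted here, the systemd-boot option is probably the right one, and the two profiles should agree.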


@ -0,0 +1,24 @@
{ config, lib, pkgs, imports, boot, ... }:
# Role for headless servers
# covers raspi's, sbc, NUC etc, anything
# that is headless and minimal for running services
with lib;
{
config = {
# Enable monitoring for remote scraiping
mySystem.services.promMonitoring.enable = true;
mySystem.services.rebootRequiredCheck.enable = true;
nix.settings = {
# TODO factor out into mySystem
# Avoid disk full issues
max-free = lib.mkDefault (1000 * 1000 * 1000);
min-free = lib.mkDefault (128 * 1000 * 1000);
};
};
}


@ -0,0 +1,36 @@
{ config, lib, pkgs, imports, boot, ... }:
# Role for workstations
# Covers desktops/laptops, expected to have a GUI and do worloads
# Will have home-manager installs
with config;
{
mySystem = {
de.gnome.enable = true;
editor.vscodium.enable = true;
browser.firefox.enable = true;
};
boot = {
binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
plymouth.enable = true; # hide console with splash screen
};
nix.settings = {
# TODO factor out into mySystem
# Avoid disk full issues
max-free = lib.mkDefault (1000 * 1000 * 1000);
min-free = lib.mkDefault (128 * 1000 * 1000);
};
# set xserver videodrivers if used
services.xserver.enable = true;
# Laptop so ill likely use wireles
# very likely to be set by GUI packages but lets
# be declarative.
}
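Review bot: `with config;` at the top of this module is a footgun the other profiles avoid: any identifier that is not lexically bound falls through to a lookup in `config`, forcing evaluation of the option tree from inside a module, which is a classic source of infinite-recursion errors. Nothing in the body relies on it — `lib.mkDefault` resolves through the `lib` function argument — so it should be `with lib;` like the sibling files, or removed. Also worth a short comment on `binfmt.emulatedSystems`: it registers user-mode emulation for every aarch64 binary on the box, not just the raspi4 builds it is there for, e.g. `# registers qemu binfmt: any aarch64-linux binary becomes runnable here`.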