caspervk/nixos
1
0
Fork 0
Code Actions Activity

srvos

Browse source
This commit is contained in:
Casper V. Kristensen 2024-03-05 22:17:26 +01:00
parent 6ba7267844
commit a58a31b91a
11 changed files with 98 additions and 66 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -137,3 +137,6 @@ nix repl
:p inputs.nixpkgs.outputs.legacyPackages.${builtins.currentSystem}.openssh.version :p inputs.nixpkgs.outputs.legacyPackages.${builtins.currentSystem}.openssh.version
``` ```
## References
- https://github.com/nix-community/srvos/tree/29a48ae201fbd69b6b71acdae5e19fa2ceaa8181

5
modules/base/default.nix
View file

@ -4,12 +4,15 @@
./docker.nix ./docker.nix
./fish.nix ./fish.nix
./git.nix ./git.nix
./hardware.nix
./home-manager.nix ./home-manager.nix
./impermanence.nix ./impermanence.nix
./locale.nix
./network.nix ./network.nix
./nix.nix
./packages.nix
./ripgrep.nix ./ripgrep.nix
./ssh.nix ./ssh.nix
./system.nix
./users.nix ./users.nix
./vim ./vim
]; ];

4
modules/base/hardware.nix Normal file
View file

@ -0,0 +1,4 @@
{ ... }: {
# Enable all firmware with a license allowing redistribution
hardware.enableRedistributableFirmware = true;
}

6
modules/base/impermanence.nix
View file

@ -29,9 +29,7 @@
directories = [ directories = [
# See comment above for /tmp # See comment above for /tmp
{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; } { directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
# With great power comes great responsibility, we get it # Save the last run time of persistent timers so systemd knows if they were missed
{ directory = "/var/db/sudo/lectured"; user = "root"; group = "root"; mode = "0700"; }
# Save the last run time of persistent timers so systemd knows if they was missed
{ directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "0755"; } { directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "0755"; }
{ directory = "/var/log"; user = "root"; group = "root"; mode = "0755"; } { directory = "/var/log"; user = "root"; group = "root"; mode = "0755"; }
]; ];
@ -40,7 +38,7 @@
]; ];
users.caspervk = { users.caspervk = {
directories = [ directories = [
"/" # entire home directory (TODO) "/" # entire home directory (TODO?)
]; ];
}; };
}; };

23
modules/base/locale.nix Normal file
View file

@ -0,0 +1,23 @@
{ lib, ... }: {
i18n = {
defaultLocale = "en_DK.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_DK.UTF-8";
LC_IDENTIFICATION = "en_DK.UTF-8";
LC_MEASUREMENT = "en_DK.UTF-8";
LC_MONETARY = "en_DK.UTF-8";
LC_NAME = "en_DK.UTF-8";
LC_NUMERIC = "en_DK.UTF-8";
LC_PAPER = "en_DK.UTF-8";
LC_TELEPHONE = "en_DK.UTF-8";
LC_TIME = "en_DK.UTF-8";
};
supportedLocales = lib.mkOptionDefault [
"da_DK.UTF-8/UTF-8"
];
};
time = {
timeZone = "Europe/Copenhagen";
};
}

2
modules/base/network.nix
View file

@ -7,6 +7,8 @@
# Allow some ports for ad-hoc use # Allow some ports for ad-hoc use
allowedTCPPorts = [ 1234 1337 8000 8080 ]; allowedTCPPorts = [ 1234 1337 8000 8080 ];
allowedUDPPorts = [ 1234 1337 8000 8080 ]; allowedUDPPorts = [ 1234 1337 8000 8080 ];
# Do not spam dmesg/journalctl with refused connections
logRefusedConnections = false;
}; };
nameservers = [ "127.0.0.53" ]; # resolved stub resolver nameservers = [ "127.0.0.53" ]; # resolved stub resolver
search = [ "caspervk.net" ]; search = [ "caspervk.net" ];

67
modules/base/system.nix → modules/base/nix.nix
View file

@ -1,4 +1,4 @@
{ config, nix-index-database, nixpkgs-unstable, nixpkgs, lib, pkgs, ... }: { { nix-index-database, nixpkgs-unstable, nixpkgs, ... }: {
imports = [ imports = [
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
]; ];
@ -13,13 +13,19 @@
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 7d"; options = "--delete-older-than 7d";
}; };
settings = { settings = {
# Automatically optimise the store after each build. Store optimisation # Automatically optimise the store after each build. Store optimisation
# reduces nix store space by 25-35% by finding identical files and # reduces nix store space by 25-35% by finding identical files and
# hard-linking them to each other. # hard-linking them to each other.
# https://nixos.org/manual/nix/unstable/command-ref/nix-store/optimise.html # https://nixos.org/manual/nix/unstable/command-ref/nix-store/optimise.html
auto-optimise-store = true; auto-optimise-store = true;
# Enable flakes
experimental-features = [ "nix-command" "flakes" ]; experimental-features = [ "nix-command" "flakes" ];
# Timeout connections to the binary cache instead of waiting forever
connect-timeout = 5;
}; };
# The nix registry is used to refer to flakes using symbolic identifiers # The nix registry is used to refer to flakes using symbolic identifiers
@ -35,66 +41,7 @@
}; };
}; };
# Enable all firmware with a license allowing redistribution
hardware.enableRedistributableFirmware = true;
environment.systemPackages = with pkgs; [
bat
black
clang
curl
dig
fd
file
fzf
gcc
git
gnumake
htop
inetutils
jq
magic-wormhole
ntp
progress
pwgen
python310
python311
python312
rsync
sqlite
tmux
traceroute
tree
unzip
wget
wireguard-tools
xkcdpass
yq
];
# https://github.com/nix-community/comma # https://github.com/nix-community/comma
programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;
programs.command-not-found.enable = false; programs.command-not-found.enable = false;
i18n = {
defaultLocale = "en_DK.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_DK.UTF-8";
LC_IDENTIFICATION = "en_DK.UTF-8";
LC_MEASUREMENT = "en_DK.UTF-8";
LC_MONETARY = "en_DK.UTF-8";
LC_NAME = "en_DK.UTF-8";
LC_NUMERIC = "en_DK.UTF-8";
LC_PAPER = "en_DK.UTF-8";
LC_TELEPHONE = "en_DK.UTF-8";
LC_TIME = "en_DK.UTF-8";
};
supportedLocales = lib.mkOptionDefault [
"da_DK.UTF-8/UTF-8"
];
};
time = {
timeZone = "Europe/Copenhagen";
};
} }

35
modules/base/packages.nix Normal file
View file

@ -0,0 +1,35 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
bat
black
clang
curl
dig
fd
file
fzf
gcc
git
gnumake
htop
inetutils
jq
magic-wormhole
ntp
progress
pwgen
python310
python311
python312
rsync
sqlite
tmux
traceroute
tree
unzip
wget
wireguard-tools
xkcdpass
yq
];
}

2
modules/base/ssh.nix
View file

@ -2,7 +2,9 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false; PasswordAuthentication = false;
PermitRootLogin = "no";
}; };
}; };

15
modules/base/sudo.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }: {
security.sudo = {
# Only allow members of the wheel group to execute sudo by setting the
# executables permissions accordingly. This prevents users that are not
# members of wheel from exploiting vulnerabilities in sudo such as
# CVE-2021-3156.
security.sudo.execWheelOnly = true;
# With great power comes great responsibility, we get it.. Also means we
# don't have state in /var/db/sudo/lectured.
security.sudo.extraConfig = ''
Defaults lecture = never
'';
};
}

2
modules/desktop/pipewire.nix
View file

@ -1,4 +1,4 @@
{ home-manager, lib, pkgs, ... }: { { ... }: {
# PipeWire is a new low-level multimedia framework. It aims to offer capture # PipeWire is a new low-level multimedia framework. It aims to offer capture
# and playback for both audio and video with minimal latency and support for # and playback for both audio and video with minimal latency and support for
# PulseAudio-, JACK-, ALSA- and GStreamer-based applications. # PulseAudio-, JACK-, ALSA- and GStreamer-based applications.