Alejandra 💅

This commit is contained in:
Casper V. Kristensen 2024-03-05 22:57:41 +01:00
parent 163a7f38c4
commit a7b28837ee
61 changed files with 472 additions and 306 deletions


@ -38,40 +38,44 @@
};
};
outputs = { self, nixpkgs, ... } @ inputs: {
# https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-fmt.html
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
outputs = {
self,
nixpkgs,
...
} @ inputs: {
# https://kamadorueda.com/alejandra/
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
nixosConfigurations = {
# Home desktop
omega = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/omega ];
modules = [./hosts/omega];
};
# Laptop
zeta = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/zeta ];
modules = [./hosts/zeta];
};
# Work laptop
mu = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/mu ];
modules = [./hosts/mu];
};
# Hetzner VPS
alpha = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/alpha ];
modules = [./hosts/alpha];
};
# Tor relay
tor = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/tor ];
modules = [./hosts/tor];
};
};
};
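Review bot: `formatter.x86_64-linux` on the alejandra line is the only formatter output in this flake, while the `alpha` configuration a few lines below targets `"aarch64-linux"`; running `nix fmt` from that host would find no formatter for its system. Adding `formatter.aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.alejandra;` next to the existing line keeps the flake formattable from every host it defines. The switch from nixpkgs-fmt to alejandra itself matches the reformatting applied across the rest of the commit.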


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base


@ -1,20 +1,26 @@
{ config, lib, pkgs, modulesPath, ... }: {
{
config,
lib,
pkgs,
modulesPath,
...
}: {
# https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Cloud
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" "virtio_gpu" ];
boot.kernelParams = [ "console=tty" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
boot.initrd.kernelModules = ["dm-snapshot" "virtio_gpu"];
boot.kernelParams = ["console=tty"];
boot.kernelModules = [];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
@ -38,4 +44,3 @@
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}


@ -1,4 +1,4 @@
{ config, ... }: {
{config, ...}: {
systemd.network = {
# Main interface
networks."10-lan" = {
@ -8,7 +8,7 @@
"2a01:4f8:c2c:71c0::/64"
];
routes = [
{ routeConfig = { Gateway = "fe80::1"; }; }
{routeConfig = {Gateway = "fe80::1";};}
];
};
@ -31,7 +31,7 @@
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
# Add to the main routing table that traffic for the address should
# be sent to sigma.
AllowedIPs = [ "49.13.33.75/32" ];
AllowedIPs = ["49.13.33.75/32"];
RouteTable = "main";
};
}
@ -58,7 +58,7 @@
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
AllowedIPs = [ "116.203.6.156/32" ];
AllowedIPs = ["116.203.6.156/32"];
RouteTable = "main";
};
}
@ -76,7 +76,7 @@
};
networking = {
firewall.allowedUDPPorts = [ 51820 51821 ];
firewall.allowedUDPPorts = [51820 51821];
};
age.secrets.wireguard-preshared-key-file = {


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base


@ -1,15 +1,15 @@
{ ... }: {
{...}: {
# Disable jet engine
services.thinkfan = {
enable = true;
levels = [
[ 0 0 70 ]
[ 1 65 75 ]
[ 2 70 80 ]
[ 3 75 85 ]
[ 6 80 90 ]
[ 7 90 95 ]
[ "level auto" 95 32767 ]
[0 0 70]
[1 65 75]
[2 70 80]
[3 75 85]
[6 80 90]
[7 90 95]
["level auto" 95 32767]
];
};
boot.extraModprobeConfig = ''


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
programs.fish.shellAliases = {
sm = "bw get totp e2be31fb-135f-4b28-88cd-b094000ddb67 | wl-copy; gcloud --project magenta-os2mo-production compute ssh --tunnel-through-iap saltmaster";


@ -1,4 +1,8 @@
{ home-manager, lib, ... }: {
{
home-manager,
lib,
...
}: {
home-manager.users.caspervk = {
programs.git = {
userEmail = lib.mkForce "vk@magenta.dk";
@ -6,7 +10,6 @@
# https://docs.gitlab.com/ee/user/project/push_options.html
mr = "push --push-option=merge_request.create --push-option=merge_request.assign='vk'";
};
};
};
}


@ -1,4 +1,11 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }: {
{
config,
lib,
pkgs,
modulesPath,
nixos-hardware,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.common-cpu-intel
@ -9,17 +16,16 @@
nixos-hardware.nixosModules.common-pc-ssd
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "sdhci_pci"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
networking.hosts = {
"127.0.0.1" = [
# not in git


@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
android-studio
azure-cli


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
wayland.windowManager.sway = {
config = {
@ -18,7 +18,10 @@
};
};
workspaceOutputAssign = [
{ workspace = "9"; output = "eDP-1"; }
{
workspace = "9";
output = "eDP-1";
}
];
};
};


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../modules/borg.nix
];


@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
imports = [
../../overlays
../../modules/base
@ -12,10 +12,10 @@
systemd.services.qbittorrent = {
description = "qBittorrent service";
documentation = [ "man:qbittorrent-nox(1)" ];
wantedBy = [ "multi-user.target" ];
wants = [ "multi-user.target" ];
after = [ "network-online.target" "nss-lookup.target" ];
documentation = ["man:qbittorrent-nox(1)"];
wantedBy = ["multi-user.target"];
wants = ["multi-user.target"];
after = ["network-online.target" "nss-lookup.target"];
serviceConfig = {
Type = "exec";
User = "caspervk";


@ -1,4 +1,11 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }: {
{
config,
lib,
pkgs,
modulesPath,
nixos-hardware,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.common-cpu-amd
@ -8,17 +15,17 @@
nixos-hardware.nixosModules.common-pc-ssd
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "ntfs" ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["ntfs"];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
@ -41,12 +48,12 @@
fileSystems."/mnt/C" = {
device = "/dev/disk/by-label/C";
fsType = "ntfs-3g";
options = [ "rw" "uid=1000" ];
options = ["rw" "uid=1000"];
};
fileSystems."/mnt/Backup" = {
device = "/dev/disk/by-label/Backup";
fsType = "ntfs-3g";
options = [ "rw" "uid=1000" ];
options = ["rw" "uid=1000"];
};
# Enables DHCP on all ethernet and wireless LAN interfaces.


@ -1,4 +1,4 @@
{ config, ... }: {
{config, ...}: {
systemd.network = {
config = {
routeTables = {
@ -35,7 +35,7 @@
# we add these routes to a specific routing table and configure a
# routing policy rule to only use it for packets being sent as the
# public IP.
AllowedIPs = [ "0.0.0.0/0" ];
AllowedIPs = ["0.0.0.0/0"];
RouteTable = "wg-sigma-public";
};
}
@ -43,7 +43,7 @@
};
networks."wg-sigma-public" = {
name = "wg-sigma-public";
address = [ "49.13.33.75/32" ];
address = ["49.13.33.75/32"];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
@ -73,7 +73,7 @@
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
Endpoint = "alpha.caspervk.net:51821";
PersistentKeepalive = 25;
AllowedIPs = [ "0.0.0.0/0" ];
AllowedIPs = ["0.0.0.0/0"];
RouteTable = "wg-sigma-p2p";
};
}
@ -81,7 +81,7 @@
};
networks."wg-sigma-p2p" = {
name = "wg-sigma-p2p";
address = [ "116.203.6.156/32" ];
address = ["116.203.6.156/32"];
routingPolicyRules = [
{
routingPolicyRuleConfig = {


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
wayland.windowManager.sway = {
config = {
@ -14,8 +14,14 @@
};
};
workspaceOutputAssign = [
{ workspace = "8"; output = "DP-2"; }
{ workspace = "9"; output = "DP-2"; }
{
workspace = "8";
output = "DP-2";
}
{
workspace = "9";
output = "DP-2";
}
];
};
};


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base


@ -1,18 +1,24 @@
{ config, lib, pkgs, modulesPath, ... }: {
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = [];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
@ -36,4 +42,3 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
systemd.network = {
networks."10-lan" = {
# IPv4 settings are from `sudo dhcpcd --test`.
@ -9,8 +9,13 @@
"2a0d:3e83:1:b284::1/64"
];
routes = [
{ routeConfig = { Gateway = "91.210.59.1"; }; }
{ routeConfig = { Gateway = "2a0d:3e83:1::1"; GatewayOnLink = true; }; }
{routeConfig = {Gateway = "91.210.59.1";};}
{
routeConfig = {
Gateway = "2a0d:3e83:1::1";
GatewayOnLink = true;
};
}
];
};
};


@ -1,10 +1,16 @@
{ ... }: {
{...}: {
services.tor = {
settings = {
Nickname = "DXV7520";
ORPort = [
{ addr = "91.210.59.57"; port = 443; }
{ addr = "[2a0d:3e83:1:b284::1]"; port = 443; }
{
addr = "91.210.59.57";
port = 443;
}
{
addr = "[2a0d:3e83:1:b284::1]";
port = 443;
}
];
};
};


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../modules/borg.nix
];


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base


@ -1,4 +1,11 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }: {
{
config,
lib,
pkgs,
modulesPath,
nixos-hardware,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.common-cpu-intel
@ -9,16 +16,16 @@
nixos-hardware.nixosModules.common-pc-ssd
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
wayland.windowManager.sway = {
config = {


@ -1,4 +1,8 @@
{ agenix, pkgs, ... }: {
{
agenix,
pkgs,
...
}: {
# Agenix manages the deployment of secrets by public-key encrypting them to
# each system's ssh host key. See the README for more information.
# https://github.com/ryantm/agenix
@ -12,7 +16,7 @@
# host key. Refer directly to the key on the persistent partition, which is
# mounted in stage 1 of the boot process, before agenix runs.
# https://github.com/ryantm/agenix/issues/45#issuecomment-901383985
age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"];
# `agenix` cli tool
environment.systemPackages = [


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
./agenix.nix
./docker.nix


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Docker is a utility to pack, ship and run any application as a lightweight
# container.
# https://nixos.wiki/wiki/Docker
@ -14,12 +14,17 @@
# Being a member of the docker group is effectively equivalent to being root,
# but without the annoyance of having to type your sudo password all the time.
users.extraGroups.docker.members = [ "caspervk" ];
users.extraGroups.docker.members = ["caspervk"];
# Persist docker volumes
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/docker"; user = "root"; group = "root"; mode = "0700"; }
{
directory = "/var/lib/docker";
user = "root";
group = "root";
mode = "0700";
}
];
};
}


@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
# Fish is a Unix shell with a focus on interactivity and usability. Fish is
# designed to give the user features by default, rather than by
# configuration.
@ -24,7 +24,7 @@
users.defaultUserShell = pkgs.fish;
# Add fish to the list of permissible login shells for user accounts
environment.shells = with pkgs; [ fish ];
environment.shells = with pkgs; [fish];
# Enabling fish in both NixOS and home manager is required to pick up
# completions and environment variables set by NixOS nixpkgs _and_ home


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# Git version control system.
# https://nixos.wiki/wiki/Git


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Enable all firmware with a license allowing redistribution
hardware.enableRedistributableFirmware = true;
}


@ -1,4 +1,8 @@
{ config, home-manager, ... }: {
{
config,
home-manager,
...
}: {
# Like NixOS manages the system configuration, Home Manager manages the user
# environment.
#


@ -1,4 +1,4 @@
{ impermanence, ... }: {
{impermanence, ...}: {
# Impermanence in NixOS is where the root directory isn't permanent, but gets
# wiped every reboot (such as by mounting it as tmpfs). Such a setup is
# possible because NixOS only needs /boot and /nix in order to boot, all
@ -28,10 +28,25 @@
hideMounts = true;
directories = [
# See comment above for /tmp
{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
{
directory = "/tmp";
user = "root";
group = "root";
mode = "1777";
}
# Save the last run time of persistent timers so systemd knows if they were missed
{ directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "0755"; }
{ directory = "/var/log"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/systemd/timers";
user = "root";
group = "root";
mode = "0755";
}
{
directory = "/var/log";
user = "root";
group = "root";
mode = "0755";
}
];
files = [
"/etc/machine-id" # needed for /var/log


@ -1,4 +1,4 @@
{ lib, ... }: {
{lib, ...}: {
i18n = {
defaultLocale = "en_DK.UTF-8";
extraLocaleSettings = {


@ -1,17 +1,17 @@
{ ... }: {
{...}: {
# https://nixos.wiki/wiki/Networking
# https://nixos.wiki/wiki/Systemd-networkd
networking = {
firewall = {
# Allow some ports for ad-hoc use
allowedTCPPorts = [ 1234 1337 8000 8080 ];
allowedUDPPorts = [ 1234 1337 8000 8080 ];
allowedTCPPorts = [1234 1337 8000 8080];
allowedUDPPorts = [1234 1337 8000 8080];
# Do not spam dmesg/journalctl with refused connections
logRefusedConnections = false;
};
nameservers = [ "127.0.0.53" ]; # resolved stub resolver
search = [ "caspervk.net" ];
nameservers = ["127.0.0.53"]; # resolved stub resolver
search = ["caspervk.net"];
};
# TODO: these systemd networkd settings will be the default once
@ -34,7 +34,7 @@
# Resolved falls back to DNS servers operated by American internet
# surveillance and adtech companies by default. No thanks, I'd rather have
# no DNS at all.
fallbackDns = [ "159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net" ];
fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
extraConfig = ''
DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
DNSOverTLS=yes
@ -51,7 +51,12 @@
services.vnstat.enable = true;
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/vnstat"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/vnstat";
user = "root";
group = "root";
mode = "0755";
}
];
};
}


@ -1,4 +1,9 @@
{ nix-index-database, nixpkgs-unstable, nixpkgs, ... }: {
{
nix-index-database,
nixpkgs-unstable,
nixpkgs,
...
}: {
imports = [
nix-index-database.nixosModules.nix-index
];
@ -22,7 +27,7 @@
auto-optimise-store = true;
# Enable flakes
experimental-features = [ "nix-command" "flakes" ];
experimental-features = ["nix-command" "flakes"];
# Timeout connections to the binary cache instead of waiting forever
connect-timeout = 5;


@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
bat
black


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# ripgrep is a line-oriented search tool that recursively searches the
# current directory for a regex pattern.
# https://github.com/BurntSushi/ripgrep


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
services.openssh = {
enable = true;
settings = {


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
security.sudo = {
# Only allow members of the wheel group to execute sudo by setting the
# executables permissions accordingly. This prevents users that are not


@ -1,4 +1,8 @@
{ config, pkgs, ... }: {
{
config,
pkgs,
...
}: {
users = {
# Don't allow imperative modifications to users (incompatible with impermanence)
mutableUsers = false;
@ -17,7 +21,7 @@
# todo: systemd-journal, audio, input, power, nix ?
];
uid = 1000;
packages = with pkgs; [ ];
packages = with pkgs; [];
};
};
};


@ -1,4 +1,8 @@
{ home-manager, pkgs, ... }: {
{
home-manager,
pkgs,
...
}: {
home-manager.users.caspervk = {
programs.neovim = {
enable = true;
@ -27,7 +31,7 @@
nvim-dap-virtual-text # show variable values in-line
salt-vim # salt syntax-highlighting
];
extraPackages = with pkgs; [ ];
extraPackages = with pkgs; [];
extraConfig = builtins.readFile ./config.vim;
extraLuaConfig = builtins.readFile ./config.lua;


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
{
config,
lib,
pkgs,
...
}: {
# BorgBackup (short: Borg) is a deduplicating backup program.
# https://nixos.wiki/wiki/Borg_backup
# https://nixos.org/manual/nixos/stable/#module-borgbase
@ -69,7 +74,7 @@
# patterns is used, so if an include pattern (prefix `+`) matches before an
# exclude pattern (prefix `-`), the file is backed up. Prefix `!` is
# exclude-norecurse. See `borg help patterns` for pattern syntax.
paths = [ "/" ];
paths = ["/"];
patterns = [
"! /dev"
"! /lost+found"


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# Terminal emulator
# https://wiki.archlinux.org/title/Alacritty
@ -10,7 +10,11 @@
# It's easy to open a new terminal using Mod+Enter in sway, but it
# always opens in the home directly. This binds Control+Shift+Enter
# to open a new terminal in the current directory.
{ key = "Return"; mods = "Control|Shift"; action = "SpawnNewInstance"; }
{
key = "Return";
mods = "Control|Shift";
action = "SpawnNewInstance";
}
];
};
};


@ -1,4 +1,9 @@
{ home-manager, lib, pkgs, ... }: {
{
home-manager,
lib,
pkgs,
...
}: {
# Clipboard manager. It can help persist clipboard contents after closing an
# application - which otherwise isn't supported in Wayland - but that breaks
# rich content copying in general. Therefore, we only use it for clipboard


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
./alacritty.nix
./clipman.nix


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# https://flatpak.org/setup/NixOS
# https://nixos.wiki/wiki/Flatpak
@ -14,7 +14,12 @@
# Persist flatpaks
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/flatpak"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/flatpak";
user = "root";
group = "root";
mode = "0755";
}
];
};
}


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# Gammestep automatically adjusts the screen's colour temperature. It's
# basically redshift for Wayland.
# https://gitlab.com/chinstrap/gammastep


@ -1,4 +1,4 @@
{ lib, ... }: {
{lib, ...}: {
networking = {
# It's a little too much to define every WiFi network declaratively.
# Instead, we enable NetworkManager and the nmtui interface.
@ -9,12 +9,17 @@
};
# Allow our user to configure the network
users.extraGroups.networkmanager.members = [ "caspervk" ];
users.extraGroups.networkmanager.members = ["caspervk"];
# Persist WiFi passwords and other network configuration
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/etc/NetworkManager/system-connections"; user = "root"; group = "root"; mode = "0700"; }
{
directory = "/etc/NetworkManager/system-connections";
user = "root";
group = "root";
mode = "0700";
}
];
};


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# PipeWire is a new low-level multimedia framework. It aims to offer capture
# and playback for both audio and video with minimal latency and support for
# PulseAudio-, JACK-, ALSA- and GStreamer-based applications.


@ -1,4 +1,10 @@
{ home-manager, lib, nixpkgs, pkgs, ... }: {
{
home-manager,
lib,
nixpkgs,
pkgs,
...
}: {
# Packages useful on a desktop computer which don't require their own module
environment.systemPackages = with pkgs; [
@ -6,7 +12,8 @@
gimp
jetbrains.pycharm-professional
keepassxc
(kodi-wayland.withPackages (kodiPackages: with kodiPackages; [
(kodi-wayland.withPackages (kodiPackages:
with kodiPackages; [
jellyfin
]))
libqalculate
@ -19,7 +26,8 @@
webcord # discord
];
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"android-studio-stable"
"pycharm-professional"
"spotify"


@ -1,4 +1,8 @@
{ home-manager, pkgs, ... }: {
{
home-manager,
pkgs,
...
}: {
# A window switcher, application launcher and dmenu replacement. Used to open
# programs, view the clipboard history, and select emojis.
# https://github.com/davatorium/rofi


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# https://nix-community.github.io/home-manager/options.html
home-manager.users.caspervk = {


@ -1,4 +1,9 @@
{ home-manager, lib, pkgs, ... }: {
{
home-manager,
lib,
pkgs,
...
}: {
# https://nixos.wiki/wiki/Sway
programs.sway = {
@ -77,14 +82,14 @@
"XF86AudioPrev" = "exec 'playerctl previous'";
};
assigns = {
"8" = [{ class = "WebCord"; }];
"9" = [{ class = "Spotify"; }];
"8" = [{class = "WebCord";}];
"9" = [{class = "Spotify";}];
};
floating = {
criteria = [
{ app_id = "org.keepassxc.KeePassXC"; }
{ app_id = "pavucontrol"; }
{ app_id = "wdisplays"; }
{app_id = "org.keepassxc.KeePassXC";}
{app_id = "pavucontrol";}
{app_id = "wdisplays";}
];
};
focus = {
@ -114,7 +119,7 @@
};
};
terminal = "alacritty";
bars = [{ command = "${pkgs.waybar}/bin/waybar"; }];
bars = [{command = "${pkgs.waybar}/bin/waybar";}];
};
# Execute sway with required environment variables for GTK applications
@ -125,8 +130,7 @@
# https://github.com/Alexays/Waybar/wiki/Configuration
# https://github.com/Alexays/Waybar/blob/master/resources/config
programs.waybar =
let
programs.waybar = let
# It isn't possible to extend the default Waybar config in Home
# Manager; as soon as any setting is defined it overwrites the entire
# default configuration. To combat this, we parse the default config
@ -140,14 +144,13 @@
'';
};
defaultConfig = builtins.fromJSON (lib.readFile "${mkDefaultConfig}");
in
{
in {
enable = true;
settings = {
bar = lib.mkMerge [
defaultConfig
{
modules-right = lib.mkForce [ "tray" "pulseaudio" "backlight" "network" "battery" "clock" ];
modules-right = lib.mkForce ["tray" "pulseaudio" "backlight" "network" "battery" "clock"];
battery = {
states = lib.mkForce {
warning = 15;
@ -234,22 +237,33 @@
};
# https://github.com/swaywm/swayidle
services.swayidle =
let
services.swayidle = let
lock = "${pkgs.swaylock}/bin/swaylock --daemonize";
outputOff = "${pkgs.sway}/bin/swaymsg 'output * power off'";
outputOn = "${pkgs.sway}/bin/swaymsg 'output * power on'";
suspend = "${pkgs.systemd}/bin/systemctl suspend";
in
{
in {
enable = true;
events = [
{ event = "lock"; command = lock; }
{ event = "before-sleep"; command = lock; }
{
event = "lock";
command = lock;
}
{
event = "before-sleep";
command = lock;
}
];
timeouts = [
{ timeout = 60 * 20; command = outputOff; resumeCommand = outputOn; }
{ timeout = 60 * 60 * 3; command = suspend; }
{
timeout = 60 * 20;
command = outputOff;
resumeCommand = outputOn;
}
{
timeout = 60 * 60 * 3;
command = suspend;
}
];
};
@ -277,12 +291,12 @@
enableDefaultPackages = true;
packages = with pkgs; [
# Nerd Fonts patches glyph icons, such as from Font Awesome, into existing fonts
(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
(nerdfonts.override {fonts = ["JetBrainsMono"];})
font-awesome # waybar uses Font Awesome icons directly
];
fontDir.enable = true; # TODO?
fontconfig.defaultFonts = {
monospace = [ "JetBrainsMonoNL Nerd Font" ]; # NL = NoLigatures
monospace = ["JetBrainsMonoNL Nerd Font"]; # NL = NoLigatures
};
};


@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# https://nixos.wiki/wiki/Virt-manager
virtualisation.libvirtd.enable = true;
@ -8,19 +8,24 @@
home-manager.users.caspervk = {
dconf.settings = {
"org/virt-manager/virt-manager/connections" = {
autoconnect = [ "qemu:///system" ];
uris = [ "qemu:///system" ];
autoconnect = ["qemu:///system"];
uris = ["qemu:///system"];
};
};
};
# Allow our user to use libvird
users.extraGroups.libvirtd.members = [ "caspervk" ];
users.extraGroups.libvirtd.members = ["caspervk"];
# Persist libvirt data
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/libvirt"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/libvirt";
user = "root";
group = "root";
mode = "0755";
}
];
};
}


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
./system.nix
];


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Automatically `nixos-rebuild switch` daily with the latest configuration
# from git. This overwrites any uncommitted changes in ~/nixos/, which is why
# it is only enabled on servers. Note that this requires updating flake.lock


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Syncthing is a continuous file synchronization program. It synchronizes
# files between two or more computers in real time. It's basically a
# self-hosted Dropbox for Linux users, but without FTP, curlftpfs, and SVN.
@ -19,20 +19,20 @@
devices = {
"lambda" = {
id = "WES3JH4-S34HTC5-42YZHUJ-MX3Z6PA-PFO72KA-YIJMDOB-GQWZXZ3-I7BBTAS";
addresses = [ "tcp://lambda.caspervk.net" ];
addresses = ["tcp://lambda.caspervk.net"];
};
"omega" = { id = "EZIQ7SI-Y6BBLUY-QI4EEYU-UNIXPSG-R6X5E77-AA2UC7S-VRV2LKQ-RNBOGQT"; };
"S10e" = { id = "DWC6YHB-FRYKFHD-FPOUITV-7GL2WZH-RSFOJXR-PHYXDO7-74NLBUZ-TZENVAC"; };
"zeta" = { id = "GQRNHAQ-MMRQYMD-P4RCA6I-5DJ3HXO-J2N2GVP-UGI55YR-HD3EYSO-ERU5QQV"; };
"omega" = {id = "EZIQ7SI-Y6BBLUY-QI4EEYU-UNIXPSG-R6X5E77-AA2UC7S-VRV2LKQ-RNBOGQT";};
"S10e" = {id = "DWC6YHB-FRYKFHD-FPOUITV-7GL2WZH-RSFOJXR-PHYXDO7-74NLBUZ-TZENVAC";};
"zeta" = {id = "GQRNHAQ-MMRQYMD-P4RCA6I-5DJ3HXO-J2N2GVP-UGI55YR-HD3EYSO-ERU5QQV";};
};
folders = {
"keepass" = {
path = "~/keepass";
devices = [ "lambda" "omega" "S10e" "zeta" ];
devices = ["lambda" "omega" "S10e" "zeta"];
};
"sync" = {
path = "~/sync";
devices = [ "lambda" "omega" "zeta" ];
devices = ["lambda" "omega" "zeta"];
};
};
};


@ -1,4 +1,8 @@
{ config, pkgs, ... }: {
{
config,
pkgs,
...
}: {
services.tor = {
enable = true;
openFirewall = true;
@ -26,7 +30,12 @@
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/tor"; user = "tor"; group = "tor"; mode = "0700"; }
{
directory = "/var/lib/tor";
user = "tor";
group = "tor";
mode = "0700";
}
];
};
}


@ -1,3 +1,3 @@
{ ... }: {
imports = [ ];
{...}: {
imports = [];
}


@ -2,7 +2,6 @@
# the agenix CLI tool to know which public keys to use for encryption. See the
# README for more information.
# https://github.com/ryantm/agenix
let
# Get a system's public key using:
# > cat /etc/ssh/ssh_host_ed25519_key.pub
@ -18,12 +17,12 @@ let
# > agenix -i $AGE_KEY_FILE -e foo.age
recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
all = [ alpha mu omega tor zeta ];
all = [alpha mu omega tor zeta];
in
builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
builtins.mapAttrs (name: value: {publicKeys = value ++ [recovery];}) {
# Borg backup
"borg-passphrase-file-omega.age" = [ omega ];
"borg-passphrase-file-zeta.age" = [ zeta ];
"borg-passphrase-file-omega.age" = [omega];
"borg-passphrase-file-zeta.age" = [zeta];
# User passwords
"users-hashed-password-file.age" = all;
@ -32,7 +31,7 @@ builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
# The preshared key adds an additional layer of symmetric-key crypto to be
# mixed into the already existing public-key crypto, for post-quantum
# resistance. Public-keys are generated using `wireguard-vanity-address`.
"wireguard-preshared-key-file.age" = [ alpha omega ];
"wireguard-private-key-file-alpha.age" = [ alpha ];
"wireguard-private-key-file-omega.age" = [ omega ];
}
"wireguard-preshared-key-file.age" = [alpha omega];
"wireguard-private-key-file-alpha.age" = [alpha];
"wireguard-private-key-file-omega.age" = [omega];
}