caspervk/nixos
1
0
Fork 0
Code Actions Activity

Alejandra 💅

Browse source
This commit is contained in:
Casper V. Kristensen 2024-03-05 22:57:41 +01:00
parent 163a7f38c4
commit a7b28837ee
61 changed files with 472 additions and 306 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
flake.nix
View file

@ -38,40 +38,44 @@
};
};
outputs = { self, nixpkgs, ... } @ inputs: {
# https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-fmt.html
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
outputs = {
self,
nixpkgs,
...
} @ inputs: {
# https://kamadorueda.com/alejandra/
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
nixosConfigurations = {
# Home desktop
omega = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/omega ];
modules = [./hosts/omega];
};
# Laptop
zeta = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/zeta ];
modules = [./hosts/zeta];
};
# Work laptop
mu = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/mu ];
modules = [./hosts/mu];
};
# Hetzner VPS
alpha = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/alpha ];
modules = [./hosts/alpha];
};
# Tor relay
tor = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs; # pass flake inputs to modules
modules = [ ./hosts/tor ];
modules = [./hosts/tor];
};
};
};

2
hosts/alpha/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base

21
hosts/alpha/hardware.nix
View file

@ -1,20 +1,26 @@
{ config, lib, pkgs, modulesPath, ... }: {
{
config,
lib,
pkgs,
modulesPath,
...
}: {
# https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Cloud
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" "virtio_gpu" ];
boot.kernelParams = [ "console=tty" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
boot.initrd.kernelModules = ["dm-snapshot" "virtio_gpu"];
boot.kernelParams = ["console=tty"];
boot.kernelModules = [];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
@ -38,4 +44,3 @@
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

10
hosts/alpha/network.nix
View file

@ -1,4 +1,4 @@
{ config, ... }: {
{config, ...}: {
systemd.network = {
# Main interface
networks."10-lan" = {
@ -8,7 +8,7 @@
"2a01:4f8:c2c:71c0::/64"
];
routes = [
{ routeConfig = { Gateway = "fe80::1"; }; }
{routeConfig = {Gateway = "fe80::1";};}
];
};
@ -31,7 +31,7 @@
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
# Add to the main routing table that traffic for the address should
# be sent to sigma.
AllowedIPs = [ "49.13.33.75/32" ];
AllowedIPs = ["49.13.33.75/32"];
RouteTable = "main";
};
}
@ -58,7 +58,7 @@
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
AllowedIPs = [ "116.203.6.156/32" ];
AllowedIPs = ["116.203.6.156/32"];
RouteTable = "main";
};
}
@ -76,7 +76,7 @@
};
networking = {
firewall.allowedUDPPorts = [ 51820 51821 ];
firewall.allowedUDPPorts = [51820 51821];
};
age.secrets.wireguard-preshared-key-file = {

2
hosts/mu/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base

16
hosts/mu/fan.nix
View file

@ -1,15 +1,15 @@
{ ... }: {
{...}: {
# Disable jet engine
services.thinkfan = {
enable = true;
levels = [
[ 0 0 70 ]
[ 1 65 75 ]
[ 2 70 80 ]
[ 3 75 85 ]
[ 6 80 90 ]
[ 7 90 95 ]
[ "level auto" 95 32767 ]
[0 0 70]
[1 65 75]
[2 70 80]
[3 75 85]
[6 80 90]
[7 90 95]
["level auto" 95 32767]
];
};
boot.extraModprobeConfig = ''

2
hosts/mu/fish.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
programs.fish.shellAliases = {
sm = "bw get totp e2be31fb-135f-4b28-88cd-b094000ddb67 | wl-copy; gcloud --project magenta-os2mo-production compute ssh --tunnel-through-iap saltmaster";

7
hosts/mu/git.nix
View file

@ -1,4 +1,8 @@
{ home-manager, lib, ... }: {
{
home-manager,
lib,
...
}: {
home-manager.users.caspervk = {
programs.git = {
userEmail = lib.mkForce "vk@magenta.dk";
@ -6,7 +10,6 @@
# https://docs.gitlab.com/ee/user/project/push_options.html
mr = "push --push-option=merge_request.create --push-option=merge_request.assign='vk'";
};
};
};
}

20
hosts/mu/hardware.nix
View file

@ -1,4 +1,11 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }: {
{
config,
lib,
pkgs,
modulesPath,
nixos-hardware,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.common-cpu-intel
@ -9,17 +16,16 @@
nixos-hardware.nixosModules.common-pc-ssd
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "sdhci_pci"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";

2
hosts/mu/hosts.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
networking.hosts = {
"127.0.0.1" = [
# not in git

2
hosts/mu/packages.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
android-studio
azure-cli

7
hosts/mu/sway.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
wayland.windowManager.sway = {
config = {
@ -18,7 +18,10 @@
};
};
workspaceOutputAssign = [
{ workspace = "9"; output = "eDP-1"; }
{
workspace = "9";
output = "eDP-1";
}
];
};
};

2
hosts/omega/borg.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../modules/borg.nix
];

10
hosts/omega/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
imports = [
../../overlays
../../modules/base
@ -12,10 +12,10 @@
systemd.services.qbittorrent = {
description = "qBittorrent service";
documentation = [ "man:qbittorrent-nox(1)" ];
wantedBy = [ "multi-user.target" ];
wants = [ "multi-user.target" ];
after = [ "network-online.target" "nss-lookup.target" ];
documentation = ["man:qbittorrent-nox(1)"];
wantedBy = ["multi-user.target"];
wants = ["multi-user.target"];
after = ["network-online.target" "nss-lookup.target"];
serviceConfig = {
Type = "exec";
User = "caspervk";

25
hosts/omega/hardware.nix
View file

@ -1,4 +1,11 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }: {
{
config,
lib,
pkgs,
modulesPath,
nixos-hardware,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.common-cpu-amd
@ -8,17 +15,17 @@
nixos-hardware.nixosModules.common-pc-ssd
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "ntfs" ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["ntfs"];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
@ -41,12 +48,12 @@
fileSystems."/mnt/C" = {
device = "/dev/disk/by-label/C";
fsType = "ntfs-3g";
options = [ "rw" "uid=1000" ];
options = ["rw" "uid=1000"];
};
fileSystems."/mnt/Backup" = {
device = "/dev/disk/by-label/Backup";
fsType = "ntfs-3g";
options = [ "rw" "uid=1000" ];
options = ["rw" "uid=1000"];
};
# Enables DHCP on all ethernet and wireless LAN interfaces.

10
hosts/omega/network.nix
View file

@ -1,4 +1,4 @@
{ config, ... }: {
{config, ...}: {
systemd.network = {
config = {
routeTables = {
@ -35,7 +35,7 @@
# we add these routes to a specific routing table and configure a
# routing policy rule to only use it for packets being sent as the
# public IP.
AllowedIPs = [ "0.0.0.0/0" ];
AllowedIPs = ["0.0.0.0/0"];
RouteTable = "wg-sigma-public";
};
}
@ -43,7 +43,7 @@
};
networks."wg-sigma-public" = {
name = "wg-sigma-public";
address = [ "49.13.33.75/32" ];
address = ["49.13.33.75/32"];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
@ -73,7 +73,7 @@
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
Endpoint = "alpha.caspervk.net:51821";
PersistentKeepalive = 25;
AllowedIPs = [ "0.0.0.0/0" ];
AllowedIPs = ["0.0.0.0/0"];
RouteTable = "wg-sigma-p2p";
};
}
@ -81,7 +81,7 @@
};
networks."wg-sigma-p2p" = {
name = "wg-sigma-p2p";
address = [ "116.203.6.156/32" ];
address = ["116.203.6.156/32"];
routingPolicyRules = [
{
routingPolicyRuleConfig = {

12
hosts/omega/sway.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
wayland.windowManager.sway = {
config = {
@ -14,8 +14,14 @@
};
};
workspaceOutputAssign = [
{ workspace = "8"; output = "DP-2"; }
{ workspace = "9"; output = "DP-2"; }
{
workspace = "8";
output = "DP-2";
}
{
workspace = "9";
output = "DP-2";
}
];
};
};

2
hosts/tor/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base

19
hosts/tor/hardware.nix
View file

@ -1,18 +1,24 @@
{ config, lib, pkgs, modulesPath, ... }: {
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = [];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
@ -36,4 +42,3 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

11
hosts/tor/network.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
systemd.network = {
networks."10-lan" = {
# IPv4 settings are from `sudo dhcpcd --test`.
@ -9,8 +9,13 @@
"2a0d:3e83:1:b284::1/64"
];
routes = [
{ routeConfig = { Gateway = "91.210.59.1"; }; }
{ routeConfig = { Gateway = "2a0d:3e83:1::1"; GatewayOnLink = true; }; }
{routeConfig = {Gateway = "91.210.59.1";};}
{
routeConfig = {
Gateway = "2a0d:3e83:1::1";
GatewayOnLink = true;
};
}
];
};
};

12
hosts/tor/tor.nix
View file

@ -1,10 +1,16 @@
{ ... }: {
{...}: {
services.tor = {
settings = {
Nickname = "DXV7520";
ORPort = [
{ addr = "91.210.59.57"; port = 443; }
{ addr = "[2a0d:3e83:1:b284::1]"; port = 443; }
{
addr = "91.210.59.57";
port = 443;
}
{
addr = "[2a0d:3e83:1:b284::1]";
port = 443;
}
];
};
};

2
hosts/zeta/borg.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../modules/borg.nix
];

2
hosts/zeta/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../overlays
../../modules/base

19
hosts/zeta/hardware.nix
View file

@ -1,4 +1,11 @@
{ config, lib, pkgs, modulesPath, nixos-hardware, ... }: {
{
config,
lib,
pkgs,
modulesPath,
nixos-hardware,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
nixos-hardware.nixosModules.common-cpu-intel
@ -9,16 +16,16 @@
nixos-hardware.nixosModules.common-pc-ssd
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
options = ["defaults" "size=2G" "mode=755"]; # mode=755 so only root can write to those files
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";

2
hosts/zeta/sway.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
home-manager.users.caspervk = {
wayland.windowManager.sway = {
config = {

8
modules/base/agenix.nix
View file

@ -1,4 +1,8 @@
{ agenix, pkgs, ... }: {
{
agenix,
pkgs,
...
}: {
# Agenix manages the deployment of secrets by public-key encrypting them to
# each system's ssh host key. See the README for more information.
# https://github.com/ryantm/agenix
@ -12,7 +16,7 @@
# host key. Refer directly to the key on the persistent partition, which is
# mounted in stage 1 of the boot process, before agenix runs.
# https://github.com/ryantm/agenix/issues/45#issuecomment-901383985
age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"];
# `agenix` cli tool
environment.systemPackages = [

2
modules/base/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
./agenix.nix
./docker.nix

11
modules/base/docker.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Docker is a utility to pack, ship and run any application as a lightweight
# container.
# https://nixos.wiki/wiki/Docker
@ -14,12 +14,17 @@
# Being a member of the docker group is effectively equivalent to being root,
# but without the annoyance of having to type your sudo password all the time.
users.extraGroups.docker.members = [ "caspervk" ];
users.extraGroups.docker.members = ["caspervk"];
# Persist docker volumes
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/docker"; user = "root"; group = "root"; mode = "0700"; }
{
directory = "/var/lib/docker";
user = "root";
group = "root";
mode = "0700";
}
];
};
}

4
modules/base/fish.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
# Fish is a Unix shell with a focus on interactivity and usability. Fish is
# designed to give the user features by default, rather than by
# configuration.
@ -24,7 +24,7 @@
users.defaultUserShell = pkgs.fish;
# Add fish to the list of permissible login shells for user accounts
environment.shells = with pkgs; [ fish ];
environment.shells = with pkgs; [fish];
# Enabling fish in both NixOS and home manager is required to pick up
# completions and environment variables set by NixOS nixpkgs _and_ home

2
modules/base/git.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# Git version control system.
# https://nixos.wiki/wiki/Git

2
modules/base/hardware.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Enable all firmware with a license allowing redistribution
hardware.enableRedistributableFirmware = true;
}

6
modules/base/home-manager.nix
View file

@ -1,4 +1,8 @@
{ config, home-manager, ... }: {
{
config,
home-manager,
...
}: {
# Like NixOS manages the system configuration, Home Manager manages the user
# environment.
#

23
modules/base/impermanence.nix
View file

@ -1,4 +1,4 @@
{ impermanence, ... }: {
{impermanence, ...}: {
# Impermanence in NixOS is where the root directory isn't permanent, but gets
# wiped every reboot (such as by mounting it as tmpfs). Such a setup is
# possible because NixOS only needs /boot and /nix in order to boot, all
@ -28,10 +28,25 @@
hideMounts = true;
directories = [
# See comment above for /tmp
{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
{
directory = "/tmp";
user = "root";
group = "root";
mode = "1777";
}
# Save the last run time of persistent timers so systemd knows if they were missed
{ directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "0755"; }
{ directory = "/var/log"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/systemd/timers";
user = "root";
group = "root";
mode = "0755";
}
{
directory = "/var/log";
user = "root";
group = "root";
mode = "0755";
}
];
files = [
"/etc/machine-id" # needed for /var/log

2
modules/base/locale.nix
View file

@ -1,4 +1,4 @@
{ lib, ... }: {
{lib, ...}: {
i18n = {
defaultLocale = "en_DK.UTF-8";
extraLocaleSettings = {

19
modules/base/network.nix
View file

@ -1,17 +1,17 @@
{ ... }: {
{...}: {
# https://nixos.wiki/wiki/Networking
# https://nixos.wiki/wiki/Systemd-networkd
networking = {
firewall = {
# Allow some ports for ad-hoc use
allowedTCPPorts = [ 1234 1337 8000 8080 ];
allowedUDPPorts = [ 1234 1337 8000 8080 ];
allowedTCPPorts = [1234 1337 8000 8080];
allowedUDPPorts = [1234 1337 8000 8080];
# Do not spam dmesg/journalctl with refused connections
logRefusedConnections = false;
};
nameservers = [ "127.0.0.53" ]; # resolved stub resolver
search = [ "caspervk.net" ];
nameservers = ["127.0.0.53"]; # resolved stub resolver
search = ["caspervk.net"];
};
# TODO: these systemd networkd settings will be the default once
@ -34,7 +34,7 @@
# Resolved falls back to DNS servers operated by American internet
# surveillance and adtech companies by default. No thanks, I'd rather have
# no DNS at all.
fallbackDns = [ "159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net" ];
fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
extraConfig = ''
DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
DNSOverTLS=yes
@ -51,7 +51,12 @@
services.vnstat.enable = true;
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/vnstat"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/vnstat";
user = "root";
group = "root";
mode = "0755";
}
];
};
}

9
modules/base/nix.nix
View file

@ -1,4 +1,9 @@
{ nix-index-database, nixpkgs-unstable, nixpkgs, ... }: {
{
nix-index-database,
nixpkgs-unstable,
nixpkgs,
...
}: {
imports = [
nix-index-database.nixosModules.nix-index
];
@ -22,7 +27,7 @@
auto-optimise-store = true;
# Enable flakes
experimental-features = [ "nix-command" "flakes" ];
experimental-features = ["nix-command" "flakes"];
# Timeout connections to the binary cache instead of waiting forever
connect-timeout = 5;

2
modules/base/packages.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
bat
black

2
modules/base/ripgrep.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# ripgrep is a line-oriented search tool that recursively searches the
# current directory for a regex pattern.
# https://github.com/BurntSushi/ripgrep

2
modules/base/ssh.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
services.openssh = {
enable = true;
settings = {

2
modules/base/sudo.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
security.sudo = {
# Only allow members of the wheel group to execute sudo by setting the
# executables permissions accordingly. This prevents users that are not

8
modules/base/users.nix
View file

@ -1,4 +1,8 @@
{ config, pkgs, ... }: {
{
config,
pkgs,
...
}: {
users = {
# Don't allow imperative modifications to users (incompatible with impermanence)
mutableUsers = false;
@ -17,7 +21,7 @@
# todo: systemd-journal, audio, input, power, nix ?
];
uid = 1000;
packages = with pkgs; [ ];
packages = with pkgs; [];
};
};
};

8
modules/base/vim/default.nix
View file

@ -1,4 +1,8 @@
{ home-manager, pkgs, ... }: {
{
home-manager,
pkgs,
...
}: {
home-manager.users.caspervk = {
programs.neovim = {
enable = true;
@ -27,7 +31,7 @@
nvim-dap-virtual-text # show variable values in-line
salt-vim # salt syntax-highlighting
];
extraPackages = with pkgs; [ ];
extraPackages = with pkgs; [];
extraConfig = builtins.readFile ./config.vim;
extraLuaConfig = builtins.readFile ./config.lua;

9
modules/borg.nix
View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
{
config,
lib,
pkgs,
...
}: {
# BorgBackup (short: Borg) is a deduplicating backup program.
# https://nixos.wiki/wiki/Borg_backup
# https://nixos.org/manual/nixos/stable/#module-borgbase
@ -69,7 +74,7 @@
# patterns is used, so if an include pattern (prefix `+`) matches before an
# exclude pattern (prefix `-`), the file is backed up. Prefix `!` is
# exclude-norecurse. See `borg help patterns` for pattern syntax.
paths = [ "/" ];
paths = ["/"];
patterns = [
"! /dev"
"! /lost+found"

8
modules/desktop/alacritty.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# Terminal emulator
# https://wiki.archlinux.org/title/Alacritty
@ -10,7 +10,11 @@
# It's easy to open a new terminal using Mod+Enter in sway, but it
# always opens in the home directly. This binds Control+Shift+Enter
# to open a new terminal in the current directory.
{ key = "Return"; mods = "Control|Shift"; action = "SpawnNewInstance"; }
{
key = "Return";
mods = "Control|Shift";
action = "SpawnNewInstance";
}
];
};
};

7
modules/desktop/clipman.nix
View file

@ -1,4 +1,9 @@
{ home-manager, lib, pkgs, ... }: {
{
home-manager,
lib,
pkgs,
...
}: {
# Clipboard manager. It can help persist clipboard contents after closing an
# application - which otherwise isn't supported in Wayland - but that breaks
# rich content copying in general. Therefore, we only use it for clipboard

2
modules/desktop/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
./alacritty.nix
./clipman.nix

9
modules/desktop/flatpak.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# https://flatpak.org/setup/NixOS
# https://nixos.wiki/wiki/Flatpak
@ -14,7 +14,12 @@
# Persist flatpaks
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/flatpak"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/flatpak";
user = "root";
group = "root";
mode = "0755";
}
];
};
}

2
modules/desktop/gammastep.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# Gammestep automatically adjusts the screen's colour temperature. It's
# basically redshift for Wayland.
# https://gitlab.com/chinstrap/gammastep

11
modules/desktop/network.nix
View file

@ -1,4 +1,4 @@
{ lib, ... }: {
{lib, ...}: {
networking = {
# It's a little too much to define every WiFi network declaratively.
# Instead, we enable NetworkManager and the nmtui interface.
@ -9,12 +9,17 @@
};
# Allow our user to configure the network
users.extraGroups.networkmanager.members = [ "caspervk" ];
users.extraGroups.networkmanager.members = ["caspervk"];
# Persist WiFi passwords and other network configuration
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/etc/NetworkManager/system-connections"; user = "root"; group = "root"; mode = "0700"; }
{
directory = "/etc/NetworkManager/system-connections";
user = "root";
group = "root";
mode = "0700";
}
];
};

2
modules/desktop/pipewire.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# PipeWire is a new low-level multimedia framework. It aims to offer capture
# and playback for both audio and video with minimal latency and support for
# PulseAudio-, JACK-, ALSA- and GStreamer-based applications.

28
modules/desktop/programs.nix
View file

@ -1,4 +1,10 @@
{ home-manager, lib, nixpkgs, pkgs, ... }: {
{
home-manager,
lib,
nixpkgs,
pkgs,
...
}: {
# Packages useful on a desktop computer which don't require their own module
environment.systemPackages = with pkgs; [
@ -6,9 +12,10 @@
gimp
jetbrains.pycharm-professional
keepassxc
(kodi-wayland.withPackages (kodiPackages: with kodiPackages; [
jellyfin
]))
(kodi-wayland.withPackages (kodiPackages:
with kodiPackages; [
jellyfin
]))
libqalculate
libreoffice
mpv
@ -19,12 +26,13 @@
webcord # discord
];
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"android-studio-stable"
"pycharm-professional"
"spotify"
"terraform"
];
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"android-studio-stable"
"pycharm-professional"
"spotify"
"terraform"
];
home-manager.users.caspervk = {
home.sessionVariables = {

6
modules/desktop/rofi.nix
View file

@ -1,4 +1,8 @@
{ home-manager, pkgs, ... }: {
{
home-manager,
pkgs,
...
}: {
# A window switcher, application launcher and dmenu replacement. Used to open
# programs, view the clipboard history, and select emojis.
# https://github.com/davatorium/rofi

2
modules/desktop/ssh.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# https://nix-community.github.io/home-manager/options.html
home-manager.users.caspervk = {

260
modules/desktop/sway.nix
View file

@ -1,4 +1,9 @@
{ home-manager, lib, pkgs, ... }: {
{
home-manager,
lib,
pkgs,
...
}: {
# https://nixos.wiki/wiki/Sway
programs.sway = {
@ -77,14 +82,14 @@
"XF86AudioPrev" = "exec 'playerctl previous'";
};
assigns = {
"8" = [{ class = "WebCord"; }];
"9" = [{ class = "Spotify"; }];
"8" = [{class = "WebCord";}];
"9" = [{class = "Spotify";}];
};
floating = {
criteria = [
{ app_id = "org.keepassxc.KeePassXC"; }
{ app_id = "pavucontrol"; }
{ app_id = "wdisplays"; }
{app_id = "org.keepassxc.KeePassXC";}
{app_id = "pavucontrol";}
{app_id = "wdisplays";}
];
};
focus = {
@ -114,7 +119,7 @@
};
};
terminal = "alacritty";
bars = [{ command = "${pkgs.waybar}/bin/waybar"; }];
bars = [{command = "${pkgs.waybar}/bin/waybar";}];
};
# Execute sway with required environment variables for GTK applications
@ -125,104 +130,102 @@
# https://github.com/Alexays/Waybar/wiki/Configuration
# https://github.com/Alexays/Waybar/blob/master/resources/config
programs.waybar =
let
# It isn't possible to extend the default Waybar config in Home
# Manager; as soon as any setting is defined it overwrites the entire
# default configuration. To combat this, we parse the default config
# into Nix and merge it with our changes.
mkDefaultConfig = pkgs.stdenv.mkDerivation {
name = "waybarDefaultConfig";
src = "${pkgs.waybar}/etc/xdg/waybar";
installPhase = ''
# JSON isn't valid if it contains comments
sed 's#//.*##' config | ${pkgs.jq}/bin/jq > $out
'';
};
defaultConfig = builtins.fromJSON (lib.readFile "${mkDefaultConfig}");
in
{
enable = true;
settings = {
bar = lib.mkMerge [
defaultConfig
{
modules-right = lib.mkForce [ "tray" "pulseaudio" "backlight" "network" "battery" "clock" ];
battery = {
states = lib.mkForce {
warning = 15;
critical = 5;
};
};
clock = {
interval = 5;
locale = "da_DK.UTF-8";
format = "{:%a %e. %b %H:%M}";
calendar = {
mode = "year";
mode-mon-col = 3;
weeks-pos = "left";
on-scroll = 1;
format = {
months = "<span color='#ffead3'><b>{}</b></span>";
days = "<span color='#ecc6d9'><b>{}</b></span>";
weeks = "<span color='#99ffdd'><b>W{}</b></span>";
weekdays = "<span color='#ffcc66'><b>{}</b></span>";
today = "<span color='#ff6699'><b><u>{}</u></b></span>";
};
};
actions = {
on-click-right = "mode";
on-scroll-up = "shift_down";
on-scroll-down = "shift_up";
};
};
}
];
};
# https://github.com/Alexays/Waybar/wiki/Styling
# https://github.com/Alexays/Waybar/blob/master/resources/style.css
style = ''
window#waybar {
color: white;
background-color: rgba(0, 0, 0, 0.5);
border-bottom: 1px solid rgba(0, 0, 0, 0.5);
transition-duration: 0s;
}
#workspaces button {
color: white;
box-shadow: inset 0 3px transparent;
border: none;
border-radius: 0;
}
#workspaces button.focused {
box-shadow: inset 0 3px #FF9E3B; /* kanagawa roninYellow */
background-color: transparent;
}
#workspaces button:hover {
/* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
background: rgba(0, 0, 0, 0.25);
text-shadow: inherit;
}
#mode {
background-color: rgba(255, 255, 255, 0.4);
border: none;
}
#tray, #pulseaudio, #backlight, #network, #battery, #clock {
background-color: transparent;
padding: 0 10px;
}
#battery.warning:not(.charging) {
color: #FF9E3B; /* kanagawa roninYellow */
}
#battery.critical:not(.charging) {
color: #E82424; /* kanagawa samuraiRed */
}
#network.disconnected {
color: #E82424; /* kanagawa samuraiRed */
}
programs.waybar = let
# It isn't possible to extend the default Waybar config in Home
# Manager; as soon as any setting is defined it overwrites the entire
# default configuration. To combat this, we parse the default config
# into Nix and merge it with our changes.
mkDefaultConfig = pkgs.stdenv.mkDerivation {
name = "waybarDefaultConfig";
src = "${pkgs.waybar}/etc/xdg/waybar";
installPhase = ''
# JSON isn't valid if it contains comments
sed 's#//.*##' config | ${pkgs.jq}/bin/jq > $out
'';
};
defaultConfig = builtins.fromJSON (lib.readFile "${mkDefaultConfig}");
in {
enable = true;
settings = {
bar = lib.mkMerge [
defaultConfig
{
modules-right = lib.mkForce ["tray" "pulseaudio" "backlight" "network" "battery" "clock"];
battery = {
states = lib.mkForce {
warning = 15;
critical = 5;
};
};
clock = {
interval = 5;
locale = "da_DK.UTF-8";
format = "{:%a %e. %b %H:%M}";
calendar = {
mode = "year";
mode-mon-col = 3;
weeks-pos = "left";
on-scroll = 1;
format = {
months = "<span color='#ffead3'><b>{}</b></span>";
days = "<span color='#ecc6d9'><b>{}</b></span>";
weeks = "<span color='#99ffdd'><b>W{}</b></span>";
weekdays = "<span color='#ffcc66'><b>{}</b></span>";
today = "<span color='#ff6699'><b><u>{}</u></b></span>";
};
};
actions = {
on-click-right = "mode";
on-scroll-up = "shift_down";
on-scroll-down = "shift_up";
};
};
}
];
};
# https://github.com/Alexays/Waybar/wiki/Styling
# https://github.com/Alexays/Waybar/blob/master/resources/style.css
style = ''
window#waybar {
color: white;
background-color: rgba(0, 0, 0, 0.5);
border-bottom: 1px solid rgba(0, 0, 0, 0.5);
transition-duration: 0s;
}
#workspaces button {
color: white;
box-shadow: inset 0 3px transparent;
border: none;
border-radius: 0;
}
#workspaces button.focused {
box-shadow: inset 0 3px #FF9E3B; /* kanagawa roninYellow */
background-color: transparent;
}
#workspaces button:hover {
/* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
background: rgba(0, 0, 0, 0.25);
text-shadow: inherit;
}
#mode {
background-color: rgba(255, 255, 255, 0.4);
border: none;
}
#tray, #pulseaudio, #backlight, #network, #battery, #clock {
background-color: transparent;
padding: 0 10px;
}
#battery.warning:not(.charging) {
color: #FF9E3B; /* kanagawa roninYellow */
}
#battery.critical:not(.charging) {
color: #E82424; /* kanagawa samuraiRed */
}
#network.disconnected {
color: #E82424; /* kanagawa samuraiRed */
}
'';
};
# https://github.com/swaywm/swaylock
programs.swaylock = {
@ -234,24 +237,35 @@
};
# https://github.com/swaywm/swayidle
services.swayidle =
let
lock = "${pkgs.swaylock}/bin/swaylock --daemonize";
outputOff = "${pkgs.sway}/bin/swaymsg 'output * power off'";
outputOn = "${pkgs.sway}/bin/swaymsg 'output * power on'";
suspend = "${pkgs.systemd}/bin/systemctl suspend";
in
{
enable = true;
events = [
{ event = "lock"; command = lock; }
{ event = "before-sleep"; command = lock; }
];
timeouts = [
{ timeout = 60 * 20; command = outputOff; resumeCommand = outputOn; }
{ timeout = 60 * 60 * 3; command = suspend; }
];
};
services.swayidle = let
lock = "${pkgs.swaylock}/bin/swaylock --daemonize";
outputOff = "${pkgs.sway}/bin/swaymsg 'output * power off'";
outputOn = "${pkgs.sway}/bin/swaymsg 'output * power on'";
suspend = "${pkgs.systemd}/bin/systemctl suspend";
in {
enable = true;
events = [
{
event = "lock";
command = lock;
}
{
event = "before-sleep";
command = lock;
}
];
timeouts = [
{
timeout = 60 * 20;
command = outputOff;
resumeCommand = outputOn;
}
{
timeout = 60 * 60 * 3;
command = suspend;
}
];
};
# https://github.com/emersion/mako
services.mako = {
@ -277,12 +291,12 @@
enableDefaultPackages = true;
packages = with pkgs; [
# Nerd Fonts patches glyph icons, such as from Font Awesome, into existing fonts
(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
(nerdfonts.override {fonts = ["JetBrainsMono"];})
font-awesome # waybar uses Font Awesome icons directly
];
fontDir.enable = true; # TODO?
fontconfig.defaultFonts = {
monospace = [ "JetBrainsMonoNL Nerd Font" ]; # NL = NoLigatures
monospace = ["JetBrainsMonoNL Nerd Font"]; # NL = NoLigatures
};
};

15
modules/desktop/virtd.nix
View file

@ -1,4 +1,4 @@
{ home-manager, ... }: {
{home-manager, ...}: {
# https://nixos.wiki/wiki/Virt-manager
virtualisation.libvirtd.enable = true;
@ -8,19 +8,24 @@
home-manager.users.caspervk = {
dconf.settings = {
"org/virt-manager/virt-manager/connections" = {
autoconnect = [ "qemu:///system" ];
uris = [ "qemu:///system" ];
autoconnect = ["qemu:///system"];
uris = ["qemu:///system"];
};
};
};
# Allow our user to use libvird
users.extraGroups.libvirtd.members = [ "caspervk" ];
users.extraGroups.libvirtd.members = ["caspervk"];
# Persist libvirt data
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/libvirt"; user = "root"; group = "root"; mode = "0755"; }
{
directory = "/var/lib/libvirt";
user = "root";
group = "root";
mode = "0755";
}
];
};
}

2
modules/server/default.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
./system.nix
];

2
modules/server/system.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Automatically `nixos-rebuild switch` daily with the latest configuration
# from git. This overwrites any uncommitted changes in ~/nixos/, which is why
# it is only enabled on servers. Note that this requires updating flake.lock

14
modules/syncthing.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{...}: {
# Syncthing is a continuous file synchronization program. It synchronizes
# files between two or more computers in real time. It's basically a
# self-hosted Dropbox for Linux users, but without FTP, curlftpfs, and SVN.
@ -19,20 +19,20 @@
devices = {
"lambda" = {
id = "WES3JH4-S34HTC5-42YZHUJ-MX3Z6PA-PFO72KA-YIJMDOB-GQWZXZ3-I7BBTAS";
addresses = [ "tcp://lambda.caspervk.net" ];
addresses = ["tcp://lambda.caspervk.net"];
};
"omega" = { id = "EZIQ7SI-Y6BBLUY-QI4EEYU-UNIXPSG-R6X5E77-AA2UC7S-VRV2LKQ-RNBOGQT"; };
"S10e" = { id = "DWC6YHB-FRYKFHD-FPOUITV-7GL2WZH-RSFOJXR-PHYXDO7-74NLBUZ-TZENVAC"; };
"zeta" = { id = "GQRNHAQ-MMRQYMD-P4RCA6I-5DJ3HXO-J2N2GVP-UGI55YR-HD3EYSO-ERU5QQV"; };
"omega" = {id = "EZIQ7SI-Y6BBLUY-QI4EEYU-UNIXPSG-R6X5E77-AA2UC7S-VRV2LKQ-RNBOGQT";};
"S10e" = {id = "DWC6YHB-FRYKFHD-FPOUITV-7GL2WZH-RSFOJXR-PHYXDO7-74NLBUZ-TZENVAC";};
"zeta" = {id = "GQRNHAQ-MMRQYMD-P4RCA6I-5DJ3HXO-J2N2GVP-UGI55YR-HD3EYSO-ERU5QQV";};
};
folders = {
"keepass" = {
path = "~/keepass";
devices = [ "lambda" "omega" "S10e" "zeta" ];
devices = ["lambda" "omega" "S10e" "zeta"];
};
"sync" = {
path = "~/sync";
devices = [ "lambda" "omega" "zeta" ];
devices = ["lambda" "omega" "zeta"];
};
};
};

13
modules/tor/default.nix
View file

@ -1,4 +1,8 @@
{ config, pkgs, ... }: {
{
config,
pkgs,
...
}: {
services.tor = {
enable = true;
openFirewall = true;
@ -26,7 +30,12 @@
environment.persistence."/nix/persist" = {
directories = [
{ directory = "/var/lib/tor"; user = "tor"; group = "tor"; mode = "0700"; }
{
directory = "/var/lib/tor";
user = "tor";
group = "tor";
mode = "0700";
}
];
};
}

4
overlays/default.nix
View file

@ -1,3 +1,3 @@
{ ... }: {
imports = [ ];
{...}: {
imports = [];
}

31
secrets/secrets.nix
View file

@ -2,7 +2,6 @@
# the agenix CLI tool to know which public keys to use for encryption. See the
# README for more information.
# https://github.com/ryantm/agenix
let
# Get a system's public key using:
# > cat /etc/ssh/ssh_host_ed25519_key.pub
@ -18,21 +17,21 @@ let
# > agenix -i $AGE_KEY_FILE -e foo.age
recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
all = [ alpha mu omega tor zeta ];
all = [alpha mu omega tor zeta];
in
builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
# Borg backup
"borg-passphrase-file-omega.age" = [ omega ];
"borg-passphrase-file-zeta.age" = [ zeta ];
builtins.mapAttrs (name: value: {publicKeys = value ++ [recovery];}) {
# Borg backup
"borg-passphrase-file-omega.age" = [omega];
"borg-passphrase-file-zeta.age" = [zeta];
# User passwords
"users-hashed-password-file.age" = all;
# User passwords
"users-hashed-password-file.age" = all;
# Wireguard
# The preshared key adds an additional layer of symmetric-key crypto to be
# mixed into the already existing public-key crypto, for post-quantum
# resistance. Public-keys are generated using `wireguard-vanity-address`.
"wireguard-preshared-key-file.age" = [ alpha omega ];
"wireguard-private-key-file-alpha.age" = [ alpha ];
"wireguard-private-key-file-omega.age" = [ omega ];
}
# Wireguard
# The preshared key adds an additional layer of symmetric-key crypto to be
# mixed into the already existing public-key crypto, for post-quantum
# resistance. Public-keys are generated using `wireguard-vanity-address`.
"wireguard-preshared-key-file.age" = [alpha omega];
"wireguard-private-key-file-alpha.age" = [alpha];
"wireguard-private-key-file-omega.age" = [omega];
}