From 54baace7c18ae33a0a3f36c22c99d6fe4b10b5d0 Mon Sep 17 00:00:00 2001 
From: Daniel Lundin Date: Fri, 2 Aug 2024 14:09:42 +0200 Subject: [PATCH] move old nixos-config over here --- README.md | 30 ++++- common/base.nix | 42 ++++++ common/default.nix | 22 +--- common/desktop.nix | 107 ++++++++++++++++ common/hardening.nix | 43 +++++++ common/laptop.nix | 20 +++ common/nix.nix | 40 +++++- common/plymouth.nix | 45 +++++++ common/podman.nix | 48 +++++++ flake.lock | 93 +++++++++++++- flake.nix | 27 +++- {common => home/common}/atuin.nix | 0 {common => home/common}/broot.nix | 0 home/common/default.nix | 21 +++ {common => home/common}/devel.nix | 0 {common => home/common}/fish.nix | 12 +- {common => home/common}/gnome.nix | 0 {common => home/common}/k8s.nix | 0 home/common/nix.nix | 15 +++ {common => home/common}/nvim.nix | 2 +- {common => home/common}/scripts.nix | 2 +- {common => home/common}/ssh.nix | 0 {common => home/common}/utils.nix | 0 {common => home/common}/vcs.nix | 0 {common => home/common}/web.nix | 0 {common => home/common}/wezterm.nix | 2 +- {users => home}/dln/desktop.nix | 0 {users => home}/dln/dinky.nix | 0 {users => home}/dln/home.nix | 0 {users => home}/dln/nemo.nix | 0 {users => home}/lsjostro/home.nix | 0 {users => home}/lsjostro/nemo.nix | 0 hosts/dinky/default.nix | 113 ++++++++++++++++ hosts/nemo/default.nix | 192 ++++++++++++++++++++++++++++ justfile | 18 ++- 35 files changed, 850 insertions(+), 44 deletions(-) create mode 100644 common/base.nix create mode 100644 common/desktop.nix create mode 100644 common/hardening.nix create mode 100644 common/laptop.nix create mode 100644 common/plymouth.nix create mode 100644 common/podman.nix rename {common => home/common}/atuin.nix (100%) rename {common => home/common}/broot.nix (100%) create mode 100644 home/common/default.nix rename {common => home/common}/devel.nix (100%) rename {common => home/common}/fish.nix (90%) rename {common => home/common}/gnome.nix (100%) rename {common => home/common}/k8s.nix (100%) create mode 100644 home/common/nix.nix rename {common => 
home/common}/nvim.nix (86%) rename {common => home/common}/scripts.nix (80%) rename {common => home/common}/ssh.nix (100%) rename {common => home/common}/utils.nix (100%) rename {common => home/common}/vcs.nix (100%) rename {common => home/common}/web.nix (100%) rename {common => home/common}/wezterm.nix (63%) rename {users => home}/dln/desktop.nix (100%) rename {users => home}/dln/dinky.nix (100%) rename {users => home}/dln/home.nix (100%) rename {users => home}/dln/nemo.nix (100%) rename {users => home}/lsjostro/home.nix (100%) rename {users => home}/lsjostro/nemo.nix (100%) create mode 100644 hosts/dinky/default.nix create mode 100644 hosts/nemo/default.nix diff --git a/README.md b/README.md index a989f47..fee8b5d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,31 @@ -# Home Manager +# NixOS Config IT in a box! + +## Bootstrapping from a fresh NixOS installation + +1. Install NixOS +2. Clone this repo: + + ``` + nix-shell -p git --command 'git clone https://git.shelman.io/shelmangroup/nixos-config.git' + ``` + +3. Ensure host configuration exists at `./nixos-config/hosts/${HOSTNAME}` and contains at minimum the hardware configuration. The NixOS installer will write this out to `/etc/nixos/hardware-configuration.nix`. +4. Apply configuration: + ``` + sudo nixos-rebuild boot --flake ./nixos-config#${HOSTNAME} + ``` + +## Use + +1. Clone this repo somewhere convenient, like `~/src/shelman/nixos-config` +2. Apply configuration: `just switch` + +## Update + +Update nixpkgs and switch: `just update` + +# Home Manager + +`just home-switch` diff --git a/common/base.nix b/common/base.nix new file mode 100644 index 0000000..269169b --- /dev/null +++ b/common/base.nix 
@@ -0,0 +1,42 @@ +{ pkgs, ... }: + +{ + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + kernelPackages = pkgs.linuxPackages_zen; + }; + + time.timeZone = "Europe/Stockholm"; + + environment.systemPackages = with pkgs; [ + btrfs-progs + btrfs-snap + git + glibcLocales + qemu_kvm + qemu-utils + vim + zstd + ]; + + # Use fish, but not in /etc/passwd . See https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell + programs.bash = { + interactiveShellInit = '' + if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]] + then + shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION="" + exec ${pkgs.fish}/bin/fish $LOGIN_OPTION + fi + ''; + shellInit = '' + export NIX_LD=$(nix eval --impure --raw --expr 'let pkgs = import {}; NIX_LD = pkgs.lib.fileContents "${pkgs.stdenv.cc}/nix-support/dynamic-linker"; in NIX_LD') + ''; + }; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; +} diff --git a/common/default.nix b/common/default.nix index d36eaaa..fcbbc87 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,21 +1,11 @@ -{ lib, ... }: { imports = [ - ./atuin.nix - ./broot.nix - ./devel.nix - ./fish.nix - ./gnome.nix - ./k8s.nix + ./base.nix + ./desktop.nix + ./hardening.nix + ./laptop.nix ./nix.nix - ./nvim.nix - ./scripts.nix - ./ssh.nix - ./utils.nix - ./vcs.nix - ./web.nix - ./wezterm.nix + ./plymouth.nix + ./podman.nix ]; - - options.shelman.desktop.enable = lib.mkEnableOption "Desktop environment"; } diff --git a/common/desktop.nix b/common/desktop.nix new file mode 100644 index 0000000..d7eefa2 --- /dev/null +++ b/common/desktop.nix 
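Review bot: `programs.bash.shellInit` spawns `nix eval --impure` on every bash start, including non-interactive `bash -c` and scripts, which is slow and evaluates whatever the caller's environment resolves the nixpkgs lookup path to rather than this flake's pinned input; the `import {}` in the hunk also reads as if a `<nixpkgs>` lookup path was dropped in rendering, so please check the real file. Since common/nix.nix in this same commit turns on `programs.nix-ld`, which I believe exports `NIX_LD` into the system environment on its own, this block looks redundant; I would remove it, or at minimum guard it with `if [ -z "$NIX_LD" ]; then … fi` so it never overrides the module-provided value. The `exec fish` dance in `interactiveShellInit` follows the wiki pattern it links and is fine as is.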
@@ -0,0 +1,107 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + inherit (lib) mkIf mkEnableOption; + cfg = config.shelman.podman; +in +{ + options.shelman.desktop.enable = mkEnableOption "Desktop environment and common applications"; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ gnome-ssh-askpass4 ]; + + # Excluding some GNOME applications from the default install + environment.gnome.excludePackages = + (with pkgs; [ + gnome-connections + gnome-photos + gnome-tour + snapshot + ]) + ++ (with pkgs.gnome; [ + atomix # puzzle game + baobab # disk usage analyzer + cheese # webcam tool + epiphany # web browser + geary # email reader + gnome-clocks + gnome-contacts + gnome-disk-utility + gnome-logs + gnome-music + gnome-terminal + hitori # sudoku game + iagno # go game + simple-scan + tali # poker game + yelp # help viewer + ]); + + fonts = { + fontDir.enable = true; + fontconfig = { + allowBitmaps = false; + antialias = true; + defaultFonts = { + serif = [ "Liberation Serif" ]; + sansSerif = [ "Inter" ]; + monospace = [ "BerkeleyMono Nerd Font" ]; + }; + hinting.enable = true; + hinting.style = "slight"; + subpixel.rgba = "rgb"; + }; + packages = with pkgs; [ + inter + jetbrains-mono + liberation_ttf + monaspace + (pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; }) + noto-fonts + noto-fonts-cjk + noto-fonts-color-emoji + roboto + ubuntu_font_family + ]; + }; + + programs.ssh.askPassword = "${pkgs.gnome-ssh-askpass4}/bin/gnome-ssh-askpass4"; + programs.ssh.startAgent = true; + + programs.steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + localNetworkGameTransfers.openFirewall = true; + }; + + services.gnome.gnome-keyring.enable = true; + + services.printing.enable = true; + + services.xserver = { + enable = true; + displayManager.defaultSession = "gnome"; + displayManager.gdm.enable = true; + displayManager.gdm.autoSuspend = false; + desktopManager.gnome.enable = true; + xkb.layout = 
"se";
+ xkb.variant = "us";
+ };
+
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+ };
+}
diff --git a/common/hardening.nix b/common/hardening.nix
new file mode 100644
index 0000000..4095ce0
--- /dev/null
+++ b/common/hardening.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ nix.settings.allowed-users = [
+ "@wheel"
+ "root"
+ ];
+
+ boot.specialFileSystems = lib.mkIf (
+ !config.security.rtkit.enable && !config.security.polkit.enable
+ ) { "/proc".options = [ "hidepid=2" ]; };
+
+ boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
+
+ environment.systemPackages = [ pkgs.doas-sudo-shim ];
+
+ security = {
+ doas = {
+ enable = true;
+ extraRules = [
+ {
+ groups = [ "wheel" ];
+ keepEnv = true;
+ persist = true;
+ }
+ ];
+ };
+ sudo.enable = false;
+ };
+
+ services.openssh = {
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ # prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
+ # authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
+ };
+
+ users.users.root.hashedPassword = "!";
+}
diff --git a/common/laptop.nix b/common/laptop.nix
new file mode 100644
index 0000000..c9d5688
--- /dev/null
+++ b/common/laptop.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.shelman.podman;
+in
+{
+ options.shelman.laptop.enable = mkEnableOption "Laptop tools and configuration";
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ gnomeExtensions.battery-health-charging ];
+
+ services.fprintd.enable = true;
+ };
+}
diff --git a/common/nix.nix b/common/nix.nix
index 3b66fd3..c94c16d 100644
--- a/common/nix.nix
+++ b/common/nix.nix
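Review bot: `cfg = config.shelman.podman` in common/desktop.nix does not match the option this module declares, `options.shelman.desktop.enable`, so the entire desktop stack (GDM, GNOME, pipewire, the steam firewall openings) is keyed on the podman flag and `shelman.desktop.enable` is dead; it should read `cfg = config.shelman.desktop;`. Both hosts in this commit set both flags, which is why nothing visibly breaks today. Separately, the three `openFirewall = true` lines under `programs.steam` punch inbound holes on every interface of every desktop host, including the laptop on whatever network it joins; I would leave them off in the shared module and enable them per host with a comment stating which LAN they are meant for.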
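Review bot: the `hidepid=2` mount option for /proc in common/hardening.nix is gated on `!config.security.rtkit.enable && !config.security.polkit.enable`, but common/desktop.nix in this same commit sets `security.rtkit.enable = true` and enables GNOME, so on both hosts that import this module the guard is false and /proc stays unhardened with no warning. If that is intended, make it visible, e.g. `# hidepid=2 is silently skipped whenever rtkit/polkit are on, i.e. on every desktop host; only headless hosts get it`, otherwise wrap the condition in `lib.warnIf` so a no-op cannot pass for hardening. The doas rule also grants all of wheel `keepEnv = true` and `persist = true`, which carries the caller's environment into root sessions and caches the authorization; a one-line comment on why both are wanted would help the next reader. The commented-out `authorizedKeysFiles` override appears to be exactly what would make sshd honour only the per-user `openssh.authorizedKeys.keys` declared in hosts/*, so either enable it or remove the dead comment.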
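Review bot: `cfg = config.shelman.podman` in common/laptop.nix should be `cfg = config.shelman.laptop;` — the module declares `options.shelman.laptop.enable` but never reads it. As written, nemo, which enables podman but not laptop in hosts/nemo/default.nix, gets `services.fprintd.enable = true`, and as far as I recall enabling fprintd in NixOS also defaults fingerprint auth on in the PAM stacks, so a desktop without a reader picks up an extra module in its login and doas path while dinky's `laptop.enable = true` has no effect at all.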
@@ -1,15 +1,47 @@ -{ outputs, ... }: { + inputs, + outputs, + lib, + config, + pkgs, + ... +}: + +{ + nix = + let + flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; + in + { + settings = { + auto-optimise-store = true; + experimental-features = "nix-command flakes"; + flake-registry = ""; + # Workaround for https://github.com/NixOS/nix/issues/9574 + nix-path = config.nix.nixPath; + substituters = [ "https://cache.nixos.org/" ]; + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + }; + channel.enable = false; + registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs; + nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; + }; + nixpkgs = { - config.allowUnfree = true; overlays = [ outputs.overlays.additions outputs.overlays.modifications outputs.overlays.unstable-packages ]; + config.allowUnfree = true; }; - programs.home-manager.enable = true; + programs.nh = { + enable = true; + clean.enable = true; + clean.extraArgs = "--keep-since 14d --keep 5"; + }; + programs.nix-ld.enable = true; - systemd.user.startServices = "sd-switch"; + environment.systemPackages = with pkgs; [ nvd ]; } diff --git a/common/plymouth.nix b/common/plymouth.nix new file mode 100644 index 0000000..bcf73cc --- /dev/null +++ b/common/plymouth.nix 
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.shelman.plymouth;
+in
+{
+ options.shelman.plymouth.enable = mkEnableOption "Fancy boot splash";
+
+ config = mkIf cfg.enable {
+ boot = {
+ consoleLogLevel = 0;
+ initrd.verbose = false;
+
+ # Hide the OS choice for bootloaders.
+ # It's still possible to open the bootloader list by pressing any key
+ # It will just not appear on screen unless a key is pressed
+ loader.timeout = 0;
+
+ kernelParams = [
+ "quiet"
+ "splash"
+ "boot.shell_on_fail"
+ "loglevel=3"
+ "rd.systemd.show_status=false"
+ "rd.udev.log_level=3"
+ "udev.log_priority=3"
+ ];
+
+ plymouth = {
+ enable = true;
+ theme = "spinner_alt";
+ themePackages = with pkgs; [
+ (adi1090x-plymouth-themes.override { selected_themes = [ "spinner_alt" ]; })
+ ];
+ };
+ };
+
+ };
+}
diff --git a/common/podman.nix b/common/podman.nix
new file mode 100644
index 0000000..02540ee
--- /dev/null
+++ b/common/podman.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.shelman.podman;
+in
+{
+ options.shelman.podman.enable = mkEnableOption "Podman";
+
+ config = mkIf cfg.enable {
+ environment.extraInit = ''
+ if [ -z "$DOCKER_HOST" -a -n "$XDG_RUNTIME_DIR" ]; then
+ export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/podman/podman.sock"
+ fi
+ '';
+
+ environment.systemPackages = with pkgs; [
+ docker-compose
+ podman-compose
+ ];
+
+ virtualisation = {
+ containers = {
+ enable = true;
+ storage.settings = {
+ storage = {
+ driver = "overlay";
+ runroot = "/run/containers/storage";
+ graphroot = "/var/lib/containers/storage";
+ rootless_storage_path = "/tmp/containers-$USER";
+ options.overlay.mountopt = "nodev,metacopy=on";
+ };
+ };
+ };
+
+ oci-containers.backend = "podman";
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 09d6f23..708bc20 100644
--- a/flake.lock
+++ b/flake.lock
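Review bot: `"boot.shell_on_fail"` in `kernelParams` drops to an unauthenticated root shell in the initrd whenever stage 1 fails, and it is switched on for every host that sets `shelman.plymouth.enable`. On dinky that shell runs before the LUKS volume is unlocked so exposure is limited, but hosts/nemo/default.nix in this commit has an unencrypted btrfs root, where anyone at the console who can make boot fail gets root on the real filesystem, and `loader.timeout = 0` does not change that. I would drop it from the shared splash module and add it per host only while debugging, with a comment such as `# boot.shell_on_fail = root shell on initrd failure; only acceptable behind full-disk encryption`.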
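Review bot: `rootless_storage_path = "/tmp/containers-$USER"` puts every user's rootless container graph in a world-writable shared directory under a predictable name. On nemo, which has two interactive users, another local user can pre-create `/tmp/containers-<name>` or a symlink there before the victim's first podman run, and if /tmp is tmpfs the storage also vanishes on each reboot. Unless there is a reason to avoid the containers-storage default under the user's `~/.local/share/containers/storage`, I would delete this line; if a fast scratch location is the goal, point it at a per-user directory created with the user's ownership instead. I have not verified how this version of containers-storage expands `$USER` in that setting, so please confirm it is honoured at all.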
@@ -1,5 +1,55 @@ { "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "stable": "stable" + }, + "locked": { + "lastModified": 1711386353, + "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=", + "path": "/nix/store/in94zdj4ls6p21r3q4zzvmbd61g9ap3b-source", + "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db", + "type": "path" + }, + "original": { + "id": "colmena", + "type": "indirect" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -7,11 +57,11 @@ ] }, "locked": { - "lastModified": 1722462338, - "narHash": "sha256-ss0G8t8RJVDewA3MyqgAlV951cWRK6EtVhVKEZ7J5LU=", + "lastModified": 1722203588, + "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=", "owner": "nix-community", "repo": "home-manager", - "rev": "6e090576c4824b16e8759ebca3958c5b09659ee8", + "rev": "792757f643cedc13f02098d8ed506d82e19ec1da", "type": "github" }, "original": { 
@@ -24,11 +74,27 @@ "locked": { "lastModified": 1722421184, "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", - "owner": "nixos", + "owner": "NixOS", "repo": "nixpkgs", "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", "type": "github" }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1722062969, + "narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3", + "type": "github" + }, "original": { "owner": "nixos", "ref": "nixos-unstable", @@ -38,8 +104,25 @@ }, "root": { "inputs": { + "colmena": "colmena", "home-manager": "home-manager", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" + } + }, + "stable": { + "locked": { + "lastModified": 1696039360, + "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 2ea8237..75a57a5 100644 --- a/flake.nix +++ b/flake.nix @@ -12,6 +12,7 @@ { self, nixpkgs, + colmena, home-manager, ... }@inputs: @@ -21,18 +22,27 @@ mkHome = modules: home-manager.lib.homeManagerConfiguration { - modules = [ ./common ] ++ modules; + modules = [ ./home/common ] ++ modules; pkgs = nixpkgs.legacyPackages.x86_64-linux; extraSpecialArgs = { inherit inputs outputs; }; }; + mkHost = + modules: + nixpkgs.lib.nixosSystem { + specialArgs = { + inherit inputs outputs; + }; + system = "x86_64-linux"; + modules = [ ./common ] ++ modules; + }; + supportedSystems = [ "x86_64-linux" "aarch64-linux" ]; - forEachSystem = f: builtins.listToAttrs ( 
@@ -58,14 +68,19 @@ devShells = forEachSystem' ( { system, pkgs, ... }: { - default = pkgs.mkShell { packages = [ pkgs.just ]; }; + default = pkgs.mkShell { packages = [ pkgs.colmena ]; }; } ); homeConfigurations = { - "dln@dinky" = mkHome [ ./users/dln/dinky.nix ]; - "dln@nemo" = mkHome [ ./users/dln/nemo.nix ]; - "lsjostro@nemo" = mkHome [ ./users/lsjostro/nemo.nix ]; + "dln@dinky" = mkHome [ ./home/dln/dinky.nix ]; + "dln@nemo" = mkHome [ ./home/dln/nemo.nix ]; + "lsjostro@nemo" = mkHome [ ./home/lsjostro/nemo.nix ]; + }; + + nixosConfigurations = { + dinky = mkHost [ ./hosts/dinky ]; + nemo = mkHost [ ./hosts/nemo ]; }; }; diff --git a/common/atuin.nix b/home/common/atuin.nix similarity index 100% rename from common/atuin.nix rename to home/common/atuin.nix diff --git a/common/broot.nix b/home/common/broot.nix similarity index 100% rename from common/broot.nix rename to home/common/broot.nix diff --git a/home/common/default.nix b/home/common/default.nix new file mode 100644 index 0000000..d36eaaa --- /dev/null +++ b/home/common/default.nix @@ -0,0 +1,21 @@ +{ lib, ... }: +{ + imports = [ + ./atuin.nix + ./broot.nix + ./devel.nix + ./fish.nix + ./gnome.nix + ./k8s.nix + ./nix.nix + ./nvim.nix + ./scripts.nix + ./ssh.nix + ./utils.nix + ./vcs.nix + ./web.nix + ./wezterm.nix + ]; + + options.shelman.desktop.enable = lib.mkEnableOption "Desktop environment"; +} diff --git a/common/devel.nix b/home/common/devel.nix similarity index 100% rename from common/devel.nix rename to home/common/devel.nix diff --git a/common/fish.nix b/home/common/fish.nix similarity index 90% rename from common/fish.nix rename to home/common/fish.nix index 1d619bf..107493d 100644 --- a/common/fish.nix +++ b/home/common/fish.nix @@ -93,7 +93,7 @@ rg.body = '' if status is-interactive - command rg --json $argv | delta + command rg -p $argv | bat else command rg $argv end 
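Review bot: the devShell now ships `pkgs.colmena` but no longer `pkgs.just`, while the README and justfile in this same commit still drive every operation through `just`; keep both with `packages = [ pkgs.colmena pkgs.just ];`. Also, the flake.lock hunk records the new `colmena` input as `"type": "indirect"` locked to a `"path"` under `/nix/store/…`, meaning it was resolved through a local registry rather than pinned to a forge revision, and common/nix.nix sets `flake-registry = ""`, so a fresh checkout may not resolve it the same way. The `inputs.colmena` declaration is outside this hunk, as is the start of the `outputs` function; please confirm the input is an explicit `github:` URL so the lock carries a real `rev`.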
@@ -101,11 +101,11 @@ }; interactiveShellInit = lib.concatStringsSep "\n" [ - (builtins.readFile ../files/config/fish/config.fish) - (builtins.readFile ../files/config/fish/semantic-prompt.fish) - (builtins.readFile ../files/config/fish/go-task.fish) - (builtins.readFile ../files/config/fish/jj.fish) - (builtins.readFile ../files/config/fish/vcs.fish) + (builtins.readFile ../../files/config/fish/config.fish) + (builtins.readFile ../../files/config/fish/semantic-prompt.fish) + (builtins.readFile ../../files/config/fish/go-task.fish) + (builtins.readFile ../../files/config/fish/jj.fish) + (builtins.readFile ../../files/config/fish/vcs.fish) ]; shellAbbrs = { diff --git a/common/gnome.nix b/home/common/gnome.nix similarity index 100% rename from common/gnome.nix rename to home/common/gnome.nix diff --git a/common/k8s.nix b/home/common/k8s.nix similarity index 100% rename from common/k8s.nix rename to home/common/k8s.nix diff --git a/home/common/nix.nix b/home/common/nix.nix new file mode 100644 index 0000000..3b66fd3 --- /dev/null +++ b/home/common/nix.nix @@ -0,0 +1,15 @@ +{ outputs, ... }: +{ + nixpkgs = { + config.allowUnfree = true; + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.unstable-packages + ]; + }; + + programs.home-manager.enable = true; + + systemd.user.startServices = "sd-switch"; +} diff --git a/common/nvim.nix b/home/common/nvim.nix similarity index 86% rename from common/nvim.nix rename to home/common/nvim.nix index 83f255b..9e65aaf 100644 --- a/common/nvim.nix +++ b/home/common/nvim.nix @@ -13,7 +13,7 @@ xdg.configFile = { "nvim" = { recursive = true; - source = ./../files/config/nvim; + source = ./../../files/config/nvim; }; }; } diff --git a/common/scripts.nix b/home/common/scripts.nix similarity index 80% rename from common/scripts.nix rename to home/common/scripts.nix index 4848c39..7f607ac 100644 --- a/common/scripts.nix +++ b/home/common/scripts.nix 
@@ -8,7 +8,7 @@ home.file = { ".local/bin" = { recursive = true; - source = ./../files/scripts; + source = ./../../files/scripts; }; }; diff --git a/common/ssh.nix b/home/common/ssh.nix similarity index 100% rename from common/ssh.nix rename to home/common/ssh.nix diff --git a/common/utils.nix b/home/common/utils.nix similarity index 100% rename from common/utils.nix rename to home/common/utils.nix diff --git a/common/vcs.nix b/home/common/vcs.nix similarity index 100% rename from common/vcs.nix rename to home/common/vcs.nix diff --git a/common/web.nix b/home/common/web.nix similarity index 100% rename from common/web.nix rename to home/common/web.nix diff --git a/common/wezterm.nix b/home/common/wezterm.nix similarity index 63% rename from common/wezterm.nix rename to home/common/wezterm.nix index 6555bdb..2aa7913 100644 --- a/common/wezterm.nix +++ b/home/common/wezterm.nix @@ -4,7 +4,7 @@ programs.wezterm = { enable = true; - extraConfig = builtins.readFile ./../files/config/wezterm/wezterm.lua; + extraConfig = builtins.readFile ./../../files/config/wezterm/wezterm.lua; }; }; diff --git a/users/dln/desktop.nix b/home/dln/desktop.nix similarity index 100% rename from users/dln/desktop.nix rename to home/dln/desktop.nix diff --git a/users/dln/dinky.nix b/home/dln/dinky.nix similarity index 100% rename from users/dln/dinky.nix rename to home/dln/dinky.nix diff --git a/users/dln/home.nix b/home/dln/home.nix similarity index 100% rename from users/dln/home.nix rename to home/dln/home.nix diff --git a/users/dln/nemo.nix b/home/dln/nemo.nix similarity index 100% rename from users/dln/nemo.nix rename to home/dln/nemo.nix diff --git a/users/lsjostro/home.nix b/home/lsjostro/home.nix similarity index 100% rename from users/lsjostro/home.nix rename to home/lsjostro/home.nix diff --git a/users/lsjostro/nemo.nix b/home/lsjostro/nemo.nix similarity index 100% rename from users/lsjostro/nemo.nix rename to home/lsjostro/nemo.nix 
diff --git a/hosts/dinky/default.nix b/hosts/dinky/default.nix new file mode 100644 index 0000000..851801a --- /dev/null +++ b/hosts/dinky/default.nix 
@@ -0,0 +1,113 @@ +{ + inputs, + outputs, + lib, + config, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ + "xhci_pci" + "thunderbolt" + "nvme" + "usb_storage" + "sd_mod" + ]; + kernelModules = [ ]; + luks.devices."enc".device = "/dev/disk/by-uuid/e7c7a230-b321-4e6d-869c-6c2d858455d2"; + systemd.enable = true; + }; + kernelModules = [ "kvm-intel" ]; + kernelParams = [ "mitigations=off" ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/81e5205d-fe1e-458f-82e1-d60ab03c0a1d"; + fsType = "btrfs"; + options = [ + "noatime" + "nodiratime" + ]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/D6C0-1A05"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + vpl-gpu-rt + intel-media-driver + vaapiVdpau + libvdpau-va-gl + ]; + }; + + hardware.nitrokey.enable = true; + + swapDevices = [ { device = "/dev/disk/by-uuid/c9cc5270-87b0-4ed4-9891-7df924b0f55a"; } ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + + environment.systemPackages = with pkgs; [ + android-tools + android-udev-rules + mullvad-vpn + ]; + + services.printing.enable = true; + services.printing.drivers = [ pkgs.brlaser ]; + + programs.adb.enable = true; + + networking = { + hostName = "dinky"; + useDHCP = lib.mkDefault true; + }; + + services.mullvad-vpn.enable = true; + + users.users.dln = { + isNormalUser = true; + description = "Daniel Lundin"; + extraGroups = [ + "adbusers" + "lp" + "nitrokey" + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILwakA+EeuR23vRhjvjMkzK+FtWIhpnbs7z1pfnBehCUAAAABHNzaDo= dln@dinky" + "sk-ssh-ed25519@openssh.com 
AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln@nemo" + ]; + }; + + shelman = { + desktop.enable = true; + laptop.enable = true; + plymouth.enable = true; + podman.enable = true; + }; + + services.xserver.displayManager.autoLogin.enable = true; + services.xserver.displayManager.autoLogin.user = "dln"; + systemd.services."getty@tty1".enable = false; + systemd.services."autovt@tty1".enable = false; + + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/nemo/default.nix b/hosts/nemo/default.nix new file mode 100644 index 0000000..dc4024d --- /dev/null +++ b/hosts/nemo/default.nix 
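Review bot: `kernelParams = [ "mitigations=off" ]` disables all CPU speculative-execution mitigations on a laptop that runs a browser, Steam and rootless containers, which is precisely the untrusted-code workload those mitigations exist for; hosts/nemo/default.nix makes the same choice. If the performance trade is intentional, keep it but say so next to the line, e.g. `# mitigations=off: accepts Spectre/MDS-class exposure for speed; do not copy to multi-user or server hosts`. Note too that with `autoLogin` into dln and `getty@tty1`/`autovt@tty1` disabled, the LUKS passphrase at boot is the only authentication before a full GNOME session exists; that is a defensible single-user laptop model but worth stating in a comment beside the autoLogin lines.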
@@ -0,0 +1,192 @@ +{ + lib, + config, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot = { + extraModulePackages = with config.boot.kernelPackages; [ nct6687d ]; + initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nct6687" + "nvme" + "firewire_ohci" + "usbhid" + "usb_storage" + "sd_mod" + ]; + initrd.kernelModules = [ "nct6687" ]; + kernelModules = [ + "nct6687" + "kvm-intel" + ]; + extraModprobeConfig = '' + options nct6687 force=1 + ''; + kernelParams = [ "mitigations=off" ]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/b9514f88-1c83-4596-999f-7e3640db6a86"; + fsType = "btrfs"; + options = [ + "subvol=@" + "noatime" + "nodiratime" + ]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/b9514f88-1c83-4596-999f-7e3640db6a86"; + fsType = "btrfs"; + options = [ + "subvol=@home" + "noatime" + "nodiratime" + ]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2670-0FCA"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + vpl-gpu-rt + intel-media-driver + vaapiVdpau + libvdpau-va-gl + ]; + }; + + swapDevices = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + + networking = { + hostName = "nemo"; # Define your hostname. 
+ nameservers = [ + "10.1.100.11" + "10.1.100.12" + "10.1.100.13" + ]; + networkmanager.enable = false; + useDHCP = false; + wireless.iwd = { + enable = true; + settings = { + DriverQuirks.PowerSaveDisable = "*"; + Network = { + EnableIPv6 = false; + NameResolvingService = "systemd"; + }; + Scan.DisablePeriodicScan = true; + Settings = { + AutoConnect = true; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 22000 # Syncthing + ]; + networking.firewall.allowedUDPPorts = [ + 22000 # Synchthing + 21027 + ]; + + systemd.network.enable = true; + systemd.network.networks."10-wifi" = { + matchConfig.Name = "wlan0"; + address = [ "10.1.100.20/24" ]; + gateway = [ "10.1.100.1" ]; + linkConfig.RequiredForOnline = "routable"; + }; + + security = { + pam.services.doas = + { config, ... }: + { + rules.auth.rssh = { + order = config.rules.auth.ssh_agent_auth.order - 1; + control = "sufficient"; + modulePath = "${pkgs.pam_rssh}/lib/libpam_rssh.so"; + settings.authorized_keys_command = pkgs.writeShellScript "get-authorized-keys" '' + cat "/etc/ssh/authorized_keys.d/$1" + ''; + }; + }; + }; + + services.resolved = { + enable = true; + domains = [ "~." 
]; + fallbackDns = [ "9.9.9.9" ]; + }; + + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + StreamLocalBindUnlink = true; + }; + }; + + services.sunshine = { + enable = true; + openFirewall = true; + settings = { }; + }; + + shelman = { + desktop.enable = true; + plymouth.enable = true; + podman.enable = true; + }; + + environment.systemPackages = with pkgs; [ + ffado + lm_sensors + openconnect + pam_rssh + ]; + + programs.coolercontrol.enable = true; + + users.users.dln = { + isNormalUser = true; + description = "Daniel Lundin"; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIHMAEZx02kbHrEygyPQYStiXlrIe6EIqBCv7anIkL0pAAAABHNzaDo= dln@dinky" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln@nemo" + ]; + }; + + users.users.lsjostro = { + isNormalUser = true; + description = "Lars Sjöström"; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJ10mLOpInoqDaySyrxbzvcOrJfLw48Y6eWHa9501lw+hEEBXya3ib7nlvpCqEQJ8aPU5fVRqpkOW5zSimCiRbwAAAAEc3NoOg==" + "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLpoKvsZDIQQLfgzJhe1jAQubBNxjydkj8UfdUPaSXqgfB02OypMOC1m5ZuJYcQIxox0I+4Z8xstFhYP6s8zKZwAAAAEc3NoOg==" + ]; + }; + + system.stateVersion = "24.05"; # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion +} diff --git a/justfile b/justfile index 73fe5fa..75763bf 100644 --- a/justfile +++ b/justfile 
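Review bot: the `pam.services.doas` rule registers pam_rssh as `sufficient`, so any process that can reach the user's `SSH_AUTH_SOCK` and obtain a signature for a key in `/etc/ssh/authorized_keys.d/<user>` gets root through doas without a password, and with `persist = true` from common/hardening.nix that includes agents forwarded in from other machines. The keys declared for both users are `sk-` FIDO keys, which should require a physical touch per signature and limits this considerably, but that dependency is invisible at this rule; I would add `# pam_rssh: root via doas for whoever holds the user's SSH agent — relies on the sk-* keys demanding a touch` above it. The `authorized_keys_command` reads the file named by `$1`, which is only safe because PAM supplies the already-resolved login name; a word on that belongs in the same comment. This host also sets `"mitigations=off"` and `services.sunshine.openFirewall = true` on a static Wi-Fi address, both of which deserve a justifying comment rather than a bare setting.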
@@ -4,14 +4,26 @@ set shell := ["/usr/bin/env", "bash", "-euo", "pipefail", "-c"] default: @just --list +boot: + nh os boot . + +build: + nh os build . + +switch: + nh os switch . + +update: + nh os switch --update --ask . + clean: nh clean all -build: +home-build: nh home build . -switch: +home-switch: nh home switch . -update: +home-update: nh home switch --update --ask .