diff --git a/flake.nix b/flake.nix
index a72e68a..6ce19de 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,11 +37,12 @@ in {
 devShells.default = pkgs.mkShell {
 packages = [
- pkgs.colmena
- pkgs.nixfmt
- pkgs.git
- pkgs.update-nix-fetchgit
- agenix.packages.${system}.ragenix
+ pkgs.colmena # remote deployment
+ pkgs.nixfmt # formatting
+ pkgs.git # version control
+ pkgs.update-nix-fetchgit # auto update fetchs
+ agenix.packages.${system}.ragenix # secrets
+ pkgs.sbctl # secure boot
 ];
 };
 })) // {
diff --git a/hosts/neodymium/configuration.nix b/hosts/neodymium/configuration.nix
index d3f1896..b7e75f6 100644
--- a/hosts/neodymium/configuration.nix
+++ b/hosts/neodymium/configuration.nix
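Review bot: Moving sbctl into the flake's devShell only makes it available wherever that shell is entered, while the same commit drops `environment.systemPackages = [ pkgs.sbctl ];` from hosts/neodymium/configuration.nix and the secure-boot state it manages lives on the host under the `pkiBundle = "/etc/secureboot";` declared in system/boot/lanzaboot.nix. If neodymium is deployed remotely with the colmena listed just above, the host itself no longer carries the tool for key enrolment or `sbctl verify` checks; if the shell is only ever entered on neodymium this is fine, but the comment should say so. Consider keeping `environment.systemPackages = [ pkgs.sbctl ];` next to the lanzaboote settings in system/boot/lanzaboot.nix rather than in the devShell.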
@@ -1,138 +1,14 @@
-{ config, pkgs, lib, ... }: {
- imports = [ ./hardware-configuration.nix ];
-
- # networking
- networking.hostName = "neodymium";
- networking.networkmanager.enable = true;
- networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ ];
- networking.firewall.allowedUDPPorts = [ ];
-
- # bluetooth
- hardware.bluetooth.enable = true;
- services.blueman.enable = true;
-
- # wireguard vpn
- networking.wg-quick.interfaces = {
- wg0 = {
- privateKeyFile = "/root/wireguard-keys/private";
- address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
- dns = [ "10.0.0.1" ];
- peers = [{
- publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
- allowedIPs = [ "0.0.0.0/0" "::0/0" ];
- endpoint = "fainsin.bzh:5553";
- persistentKeepalive = 30;
- }];
- };
- };
- systemd.services.wg-quick-wg0 = {
- serviceConfig = {
- Type = lib.mkForce "simple";
- Restart = "on-failure";
- RestartSec = "10s";
- };
- unitConfig = {
- StartLimitIntervalSec = 0; # ensure Restart= is always honoured
- };
- };
-
- # This should already be here from switching to bootspec earlier.
- # It's not required anymore, but also doesn't do any harm.
- boot.bootspec.enable = true;
-
- environment.systemPackages = [
- # For debugging and troubleshooting Secure Boot.
- pkgs.sbctl
- ];
-
- # Lanzaboote currently replaces the systemd-boot module.
- # This setting is usually set to true in configuration.nix
- # generated at installation time. So we force it to false
- # for now.
- boot.loader.systemd-boot.enable = lib.mkForce false;
-
- boot.lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
-
- # enable NTFS disk mounting
- boot.loader.efi.canTouchEfiVariables = true;
- boot.supportedFilesystems = [ "ntfs" ];
-
- # clean /tmp at each boot
- boot.tmp.cleanOnBoot = true;
-
- # use latest kernel
- boot.kernelPackages = pkgs.linuxPackages_latest;
-
- # restrict nix command to sudoers
- nix.settings.allowed-users = [ "@wheel" ];
+{ pkgs, ... }: {
+ imports = [ ./hardware-configuration.nix ./system ];
 # shorter timeout for systemd services
 systemd.extraConfig = ''
 DefaultTimeoutStopSec=10s
 '';
- # hardware
- hardware = {
- enableRedistributableFirmware = true;
- opengl = {
- enable = true;
- driSupport = true;
- };
- };
-
- # logind configuration
- services.logind = {
- lidSwitch = "ignore";
- extraConfig = ''
- HandlePowerKey=suspend
- '';
- };
-
- services.tlp.enable = true;
-
- # greeter
- services.greetd = {
- enable = true;
- settings = {
- default_session = {
- command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
- user = "greeter";
- };
- };
- };
-
- # internationalisation
- time.timeZone = "Europe/Paris";
- i18n.defaultLocale = "en_DK.UTF-8";
- console.keyMap = "fr";
-
- # fonts
- fonts.fonts = with pkgs; [
- noto-fonts
- noto-fonts-cjk
- noto-fonts-extra
- noto-fonts-emoji
- fira-code
- fira-code-symbols
- (nerdfonts.override { fonts = [ "FiraCode" ]; })
- ];
-
 # udev
 services.udev.packages = [ pkgs.android-udev-rules ];
- # audio
- services.pipewire = {
- enable = true;
- alsa.enable = true;
- pulse.enable = true;
- };
-
- services.gnome.gnome-keyring.enable = true;
- services.dbus.enable = true;
 xdg.portal = {
 enable = true;
@@ -140,96 +16,25 @@ extraPortals = [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ]; };
- programs.light.enable = true;
+ users = {
+ # disable user creation/deletion
+ mutableUsers = false;
- users.mutableUsers = false;
- users.users.laurent = {
- isNormalUser = true;
- initialPassword = "laurent";
- extraGroups = [ "wheel" "video" "docker" "adbusers" ];
- shell = pkgs.zsh;
+ # damn, who's this handsome guy?
+ users.laurent = {
+ isNormalUser = true;
+ initialPassword = "laurent";
+ extraGroups = [ "wheel" "video" "docker" "adbusers" ];
+ shell = pkgs.zsh;
+ };
 };
 programs.zsh.enable = true;
 home-manager = { users.laurent = ./home; };
- # enable docker
- virtualisation.docker = {
- enable = true;
- storageDriver = "btrfs";
- enableOnBoot = false;
- autoPrune.enable = true;
- };
-
 # enable gnome virtual file system
 services.gvfs.enable = true;
- # enable gpg agent
- programs.gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- pinentryFlavor = "gnome3";
- };
-
- # enable polkit
- security.polkit.enable = true;
-
- # allow swaylock to use pam
- security.pam.services.swaylock = { };
-
- # enable unfree
- nixpkgs.config.allowUnfree = true;
-
- # experimental features
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- # optimizations
- nix.settings.auto-optimise-store = true;
- nix.gc = {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 30d";
- };
-
- age.secrets.borgbackup = {
- file = "/home/laurent/infrastructure/secrets/borgbackup.age";
- owner = "laurent";
- group = "users";
- };
- age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
-
- services.borgbackup.jobs.home = {
- paths = "/home/laurent/";
- repo = "/mnt/home_backup";
- exclude = [
- # Largest cache dirs
- ".cache"
- ".compose-cache"
- "*/cache"
- "*/cache2" # firefox
- "*/Cache"
- "*/Code Cache"
- ".config/Slack/logs"
- ".config/Code/CachedData"
- ".container-diff"
- ".npm/_cacache"
- # Work related dirs
- "*/node_modules"
- "*/bower_components"
- "*/build"
- "*/_build"
- "*/.tox"
- "*/venv"
- "*/.venv"
- ];
- encryption = {
- mode = "repokey";
- passCommand = "cat ${config.age.secrets.borgbackup.path}";
- };
- compression = "auto,zstd";
- startAt = [ ];
- };
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. Itβ€˜s perfectly fine and recommended to leave
diff --git a/hosts/neodymium/home/wayland/default.nix b/hosts/neodymium/home/wayland/default.nix
index 54a9fb7..5923256 100644
--- a/hosts/neodymium/home/wayland/default.nix
+++ b/hosts/neodymium/home/wayland/default.nix
@@ -12,6 +12,7 @@ in {
 defaultTimeout = 5000;
 extraConfig = builtins.readFile "${catppuccin-mako}/src/mocha";
 };
+
 wayland.windowManager.sway = {
 enable = true;
 package = (pkgs.swayfx.overrideAttrs (old: {
diff --git a/hosts/neodymium/system/age/default.nix b/hosts/neodymium/system/age/default.nix
new file mode 100644
index 0000000..7b0b5d7
--- /dev/null
+++ b/hosts/neodymium/system/age/default.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ age.secrets.borgbackup = {
+ file = "/home/laurent/infrastructure/secrets/borgbackup.age";
+ owner = "laurent";
+ group = "users";
+ };
+ age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
+}
diff --git a/hosts/neodymium/system/audio/default.nix b/hosts/neodymium/system/audio/default.nix
new file mode 100644
index 0000000..0edf1d4
--- /dev/null
+++ b/hosts/neodymium/system/audio/default.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ pulse.enable = true;
+ };
+}
diff --git a/hosts/neodymium/system/boot/default.nix b/hosts/neodymium/system/boot/default.nix
new file mode 100644
index 0000000..5bc534e
--- /dev/null
+++ b/hosts/neodymium/system/boot/default.nix
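Review bot: `initialPassword = "laurent";` combined with `mutableUsers = false;` in the new `users = { ... }` block is a permanent cleartext password, not an initial one: NixOS documents initialPassword as equivalent to `password` when mutableUsers is false, so the literal ends up in the world-readable Nix store and passwd cannot replace it. Since the repo already provisions agenix secrets (system/age/default.nix), a hash file is the fitting replacement, e.g. `hashedPasswordFile = config.age.secrets.<user-password-secret>.path;` (placeholder secret name, declared alongside the borgbackup one), which also requires re-adding `config` to the module arguments that the new `{ pkgs, ... }:` header drops. The comment `# disable user creation/deletion` understates the option; something like `# users, groups and passwords are fully declarative (no passwd/useradd)` describes why the password choice matters here.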
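Review bot: `file = "/home/laurent/infrastructure/secrets/borgbackup.age";` in system/age/default.nix is an absolute string path outside the flake, so the ciphertext is never copied into the store and every evaluation or activation depends on that path existing on the machine doing it, which the colmena devShell suggests may not be neodymium. A path literal relative to this module, presumably `file = ../../../../secrets/borgbackup.age;` if the repo root is the infrastructure/ directory, puts only the encrypted file into the store, which is what agenix is designed for. `age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];` ties decryption of a system-level secret to one user's personal key, which root must be able to read during activation with /home already mounted; agenix's default host key (`/etc/ssh/ssh_host_ed25519_key`) avoids that coupling, and if the user key is intentional a comment saying why would help the next reader.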
@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+ # support for mounting windaube partitions
+ boot.supportedFilesystems = [ "ntfs" ];
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # clean /tmp at each boot
+ boot.tmp.cleanOnBoot = true;
+
+ # use latest kernel
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ imports = [ ./lanzaboot.nix ];
+}
diff --git a/hosts/neodymium/system/boot/lanzaboot.nix b/hosts/neodymium/system/boot/lanzaboot.nix
new file mode 100644
index 0000000..4b695d2
--- /dev/null
+++ b/hosts/neodymium/system/boot/lanzaboot.nix
@@ -0,0 +1,16 @@
+{ lib, ... }: {
+ # This should already be here from switching to bootspec earlier.
+ # It's not required anymore, but also doesn't do any harm.
+ boot.bootspec.enable = true;
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+}
diff --git a/hosts/neodymium/system/borgbackup/default.nix b/hosts/neodymium/system/borgbackup/default.nix
new file mode 100644
index 0000000..290045a
--- /dev/null
+++ b/hosts/neodymium/system/borgbackup/default.nix
@@ -0,0 +1,33 @@
+{ config, ... }: {
+ services.borgbackup.jobs.home = {
+ paths = "/home/laurent/";
+ repo = "/mnt/home_backup";
+ exclude = [
+ # Largest cache dirs
+ ".cache"
+ ".compose-cache"
+ "*/cache"
+ "*/cache2" # firefox
+ "*/Cache"
+ "*/Code Cache"
+ ".config/Slack/logs"
+ ".config/Code/CachedData"
+ ".container-diff"
+ ".npm/_cacache"
+ # Work related dirs
+ "*/node_modules"
+ "*/bower_components"
+ "*/build"
+ "*/_build"
+ "*/.tox"
+ "*/venv"
+ "*/.venv"
+ ];
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.age.secrets.borgbackup.path}";
+ };
+ compression = "auto,zstd";
+ startAt = [ ];
+ };
+}
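Review bot: `startAt = [ ];` in system/borgbackup/default.nix leaves the home job without a systemd timer, so nothing in this module ever runs the backup; if that is deliberate it deserves a comment such as `# no timer: run the generated borg-job-home wrapper by hand`. The module takes `config` solely for `config.age.secrets.borgbackup.path`, which is declared in the sibling age module, so `# secret declared in ../age` above the encryption block would save a reader the search. `repo = "/mnt/home_backup";` has no guard that the backup volume is actually mounted, and the job's default initialisation would presumably create a fresh repository on the root filesystem if /mnt is empty; an assertion on the mount (or a RequiresMountsFor on the job's unit) is the usual safeguard.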
diff --git a/hosts/neodymium/system/default.nix b/hosts/neodymium/system/default.nix
new file mode 100644
index 0000000..79ce630
--- /dev/null
+++ b/hosts/neodymium/system/default.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+ imports = [
+ ./age
+ ./audio
+ ./boot
+ ./borgbackup
+ ./docker
+ ./fonts
+ ./greetd
+ ./hardware
+ ./i18n
+ ./networking
+ ./nix
+ ./security
+ ];
+}
diff --git a/hosts/neodymium/system/docker/default.nix b/hosts/neodymium/system/docker/default.nix
new file mode 100644
index 0000000..51671d9
--- /dev/null
+++ b/hosts/neodymium/system/docker/default.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ virtualisation.docker = {
+ enable = true;
+
+ storageDriver = "btrfs";
+ enableOnBoot = false;
+ autoPrune.enable = true;
+ };
+}
diff --git a/hosts/neodymium/system/fonts/default.nix b/hosts/neodymium/system/fonts/default.nix
new file mode 100644
index 0000000..9577247
--- /dev/null
+++ b/hosts/neodymium/system/fonts/default.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }: {
+ fonts.fonts = with pkgs; [
+ # https://notofonts.github.io/
+ noto-fonts # standard characters
+ noto-fonts-lgc-plus # latin, greek, and cyrillic
+ noto-fonts-cjk # chinese, japanese, and korean
+ noto-fonts-emoji # emojis 🐒
+
+ # https://github.com/tonsky/FiraCode
+ fira-code # standard characters
+ fira-code-symbols # unicode ligature glyphs
+
+ # https://github.com/ryanoasis/nerd-fonts
+ (nerdfonts.override { fonts = [ "FiraCode" ]; })
+ ];
+}
diff --git a/hosts/neodymium/system/greetd/default.nix b/hosts/neodymium/system/greetd/default.nix
new file mode 100644
index 0000000..5f37a65
--- /dev/null
+++ b/hosts/neodymium/system/greetd/default.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }: {
+ services.greetd = {
+ enable = true;
+
+ settings = {
+ default_session = {
+ command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
+ user = "greeter";
+ };
+ };
+ };
+}
diff --git a/hosts/neodymium/system/hardware/default.nix b/hosts/neodymium/system/hardware/default.nix
new file mode 100644
index 0000000..8758c21
--- /dev/null
+++ b/hosts/neodymium/system/hardware/default.nix
@@ -0,0 +1,28 @@
+{ ... }: {
+ # hardware
+ hardware = {
+ enableRedistributableFirmware = true;
+ opengl = {
+ enable = true;
+ driSupport = true;
+ };
+ };
+
+ # logind configuration
+ services.logind = {
+ lidSwitch = "ignore";
+ extraConfig = ''
+ HandlePowerKey=suspend
+ '';
+ };
+
+ # tlp, power management
+ services.tlp.enable = true;
+
+ # bluetooth
+ hardware.bluetooth.enable = true;
+ services.blueman.enable = true;
+
+ # backlight intensity
+ programs.light.enable = true;
+}
diff --git a/hosts/neodymium/system/i18n/default.nix b/hosts/neodymium/system/i18n/default.nix
new file mode 100644
index 0000000..d802dc9
--- /dev/null
+++ b/hosts/neodymium/system/i18n/default.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+ # FRANCE πŸ‡«πŸ‡· πŸ₯– πŸ₯
+ time.timeZone = "Europe/Paris";
+
+ # azerty keyboard
+ console.keyMap = "fr";
+
+ # english ISO metric system
+ i18n.defaultLocale = "en_DK.UTF-8";
+}
diff --git a/hosts/neodymium/system/networking/default.nix b/hosts/neodymium/system/networking/default.nix
new file mode 100644
index 0000000..dd994d8
--- /dev/null
+++ b/hosts/neodymium/system/networking/default.nix
@@ -0,0 +1,17 @@
+{ ... }: {
+ # set hostname
+ networking.hostName = "neodymium";
+
+ # use networkManager, see nmcli
+ networking.networkmanager.enable = true;
+
+ # firewall
+ networking.firewall = {
+ enable = true;
+
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
+
+ imports = [ ./wireguard.nix ];
+}
diff --git a/hosts/neodymium/system/networking/wireguard.nix b/hosts/neodymium/system/networking/wireguard.nix
new file mode 100644
index 0000000..788d5a2
--- /dev/null
+++ b/hosts/neodymium/system/networking/wireguard.nix
@@ -0,0 +1,31 @@
+{ lib, ... }: {
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ # client
+ privateKeyFile = "/root/wireguard-keys/private";
+ address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
+ dns = [ "10.0.0.1" ];
+
+ # server
+ peers = [{
+ publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ endpoint = "fainsin.bzh:5553";
+ persistentKeepalive = 30;
+ }];
+ };
+ };
+
+ # modify the systemd service to restart on failure every 10 seconds
+ systemd.services.wg-quick-wg0 = {
+ serviceConfig = {
+ Type = lib.mkForce "simple";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ };
+ unitConfig = {
+ # ensures Restart= is always honoured
+ StartLimitIntervalSec = 0;
+ };
+ };
+}
diff --git a/hosts/neodymium/system/nix/default.nix b/hosts/neodymium/system/nix/default.nix
new file mode 100644
index 0000000..dd94597
--- /dev/null
+++ b/hosts/neodymium/system/nix/default.nix
@@ -0,0 +1,20 @@
+{ ... }: {
+ # restrict nix command to sudoers
+ nix.settings.allowed-users = [ "@wheel" ];
+
+ # experimental features
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # optimizations
+ nix.settings.auto-optimise-store = true;
+
+ # garbage collection
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ # enable unfree
+ nixpkgs.config.allowUnfree = true;
+}
diff --git a/hosts/neodymium/system/security/default.nix b/hosts/neodymium/system/security/default.nix
new file mode 100644
index 0000000..0c05d44
--- /dev/null
+++ b/hosts/neodymium/system/security/default.nix
@@ -0,0 +1,17 @@
+{ ... }: {
+ # enable polkit
+ security.polkit.enable = true;
+
+ # enable gpg agent
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryFlavor = "gnome3";
+ };
+
+ # secrets keyring
+ services.gnome.gnome-keyring.enable = true;
+
+ # allow swaylock to use pam
+ security.pam.services.swaylock = { };
+}
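Review bot: `enableSSHSupport = true;` on the gpg agent and `services.gnome.gnome-keyring.enable = true;` in system/security/default.nix both bring an SSH agent, and which one ends up owning SSH_AUTH_SOCK in the sway session depends on startup order that nothing in this file pins. If gpg-agent is the intended SSH agent, say so (`# gpg-agent serves SSH keys; gnome-keyring is only used as a secrets store`) and make sure the keyring's ssh component is not started by the session; otherwise drop enableSSHSupport so there is a single agent to audit. `pinentryFlavor = "gnome3";` presumably still evaluates against the nixpkgs pinned by this flake, but newer releases replaced it with `pinentryPackage`, so a short comment tying it to the pin would save the next upgrade a surprise.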