♻️ modularize neodymium system config

This commit is contained in:
Laureηt 2023-05-16 21:10:41 +02:00
parent 4035f285af
commit fff918a2e8
Signed by: Laurent
SSH key fingerprint: SHA256:kZEpW8cMJ54PDeCvOhzreNr4FSh6R13CMGH/POoO8DI
18 changed files with 272 additions and 212 deletions

View file

@ -37,11 +37,12 @@
in {
devShells.default = pkgs.mkShell {
packages = [
pkgs.colmena
pkgs.nixfmt
pkgs.git
pkgs.update-nix-fetchgit
agenix.packages.${system}.ragenix
pkgs.colmena # remote deployment
pkgs.nixfmt # formatting
pkgs.git # version control
pkgs.update-nix-fetchgit # auto update fetchs
agenix.packages.${system}.ragenix # secrets
pkgs.sbctl # secure boot
];
};
})) // {

View file

@ -1,138 +1,14 @@
{ config, pkgs, lib, ... }: {
imports = [ ./hardware-configuration.nix ];
# networking
networking.hostName = "neodymium";
networking.networkmanager.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ ];
networking.firewall.allowedUDPPorts = [ ];
# bluetooth
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# wireguard vpn
networking.wg-quick.interfaces = {
wg0 = {
privateKeyFile = "/root/wireguard-keys/private";
address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
dns = [ "10.0.0.1" ];
peers = [{
publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
endpoint = "fainsin.bzh:5553";
persistentKeepalive = 30;
}];
};
};
systemd.services.wg-quick-wg0 = {
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "10s";
};
unitConfig = {
StartLimitIntervalSec = 0; # ensure Restart= is always honoured
};
};
# This should already be here from switching to bootspec earlier.
# It's not required anymore, but also doesn't do any harm.
boot.bootspec.enable = true;
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
# enable NTFS disk mounting
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "ntfs" ];
# clean /tmp at each boot
boot.tmp.cleanOnBoot = true;
# use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
# restrict nix command to sudoers
nix.settings.allowed-users = [ "@wheel" ];
{ pkgs, ... }: {
imports = [ ./hardware-configuration.nix ./system ];
# shorter timeout for systemd services
systemd.extraConfig = ''
DefaultTimeoutStopSec=10s
'';
# hardware
hardware = {
enableRedistributableFirmware = true;
opengl = {
enable = true;
driSupport = true;
};
};
# logind configuration
services.logind = {
lidSwitch = "ignore";
extraConfig = ''
HandlePowerKey=suspend
'';
};
services.tlp.enable = true;
# greeter
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
user = "greeter";
};
};
};
# internationalisation
time.timeZone = "Europe/Paris";
i18n.defaultLocale = "en_DK.UTF-8";
console.keyMap = "fr";
# fonts
fonts.fonts = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-extra
noto-fonts-emoji
fira-code
fira-code-symbols
(nerdfonts.override { fonts = [ "FiraCode" ]; })
];
# udev
services.udev.packages = [ pkgs.android-udev-rules ];
# audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
};
services.gnome.gnome-keyring.enable = true;
services.dbus.enable = true;
xdg.portal = {
enable = true;
@ -140,96 +16,25 @@
extraPortals = [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ];
};
programs.light.enable = true;
users = {
# disable user creation/deletion
mutableUsers = false;
users.mutableUsers = false;
users.users.laurent = {
# damn, who's this handsome guy?
users.laurent = {
isNormalUser = true;
initialPassword = "laurent";
extraGroups = [ "wheel" "video" "docker" "adbusers" ];
shell = pkgs.zsh;
};
};
programs.zsh.enable = true;
home-manager = { users.laurent = ./home; };
# enable docker
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableOnBoot = false;
autoPrune.enable = true;
};
# enable gnome virtual file system
services.gvfs.enable = true;
# enable gpg agent
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "gnome3";
};
# enable polkit
security.polkit.enable = true;
# allow swaylock to use pam
security.pam.services.swaylock = { };
# enable unfree
nixpkgs.config.allowUnfree = true;
# experimental features
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# optimizations
nix.settings.auto-optimise-store = true;
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
age.secrets.borgbackup = {
file = "/home/laurent/infrastructure/secrets/borgbackup.age";
owner = "laurent";
group = "users";
};
age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
services.borgbackup.jobs.home = {
paths = "/home/laurent/";
repo = "/mnt/home_backup";
exclude = [
# Largest cache dirs
".cache"
".compose-cache"
"*/cache"
"*/cache2" # firefox
"*/Cache"
"*/Code Cache"
".config/Slack/logs"
".config/Code/CachedData"
".container-diff"
".npm/_cacache"
# Work related dirs
"*/node_modules"
"*/bower_components"
"*/build"
"*/_build"
"*/.tox"
"*/venv"
"*/.venv"
];
encryption = {
mode = "repokey";
passCommand = "cat ${config.age.secrets.borgbackup.path}";
};
compression = "auto,zstd";
startAt = [ ];
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave

View file

@ -12,6 +12,7 @@ in {
defaultTimeout = 5000;
extraConfig = builtins.readFile "${catppuccin-mako}/src/mocha";
};
wayland.windowManager.sway = {
enable = true;
package = (pkgs.swayfx.overrideAttrs (old: {

View file

@ -0,0 +1,8 @@
{ ... }: {
age.secrets.borgbackup = {
file = "/home/laurent/infrastructure/secrets/borgbackup.age";
owner = "laurent";
group = "users";
};
age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
}

View file

@ -0,0 +1,7 @@
{ ... }: {
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
};
}

View file

@ -0,0 +1,13 @@
{ pkgs, ... }: {
# support for mounting windaube partitions
boot.supportedFilesystems = [ "ntfs" ];
boot.loader.efi.canTouchEfiVariables = true;
# clean /tmp at each boot
boot.tmp.cleanOnBoot = true;
# use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
imports = [ ./lanzaboot.nix ];
}

View file

@ -0,0 +1,16 @@
{ lib, ... }: {
# This should already be here from switching to bootspec earlier.
# It's not required anymore, but also doesn't do any harm.
boot.bootspec.enable = true;
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
}

View file

@ -0,0 +1,33 @@
{ config, ... }: {
services.borgbackup.jobs.home = {
paths = "/home/laurent/";
repo = "/mnt/home_backup";
exclude = [
# Largest cache dirs
".cache"
".compose-cache"
"*/cache"
"*/cache2" # firefox
"*/Cache"
"*/Code Cache"
".config/Slack/logs"
".config/Code/CachedData"
".container-diff"
".npm/_cacache"
# Work related dirs
"*/node_modules"
"*/bower_components"
"*/build"
"*/_build"
"*/.tox"
"*/venv"
"*/.venv"
];
encryption = {
mode = "repokey";
passCommand = "cat ${config.age.secrets.borgbackup.path}";
};
compression = "auto,zstd";
startAt = [ ];
};
}

View file

@ -0,0 +1,16 @@
{ ... }: {
imports = [
./age
./audio
./boot
./borgbackup
./docker
./fonts
./greetd
./hardware
./i18n
./networking
./nix
./security
];
}

View file

@ -0,0 +1,9 @@
{ ... }: {
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableOnBoot = false;
autoPrune.enable = true;
};
}

View file

@ -0,0 +1,16 @@
{ pkgs, ... }: {
fonts.fonts = with pkgs; [
# https://notofonts.github.io/
noto-fonts # standard characters
noto-fonts-lgc-plus # latin, greek, and cyrillic
noto-fonts-cjk # chinese, japanese, and korean
noto-fonts-emoji # emojis 🐢
# https://github.com/tonsky/FiraCode
fira-code # standard characters
fira-code-symbols # unicode ligature glyphs
# https://github.com/ryanoasis/nerd-fonts
(nerdfonts.override { fonts = [ "FiraCode" ]; })
];
}

View file

@ -0,0 +1,12 @@
{ pkgs, ... }: {
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
user = "greeter";
};
};
};
}

View file

@ -0,0 +1,28 @@
{ ... }: {
# hardware
hardware = {
enableRedistributableFirmware = true;
opengl = {
enable = true;
driSupport = true;
};
};
# logind configuration
services.logind = {
lidSwitch = "ignore";
extraConfig = ''
HandlePowerKey=suspend
'';
};
# tlp, power management
services.tlp.enable = true;
# bluetooth
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# backlight intensity
programs.light.enable = true;
}

View file

@ -0,0 +1,10 @@
{ ... }: {
# FRANCE 🇫🇷 🥖 🥐
time.timeZone = "Europe/Paris";
# azerty keyboard
console.keyMap = "fr";
# english ISO metric system
i18n.defaultLocale = "en_DK.UTF-8";
}

View file

@ -0,0 +1,17 @@
{ ... }: {
# set hostname
networking.hostName = "neodymium";
# use networkManager, see nmcli
networking.networkmanager.enable = true;
# firewall
networking.firewall = {
enable = true;
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
};
imports = [ ./wireguard.nix ];
}

View file

@ -0,0 +1,31 @@
{ lib, ... }: {
networking.wg-quick.interfaces = {
wg0 = {
# client
privateKeyFile = "/root/wireguard-keys/private";
address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
dns = [ "10.0.0.1" ];
# server
peers = [{
publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
endpoint = "fainsin.bzh:5553";
persistentKeepalive = 30;
}];
};
};
# modify the systemd service to restart on failure every 10 seconds
systemd.services.wg-quick-wg0 = {
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "10s";
};
unitConfig = {
# ensures Restart= is always honoured
StartLimitIntervalSec = 0;
};
};
}

View file

@ -0,0 +1,20 @@
{ ... }: {
# restrict nix command to sudoers
nix.settings.allowed-users = [ "@wheel" ];
# experimental features
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# optimizations
nix.settings.auto-optimise-store = true;
# garbage collection
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# enable unfree
nixpkgs.config.allowUnfree = true;
}

View file

@ -0,0 +1,17 @@
{ ... }: {
# enable polkit
security.polkit.enable = true;
# enable gpg agent
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "gnome3";
};
# secrets keyring
services.gnome.gnome-keyring.enable = true;
# allow swaylock to use pam
security.pam.services.swaylock = { };
}