♻️ modularize neodymium system config
This commit is contained in:
parent
4035f285af
commit
fff918a2e8
11
flake.nix
11
flake.nix
|
@ -37,11 +37,12 @@
|
|||
in {
|
||||
devShells.default = pkgs.mkShell {
|
||||
packages = [
|
||||
pkgs.colmena
|
||||
pkgs.nixfmt
|
||||
pkgs.git
|
||||
pkgs.update-nix-fetchgit
|
||||
agenix.packages.${system}.ragenix
|
||||
pkgs.colmena # remote deployment
|
||||
pkgs.nixfmt # formatting
|
||||
pkgs.git # version control
|
||||
pkgs.update-nix-fetchgit # auto update fetchs
|
||||
agenix.packages.${system}.ragenix # secrets
|
||||
pkgs.sbctl # secure boot
|
||||
];
|
||||
};
|
||||
})) // {
|
||||
|
|
|
@ -1,138 +1,14 @@
|
|||
{ config, pkgs, lib, ... }: {
|
||||
imports = [ ./hardware-configuration.nix ];
|
||||
|
||||
# networking
|
||||
networking.hostName = "neodymium";
|
||||
networking.networkmanager.enable = true;
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.allowedTCPPorts = [ ];
|
||||
networking.firewall.allowedUDPPorts = [ ];
|
||||
|
||||
# bluetooth
|
||||
hardware.bluetooth.enable = true;
|
||||
services.blueman.enable = true;
|
||||
|
||||
# wireguard vpn
|
||||
networking.wg-quick.interfaces = {
|
||||
wg0 = {
|
||||
privateKeyFile = "/root/wireguard-keys/private";
|
||||
address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
|
||||
dns = [ "10.0.0.1" ];
|
||||
peers = [{
|
||||
publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
|
||||
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||
endpoint = "fainsin.bzh:5553";
|
||||
persistentKeepalive = 30;
|
||||
}];
|
||||
};
|
||||
};
|
||||
systemd.services.wg-quick-wg0 = {
|
||||
serviceConfig = {
|
||||
Type = lib.mkForce "simple";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
};
|
||||
unitConfig = {
|
||||
StartLimitIntervalSec = 0; # ensure Restart= is always honoured
|
||||
};
|
||||
};
|
||||
|
||||
# This should already be here from switching to bootspec earlier.
|
||||
# It's not required anymore, but also doesn't do any harm.
|
||||
boot.bootspec.enable = true;
|
||||
|
||||
environment.systemPackages = [
|
||||
# For debugging and troubleshooting Secure Boot.
|
||||
pkgs.sbctl
|
||||
];
|
||||
|
||||
# Lanzaboote currently replaces the systemd-boot module.
|
||||
# This setting is usually set to true in configuration.nix
|
||||
# generated at installation time. So we force it to false
|
||||
# for now.
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
|
||||
boot.lanzaboote = {
|
||||
enable = true;
|
||||
pkiBundle = "/etc/secureboot";
|
||||
};
|
||||
|
||||
# enable NTFS disk mounting
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.supportedFilesystems = [ "ntfs" ];
|
||||
|
||||
# clean /tmp at each boot
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
|
||||
# use latest kernel
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
|
||||
# restrict nix command to sudoers
|
||||
nix.settings.allowed-users = [ "@wheel" ];
|
||||
{ pkgs, ... }: {
|
||||
imports = [ ./hardware-configuration.nix ./system ];
|
||||
|
||||
# shorter timeout for systemd services
|
||||
systemd.extraConfig = ''
|
||||
DefaultTimeoutStopSec=10s
|
||||
'';
|
||||
|
||||
# hardware
|
||||
hardware = {
|
||||
enableRedistributableFirmware = true;
|
||||
opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
};
|
||||
};
|
||||
|
||||
# logind configuration
|
||||
services.logind = {
|
||||
lidSwitch = "ignore";
|
||||
extraConfig = ''
|
||||
HandlePowerKey=suspend
|
||||
'';
|
||||
};
|
||||
|
||||
services.tlp.enable = true;
|
||||
|
||||
# greeter
|
||||
services.greetd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
default_session = {
|
||||
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
|
||||
user = "greeter";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# internationalisation
|
||||
time.timeZone = "Europe/Paris";
|
||||
i18n.defaultLocale = "en_DK.UTF-8";
|
||||
console.keyMap = "fr";
|
||||
|
||||
# fonts
|
||||
fonts.fonts = with pkgs; [
|
||||
noto-fonts
|
||||
noto-fonts-cjk
|
||||
noto-fonts-extra
|
||||
noto-fonts-emoji
|
||||
fira-code
|
||||
fira-code-symbols
|
||||
(nerdfonts.override { fonts = [ "FiraCode" ]; })
|
||||
];
|
||||
|
||||
# udev
|
||||
services.udev.packages = [ pkgs.android-udev-rules ];
|
||||
|
||||
# audio
|
||||
services.pipewire = {
|
||||
enable = true;
|
||||
alsa.enable = true;
|
||||
pulse.enable = true;
|
||||
};
|
||||
|
||||
services.gnome.gnome-keyring.enable = true;
|
||||
|
||||
services.dbus.enable = true;
|
||||
xdg.portal = {
|
||||
enable = true;
|
||||
|
@ -140,96 +16,25 @@
|
|||
extraPortals = [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ];
|
||||
};
|
||||
|
||||
programs.light.enable = true;
|
||||
users = {
|
||||
# disable user creation/deletion
|
||||
mutableUsers = false;
|
||||
|
||||
users.mutableUsers = false;
|
||||
users.users.laurent = {
|
||||
# damn, who's this handsome guy?
|
||||
users.laurent = {
|
||||
isNormalUser = true;
|
||||
initialPassword = "laurent";
|
||||
extraGroups = [ "wheel" "video" "docker" "adbusers" ];
|
||||
shell = pkgs.zsh;
|
||||
};
|
||||
};
|
||||
programs.zsh.enable = true;
|
||||
|
||||
home-manager = { users.laurent = ./home; };
|
||||
|
||||
# enable docker
|
||||
virtualisation.docker = {
|
||||
enable = true;
|
||||
storageDriver = "btrfs";
|
||||
enableOnBoot = false;
|
||||
autoPrune.enable = true;
|
||||
};
|
||||
|
||||
# enable gnome virtual file system
|
||||
services.gvfs.enable = true;
|
||||
|
||||
# enable gpg agent
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
pinentryFlavor = "gnome3";
|
||||
};
|
||||
|
||||
# enable polkit
|
||||
security.polkit.enable = true;
|
||||
|
||||
# allow swaylock to use pam
|
||||
security.pam.services.swaylock = { };
|
||||
|
||||
# enable unfree
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
# experimental features
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
|
||||
# optimizations
|
||||
nix.settings.auto-optimise-store = true;
|
||||
nix.gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
options = "--delete-older-than 30d";
|
||||
};
|
||||
|
||||
age.secrets.borgbackup = {
|
||||
file = "/home/laurent/infrastructure/secrets/borgbackup.age";
|
||||
owner = "laurent";
|
||||
group = "users";
|
||||
};
|
||||
age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
|
||||
|
||||
services.borgbackup.jobs.home = {
|
||||
paths = "/home/laurent/";
|
||||
repo = "/mnt/home_backup";
|
||||
exclude = [
|
||||
# Largest cache dirs
|
||||
".cache"
|
||||
".compose-cache"
|
||||
"*/cache"
|
||||
"*/cache2" # firefox
|
||||
"*/Cache"
|
||||
"*/Code Cache"
|
||||
".config/Slack/logs"
|
||||
".config/Code/CachedData"
|
||||
".container-diff"
|
||||
".npm/_cacache"
|
||||
# Work related dirs
|
||||
"*/node_modules"
|
||||
"*/bower_components"
|
||||
"*/build"
|
||||
"*/_build"
|
||||
"*/.tox"
|
||||
"*/venv"
|
||||
"*/.venv"
|
||||
];
|
||||
encryption = {
|
||||
mode = "repokey";
|
||||
passCommand = "cat ${config.age.secrets.borgbackup.path}";
|
||||
};
|
||||
compression = "auto,zstd";
|
||||
startAt = [ ];
|
||||
};
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
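Review bot: `initialPassword = "laurent"` for the wheel user is kept on the new side together with `mutableUsers = false` inside the new `users = { … }` block. With mutable users disabled, NixOS treats `initialPassword` like `password`: the cleartext lands in the world-readable Nix store as the account's permanent password and `passwd` can no longer change it. Since this commit introduces an `age` module, the credential could instead be supplied as `hashedPasswordFile = config.age.secrets.<secret>.path;` (`passwordFile` on older releases) with the hash stored as an age secret, which also means adding `config` to the module's argument set. Membership in the `docker` group via `extraGroups` deserves a comment as well, since it is root-equivalent on this host. The enclosing attribute set starts in the previous hunk and ends outside this one.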
|
||||
|
|
|
@ -12,6 +12,7 @@ in {
|
|||
defaultTimeout = 5000;
|
||||
extraConfig = builtins.readFile "${catppuccin-mako}/src/mocha";
|
||||
};
|
||||
|
||||
wayland.windowManager.sway = {
|
||||
enable = true;
|
||||
package = (pkgs.swayfx.overrideAttrs (old: {
|
||||
|
|
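--- a/hosts/neodymium/system/age/default.nix
+++ b/hosts/neodymium/system/age/default.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+age.secrets.borgbackup = {
+file = "/home/laurent/infrastructure/secrets/borgbackup.age";
+owner = "laurent";
+group = "users";
+};
+age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
+}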
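Review bot: `age.identityPaths` points at `/home/laurent/.ssh/id_ed25519`, a user-owned key, and the `.age` file is read from the same home directory. Secrets are decrypted by root at activation, so the key that protects every system secret is only as safe as the `laurent` account, the home filesystem must be mounted before activation, and the user can replace either file. The usual setup is the host key, `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with the encrypted file referenced by a path relative to this module so it is tracked alongside the configuration. If the user key is deliberate, a comment stating why would help the next reader.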
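--- a/hosts/neodymium/system/audio/default.nix
+++ b/hosts/neodymium/system/audio/default.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+pulse.enable = true;
+};
+}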
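--- a/hosts/neodymium/system/boot/default.nix
+++ b/hosts/neodymium/system/boot/default.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+# support for mounting windaube partitions
+boot.supportedFilesystems = [ "ntfs" ];
+boot.loader.efi.canTouchEfiVariables = true;
+
+# clean /tmp at each boot
+boot.tmp.cleanOnBoot = true;
+
+# use latest kernel
+boot.kernelPackages = pkgs.linuxPackages_latest;
+
+imports = [ ./lanzaboot.nix ];
+}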
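Review bot: `imports = [ ./lanzaboot.nix ];` is the last attribute of the module, after the `boot.*` options, whereas `system/default.nix` and `configuration.nix` list `imports` first; `networking/default.nix` places its `imports = [ ./wireguard.nix ];` at the bottom in the same way. Moving `imports` to the top of both attribute sets keeps the convention consistent across the tree and makes the module graph visible at a glance. The file name `lanzaboot.nix` also differs from the option and project name `lanzaboote`, which may trip up a search later.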
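--- a/hosts/neodymium/system/boot/lanzaboot.nix
+++ b/hosts/neodymium/system/boot/lanzaboot.nix
@@ -0,0 +1,16 @@
+{ lib, ... }: {
+# This should already be here from switching to bootspec earlier.
+# It's not required anymore, but also doesn't do any harm.
+boot.bootspec.enable = true;
+
+# Lanzaboote currently replaces the systemd-boot module.
+# This setting is usually set to true in configuration.nix
+# generated at installation time. So we force it to false
+# for now.
+boot.loader.systemd-boot.enable = lib.mkForce false;
+
+boot.lanzaboote = {
+enable = true;
+pkiBundle = "/etc/secureboot";
+};
+}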
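--- a/hosts/neodymium/system/borgbackup/default.nix
+++ b/hosts/neodymium/system/borgbackup/default.nix
@@ -0,0 +1,33 @@
+{ config, ... }: {
+services.borgbackup.jobs.home = {
+paths = "/home/laurent/";
+repo = "/mnt/home_backup";
+exclude = [
+# Largest cache dirs
+".cache"
+".compose-cache"
+"*/cache"
+"*/cache2" # firefox
+"*/Cache"
+"*/Code Cache"
+".config/Slack/logs"
+".config/Code/CachedData"
+".container-diff"
+".npm/_cacache"
+# Work related dirs
+"*/node_modules"
+"*/bower_components"
+"*/build"
+"*/_build"
+"*/.tox"
+"*/venv"
+"*/.venv"
+];
+encryption = {
+mode = "repokey";
+passCommand = "cat ${config.age.secrets.borgbackup.path}";
+};
+compression = "auto,zstd";
+startAt = [ ];
+};
+}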
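Review bot: `startAt = [ ];` disables the systemd timer, so this job never runs unless started by hand, and nothing in the module says so. A comment such as `# no timer: run manually with systemctl start borgbackup-job-home` above that line would make the intent clear. `repo = "/mnt/home_backup"` is a local mount that must be present when the job runs; if that is expected, a short note on where it comes from would help too.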
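--- a/hosts/neodymium/system/default.nix
+++ b/hosts/neodymium/system/default.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+imports = [
+./age
+./audio
+./boot
+./borgbackup
+./docker
+./fonts
+./greetd
+./hardware
+./i18n
+./networking
+./nix
+./security
+];
+}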
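--- a/hosts/neodymium/system/docker/default.nix
+++ b/hosts/neodymium/system/docker/default.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+virtualisation.docker = {
+enable = true;
+
+storageDriver = "btrfs";
+enableOnBoot = false;
+autoPrune.enable = true;
+};
+}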
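--- a/hosts/neodymium/system/fonts/default.nix
+++ b/hosts/neodymium/system/fonts/default.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }: {
+fonts.fonts = with pkgs; [
+# https://notofonts.github.io/
+noto-fonts # standard characters
+noto-fonts-lgc-plus # latin, greek, and cyrillic
+noto-fonts-cjk # chinese, japanese, and korean
+noto-fonts-emoji # emojis 🐢
+
+# https://github.com/tonsky/FiraCode
+fira-code # standard characters
+fira-code-symbols # unicode ligature glyphs
+
+# https://github.com/ryanoasis/nerd-fonts
+(nerdfonts.override { fonts = [ "FiraCode" ]; })
+];
+}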
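--- a/hosts/neodymium/system/greetd/default.nix
+++ b/hosts/neodymium/system/greetd/default.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }: {
+services.greetd = {
+enable = true;
+
+settings = {
+default_session = {
+command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
+user = "greeter";
+};
+};
+};
+}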
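--- a/hosts/neodymium/system/hardware/default.nix
+++ b/hosts/neodymium/system/hardware/default.nix
@@ -0,0 +1,28 @@
+{ ... }: {
+# hardware
+hardware = {
+enableRedistributableFirmware = true;
+opengl = {
+enable = true;
+driSupport = true;
+};
+};
+
+# logind configuration
+services.logind = {
+lidSwitch = "ignore";
+extraConfig = ''
+HandlePowerKey=suspend
+'';
+};
+
+# tlp, power management
+services.tlp.enable = true;
+
+# bluetooth
+hardware.bluetooth.enable = true;
+services.blueman.enable = true;
+
+# backlight intensity
+programs.light.enable = true;
+}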
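--- a/hosts/neodymium/system/i18n/default.nix
+++ b/hosts/neodymium/system/i18n/default.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+# FRANCE 🇫🇷 🥖 🥐
+time.timeZone = "Europe/Paris";
+
+# azerty keyboard
+console.keyMap = "fr";
+
+# english ISO metric system
+i18n.defaultLocale = "en_DK.UTF-8";
+}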
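--- a/hosts/neodymium/system/networking/default.nix
+++ b/hosts/neodymium/system/networking/default.nix
@@ -0,0 +1,17 @@
+{ ... }: {
+# set hostname
+networking.hostName = "neodymium";
+
+# use networkManager, see nmcli
+networking.networkmanager.enable = true;
+
+# firewall
+networking.firewall = {
+enable = true;
+
+allowedTCPPorts = [ ];
+allowedUDPPorts = [ ];
+};
+
+imports = [ ./wireguard.nix ];
+}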
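--- a/hosts/neodymium/system/networking/wireguard.nix
+++ b/hosts/neodymium/system/networking/wireguard.nix
@@ -0,0 +1,31 @@
+{ lib, ... }: {
+networking.wg-quick.interfaces = {
+wg0 = {
+# client
+privateKeyFile = "/root/wireguard-keys/private";
+address = [ "10.0.0.3/24" "fd02:002:002::3/64" ];
+dns = [ "10.0.0.1" ];
+
+# server
+peers = [{
+publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
+allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+endpoint = "fainsin.bzh:5553";
+persistentKeepalive = 30;
+}];
+};
+};
+
+# modify the systemd service to restart on failure every 10 seconds
+systemd.services.wg-quick-wg0 = {
+serviceConfig = {
+Type = lib.mkForce "simple";
+Restart = "on-failure";
+RestartSec = "10s";
+};
+unitConfig = {
+# ensures Restart= is always honoured
+StartLimitIntervalSec = 0;
+};
+};
+}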
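Review bot: `privateKeyFile = "/root/wireguard-keys/private"` depends on a file provisioned out of band, and nothing in the module records who creates it or what ownership and mode it must have. A comment such as `# provisioned out of band; must be owned by root with mode 0600` above it would help, and since this commit adds an `age` module the key could also be managed as an age secret so a fresh install does not come up without the tunnel. The `# client` / `# server` comments are welcome; stating explicitly that `allowedIPs` of `0.0.0.0/0` and `::0/0` makes this a full tunnel (all traffic and DNS via the peer) would complete the picture.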
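--- a/hosts/neodymium/system/nix/default.nix
+++ b/hosts/neodymium/system/nix/default.nix
@@ -0,0 +1,20 @@
+{ ... }: {
+# restrict nix command to sudoers
+nix.settings.allowed-users = [ "@wheel" ];
+
+# experimental features
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+# optimizations
+nix.settings.auto-optimise-store = true;
+
+# garbage collection
+nix.gc = {
+automatic = true;
+dates = "weekly";
+options = "--delete-older-than 30d";
+};
+
+# enable unfree
+nixpkgs.config.allowUnfree = true;
+}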
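--- a/hosts/neodymium/system/security/default.nix
+++ b/hosts/neodymium/system/security/default.nix
@@ -0,0 +1,17 @@
+{ ... }: {
+# enable polkit
+security.polkit.enable = true;
+
+# enable gpg agent
+programs.gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+pinentryFlavor = "gnome3";
+};
+
+# secrets keyring
+services.gnome.gnome-keyring.enable = true;
+
+# allow swaylock to use pam
+security.pam.services.swaylock = { };
+}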