Compare commits
No commits in common. "13057ecc9cb1942492c130ef6f59bb8a548ee7c2" and "4a31208f50aebc91745060752a76ff6c92543b92" have entirely different histories.
13057ecc9c
...
4a31208f50
8
.vscode/extensions.json
vendored
Normal file
8
.vscode/extensions.json
vendored
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{
|
||||||
|
"recommendations": [
|
||||||
|
"editorconfig.editorconfig",
|
||||||
|
"kamadorueda.alejandra",
|
||||||
|
"jnoortheen.nix-ide",
|
||||||
|
"mkhl.direnv",
|
||||||
|
]
|
||||||
|
}
|
13
.vscode/settings.json
vendored
Normal file
13
.vscode/settings.json
vendored
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
{
|
||||||
|
"files.exclude": {
|
||||||
|
// defaults
|
||||||
|
"**/.git": true,
|
||||||
|
"**/.svn": true,
|
||||||
|
"**/.hg": true,
|
||||||
|
"**/CVS": true,
|
||||||
|
"**/.DS_Store": true,
|
||||||
|
"**/Thumbs.db": true,
|
||||||
|
// extras
|
||||||
|
"**/.direnv": true,
|
||||||
|
}
|
||||||
|
}
|
11
.vscode/tasks.json
vendored
Normal file
11
.vscode/tasks.json
vendored
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
{
|
||||||
|
"version": "2.0.0",
|
||||||
|
"tasks": [
|
||||||
|
{
|
||||||
|
"label": "flake upgrade",
|
||||||
|
"type": "shell",
|
||||||
|
"command": "tmux new -s flake-update .vscode/upgrade.sh",
|
||||||
|
"problemMatcher": []
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
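Review bot: The `"command"` line, `tmux new -s flake-update .vscode/upgrade.sh`, fails with "duplicate session" whenever a session of that name already exists (for example a previous run left sitting at the script's `read -p` prompt), so a second invocation does nothing useful; `tmux new -A -s flake-update .vscode/upgrade.sh` attaches to the existing session instead. It is also worth making explicit that this checked-in task ends up running `sudo nixos-rebuild switch`, a remote deploy and a `git push` from inside the editor, so anyone who opens this workspace with trust granted is one task invocation away from switching the system; a `"detail": "updates flake.lock, switches silicium and cesium, pushes"` entry on the task documents that at the point where it is launched.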
26
.vscode/upgrade.sh
vendored
Executable file
26
.vscode/upgrade.sh
vendored
Executable file
|
@ -0,0 +1,26 @@
|
||||||
|
# error handler
|
||||||
|
handle_error() {
|
||||||
|
echo "Upgrade failed."
|
||||||
|
read -p "Press Enter to exit..."
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# stop on error
|
||||||
|
set -euxo pipefail
|
||||||
|
|
||||||
|
# trap any errors and call handle_error
|
||||||
|
trap 'handle_error "$BASH_COMMAND"' ERR
|
||||||
|
|
||||||
|
# update lock file
|
||||||
|
nix flake update
|
||||||
|
|
||||||
|
# update systems
|
||||||
|
sudo nixos-rebuild switch -L --flake .#silicium
|
||||||
|
nixos-rebuild switch -L --flake .#cesium --target-host cesium
|
||||||
|
|
||||||
|
# commit and push lock file
|
||||||
|
git add flake.lock
|
||||||
|
git commit -m "⬆️ nix flake update"
|
||||||
|
git push
|
||||||
|
|
||||||
|
echo "Upgrade successful"
|
|
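Review bot: The script has no shebang — its first line is the `# error handler` comment — yet tasks.json executes it by path and it depends on bash-only features (`set -o pipefail`, `trap … ERR`, `$BASH_COMMAND`, `read -p`); add `#!/usr/bin/env bash` as line 1 so the kernel does not hand it to whatever /bin/sh is installed. From a supply-chain angle the ordering deserves a second look: `nix flake update` pulls the newest revision of every input and the very next lines switch two machines to it as root before the lock diff is committed or even seen, so a bad upstream commit is live before anyone reviews it; running `nixos-rebuild build` and inspecting the closure diff (`nvd diff`, which the silicium nix module already invokes during activation) before `switch` gives a review point, and committing `flake.lock` before the `--target-host cesium` step keeps the repository in sync if the remote deploy fails. Finally, `handle_error` is handed `"$BASH_COMMAND"` but never prints it; `echo "Upgrade failed at: $1"` makes the trap worth having.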
@ -1,6 +1,9 @@
|
||||||
{
|
{
|
||||||
description = "Laureηt's infrastructure";
|
description = "Laureηt's infrastructure";
|
||||||
|
|
||||||
|
# TODO: luks encrypt cesium (dropbear ?)
|
||||||
|
# TODO: setup disko sur silicium
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
# core stuff
|
# core stuff
|
||||||
nixpkgs = {
|
nixpkgs = {
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
sign_key =
|
sign_key =
|
||||||
{
|
{
|
||||||
"aurum" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum";
|
"aurum" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum";
|
||||||
|
"silicium" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium";
|
||||||
}
|
}
|
||||||
."${osConfig.networking.hostName}";
|
."${osConfig.networking.hostName}";
|
||||||
in {
|
in {
|
||||||
|
|
|
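Review bot: The silicium entry added to `sign_key` reuses the key that this same change makes a permanent root authorized key on cesium and the age decryption identity (`age.identityPaths`), so one private key now covers commit signing, root SSH access and secret decryption, and a leak of `~/.ssh/id_ed25519` compromises all three at once. A dedicated signing key — a separate ed25519 pair, or one held on a hardware token behind the gpg-agent SSH support this configuration enables — keeps those blast radii apart; at minimum a comment such as `# same key as root@cesium access and age identity — rotate together` should record the coupling. The `let` binding that holds `sign_key` starts above this hunk.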
@ -1,5 +1,5 @@
|
||||||
{...}: {
|
{...}: {
|
||||||
imports = [
|
imports = [
|
||||||
./greetd.nix
|
./greetd
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
boot.supportedFilesystems = ["ntfs"];
|
boot.supportedFilesystems = ["ntfs"];
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
# TODO: replace by lanzaboot
|
# tmp, will be replaced by lanzaboot
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
|
||||||
# clean /tmp at each boot
|
# clean /tmp at each boot
|
||||||
|
@ -20,6 +20,10 @@
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
|
||||||
|
# imports = [
|
||||||
|
# ./lanzaboot.nix
|
||||||
|
# ];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
|
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
|
||||||
boot.initrd.kernelModules = [""];
|
boot.initrd.kernelModules = [""];
|
||||||
boot.kernelModules = ["kvm-intel"];
|
boot.kernelModules = ["kvm-intel"];
|
|
@ -8,19 +8,17 @@
|
||||||
system.stateVersion = "24.05"; # Did you read the comment?
|
system.stateVersion = "24.05"; # Did you read the comment?
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
./audio.nix
|
./audio
|
||||||
./boot.nix
|
./boot
|
||||||
# ./disko.nix
|
# ./disko
|
||||||
./docker.nix
|
./docker
|
||||||
./fonts.nix
|
./fonts
|
||||||
./hardware.nix
|
./hardware
|
||||||
./i18n.nix
|
./i18n
|
||||||
# ./impermanence.nix
|
# ./impermanence
|
||||||
# ./lanzaboot.nix
|
./networking
|
||||||
./networking.nix
|
./nix
|
||||||
./nix.nix
|
./security
|
||||||
./partitions.nix
|
./users
|
||||||
./security.nix
|
|
||||||
./users.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,10 @@
|
||||||
# backlight intensity
|
# backlight intensity
|
||||||
programs.light.enable = true;
|
programs.light.enable = true;
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
./partitions.nix
|
||||||
|
];
|
||||||
|
|
||||||
# webcam
|
# webcam
|
||||||
# hardware.firmware = [
|
# hardware.firmware = [
|
||||||
# pkgs.ivsc-firmware
|
# pkgs.ivsc-firmware
|
|
@ -12,7 +12,7 @@
|
||||||
files = [
|
files = [
|
||||||
"/etc/machine-id"
|
"/etc/machine-id"
|
||||||
];
|
];
|
||||||
# TODO: move this into home config
|
# TODO: move this into home config, when silicium has impermanence too
|
||||||
users.laurent = {
|
users.laurent = {
|
||||||
directories = [
|
directories = [
|
||||||
"Documents"
|
"Documents"
|
|
@ -1,7 +1,7 @@
|
||||||
{...}: {
|
{...}: {
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium" # TODO: remove this
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
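Review bot: Dropping the `# TODO: remove this` marker on the `laurent@silicium` entry in `users.users.root.openssh.authorizedKeys.keys` turns what was flagged as a temporary root login into a permanent one, and that key is the personal user key on silicium rather than a deploy-only key. If it has to stay, a `from=` or `command=` restriction on the entry, or an unprivileged deploy user on cesium combined with `nixos-rebuild --use-remote-sudo`, limits what a stolen laptop key can do; otherwise keep a comment stating why direct root login with this key is intended, e.g. `# silicium deploys to cesium via nixos-rebuild --target-host`. Whether the deploy path actually needs root SSH is inferred from upgrade.sh, not visible in this hunk.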
@ -14,6 +14,25 @@ in {
|
||||||
# desktop would be neon
|
# desktop would be neon
|
||||||
# smartphone would be lithium
|
# smartphone would be lithium
|
||||||
|
|
||||||
|
# personal laptop
|
||||||
|
silicium = nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
specialArgs = {
|
||||||
|
inherit inputs;
|
||||||
|
};
|
||||||
|
modules = [
|
||||||
|
./silicium
|
||||||
|
inputs.home-manager.nixosModules.home-manager
|
||||||
|
inputs.agenix.nixosModules.default
|
||||||
|
inputs.lanzaboote.nixosModules.lanzaboote
|
||||||
|
inputs.nixos-hardware.nixosModules.common-cpu-amd
|
||||||
|
inputs.nixos-hardware.nixosModules.common-gpu-nvidia-disable
|
||||||
|
inputs.nixos-hardware.nixosModules.common-pc-laptop
|
||||||
|
inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
|
||||||
|
{inherit home-manager;}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
# work laptop
|
# work laptop
|
||||||
aurum = nixpkgs.lib.nixosSystem {
|
aurum = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
|
30
hosts/silicium/default.nix
Normal file
30
hosts/silicium/default.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{pkgs, ...}: {
|
||||||
|
imports = [
|
||||||
|
./system
|
||||||
|
./services
|
||||||
|
];
|
||||||
|
|
||||||
|
# shorter timeout for systemd services
|
||||||
|
systemd.extraConfig = ''
|
||||||
|
DefaultTimeoutStopSec=10s
|
||||||
|
'';
|
||||||
|
|
||||||
|
services.dbus.enable = true;
|
||||||
|
xdg.portal = {
|
||||||
|
enable = true;
|
||||||
|
wlr.enable = true;
|
||||||
|
|
||||||
|
config = {
|
||||||
|
common.default = ["wlr" "gtk"];
|
||||||
|
hyprland.default = ["hyprland"];
|
||||||
|
};
|
||||||
|
extraPortals = [
|
||||||
|
pkgs.xdg-desktop-portal-gtk
|
||||||
|
pkgs.xdg-desktop-portal-wlr
|
||||||
|
pkgs.xdg-desktop-portal-hyprland
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# enable gnome virtual file system
|
||||||
|
services.gvfs.enable = true;
|
||||||
|
}
|
46
hosts/silicium/services/borgbackup/default.nix
Normal file
46
hosts/silicium/services/borgbackup/default.nix
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
{config, ...}: {
|
||||||
|
services.borgbackup.jobs.home = {
|
||||||
|
paths = "/home/laurent/";
|
||||||
|
repo = "/mnt/home_backup";
|
||||||
|
exclude = [
|
||||||
|
# Largest cache dirs
|
||||||
|
".cache"
|
||||||
|
".compose-cache"
|
||||||
|
"*/cache"
|
||||||
|
"*/cache2" # firefox
|
||||||
|
"*/Cache"
|
||||||
|
"*/Code Cache"
|
||||||
|
"*/blob_storage"
|
||||||
|
".config/Slack/logs"
|
||||||
|
".config/Code/CachedData"
|
||||||
|
".container-diff"
|
||||||
|
".npm/_cacache"
|
||||||
|
# Work related dirs
|
||||||
|
"*/node_modules"
|
||||||
|
"*/bower_components"
|
||||||
|
"*/build"
|
||||||
|
"*/_build"
|
||||||
|
"*/.tox"
|
||||||
|
"*/venv"
|
||||||
|
"*/.venv"
|
||||||
|
"*/.direnv"
|
||||||
|
];
|
||||||
|
encryption = {
|
||||||
|
mode = "repokey";
|
||||||
|
passCommand = "cat ${config.age.secrets.borgbackup.path}";
|
||||||
|
};
|
||||||
|
compression = "auto,zstd";
|
||||||
|
startAt = [];
|
||||||
|
};
|
||||||
|
services.borgbackup.jobs.keepass = {
|
||||||
|
paths = "/home/laurent/Documents/db_mdp.kdbx";
|
||||||
|
repo = "ssh://root@fainsin.bzh:624/srv/backup/keepass";
|
||||||
|
user = "laurent";
|
||||||
|
encryption = {
|
||||||
|
mode = "repokey";
|
||||||
|
passCommand = "cat ${config.age.secrets.borgbackup.path}";
|
||||||
|
};
|
||||||
|
compression = "auto,zstd";
|
||||||
|
startAt = "12:00";
|
||||||
|
};
|
||||||
|
}
|
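Review bot: The `home` job has `startAt = []`, so it is never scheduled and only runs if someone starts `borgbackup-job-home.service` by hand; if that is intended, say so with `startAt = []; # manual only, run systemctl start borgbackup-job-home`, otherwise give it a calendar spec like the keepass job. The keepass job pushes to `ssh://root@fainsin.bzh:624/...`, which means the laptop holds a key that is root on the backup host and can delete or overwrite every repository there; a dedicated borg user on the server with an authorized_keys forced command (`command="borg serve --append-only --restrict-to-repository /srv/backup/keepass"`) and `repo = "ssh://borg@fainsin.bzh:624/srv/backup/keepass";` here turns a compromised laptop into an append-only client. Both jobs use `mode = "repokey"` with the same passphrase read from `config.age.secrets.borgbackup.path`, which is acceptable only while that passphrase is strong, since in repokey mode the encrypted key travels with the repository. The server-side forced command lives outside this repository and would need to be applied on fainsin.bzh separately.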
6
hosts/silicium/services/default.nix
Normal file
6
hosts/silicium/services/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
{...}: {
|
||||||
|
imports = [
|
||||||
|
./borgbackup
|
||||||
|
./greetd
|
||||||
|
];
|
||||||
|
}
|
12
hosts/silicium/services/greetd/default.nix
Normal file
12
hosts/silicium/services/greetd/default.nix
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
{pkgs, ...}: {
|
||||||
|
services.greetd = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
default_session = {
|
||||||
|
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd ${pkgs.hyprland}/bin/Hyprland";
|
||||||
|
user = "greeter";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
7
hosts/silicium/system/adb/default.nix
Normal file
7
hosts/silicium/system/adb/default.nix
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
{pkgs, ...}: {
|
||||||
|
# udev rules
|
||||||
|
services.udev.packages = [pkgs.android-udev-rules];
|
||||||
|
|
||||||
|
# adb users
|
||||||
|
users.users.laurent.extraGroups = ["adbusers"];
|
||||||
|
}
|
8
hosts/silicium/system/age/default.nix
Normal file
8
hosts/silicium/system/age/default.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{...}: {
|
||||||
|
age.secrets.borgbackup = {
|
||||||
|
file = ../../../../secrets/borgbackup.age;
|
||||||
|
owner = "laurent";
|
||||||
|
group = "users";
|
||||||
|
};
|
||||||
|
age.identityPaths = ["/home/laurent/.ssh/id_ed25519"];
|
||||||
|
}
|
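Review bot: `age.identityPaths = ["/home/laurent/.ssh/id_ed25519"]` makes agenix decrypt secrets during activation, as root, with the user's personal SSH key — which in practice has to sit on disk without a passphrase, since nothing can prompt for one at that point — and this change also makes that same key the root authorized key on cesium and the git signing key. The agenix default identity `/etc/ssh/ssh_host_ed25519_key` already exists, is root-only and is used for nothing but this host, so encrypting `secrets/borgbackup.age` to the host key (add it to `publicKeys` in secrets.nix and rekey) and deleting this line removes the need for an unencrypted user key. If the user key must remain the identity, a comment such as `# NOTE: this key must be passphrase-less for activation-time decryption` makes the constraint visible. `group = "users"` has no effect under agenix's default `mode` of 0400; either drop it or set `mode = "0440"` if group access is wanted.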
7
hosts/silicium/system/audio/default.nix
Normal file
7
hosts/silicium/system/audio/default.nix
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
{...}: {
|
||||||
|
services.pipewire = {
|
||||||
|
enable = true;
|
||||||
|
alsa.enable = true;
|
||||||
|
pulse.enable = true;
|
||||||
|
};
|
||||||
|
}
|
24
hosts/silicium/system/boot/default.nix
Normal file
24
hosts/silicium/system/boot/default.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
# support for mounting windaube partitions
|
||||||
|
boot.supportedFilesystems = ["ntfs"];
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
# clean /tmp at each boot
|
||||||
|
boot.tmp.cleanOnBoot = true;
|
||||||
|
|
||||||
|
# use latest kernel
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
./lanzaboot.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
|
||||||
|
boot.initrd.kernelModules = [];
|
||||||
|
boot.kernelModules = ["kvm-amd" "v4l2loopback"];
|
||||||
|
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
|
||||||
|
}
|
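Review bot: The comment `# support for mounting windaube partitions` uses French slang a non-francophone reader will not parse; `# support for mounting Windows (NTFS) partitions` says the same thing. Since this host imports `./lanzaboot.nix`, every `linuxPackages_latest` bump rebuilds and re-signs the boot image together with the out-of-tree `v4l2loopback` module listed in `boot.extraModulePackages`; that is expected, but a line like `# out-of-tree module, rebuilt with each kernel update` next to it spares the next reader from wondering whether it survives kernel upgrades.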
16
hosts/silicium/system/boot/lanzaboot.nix
Normal file
16
hosts/silicium/system/boot/lanzaboot.nix
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{lib, ...}: {
|
||||||
|
# This should already be here from switching to bootspec earlier.
|
||||||
|
# It's not required anymore, but also doesn't do any harm.
|
||||||
|
boot.bootspec.enable = true;
|
||||||
|
|
||||||
|
# Lanzaboote currently replaces the systemd-boot module.
|
||||||
|
# This setting is usually set to true in configuration.nix
|
||||||
|
# generated at installation time. So we force it to false
|
||||||
|
# for now.
|
||||||
|
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||||
|
|
||||||
|
boot.lanzaboote = {
|
||||||
|
enable = true;
|
||||||
|
pkiBundle = "/etc/secureboot";
|
||||||
|
};
|
||||||
|
}
|
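Review bot: `pkiBundle = "/etc/secureboot"` points lanzaboote at the Secure Boot signing keys on the root filesystem, and nothing in this change backs them up — the borg `home` job covers `/home/laurent/` only — so a disk failure loses the keys and, while Secure Boot is enforced, the ability to sign new generations. Keep an offline copy or add `/etc/secureboot` to a backup job, and make sure the directory stays root-only, since whoever can read the db private key in that bundle can sign arbitrary boot binaries for this machine; a `# private keys: keep root-only and back up offline` comment next to `pkiBundle` records that. The leading comment block is the lanzaboote quick-start text; `# bootspec is enabled by default on recent NixOS, kept explicit for lanzaboote` says what actually matters.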
24
hosts/silicium/system/default.nix
Normal file
24
hosts/silicium/system/default.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{...}: {
|
||||||
|
# This value determines the NixOS release from which the default
|
||||||
|
# settings for stateful data, like file locations and database versions
|
||||||
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
# this value at the release version of the first install of this system.
|
||||||
|
# Before changing this value read the documentation for this option
|
||||||
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
|
system.stateVersion = "24.05"; # Did you read the comment?
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
./adb
|
||||||
|
./age
|
||||||
|
./audio
|
||||||
|
./boot
|
||||||
|
./docker
|
||||||
|
./fonts
|
||||||
|
./hardware
|
||||||
|
./i18n
|
||||||
|
./networking
|
||||||
|
./nix
|
||||||
|
./security
|
||||||
|
./users
|
||||||
|
];
|
||||||
|
}
|
12
hosts/silicium/system/docker/default.nix
Normal file
12
hosts/silicium/system/docker/default.nix
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
{...}: {
|
||||||
|
virtualisation.docker = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
storageDriver = "btrfs";
|
||||||
|
enableOnBoot = false;
|
||||||
|
autoPrune.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# docker users
|
||||||
|
users.users.laurent.extraGroups = ["docker"];
|
||||||
|
}
|
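Review bot: `users.users.laurent.extraGroups = ["docker"]` grants the user password-less root equivalence, because any member of the docker group can bind-mount the host filesystem into a container, which bypasses the sudo password that `wheel` membership still requires. Prefer `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` (or podman) and drop the group; if rootful docker is genuinely required, say so in the comment, e.g. `# docker group == root; rootful needed for btrfs storage driver`.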
16
hosts/silicium/system/fonts/default.nix
Normal file
16
hosts/silicium/system/fonts/default.nix
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{pkgs, ...}: {
|
||||||
|
fonts.packages = with pkgs; [
|
||||||
|
# https://notofonts.github.io/
|
||||||
|
noto-fonts # standard characters
|
||||||
|
noto-fonts-lgc-plus # latin, greek, and cyrillic
|
||||||
|
noto-fonts-cjk # chinese, japanese, and korean
|
||||||
|
noto-fonts-emoji # emojis 🐢
|
||||||
|
|
||||||
|
# https://github.com/tonsky/FiraCode
|
||||||
|
fira-code # standard characters
|
||||||
|
fira-code-symbols # unicode ligature glyphs
|
||||||
|
|
||||||
|
# https://github.com/ryanoasis/nerd-fonts
|
||||||
|
(nerdfonts.override {fonts = ["FiraCode"];})
|
||||||
|
];
|
||||||
|
}
|
33
hosts/silicium/system/hardware/default.nix
Normal file
33
hosts/silicium/system/hardware/default.nix
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
{...}: {
|
||||||
|
# hardware
|
||||||
|
hardware = {
|
||||||
|
enableRedistributableFirmware = true;
|
||||||
|
graphics.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# logind configuration
|
||||||
|
services.logind = {
|
||||||
|
lidSwitch = "ignore";
|
||||||
|
extraConfig = ''
|
||||||
|
HandlePowerKey=suspend
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# tlp, power management
|
||||||
|
services.tlp.enable = true;
|
||||||
|
|
||||||
|
# thermald, controls temperature
|
||||||
|
services.thermald.enable = true;
|
||||||
|
|
||||||
|
# bluetooth
|
||||||
|
hardware.bluetooth.enable = true;
|
||||||
|
services.blueman.enable = true;
|
||||||
|
|
||||||
|
# backlight intensity
|
||||||
|
programs.light.enable = true;
|
||||||
|
|
||||||
|
# partitions and filesystems
|
||||||
|
imports = [
|
||||||
|
./partitions.nix
|
||||||
|
];
|
||||||
|
}
|
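Review bot: `lidSwitch = "ignore"` on a laptop means closing the lid neither suspends nor locks the session, so unless something else (an idle daemon driving swaylock) locks the screen, a closed laptop carried away is an unlocked session. If the intent is docked use with the lid shut, `lidSwitchDocked = "ignore"` alongside the default `lidSwitch = "suspend"` expresses that without the gap; otherwise a comment such as `# lid close does nothing: locking is left to the idle daemon` makes the trade-off visible. Whether an idle locker exists is not visible from this file.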
24
hosts/silicium/system/hardware/partitions.nix
Normal file
24
hosts/silicium/system/hardware/partitions.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/disk/by-uuid/b0ea5f1f-104f-4026-840a-4d46f3e827d1";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = ["subvol=nixos"];
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.initrd.luks.devices."nixenc".device = "/dev/disk/by-uuid/93d0b0d8-b586-48cf-acc2-025fba1eaadb";
|
||||||
|
|
||||||
|
fileSystems."/boot" = {
|
||||||
|
device = "/dev/disk/by-uuid/6D10-BBAF";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [];
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.amd.updateMicrocode =
|
||||||
|
lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
10
hosts/silicium/system/i18n/default.nix
Normal file
10
hosts/silicium/system/i18n/default.nix
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
{...}: {
|
||||||
|
# FRANCE 🇫🇷 🥖 🥐
|
||||||
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
||||||
|
# azerty keyboard
|
||||||
|
console.keyMap = "fr";
|
||||||
|
|
||||||
|
# english ISO metric system
|
||||||
|
i18n.defaultLocale = "en_DK.UTF-8";
|
||||||
|
}
|
18
hosts/silicium/system/networking/default.nix
Normal file
18
hosts/silicium/system/networking/default.nix
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
{...}: {
|
||||||
|
networking = {
|
||||||
|
# the name of the machine
|
||||||
|
hostName = "silicium";
|
||||||
|
|
||||||
|
# domain name servers, use clouflare family
|
||||||
|
nameservers = ["1.1.1.2" "1.0.0.2"];
|
||||||
|
|
||||||
|
# use networkManager, see nmcli
|
||||||
|
networkmanager.enable = true;
|
||||||
|
|
||||||
|
# firewall
|
||||||
|
firewall.enable = true;
|
||||||
|
|
||||||
|
# https://github.com/StevenBlack/hosts
|
||||||
|
stevenblack.enable = true;
|
||||||
|
};
|
||||||
|
}
|
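Review bot: The comment `# domain name servers, use clouflare family` has a typo (`cloudflare`), and as configured here — NetworkManager, no resolved, no DoT — those resolvers are queried over plain port 53, so the family filtering they provide is trivially bypassed or spoofed on untrusted Wi-Fi; if filtered DNS is the goal, `services.resolved` with `dnsovertls = "true"` authenticates the resolver. `firewall.enable = true` is already the NixOS default, so the line is documentation only; keeping it is fine, but `# default, kept explicit` avoids a reader assuming it was off.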
47
hosts/silicium/system/nix/default.nix
Normal file
47
hosts/silicium/system/nix/default.nix
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
# restrict nix command to sudoers
|
||||||
|
nix.settings.allowed-users = ["root" "@wheel"];
|
||||||
|
nix.settings.trusted-users = ["root" "@wheel"];
|
||||||
|
|
||||||
|
# experimental features
|
||||||
|
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||||
|
|
||||||
|
# limit number of cores when building
|
||||||
|
nix.settings.max-jobs = 6;
|
||||||
|
|
||||||
|
# optimizations
|
||||||
|
nix.settings.auto-optimise-store = true;
|
||||||
|
nix.optimise = {
|
||||||
|
automatic = true;
|
||||||
|
dates = ["12:00"];
|
||||||
|
};
|
||||||
|
|
||||||
|
# garbage collection
|
||||||
|
nix.gc = {
|
||||||
|
automatic = true;
|
||||||
|
dates = "12:00";
|
||||||
|
options = "--delete-older-than 30d";
|
||||||
|
};
|
||||||
|
|
||||||
|
# pin nixpkgs registry
|
||||||
|
nix.registry.nixpkgs.flake = inputs.nixpkgs;
|
||||||
|
|
||||||
|
# list of allowed unfree packages
|
||||||
|
nixpkgs.config.allowUnfreePredicate = pkg:
|
||||||
|
builtins.elem (lib.getName pkg) [
|
||||||
|
"vscode"
|
||||||
|
"vscode-extension-github-copilot"
|
||||||
|
"vscode-extension-github-copilot-chat"
|
||||||
|
];
|
||||||
|
|
||||||
|
# print diff between two generations
|
||||||
|
system.activationScripts.nvd-report-changes = ''
|
||||||
|
PATH=$PATH:${lib.makeBinPath [pkgs.nvd pkgs.nix]}
|
||||||
|
nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
|
||||||
|
'';
|
||||||
|
}
|
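Review bot: `nix.settings.trusted-users = ["root" "@wheel"]` is stronger than the `# restrict nix command to sudoers` comment suggests: a trusted user can pass arbitrary substituters and `--option` overrides to the daemon and thereby obtain root-equivalent access with no sudo password, undoing the password check that wheel membership otherwise keeps. `allowed-users` alone already limits who may talk to the daemon; unless trusted status is needed (for example to push unsigned closures with `--target-host`), drop the `trusted-users` line or document why it is there. The `nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)` activation snippet also fails on a machine with a single generation (first install), since `nvd diff` wants two paths; guarding it with a count check or appending `|| true` keeps activation clean.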
17
hosts/silicium/system/security/default.nix
Normal file
17
hosts/silicium/system/security/default.nix
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
{pkgs, ...}: {
|
||||||
|
# enable polkit
|
||||||
|
security.polkit.enable = true;
|
||||||
|
|
||||||
|
# enable gpg agent
|
||||||
|
programs.gnupg.agent = {
|
||||||
|
enable = true;
|
||||||
|
enableSSHSupport = true;
|
||||||
|
pinentryPackage = pkgs.pinentry-gnome3;
|
||||||
|
};
|
||||||
|
|
||||||
|
# secrets keyring
|
||||||
|
services.gnome.gnome-keyring.enable = true;
|
||||||
|
|
||||||
|
# allow swaylock to use pam
|
||||||
|
security.pam.services.swaylock = {};
|
||||||
|
}
|
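Review bot: `programs.gnupg.agent.enableSSHSupport = true` together with `services.gnome.gnome-keyring.enable = true` sets up two candidate SSH agents; gnome-keyring's ssh component can export its own `SSH_AUTH_SOCK` in the session and shadow gpg-agent's socket, at which point keys on the gpg side silently stop being offered. If gpg-agent is the intended agent, note that and verify the keyring's ssh component is not started in the Hyprland session; if gnome-keyring is only wanted for the secrets service, say so: `# keyring is used for the Secret Service API only; SSH goes through gpg-agent`. The agent interplay is an inference from the two enables, not something this file shows.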
13
hosts/silicium/system/users/default.nix
Normal file
13
hosts/silicium/system/users/default.nix
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
{...}: {
|
||||||
|
# disable user creation/deletion
|
||||||
|
users.mutableUsers = false;
|
||||||
|
|
||||||
|
# configure users
|
||||||
|
users = {
|
||||||
|
users.laurent = {
|
||||||
|
isNormalUser = true;
|
||||||
|
initialPassword = "laurent";
|
||||||
|
extraGroups = ["wheel" "video"];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
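Review bot: `initialPassword = "laurent"` combined with `users.mutableUsers = false` is not an initial password at all: with immutable users the option is equivalent to `password`, so the wheel user's permanent sudo password is the literal string `laurent`, committed in plaintext to this repository and readable from the Nix store. Replace it with a hash from `mkpasswd -m yescrypt` via `hashedPassword = "$y$…";`, or, since agenix is already wired in on this host, `hashedPasswordFile = config.age.secrets.laurent-password.path;` with the hash kept in an age secret. The comment `# disable user creation/deletion` also understates what `mutableUsers = false` does; `# users and passwords are declared here only; passwd changes do not persist` is closer.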
@ -1,5 +1,5 @@
|
||||||
let
|
let
|
||||||
silicium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium"; # TODO: remove this
|
silicium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium";
|
||||||
cesium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVxpWbNJl+OXe6YImMpsJprfuTd+9UJVTiteiuyx6oP root@cesium";
|
cesium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVxpWbNJl+OXe6YImMpsJprfuTd+9UJVTiteiuyx6oP root@cesium";
|
||||||
in {
|
in {
|
||||||
"borgbackup.age".publicKeys = [silicium];
|
"borgbackup.age".publicKeys = [silicium];
|
||||||
|
|
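Review bot: `"borgbackup.age".publicKeys = [silicium]` encrypts the secret to the user key `laurent@silicium`, which matches the `age.identityPaths` override on silicium but means the host key cannot decrypt it and it cannot be rekeyed from any other machine. Adding the silicium host key (`/etc/ssh/ssh_host_ed25519_key.pub`) as a second recipient, e.g. `"borgbackup.age".publicKeys = [silicium siliciumHost];`, lets the host decrypt with agenix's default identity while the user key remains usable for `agenix -e` edits. `cesium` is bound in the `let` but not referenced in this hunk, so either it is used further down or it is dead; the attribute set continues past the hunk.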