Nevermind, to import need config defined first

This commit is contained in:
niten 2021-11-02 09:40:51 -07:00
parent 566643e195
commit c31af09ede
12 changed files with 373 additions and 403 deletions


@ -8,7 +8,7 @@
./groups.nix
./hosts.nix
./networks.nix
./profile.nix
./profiles.nix
./sites.nix
./users.nix
./wireless-networks.nix


@ -1,4 +1,131 @@
{ config, lib, pkgs, ... }:
{
with lib;
let
hostname = config.instance.hostname;
enable-gui = config.fudo.hosts.${hostname}.enable-gui;
in {
imports = [ ./common.nix ];
boot = {
plymouth.enable = false;
tmpOnTmpfs = true;
};
services = {
xserver = mkIf enable-gui {
enable = true;
desktopManager.gnome.enable = true;
displayManager.gdm = {
enable = true;
wayland = false;
autoSuspend = false;
};
windowManager.stumpwm.enable = true;
# windowManager.session = pkgs.lib.singleton {
# name = "stumpwm";
# start = ''
# ${pkgs.lispPackages.stumpwm}/bin/stumpwm &
# waidPID=$!
# '';
# };
};
trezord.enable = true;
};
hardware = {
bluetooth.enable = true;
opengl = mkIf enable-gui {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
};
sound.enable = true;
hardware.pulseaudio = {
enable = true;
support32Bit = config.hardware.pulseaudio.enable;
};
# console.font =
# lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz";
services.gnome = mkIf enable-gui {
evolution-data-server.enable = mkForce false;
gnome-user-share.enable = mkForce false;
};
services.flatpak.enable = enable-gui;
fonts = mkIf enable-gui {
fontDir.enable = true;
fontconfig.enable = true;
#fontconfig.antialias = true;
#fontconfig.penultimate.enable = true;
#fontconfig.subpixel.lcdfilter = "default";
fonts = with pkgs; [
cantarell_fonts
dejavu_fonts
dina-font
dosemu_fonts
fira-code
fira-code-symbols
freefont_ttf
liberation_ttf
mplus-outline-fonts
nerdfonts
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
proggyfonts
terminus_font
ubuntu_font_family
ucsFonts
ultimate-oldschool-pc-font-pack
unifont
xorg.fontadobe100dpi
xorg.fontadobe75dpi
xorg.fontadobeutopia100dpi
xorg.fontadobeutopia75dpi
xorg.fontadobeutopiatype1
xorg.fontarabicmisc
xorg.fontbh100dpi
xorg.fontbh75dpi
xorg.fontbhlucidatypewriter100dpi
xorg.fontbhlucidatypewriter75dpi
xorg.fontbhttf
xorg.fontbhtype1
xorg.fontbitstream100dpi
xorg.fontbitstream75dpi
xorg.fontbitstreamtype1
xorg.fontcronyxcyrillic
xorg.fontcursormisc
xorg.fontdaewoomisc
xorg.fontdecmisc
xorg.fontibmtype1
xorg.fontisasmisc
xorg.fontjismisc
xorg.fontmicromisc
xorg.fontmisccyrillic
xorg.fontmiscethiopic
xorg.fontmiscmeltho
xorg.fontmiscmisc
xorg.fontmuttmisc
xorg.fontschumachermisc
xorg.fontscreencyrillic
xorg.fontsonymisc
xorg.fontsunmisc
xorg.fontwinitzkicyrillic
xorg.fontxfree86type1
];
};
}
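Review bot: `hardware.pulseaudio.support32Bit = config.hardware.pulseaudio.enable;` reads back the option that is set two lines earlier in the same attribute set, so it is just a roundabout `support32Bit = true;` and the self-reference makes a reader check for recursion for no gain. `services.trezord.enable`, `hardware.bluetooth.enable` and `sound.enable` are also set unconditionally while everything else in this file is gated on `enable-gui`; if that is deliberate (hardware wallet and audio on headless GUI-less hosts), a one-line comment saying so would stop the next maintainer from "fixing" it. This section's content appears identical to the deleted profiles section lower in the diff, so these points predate the move.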


@ -1,5 +1,144 @@
{ config, lib, pkgs, ... }:
with lib;
{
let
# Available to all users on the system. Keep it minimal.
global-packages = with pkgs; [
bind
cryptsetup
git
heimdal
openssh_gssapi
tldr
vim
wget
];
in {
environment = {
etc.nixos-live.source = ../../.;
systemPackages = global-packages;
# shellInit = ''
# ${pkgs.gnupg}/bin/gpg-connect-agent /bye
# export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
# '';
};
system.autoUpgrade.enable = false;
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
nixpkgs.config.allowUnfree = true;
security.acme.acceptTerms = true;
hardware.enableRedistributableFirmware = true;
krb5 = {
enable = true;
appdefaults = {
forwardable = true;
proxiable = true;
encrypt = true;
forward = true;
};
libdefaults = {
allow_weak_crypto = true;
dns_lookup_kdc = true;
dns_lookup_realm = true;
forwardable = true;
proxiable = true;
};
kerberos = pkgs.heimdalFull;
};
services = {
openssh = {
enable = true;
startWhenNeeded = true;
useDns = true;
permitRootLogin = "prohibit-password";
extraConfig = ''
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
'';
};
fail2ban = let
domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
in {
enable = config.networking.firewall.enable;
bantime-increment.enable = true;
ignoreIP = config.instance.local-networks;
};
xserver = {
layout = "us";
xkbVariant = "dvp";
xkbOptions = "ctrl:nocaps";
};
# pcscd.enable = true;
# udev.packages = with pkgs; [ yubikey-personalization ];
};
networking.firewall = {
# Allow mosh connections if the firewall is enabled
allowedUDPPortRanges = [{
from = 60000;
to = 60100;
}];
};
console.useXkbConfig = true;
i18n.defaultLocale = "en_US.UTF-8";
programs = {
mosh.enable = true;
bash.enableCompletion = true;
fish.enable = true;
gnupg.agent = {
enable = true;
# enableSSHSupport = true;
# pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
};
ssh = {
startAgent = true;
package = pkgs.openssh_gssapi;
extraConfig = ''
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
'';
};
};
security.pam = {
enableSSHAgentAuth = true;
services = {
sshd = {
makeHomeDir = true;
sshAgentAuth = true;
# This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
# googleAuthenticator.enable = true;
};
};
};
}
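Review bot: `allow_weak_crypto = true;` in `krb5.libdefaults` re-enables deprecated enctypes (single-DES and friends) for every Kerberos client on these hosts, and combined with `appdefaults.forwardable = true;` plus the unconditional `GSSAPIDelegateCredentials yes` in `programs.ssh.extraConfig`, a user's forwardable TGT is handed to any SSH server they connect to, not only hosts in the realm. If a legacy service still needs weak enctypes, a comment naming it would justify the line; otherwise it should go. Delegation is better scoped with a `Host *.<realm-domain>` stanza in `extraConfig` (placeholder domain), leaving `GSSAPIDelegateCredentials` off for everything else. Unrelated: the `domain-name` binding in the `fail2ban = let … in` block is never used and can be dropped, and `services.openssh.useDns = true;` only adds a reverse-lookup delay on each login without strengthening authentication.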


@ -1,4 +1,10 @@
{ config, lib, pkgs, ... }:
with lib; {
with lib;
{
imports = [ ./common-ui.nix ];
config = {
networking.networkmanager.enable = mkForce false;
};
}


@ -2,4 +2,31 @@
with lib;
{
imports = [ ./common-ui.nix ];
options.fudo.profile.laptop = {
use-network-manager =
mkEnableOption "Use NetworkManager instead of wpa_supplicant.";
};
config = {
environment.systemPackages = with pkgs; [ acpi upower wpa_supplicant ];
networking = if (config.fudo.profile.laptop.use-network-manager) then {
networkmanager.enable = true;
} else {
networkmanager.enable = false;
wireless = {
enable = true;
userControlled = {
enable = true;
group = "wheel";
};
networks = mapAttrs (network: networkOpts: {
psk = networkOpts.key;
}) config.fudo.wireless-networks;
};
};
};
}
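Review bot: The `networks = mapAttrs (network: networkOpts: { psk = networkOpts.key; })` mapping copies every pre-shared key from `config.fudo.wireless-networks` into the generated wpa_supplicant configuration, which is built into the world-readable Nix store, so any local user or anything that can read the store can recover the Wi-Fi passphrases. NixOS's `networking.wireless.environmentFile` substitutes `@NAME@` placeholders from a root-only file at activation time; with it the mapping would emit something like `psk = "@PSK_${network}@";` (the placeholder must be a shell-safe name) and the real keys would stay out of the store. If that option is not in the pinned nixpkgs, a comment on this line stating that keys end up in the store would at least warn the next maintainer.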


@ -1,5 +1,74 @@
{ config, lib, pkgs, ... }:
with lib;
{
let
reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
if [ $# -ne 1 ]; then
echo "FAILED: no sync file provided."
exit 1
fi
WALL=${pkgs.utillinux}/bin/wall
if [ -f $1 ]; then
$WALL "$1 exists, rebooting system"
${pkgs.systemd}/bin/reboot
else
$WALL "$1 does not exist, switching config."
nixos-rebuild switch
fi
exit 0
'';
test-config = pkgs.writeShellScriptBin "fudo-test-config" ''
if [ $# -gt 1 ]; then
echo "usage: $0 [timeout]"
exit 1
elif [ $# -eq 1 ]; then
TIMEOUT=$1
else
TIMEOUT=15m
fi
SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
touch $SYNCFILE
${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."
systemd-run --on-active=$TIMEOUT ${reboot-if-necessary} $SYNCFILE
nixos-rebuild test
exit 0
'';
in {
imports = [ ./common.nix ];
config = {
environment = {
serverPackages = with pkgs;
[ emacs-nox reboot-if-necessary test-config ];
};
networking.networkmanager.enable = mkForce false;
services.xserver.enable = false;
sound.enable = false;
hardware.pulseaudio.enable = false;
powerManagement =
if config.fudo.hosts.${config.instance.hostname}.keep-cool then {
enable = true;
cpuFreqGovernor = "ondemand";
} else {
enable = false;
};
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
}
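Review bot: `environment.serverPackages` in the `config` block is not a NixOS option I recognise — unless this repository declares it elsewhere, evaluation will fail with an unknown-option error and `emacs-nox` plus the two helper scripts will not be installed; the intended line is presumably `environment.systemPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];`. In `fudo-test-config`, `$TMP` is not set by systemd or a default login shell, so `SYNCFILE` can resolve to `/sync-…` in the filesystem root; `SYNCFILE=$(mktemp /tmp/sync-XXXXXX)` would create the file and avoid the predictable, date-derived name in a shared directory. Quoting `"$1"` and `"$SYNCFILE"` in both scripts also keeps `[ -f … ]`, `touch` and the `systemd-run` argument intact for paths containing spaces.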


@ -1,7 +0,0 @@
{ config, lib, pkgs, ... }:
let
host = config.instance.hostname;
host-profile = config.fudo.hosts.${host}.profile;
in { imports = [ "./profiles/${host-profile}.nix" ]; }


@ -1,131 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
enable-gui = config.fudo.hosts.${hostname}.enable-gui;
in {
imports = [ ./common.nix ];
boot = {
plymouth.enable = false;
tmpOnTmpfs = true;
};
services = {
xserver = mkIf enable-gui {
enable = true;
desktopManager.gnome.enable = true;
displayManager.gdm = {
enable = true;
wayland = false;
autoSuspend = false;
};
windowManager.stumpwm.enable = true;
# windowManager.session = pkgs.lib.singleton {
# name = "stumpwm";
# start = ''
# ${pkgs.lispPackages.stumpwm}/bin/stumpwm &
# waidPID=$!
# '';
# };
};
trezord.enable = true;
};
hardware = {
bluetooth.enable = true;
opengl = mkIf enable-gui {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
};
sound.enable = true;
hardware.pulseaudio = {
enable = true;
support32Bit = config.hardware.pulseaudio.enable;
};
# console.font =
# lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz";
services.gnome = mkIf enable-gui {
evolution-data-server.enable = mkForce false;
gnome-user-share.enable = mkForce false;
};
services.flatpak.enable = enable-gui;
fonts = mkIf enable-gui {
fontDir.enable = true;
fontconfig.enable = true;
#fontconfig.antialias = true;
#fontconfig.penultimate.enable = true;
#fontconfig.subpixel.lcdfilter = "default";
fonts = with pkgs; [
cantarell_fonts
dejavu_fonts
dina-font
dosemu_fonts
fira-code
fira-code-symbols
freefont_ttf
liberation_ttf
mplus-outline-fonts
nerdfonts
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
proggyfonts
terminus_font
ubuntu_font_family
ucsFonts
ultimate-oldschool-pc-font-pack
unifont
xorg.fontadobe100dpi
xorg.fontadobe75dpi
xorg.fontadobeutopia100dpi
xorg.fontadobeutopia75dpi
xorg.fontadobeutopiatype1
xorg.fontarabicmisc
xorg.fontbh100dpi
xorg.fontbh75dpi
xorg.fontbhlucidatypewriter100dpi
xorg.fontbhlucidatypewriter75dpi
xorg.fontbhttf
xorg.fontbhtype1
xorg.fontbitstream100dpi
xorg.fontbitstream75dpi
xorg.fontbitstreamtype1
xorg.fontcronyxcyrillic
xorg.fontcursormisc
xorg.fontdaewoomisc
xorg.fontdecmisc
xorg.fontibmtype1
xorg.fontisasmisc
xorg.fontjismisc
xorg.fontmicromisc
xorg.fontmisccyrillic
xorg.fontmiscethiopic
xorg.fontmiscmeltho
xorg.fontmiscmisc
xorg.fontmuttmisc
xorg.fontschumachermisc
xorg.fontscreencyrillic
xorg.fontsonymisc
xorg.fontsunmisc
xorg.fontwinitzkicyrillic
xorg.fontxfree86type1
];
};
}


@ -1,144 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
# Available to all users on the system. Keep it minimal.
global-packages = with pkgs; [
bind
cryptsetup
git
heimdal
openssh_gssapi
tldr
vim
wget
];
in {
environment = {
etc.nixos-live.source = ../../.;
systemPackages = global-packages;
# shellInit = ''
# ${pkgs.gnupg}/bin/gpg-connect-agent /bye
# export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
# '';
};
system.autoUpgrade.enable = false;
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
nixpkgs.config.allowUnfree = true;
security.acme.acceptTerms = true;
hardware.enableRedistributableFirmware = true;
krb5 = {
enable = true;
appdefaults = {
forwardable = true;
proxiable = true;
encrypt = true;
forward = true;
};
libdefaults = {
allow_weak_crypto = true;
dns_lookup_kdc = true;
dns_lookup_realm = true;
forwardable = true;
proxiable = true;
};
kerberos = pkgs.heimdalFull;
};
services = {
openssh = {
enable = true;
startWhenNeeded = true;
useDns = true;
permitRootLogin = "prohibit-password";
extraConfig = ''
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
'';
};
fail2ban = let
domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
in {
enable = config.networking.firewall.enable;
bantime-increment.enable = true;
ignoreIP = config.instance.local-networks;
};
xserver = {
layout = "us";
xkbVariant = "dvp";
xkbOptions = "ctrl:nocaps";
};
# pcscd.enable = true;
# udev.packages = with pkgs; [ yubikey-personalization ];
};
networking.firewall = {
# Allow mosh connections if the firewall is enabled
allowedUDPPortRanges = [{
from = 60000;
to = 60100;
}];
};
console.useXkbConfig = true;
i18n.defaultLocale = "en_US.UTF-8";
programs = {
mosh.enable = true;
bash.enableCompletion = true;
fish.enable = true;
gnupg.agent = {
enable = true;
# enableSSHSupport = true;
# pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
};
ssh = {
startAgent = true;
package = pkgs.openssh_gssapi;
extraConfig = ''
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
'';
};
};
security.pam = {
enableSSHAgentAuth = true;
services = {
sshd = {
makeHomeDir = true;
sshAgentAuth = true;
# This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
# googleAuthenticator.enable = true;
};
};
};
}


@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
imports = [ ./common-ui.nix ];
config = {
networking.networkmanager.enable = mkForce false;
};
}


@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
imports = [ ./common-ui.nix ];
options.fudo.profile.laptop = {
use-network-manager =
mkEnableOption "Use NetworkManager instead of wpa_supplicant.";
};
config = {
environment.systemPackages = with pkgs; [ acpi upower wpa_supplicant ];
networking = if (config.fudo.profile.laptop.use-network-manager) then {
networkmanager.enable = true;
} else {
networkmanager.enable = false;
wireless = {
enable = true;
userControlled = {
enable = true;
group = "wheel";
};
networks = mapAttrs (network: networkOpts: {
psk = networkOpts.key;
}) config.fudo.wireless-networks;
};
};
};
}


@ -1,74 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
if [ $# -ne 1 ]; then
echo "FAILED: no sync file provided."
exit 1
fi
WALL=${pkgs.utillinux}/bin/wall
if [ -f $1 ]; then
$WALL "$1 exists, rebooting system"
${pkgs.systemd}/bin/reboot
else
$WALL "$1 does not exist, switching config."
nixos-rebuild switch
fi
exit 0
'';
test-config = pkgs.writeShellScriptBin "fudo-test-config" ''
if [ $# -gt 1 ]; then
echo "usage: $0 [timeout]"
exit 1
elif [ $# -eq 1 ]; then
TIMEOUT=$1
else
TIMEOUT=15m
fi
SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
touch $SYNCFILE
${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."
systemd-run --on-active=$TIMEOUT ${reboot-if-necessary} $SYNCFILE
nixos-rebuild test
exit 0
'';
in {
imports = [ ./common.nix ];
config = {
environment = {
serverPackages = with pkgs;
[ emacs-nox reboot-if-necessary test-config ];
};
networking.networkmanager.enable = mkForce false;
services.xserver.enable = false;
sound.enable = false;
hardware.pulseaudio.enable = false;
powerManagement =
if config.fudo.hosts.${config.instance.hostname}.keep-cool then {
enable = true;
cpuFreqGovernor = "ondemand";
} else {
enable = false;
};
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
}