diff --git a/config/default.nix b/config/default.nix
index e39b02f..396fefa 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -8,7 +8,7 @@
 ./groups.nix
 ./hosts.nix
 ./networks.nix
-./profile.nix
+./profiles.nix
 ./sites.nix
 ./users.nix
 ./wireless-networks.nix
diff --git a/config/profile-config/common-ui.nix b/config/profile-config/common-ui.nix
index a8a721d..bf8a511 100644
--- a/config/profile-config/common-ui.nix
+++ b/config/profile-config/common-ui.nix
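Review bot: `./profiles.nix` is now imported by `config/default.nix`, but this same patch deletes `config/profiles.nix` (the dispatcher that imported `./profiles/${host-profile}.nix`) and adds no file of that name, so unless a replacement `config/profiles.nix` lands in another commit the import dangles and evaluation fails on a missing path. The deleted dispatcher also derived its `imports` from `config.fudo.hosts.…profile`, which the module system cannot resolve (imports that depend on `config` typically end in infinite recursion), so a replacement that selects a module from `config/profile-config/` should take the profile name from a module argument or `specialArgs` instead. The commit message should say where profile selection now happens.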
@@ -1,4 +1,131 @@
 { config, lib, pkgs, ... }:
-{
+with lib;
+let
+ hostname = config.instance.hostname;
+ enable-gui = config.fudo.hosts.${hostname}.enable-gui;
+
+in {
+ imports = [ ./common.nix ];
+
+ boot = {
+ plymouth.enable = false;
+ tmpOnTmpfs = true;
+ };
+
+ services = {
+ xserver = mkIf enable-gui {
+ enable = true;
+
+ desktopManager.gnome.enable = true;
+
+ displayManager.gdm = {
+ enable = true;
+ wayland = false;
+ autoSuspend = false;
+ };
+
+ windowManager.stumpwm.enable = true;
+
+ # windowManager.session = pkgs.lib.singleton {
+ # name = "stumpwm";
+ # start = ''
+ # ${pkgs.lispPackages.stumpwm}/bin/stumpwm &
+ # waidPID=$!
+ # '';
+ # };
+ };
+
+ trezord.enable = true;
+ };
+
+ hardware = {
+ bluetooth.enable = true;
+
+ opengl = mkIf enable-gui {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+ };
+
+ sound.enable = true;
+ hardware.pulseaudio = {
+ enable = true;
+ support32Bit = config.hardware.pulseaudio.enable;
+ };
+
+ # console.font =
+ # lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz";
+
+ services.gnome = mkIf enable-gui {
+ evolution-data-server.enable = mkForce false;
+ gnome-user-share.enable = mkForce false;
+ };
+
+ services.flatpak.enable = enable-gui;
+
+ fonts = mkIf enable-gui {
+ fontDir.enable = true;
+ fontconfig.enable = true;
+ #fontconfig.antialias = true;
+ #fontconfig.penultimate.enable = true;
+ #fontconfig.subpixel.lcdfilter = "default";
+
+ fonts = with pkgs; [
+ cantarell_fonts
+ dejavu_fonts
+ dina-font
+ dosemu_fonts
+ fira-code
+ fira-code-symbols
+ freefont_ttf
+ liberation_ttf
+ mplus-outline-fonts
+ nerdfonts
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ proggyfonts
+ terminus_font
+ ubuntu_font_family
+ ucsFonts
+ ultimate-oldschool-pc-font-pack
+ unifont
+ xorg.fontadobe100dpi
+ xorg.fontadobe75dpi
+ xorg.fontadobeutopia100dpi
+ xorg.fontadobeutopia75dpi
+ xorg.fontadobeutopiatype1
+ xorg.fontarabicmisc
+ xorg.fontbh100dpi
+ xorg.fontbh75dpi
+ xorg.fontbhlucidatypewriter100dpi
+ xorg.fontbhlucidatypewriter75dpi
+ xorg.fontbhttf
+ xorg.fontbhtype1
+ xorg.fontbitstream100dpi
+ xorg.fontbitstream75dpi
+ xorg.fontbitstreamtype1
+ xorg.fontcronyxcyrillic
+ xorg.fontcursormisc
+ xorg.fontdaewoomisc
+ xorg.fontdecmisc
+ xorg.fontibmtype1
+ xorg.fontisasmisc
+ xorg.fontjismisc
+ xorg.fontmicromisc
+ xorg.fontmisccyrillic
+ xorg.fontmiscethiopic
+ xorg.fontmiscmeltho
+ xorg.fontmiscmisc
+ xorg.fontmuttmisc
+ xorg.fontschumachermisc
+ xorg.fontscreencyrillic
+ xorg.fontsonymisc
+ xorg.fontsunmisc
+ xorg.fontwinitzkicyrillic
+ xorg.fontxfree86type1
+ ];
+ };
 }
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index ae437af..1c486f8 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
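Review bot: `support32Bit = config.hardware.pulseaudio.enable;` in the `hardware.pulseaudio` block only echoes the `enable = true;` set on the line above it; `support32Bit = true;` states the same thing without a detour through `config`. `services.trezord.enable` and `hardware.bluetooth.enable` are the only device-facing settings in this file that are not gated on `enable-gui`; if that is intentional, a comment such as `# trezord and bluetooth are wanted on headless hosts too` will keep the next reader from "fixing" it. The commented-out `windowManager.session` block is dead code that git history already preserves and can be dropped.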
@@ -1,5 +1,144 @@
 { config, lib, pkgs, ... }:
 with lib;
-{
+let
+ # Available to all users on the system. Keep it minimal.
+ global-packages = with pkgs; [
+ bind
+ cryptsetup
+ git
+ heimdal
+ openssh_gssapi
+ tldr
+ vim
+ wget
+ ];
+
+in {
+ environment = {
+ etc.nixos-live.source = ../../.;
+
+ systemPackages = global-packages;
+
+ # shellInit = ''
+ # ${pkgs.gnupg}/bin/gpg-connect-agent /bye
+ # export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
+ # '';
+ };
+
+ system.autoUpgrade.enable = false;
+
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ security.acme.acceptTerms = true;
+ hardware.enableRedistributableFirmware = true;
+
+ krb5 = {
+ enable = true;
+
+ appdefaults = {
+ forwardable = true;
+ proxiable = true;
+ encrypt = true;
+ forward = true;
+ };
+
+ libdefaults = {
+ allow_weak_crypto = true;
+ dns_lookup_kdc = true;
+ dns_lookup_realm = true;
+ forwardable = true;
+ proxiable = true;
+ };
+
+ kerberos = pkgs.heimdalFull;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ useDns = true;
+ permitRootLogin = "prohibit-password";
+ extraConfig = ''
+ GSSAPIAuthentication yes
+ GSSAPICleanupCredentials yes
+ GSSAPIKeyExchange yes
+ GSSAPIStoreCredentialsOnRekey yes
+ '';
+ };
+
+ fail2ban = let
+ domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
+ in {
+ enable = config.networking.firewall.enable;
+ bantime-increment.enable = true;
+ ignoreIP = config.instance.local-networks;
+ };
+
+ xserver = {
+ layout = "us";
+ xkbVariant = "dvp";
+ xkbOptions = "ctrl:nocaps";
+ };
+
+ # pcscd.enable = true;
+ # udev.packages = with pkgs; [ yubikey-personalization ];
+ };
+
+ networking.firewall = {
+ # Allow mosh connections if the firewall is enabled
+ allowedUDPPortRanges = [{
+ from = 60000;
+ to = 60100;
+ }];
+ };
+
+ console.useXkbConfig = true;
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ programs = {
+ mosh.enable = true;
+
+ bash.enableCompletion = true;
+
+ fish.enable = true;
+
+ gnupg.agent = {
+ enable = true;
+ # enableSSHSupport = true;
+ # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
+ };
+
+ ssh = {
+ startAgent = true;
+
+ package = pkgs.openssh_gssapi;
+
+ extraConfig = ''
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
+ '';
+ };
+ };
+
+ security.pam = {
+ enableSSHAgentAuth = true;
+
+ services = {
+ sshd = {
+ makeHomeDir = true;
+ sshAgentAuth = true;
+ # This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
+ # googleAuthenticator.enable = true;
+ };
+ };
+ };
 }
diff --git a/config/profile-config/desktop.nix b/config/profile-config/desktop.nix
index 231995a..ca0d5d8 100644
--- a/config/profile-config/desktop.nix
+++ b/config/profile-config/desktop.nix
@@ -1,4 +1,10 @@
 { config, lib, pkgs, ... }:
-with lib; {
+with lib;
+{
+ imports = [ ./common-ui.nix ];
+
+ config = {
+ networking.networkmanager.enable = mkForce false;
+ };
 }
diff --git a/config/profile-config/laptop.nix b/config/profile-config/laptop.nix
index ae437af..dca0312 100644
--- a/config/profile-config/laptop.nix
+++ b/config/profile-config/laptop.nix
@@ -2,4 +2,31 @@
 with lib;
 {
+ imports = [ ./common-ui.nix ];
+
+ options.fudo.profile.laptop = {
+ use-network-manager =
+ mkEnableOption "Use NetworkManager instead of wpa_supplicant.";
+ };
+
+ config = {
+
+ environment.systemPackages = with pkgs; [ acpi upower wpa_supplicant ];
+
+ networking = if (config.fudo.profile.laptop.use-network-manager) then {
+ networkmanager.enable = true;
+ } else {
+ networkmanager.enable = false;
+ wireless = {
+ enable = true;
+ userControlled = {
+ enable = true;
+ group = "wheel";
+ };
+ networks = mapAttrs (network: networkOpts: {
+ psk = networkOpts.key;
+ }) config.fudo.wireless-networks;
+ };
+ };
+ };
 }
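Review bot: `allow_weak_crypto = true;` in `krb5.libdefaults` re-enables the deprecated single-DES enctypes on every host built from this common profile; unless a legacy KDC or service still requires them, drop the line (the default is off) or set `allow_weak_crypto = false;` so clients refuse weak session keys. Likewise `GSSAPIDelegateCredentials yes` in `programs.ssh.extraConfig` forwards the user's Kerberos TGT to every host they ssh to, so a compromised server can act as that user elsewhere; scoping it to a `Host *.<your-domain>` block keeps tickets within the trusted realm. The `domain-name` binding in the `fail2ban` `let` is never used and should be removed or put to use.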
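Review bot: `psk = networkOpts.key;` in the `networking.wireless.networks` mapping writes each passphrase from `config.fudo.wireless-networks` into the generated wpa_supplicant configuration, which ends up in the world-readable Nix store, so any local account on the laptop can read the Wi-Fi keys. NixOS's `networking.wireless.environmentFile` exists for this: keep the secrets in a root-only `NAME=value` file and reference them as `psk = "@NAME@";` so only the placeholder reaches the store. The `if … then { networkmanager.enable = true; } else { … }` attribute set is fine, but a one-line comment noting that the wpa_supplicant branch is the default (`use-network-manager` is an `mkEnableOption`, default false) would help readers of this file.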
diff --git a/config/profile-config/server.nix b/config/profile-config/server.nix
index ae437af..4183d7c 100644
--- a/config/profile-config/server.nix
+++ b/config/profile-config/server.nix
@@ -1,5 +1,74 @@
 { config, lib, pkgs, ... }:
 with lib;
-{
+let
+ reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
+ if [ $# -ne 1 ]; then
+ echo "FAILED: no sync file provided."
+ exit 1
+ fi
+
+ WALL=${pkgs.utillinux}/bin/wall
+
+ if [ -f $1 ]; then
+ $WALL "$1 exists, rebooting system"
+ ${pkgs.systemd}/bin/reboot
+ else
+ $WALL "$1 does not exist, switching config."
+ nixos-rebuild switch
+ fi
+
+ exit 0
+ '';
+
+ test-config = pkgs.writeShellScriptBin "fudo-test-config" ''
+ if [ $# -gt 1 ]; then
+ echo "usage: $0 [timeout]"
+ exit 1
+ elif [ $# -eq 1 ]; then
+ TIMEOUT=$1
+ else
+ TIMEOUT=15m
+ fi
+
+ SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
+ touch $SYNCFILE
+ ${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."
+ systemd-run --on-active=$TIMEOUT ${reboot-if-necessary} $SYNCFILE
+ nixos-rebuild test
+
+ exit 0
+ '';
+
+in {
+ imports = [ ./common.nix ];
+
+ config = {
+ environment = {
+ serverPackages = with pkgs;
+ [ emacs-nox reboot-if-necessary test-config ];
+ };
+
+ networking.networkmanager.enable = mkForce false;
+
+ services.xserver.enable = false;
+
+ sound.enable = false;
+ hardware.pulseaudio.enable = false;
+
+ powerManagement =
+ if config.fudo.hosts.${config.instance.hostname}.keep-cool then {
+ enable = true;
+ cpuFreqGovernor = "ondemand";
+ } else {
+ enable = false;
+ };
+
+ systemd.targets = {
+ sleep.enable = false;
+ suspend.enable = false;
+ hibernate.enable = false;
+ hybrid-sleep.enable = false;
+ };
+ };
 }
diff --git a/config/profiles.nix b/config/profiles.nix
deleted file mode 100644
index b4f6249..0000000
--- a/config/profiles.nix
+++ /dev/null
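Review bot: `systemd-run --on-active=$TIMEOUT ${reboot-if-necessary} $SYNCFILE` in `fudo-test-config` interpolates the derivation, i.e. its store directory, not the script; `writeShellScriptBin` places it at `bin/reboot-if-necessary`, so the timer unit fails to exec and the safety reboot never fires — it should read `systemd-run --on-active=$TIMEOUT ${reboot-if-necessary}/bin/reboot-if-necessary $SYNCFILE`. `$TMP` is not a variable the shell or systemd guarantees, so `SYNCFILE` can resolve to `/sync-…` when it is unset; use a fallback (written `''${TMPDIR:-/tmp}` inside the Nix indented string) or, better, a root-owned directory under `/run`, since the file both gates a reboot and is named in the visible command line, and quote `$1` and `$SYNCFILE` in both scripts. `environment.serverPackages` is not a NixOS option and nothing in this diff declares it; if no other module in the repo defines it, evaluation fails and `environment.systemPackages` is presumably intended.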
@@ -1,7 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- host = config.instance.hostname;
- host-profile = config.fudo.hosts.${host}.profile;
-
-in { imports = [ "./profiles/${host-profile}.nix" ]; }
diff --git a/config/profiles/common-ui.nix b/config/profiles/common-ui.nix
deleted file mode 100644
index bf8a511..0000000
--- a/config/profiles/common-ui.nix
+++ /dev/null
@@ -1,131 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- hostname = config.instance.hostname;
- enable-gui = config.fudo.hosts.${hostname}.enable-gui;
-
-in {
- imports = [ ./common.nix ];
-
- boot = {
- plymouth.enable = false;
- tmpOnTmpfs = true;
- };
-
- services = {
- xserver = mkIf enable-gui {
- enable = true;
-
- desktopManager.gnome.enable = true;
-
- displayManager.gdm = {
- enable = true;
- wayland = false;
- autoSuspend = false;
- };
-
- windowManager.stumpwm.enable = true;
-
- # windowManager.session = pkgs.lib.singleton {
- # name = "stumpwm";
- # start = ''
- # ${pkgs.lispPackages.stumpwm}/bin/stumpwm &
- # waidPID=$!
- # '';
- # };
- };
-
- trezord.enable = true;
- };
-
- hardware = {
- bluetooth.enable = true;
-
- opengl = mkIf enable-gui {
- enable = true;
- driSupport = true;
- driSupport32Bit = true;
- };
- };
-
- sound.enable = true;
- hardware.pulseaudio = {
- enable = true;
- support32Bit = config.hardware.pulseaudio.enable;
- };
-
- # console.font =
- # lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz";
-
- services.gnome = mkIf enable-gui {
- evolution-data-server.enable = mkForce false;
- gnome-user-share.enable = mkForce false;
- };
-
- services.flatpak.enable = enable-gui;
-
- fonts = mkIf enable-gui {
- fontDir.enable = true;
- fontconfig.enable = true;
- #fontconfig.antialias = true;
- #fontconfig.penultimate.enable = true;
- #fontconfig.subpixel.lcdfilter = "default";
-
- fonts = with pkgs; [
- cantarell_fonts
- dejavu_fonts
- dina-font
- dosemu_fonts
- fira-code
- fira-code-symbols
- freefont_ttf
- liberation_ttf
- mplus-outline-fonts
- nerdfonts
- noto-fonts
- noto-fonts-cjk
- noto-fonts-emoji
- proggyfonts
- terminus_font
- ubuntu_font_family
- ucsFonts
- ultimate-oldschool-pc-font-pack
- unifont
- xorg.fontadobe100dpi
- xorg.fontadobe75dpi
- xorg.fontadobeutopia100dpi
- xorg.fontadobeutopia75dpi
- xorg.fontadobeutopiatype1
- xorg.fontarabicmisc
- xorg.fontbh100dpi
- xorg.fontbh75dpi
- xorg.fontbhlucidatypewriter100dpi
- xorg.fontbhlucidatypewriter75dpi
- xorg.fontbhttf
- xorg.fontbhtype1
- xorg.fontbitstream100dpi
- xorg.fontbitstream75dpi
- xorg.fontbitstreamtype1
- xorg.fontcronyxcyrillic
- xorg.fontcursormisc
- xorg.fontdaewoomisc
- xorg.fontdecmisc
- xorg.fontibmtype1
- xorg.fontisasmisc
- xorg.fontjismisc
- xorg.fontmicromisc
- xorg.fontmisccyrillic
- xorg.fontmiscethiopic
- xorg.fontmiscmeltho
- xorg.fontmiscmisc
- xorg.fontmuttmisc
- xorg.fontschumachermisc
- xorg.fontscreencyrillic
- xorg.fontsonymisc
- xorg.fontsunmisc
- xorg.fontwinitzkicyrillic
- xorg.fontxfree86type1
- ];
- };
-}
diff --git a/config/profiles/common.nix b/config/profiles/common.nix
deleted file mode 100644
index 1c486f8..0000000
--- a/config/profiles/common.nix
+++ /dev/null
@@ -1,144 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- # Available to all users on the system. Keep it minimal.
- global-packages = with pkgs; [
- bind
- cryptsetup
- git
- heimdal
- openssh_gssapi
- tldr
- vim
- wget
- ];
-
-in {
- environment = {
- etc.nixos-live.source = ../../.;
-
- systemPackages = global-packages;
-
- # shellInit = ''
- # ${pkgs.gnupg}/bin/gpg-connect-agent /bye
- # export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
- # '';
- };
-
- system.autoUpgrade.enable = false;
-
- nix = {
- package = pkgs.nixFlakes;
- extraOptions = ''
- experimental-features = nix-command flakes
- '';
- };
-
- nixpkgs.config.allowUnfree = true;
- security.acme.acceptTerms = true;
- hardware.enableRedistributableFirmware = true;
-
- krb5 = {
- enable = true;
-
- appdefaults = {
- forwardable = true;
- proxiable = true;
- encrypt = true;
- forward = true;
- };
-
- libdefaults = {
- allow_weak_crypto = true;
- dns_lookup_kdc = true;
- dns_lookup_realm = true;
- forwardable = true;
- proxiable = true;
- };
-
- kerberos = pkgs.heimdalFull;
- };
-
- services = {
- openssh = {
- enable = true;
- startWhenNeeded = true;
- useDns = true;
- permitRootLogin = "prohibit-password";
- extraConfig = ''
- GSSAPIAuthentication yes
- GSSAPICleanupCredentials yes
- GSSAPIKeyExchange yes
- GSSAPIStoreCredentialsOnRekey yes
- '';
- };
-
- fail2ban = let
- domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
- in {
- enable = config.networking.firewall.enable;
- bantime-increment.enable = true;
- ignoreIP = config.instance.local-networks;
- };
-
- xserver = {
- layout = "us";
- xkbVariant = "dvp";
- xkbOptions = "ctrl:nocaps";
- };
-
- # pcscd.enable = true;
- # udev.packages = with pkgs; [ yubikey-personalization ];
- };
-
- networking.firewall = {
- # Allow mosh connections if the firewall is enabled
- allowedUDPPortRanges = [{
- from = 60000;
- to = 60100;
- }];
- };
-
- console.useXkbConfig = true;
-
- i18n.defaultLocale = "en_US.UTF-8";
-
- programs = {
- mosh.enable = true;
-
- bash.enableCompletion = true;
-
- fish.enable = true;
-
- gnupg.agent = {
- enable = true;
- # enableSSHSupport = true;
- # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
- };
-
- ssh = {
- startAgent = true;
-
- package = pkgs.openssh_gssapi;
-
- extraConfig = ''
- GSSAPIAuthentication yes
- GSSAPIDelegateCredentials yes
- '';
- };
- };
-
- security.pam = {
- enableSSHAgentAuth = true;
-
- services = {
- sshd = {
- makeHomeDir = true;
- sshAgentAuth = true;
- # This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
- # googleAuthenticator.enable = true;
- };
- };
- };
-}
diff --git a/config/profiles/desktop.nix b/config/profiles/desktop.nix
deleted file mode 100644
index ca0d5d8..0000000
--- a/config/profiles/desktop.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-{
- imports = [ ./common-ui.nix ];
-
- config = {
- networking.networkmanager.enable = mkForce false;
- };
-}
diff --git a/config/profiles/laptop.nix b/config/profiles/laptop.nix
deleted file mode 100644
index dca0312..0000000
--- a/config/profiles/laptop.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-{
- imports = [ ./common-ui.nix ];
-
- options.fudo.profile.laptop = {
- use-network-manager =
- mkEnableOption "Use NetworkManager instead of wpa_supplicant.";
- };
-
- config = {
-
- environment.systemPackages = with pkgs; [ acpi upower wpa_supplicant ];
-
- networking = if (config.fudo.profile.laptop.use-network-manager) then {
- networkmanager.enable = true;
- } else {
- networkmanager.enable = false;
- wireless = {
- enable = true;
- userControlled = {
- enable = true;
- group = "wheel";
- };
- networks = mapAttrs (network: networkOpts: {
- psk = networkOpts.key;
- }) config.fudo.wireless-networks;
- };
- };
- };
-}
diff --git a/config/profiles/server.nix b/config/profiles/server.nix
deleted file mode 100644
index 4183d7c..0000000
--- a/config/profiles/server.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
- if [ $# -ne 1 ]; then
- echo "FAILED: no sync file provided."
- exit 1
- fi
-
- WALL=${pkgs.utillinux}/bin/wall
-
- if [ -f $1 ]; then
- $WALL "$1 exists, rebooting system"
- ${pkgs.systemd}/bin/reboot
- else
- $WALL "$1 does not exist, switching config."
- nixos-rebuild switch
- fi
-
- exit 0
- '';
-
- test-config = pkgs.writeShellScriptBin "fudo-test-config" ''
- if [ $# -gt 1 ]; then
- echo "usage: $0 [timeout]"
- exit 1
- elif [ $# -eq 1 ]; then
- TIMEOUT=$1
- else
- TIMEOUT=15m
- fi
-
- SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
- touch $SYNCFILE
- ${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."
- systemd-run --on-active=$TIMEOUT ${reboot-if-necessary} $SYNCFILE
- nixos-rebuild test
-
- exit 0
- '';
-
-in {
- imports = [ ./common.nix ];
-
- config = {
- environment = {
- serverPackages = with pkgs;
- [ emacs-nox reboot-if-necessary test-config ];
- };
-
- networking.networkmanager.enable = mkForce false;
-
- services.xserver.enable = false;
-
- sound.enable = false;
- hardware.pulseaudio.enable = false;
-
- powerManagement =
- if config.fudo.hosts.${config.instance.hostname}.keep-cool then {
- enable = true;
- cpuFreqGovernor = "ondemand";
- } else {
- enable = false;
- };
-
- systemd.targets = {
- sleep.enable = false;
- suspend.enable = false;
- hibernate.enable = false;
- hybrid-sleep.enable = false;
- };
- };
-}