
commit 12a3da0bfdf80c4c8c29bcb73a55478595789d41
parent 429025d7899e8bff3586563291d7c189e7477894
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Wed,  1 Sep 2021 17:25:05 +0200

Remove *.flake.nix …

It is "history" for now

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Dsystems/hosts/foo.flake.nix | 63---------------------------------------------------------------
Dsystems/hosts/okinawa.flake.nix | 53-----------------------------------------------------
Dsystems/modules/default.flake.nix | 14--------------
Dsystems/modules/profiles/base.flake.nix | 78------------------------------------------------------------------------------
Dsystems/modules/profiles/default.flake.nix | 16----------------
Dsystems/modules/profiles/home.flake.nix | 39---------------------------------------
Dsystems/modules/profiles/laptop.flake.nix | 18------------------
Dsystems/modules/virtualisation/default.flake.nix | 9---------
Dusers/houbeb/default.flake.nix | 13-------------
Dusers/root/default.flake.nix | 11-----------
Dusers/vincent/default.flake.nix | 59-----------------------------------------------------------
11 files changed, 0 insertions(+), 373 deletions(-)

diff --git a/systems/hosts/foo.flake.nix b/systems/hosts/foo.flake.nix
@@ -1,63 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
- modules = {
- desktop = {
- i3.enable = true;
- };
- editors = {
- default = "vim";
- vim.enable = true;
- };
- hardware = {
- bluetooth.enable = true;
- audio.enable = true;
- yubikey.enable = true;
- };
- shell = {
- direnv.enable = true;
- git.enable = true;
- gnupg.enable = true;
- tmux.enable = true;
- zsh.enable = true;
- };
- virtualisation = {
- libvirt.enable = true;
- libvirt.nested = true;
- };
- };
- profiles = {
- home.enable = true;
- redhat.enable = true;
- laptop.enable = true;
- };
-
- environment.systemPackages = with pkgs; [ tektoncd-cli nyxt ];
-
- virtualisation.podman.enable = true;
- virtualisation.containers = {
- enable = true;
- registries = {
- search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
- };
- policy = {
- default = [{ type = "insecureAcceptAnything"; }];
- transports = {
- docker-daemon = {
- "" = [{ type = "insecureAcceptAnything"; }];
- };
- };
- };
- };
-}
diff --git a/systems/hosts/okinawa.flake.nix b/systems/hosts/okinawa.flake.nix
@@ -1,53 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
- modules = {
- editors = {
- default = "vim";
- vim.enable = true;
- };
- shell = {
- direnv.enable = true;
- git.enable = true;
- gnupg.enable = true;
- tmux.enable = true;
- zsh.enable = true;
- };
- virtualisation = {
- libvirt.enable = true;
- libvirt.nested = true;
- };
- };
- profiles = {
- home.enable = true;
- };
-
- environment.systemPackages = with pkgs; [ tektoncd-cli nyxt ];
-
- virtualisation.podman.enable = true;
- virtualisation.containers = {
- enable = true;
- registries = {
- search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
- };
- policy = {
- default = [{ type = "insecureAcceptAnything"; }];
- transports = {
- docker-daemon = {
- "" = [{ type = "insecureAcceptAnything"; }];
- };
- };
- };
- };
-}
diff --git a/systems/modules/default.flake.nix b/systems/modules/default.flake.nix
@@ -1,14 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ./desktop
- ./editors
- ./hardware
- ./profiles/default.flake.nix
- ./programs
- ./services
- ./shell
- ./virtualisation/default.flake.nix
- ];
-}
diff --git a/systems/modules/profiles/base.flake.nix b/systems/modules/profiles/base.flake.nix
@@ -1,78 +0,0 @@
-{ config, inputs, lib, pkgs, ... }:
-let
- inherit (lib) mkEnableOption mkIf mkDefault mkOverride;
- cfg = config.modules.base;
-in
-{
- imports = [ inputs.home-manager.nixosModules.home-manager ];
- options = {
- modules.base = {
- enable = mkEnableOption "base configuration";
- };
- };
- config = mkIf cfg.enable {
-
- boot = {
- # Enable running aarch64 binaries using qemu.
- binfmt.emulatedSystems = [ "aarch64-linux" ];
-
- # Clean temporary directory on boot
- cleanTmpDir = true;
-
- loader = {
- # Use systemd-boot by default, can be overridden by configurations
- systemd-boot.enable = true;
-
- # Make memtest available as a boot option.
- grub.memtest86.enable = true;
- systemd-boot.memtest86.enable = true;
- };
- };
-
- console = {
- keyMap = "fr-bepo";
- font = "Lat2-Terminus16";
- };
-
- environment = {
- # System packages to install, those are the absolute minimum packages required
- systemPackages = with pkgs; [
- file
- htop
- iotop
- lsof
- netcat
- psmisc
- pv
- wget
- ];
- };
-
- # Home manager default configuration
- home-manager = {
- useUserPackages = true;
- useGlobalPkgs = true;
- };
-
- i18n.defaultLocale = "en_US.UTF-8";
-
- # Make sure we never remove SSH_AUTH_SOCK when reseting env through sudo
- security.sudo.extraConfig = ''
- Defaults env_keep += SSH_AUTH_SOCK
- '';
- # `nix-daemon` will hit the stack limit when using `nixFlakes`.
- systemd.services.nix-daemon.serviceConfig."LimitSTACK" = "infinity";
- # Setup a *mailer* in case of failure in systemd
- systemd.services."status-email-root@" = {
- description = "status email for %i to vincent";
- serviceConfig = {
- Type = "oneshot";
- ExecStart = ''
- ${pkgs.systemd-email}/bin/systemd-email vincent@demeester.fr %i
- '';
- User = "root";
- Environment = "PATH=/run/current-system/sw/bin";
- };
- };
- };
-}
diff --git a/systems/modules/profiles/default.flake.nix b/systems/modules/profiles/default.flake.nix
@@ -1,16 +0,0 @@
-# Profiles are grouping modules so that we don't have to
-# specify them for all machines all the time.
-{ lib, ... }:
-
-{
- imports = [
- ./base.flake.nix
- ./home.flake.nix
- ./laptop.flake.nix
- ./redhat.nix
- # ./desktop.flake.nix
- # FIXME: vpn, server, builder, …
- ];
-
- modules.base.enable = lib.mkDefault true;
-}
diff --git a/systems/modules/profiles/home.flake.nix b/systems/modules/profiles/home.flake.nix
@@ -1,39 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (lib) mkIf mkEnableOption;
- cfg = config.profiles.home;
-
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- machines = lib.optionalAttrs secretCondition (import secretPath);
-in
-{
- options = {
- profiles.home = {
- enable = mkEnableOption "home configuration";
- };
- };
- config = mkIf cfg.enable {
-
- # Mount nfs on all systems at home…
- # … if we got the secret file
- fileSystems = mkIf secretCondition {
- "/net/synodine.home/" = {
- device = "${machines.home.ips.synodine}:/";
- fsType = "nfs";
- options = [ "x-systemd.automount" "noauto" ];
- } // mkIf (config.networking.hostName != "sakhalin") {
- "/net/sakhalin.home/export/" = {
- device = "${machines.home.ips.sakhalin}:/";
- fsType = "nfs";
- options = [ "x-systemd.automount" "noauto" ];
- };
- };
- };
-
- # Home is in France/Paris, so set the timezone accordingly
- time.timeZone = "Europe/Paris";
-
- # Because we are at home, we can make assumption around the network
- };
-}
diff --git a/systems/modules/profiles/laptop.flake.nix b/systems/modules/profiles/laptop.flake.nix
@@ -1,18 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (lib) mkIf mkEnableOption mkForce;
- cfg = config.profiles.laptop;
-in
-{
- options = {
- profiles.laptop = {
- enable = mkEnableOption "laptop configuration";
- };
- };
- config = mkIf cfg.enable {
- modules.desktop.enable = true;
- nix = {
- sshServe.enable = mkForce false;
- };
- };
-}
diff --git a/systems/modules/virtualisation/default.flake.nix b/systems/modules/virtualisation/default.flake.nix
@@ -1,9 +0,0 @@
-# Virtualisation is grouping modules related to virtualisation, such
-# as containers (podman, docker, …), vm (qemu, libvirt, …).
-{ lib, ... }:
-
-{
- imports = [
- ./libvirt.nix
- ];
-}
diff --git a/users/houbeb/default.flake.nix b/users/houbeb/default.flake.nix
@@ -1,13 +0,0 @@
-{ inputs, ... }: {
- users.users.houbeb = {
- createHome = true;
- description = "Houbeb Ben Othmene";
- extraGroups = [ "wheel" ];
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "…"
- ];
- };
- # Home-manager "magic"
- home-manager.users.houbeb = inputs.self.internal.homeManagerConfigurations."houbeb";
-}
diff --git a/users/root/default.flake.nix b/users/root/default.flake.nix
@@ -1,11 +0,0 @@
-{ config, inputs, lib, pkgs, ... }:
-let
- inherit (lib) mkIf;
-in
-{
- users.users.root = {
- shell = mkIf config.programs.zsh.enable pkgs.zsh;
- };
- # Home-manager "magic"
- home-manager.users.root = inputs.self.internal.homeManagerConfigurations."root";
-}
diff --git a/users/vincent/default.flake.nix b/users/vincent/default.flake.nix
@@ -1,59 +0,0 @@
-{ config, inputs, lib, pkgs, ... }:
-with lib;
-let
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- isAuthorized = p: builtins.isAttrs p && p.authorized or false;
- authorizedKeys = lists.optionals secretCondition (
- attrsets.mapAttrsToList
- (name: value: value.key)
- (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
- );
-
- hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
- isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
-in
-{
- users.users.vincent = {
- createHome = true;
- uid = 1000;
- description = "Vincent Demeester";
- extraGroups = [ "wheel" "input" ]
- ++ optionals config.modules.desktop.enable [ "video" ]
- ++ optionals config.modules.hardware.audio.enable [ "audio" ]
- #++ optionals config.profiles.scanning.enable [ "lp" "scanner" ]
- ++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
- ++ optionals config.virtualisation.docker.enable [ "docker" ]
- #++ optionals config.virtualisation.buildkitd.enable [ "buildkit" ]
- ++ optionals config.virtualisation.libvirtd.enable [ "libvirtd" ];
- shell = mkIf config.programs.zsh.enable pkgs.zsh;
- isNormalUser = true;
- openssh.authorizedKeys.keys = authorizedKeys;
- initialPassword = "changeMe";
- subUidRanges = [{ startUid = 100000; count = 65536; }];
- subGidRanges = [{ startGid = 100000; count = 65536; }];
- };
-
- nix = {
- trustedUsers = [ "vincent" ];
- sshServe.keys = authorizedKeys;
- };
-
- security = {
- pam = {
- # Nix will hit the stack limit when using `nixFlakes`.
- loginLimits = [
- { domain = config.users.users.vincent.name; item = "stack"; type = "-"; value = "unlimited"; }
- ];
- };
- };
-
- # Enable user units to persist after sessions end.
- system.activationScripts.loginctl-enable-linger-vincent = lib.stringAfter [ "users" ] ''
- ${pkgs.systemd}/bin/loginctl enable-linger ${config.users.users.vincent.name}
- '';
-
- # Home-manager "magic"
- home-manager.users.vincent = inputs.self.internal.homeManagerConfigurations."vincent";
-}