
commit 6c5f419d7d4e99e8bbb889f15f6d431aa026bfbb
parent 2cb6894f963826bbd29ae60bc83f3d77310ee265
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Sat,  6 Jun 2020 18:31:33 +0200

systems: move modules and hardware to it…

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Dhardware/lenovo-p50.nix | 59-----------------------------------------------------------
Dhardware/thinkpad-t460s.nix | 44--------------------------------------------
Dhardware/thinkpad-x220.nix | 63---------------------------------------------------------------
Dhardware/thinkpad.nix | 64----------------------------------------------------------------
Dmodules/core/default.nix | 12------------
Dmodules/core/nix.nix | 104-------------------------------------------------------------------------------
Dmodules/core/nur.nix | 20--------------------
Dmodules/profiles/default.nix | 32--------------------------------
Dmodules/profiles/fish.nix | 28----------------------------
Dmodules/profiles/mail.nix | 23-----------------------
Dmodules/profiles/nix-config.nix | 92-------------------------------------------------------------------------------
Dmodules/profiles/qemu.nix | 50--------------------------------------------------
Dmodules/profiles/users.nix | 79-------------------------------------------------------------------------------
Dmodules/profiles/wireguard.server.nix | 41-----------------------------------------
Dmodules/programs/default.nix | 7-------
Rhardware/dell-latitude-e6540.nix -> systems/hardware/dell-latitude-e6540.nix | 0
Rhardware/gigabyte-brix.nix -> systems/hardware/gigabyte-brix.nix | 0
Asystems/hardware/lenovo-p50.nix | 59+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asystems/hardware/thinkpad-t460s.nix | 44++++++++++++++++++++++++++++++++++++++++++++
Asystems/hardware/thinkpad-x220.nix | 63+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asystems/hardware/thinkpad.nix | 64++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msystems/hokkaido.nix | 4++--
Msystems/kerkouane.nix | 2+-
Asystems/modules/core/default.nix | 12++++++++++++
Rmodules/core/home-manager.nix -> systems/modules/core/home-manager.nix | 0
Asystems/modules/core/nix.nix | 104+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asystems/modules/core/nur.nix | 20++++++++++++++++++++
Rmodules/default.nix -> systems/modules/default.nix | 0
Rmodules/hardware/default.nix -> systems/modules/hardware/default.nix | 0
Rmodules/hardware/sane-extra-config.nixos.nix -> systems/modules/hardware/sane-extra-config.nixos.nix | 0
Rmodules/profiles/avahi.nix -> systems/modules/profiles/avahi.nix | 0
Rmodules/profiles/base.nix -> systems/modules/profiles/base.nix | 0
Rmodules/profiles/buildkit.nix -> systems/modules/profiles/buildkit.nix | 0
Rmodules/profiles/containerd.nix -> systems/modules/profiles/containerd.nix | 0
Asystems/modules/profiles/default.nix | 31+++++++++++++++++++++++++++++++
Rmodules/profiles/desktop.nix -> systems/modules/profiles/desktop.nix | 0
Rmodules/profiles/dev.nix -> systems/modules/profiles/dev.nix | 0
Rmodules/profiles/docker.nix -> systems/modules/profiles/docker.nix | 0
Rmodules/profiles/gaming.nix -> systems/modules/profiles/gaming.nix | 0
Rmodules/profiles/git.nix -> systems/modules/profiles/git.nix | 0
Rmodules/profiles/home.nix -> systems/modules/profiles/home.nix | 0
Rmodules/profiles/i18n.nix -> systems/modules/profiles/i18n.nix | 0
Rmodules/profiles/ipfs.nix -> systems/modules/profiles/ipfs.nix | 0
Rmodules/profiles/laptop.nix -> systems/modules/profiles/laptop.nix | 0
Asystems/modules/profiles/mail.nix | 23+++++++++++++++++++++++
Rmodules/profiles/nix-auto-update.nix -> systems/modules/profiles/nix-auto-update.nix | 0
Rmodules/profiles/printing.nix -> systems/modules/profiles/printing.nix | 0
Rmodules/profiles/pulseaudio.nix -> systems/modules/profiles/pulseaudio.nix | 0
Asystems/modules/profiles/qemu.nix | 50++++++++++++++++++++++++++++++++++++++++++++++++++
Rmodules/profiles/scanning.nix -> systems/modules/profiles/scanning.nix | 0
Rmodules/profiles/ssh.nix -> systems/modules/profiles/ssh.nix | 0
Rmodules/profiles/syncthing.nix -> systems/modules/profiles/syncthing.nix | 0
Asystems/modules/profiles/users.nix | 79+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rmodules/profiles/virtualization.nix -> systems/modules/profiles/virtualization.nix | 0
Asystems/modules/profiles/wireguard.server.nix | 41+++++++++++++++++++++++++++++++++++++++++
Rmodules/profiles/yubikey.nix -> systems/modules/profiles/yubikey.nix | 0
Rmodules/profiles/zsh.nix -> systems/modules/profiles/zsh.nix | 0
Rmodules/programs/crc.nix -> systems/modules/programs/crc.nix | 0
Asystems/modules/programs/default.nix | 6++++++
Rmodules/programs/podman.nix -> systems/modules/programs/podman.nix | 0
Rmodules/services/athens.nix -> systems/modules/services/athens.nix | 0
Rmodules/services/default.nix -> systems/modules/services/default.nix | 0
Rmodules/services/govanityurl.nix -> systems/modules/services/govanityurl.nix | 0
Rmodules/services/nix-binary-cache.nix -> systems/modules/services/nix-binary-cache.nix | 0
Rmodules/services/wireguard.client.nix -> systems/modules/services/wireguard.client.nix | 0
Rmodules/virtualisation/buildkit.nix -> systems/modules/virtualisation/buildkit.nix | 0
Rmodules/virtualisation/containerd.nix -> systems/modules/virtualisation/containerd.nix | 0
Rmodules/virtualisation/default.nix -> systems/modules/virtualisation/default.nix | 0
Msystems/okinawa.nix | 4++--
Msystems/sakhalin.nix | 4++--
Msystems/wakasu.nix | 4++--
71 files changed, 605 insertions(+), 727 deletions(-)

diff --git a/hardware/lenovo-p50.nix b/hardware/lenovo-p50.nix @@ -1,59 +0,0 @@ -{ config, pkgs, lib, ... }: -let - sources = import ../nix/sources.nix; -in -{ - imports = [ - (sources.nixos-hardware + "/common/pc/ssd") - ./thinkpad.nix - ]; - boot = { - initrd.availableKernelModules = [ "nvme" "rtsx_pci_sdmmc" ]; - }; - hardware = { - bluetooth = { - enable = true; - powerOnBoot = true; - }; - nvidia.optimus_prime = { - enable = true; - nvidiaBusId = "PCI:1:0:0"; - intelBusId = "PCI:0:2:0"; - }; - }; - nix.maxJobs = 12; - services.throttled.enable = lib.mkDefault true; - services = { - tlp = { - extraConfig = '' - # CPU optimizations - CPU_SCALING_GOVERNOR_ON_AC=performance - CPU_SCALING_GOVERNOR_ON_BAT=powersave - CPU_MIN_PERF_ON_AC=0 - CPU_MAX_PERF_ON_AC=100 - CPU_MIN_PERF_ON_BAT=0 - CPU_MAX_PERF_ON_BAT=50 - # DEVICES (wifi, ..) - DEVICES_TO_DISABLE_ON_STARTUP="" - DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" - DEVICES_TO_DISABLE_ON_BAT="" - # Network management - DEVICES_TO_DISABLE_ON_LAN_CONNECT="" - DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" - DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" - DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" - DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" - DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" - # Docking - DEVICES_TO_DISABLE_ON_DOCK="wifi" - DEVICES_TO_ENABLE_ON_UNDOCK="wifi" - # Make sure it uses the right hard drive - DISK_DEVICES="nvme0n1p2" - ''; - }; - udev.extraRules = '' - # Rules for Lenovo Thinkpad WS Dock - SUBSYSTEM=="usb", ACTION=="add|remove", ENV{ID_VENDOR}=="17ef", ENV{ID_MODEL}=="305a", RUN+="${pkgs.vde-thinkpad}/bin/dock" - ''; - }; -} diff --git a/hardware/thinkpad-t460s.nix b/hardware/thinkpad-t460s.nix 
@@ -1,44 +0,0 @@ -{ config, pkgs, ... }: -let - sources = import ../nix/sources.nix; -in -{ - imports = [ - (sources.nixos-hardware + "/lenovo/thinkpad/t460s") - (sources.nixos-hardware + "/common/pc/ssd") - ./thinkpad.nix - ]; - nix.maxJobs = 12; - services = { - tlp = { - extraConfig = '' - # CPU optimizations - CPU_SCALING_GOVERNOR_ON_AC=performance - CPU_SCALING_GOVERNOR_ON_BAT=powersave - CPU_MIN_PERF_ON_AC=0 - CPU_MAX_PERF_ON_AC=100 - CPU_MIN_PERF_ON_BAT=0 - CPU_MAX_PERF_ON_BAT=50 - # DEVICES (wifi, ..) - DEVICES_TO_DISABLE_ON_STARTUP="" - DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" - DEVICES_TO_DISABLE_ON_BAT="" - # Network management - DEVICES_TO_DISABLE_ON_LAN_CONNECT="" - DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" - DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" - DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" - DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" - DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" - # Docking - DEVICES_TO_DISABLE_ON_DOCK="wifi" - DEVICES_TO_ENABLE_ON_UNDOCK="wifi" - # Make sure it uses the right hard drive - DISK_DEVICES="nvme0n1p3" - ''; - }; - xserver = { - dpi = 128; - }; - }; -} diff --git a/hardware/thinkpad-x220.nix b/hardware/thinkpad-x220.nix 
@@ -1,63 +0,0 @@ -{ config, pkgs, ... }: -let - sources = import ../nix/sources.nix; -in -{ - imports = [ - ./thinkpad.nix - (sources.nixos-hardware + "/lenovo/thinkpad/tp-smapi.nix") - (sources.nixos-hardware + "/common/cpu/intel") - (sources.nixos-hardware + "/common/pc/ssd") - ]; - boot = { - kernelParams = [ "i915.enable_psr=1" ]; - extraModprobeConfig = '' - options iwlwifi 11n_disable=1 - ''; - }; - nix.maxJobs = 8; - security = { - pam.services = { - slimlock.fprintAuth = false; - slim.fprintAuth = false; - login.fprintAuth = false; - xscreensaver.fprintAuth = false; - }; - }; - services = { - fprintd.enable = true; - tlp = { - extraConfig = '' - # CPU optimizations - CPU_SCALING_GOVERNOR_ON_AC=performance - CPU_SCALING_GOVERNOR_ON_BAT=powersave - CPU_MIN_PERF_ON_AC=0 - CPU_MAX_PERF_ON_AC=100 - CPU_MIN_PERF_ON_BAT=0 - CPU_MAX_PERF_ON_BAT=50 - CPU_BOOST_ON_AC=1 - CPU_BOOST_ON_BAT=0 - # DEVICES (wifi, ..) - DEVICES_TO_DISABLE_ON_STARTUP="bluetooth" - DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" - DEVICES_TO_DISABLE_ON_BAT="bluetooth" - # Network management - DEVICES_TO_DISABLE_ON_LAN_CONNECT="" - DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" - DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" - DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" - DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" - DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" - DISK_IDLE_SECS_ON_AC=0 - DISK_IDLE_SECS_ON_BAT=2 - MAX_LOST_WORK_SECS_ON_AC=15 - MAX_LOST_WORK_SECS_ON_BAT=60 - DISK_DEVICES="ata-Corsair_Force_LX_SSD_15256501000102160059" - SOUND_POWER_SAVE_ON_AC=0 - SOUND_POWER_SAVE_ON_BAT=1 - USB_AUTOSUSPEND=1 - USB_BLACKLIST_BTUSB=1 - ''; - }; - }; -} diff --git a/hardware/thinkpad.nix b/hardware/thinkpad.nix 
@@ -1,64 +0,0 @@ -{ config, pkgs, ... }: -let - sources = import ../nix/sources.nix; -in -{ - imports = [ (sources.nixos-hardware + "/lenovo/thinkpad") ]; - boot = { - blacklistedKernelModules = [ - # Kernel GPU Savings Options (NOTE i915 chipset only) - "sierra_net" - "cdc_mbim" - "cdc_ncm" - ]; - extraModprobeConfig = '' - options snd_hda_intel power_save=1 - ''; - initrd = { - availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" "aesni-intel" "aes_x86_64" "cryptd" ]; - }; - kernelModules = [ "kvm_intel" ]; - kernelParams = [ - # Kernel GPU Savings Options (NOTE i915 chipset only) - "i915.enable_rc6=1" - "i915.enable_fbc=1" - "i915.lvds_use_ssc=0" - "drm.debug=0" - "drm.vblankoffdelay=1" - "kvm_intel.nested=1" - "intel_iommu=on" - ]; - loader.efi.canTouchEfiVariables = true; - }; - hardware = { - trackpoint.enable = false; - cpu.intel.updateMicrocode = true; - }; - services = { - acpid = { - enable = true; - }; - xserver = { - synaptics.enable = false; - config = - '' - Section "InputClass" - Identifier "Enable libinput for TrackPoint" - MatchIsPointer "on" - Driver "libinput" - Option "ScrollMethod" "button" - Option "ScrollButton" "8" - EndSection - ''; - inputClassSections = [ - '' - Identifier "evdev touchpad off" - MatchIsTouchpad "on" - MatchDevicePath "/dev/input/event*" - Driver "evdev" - Option "Ignore" "true" - '' - ]; - }; - }; -} diff --git a/modules/core/default.nix b/modules/core/default.nix @@ -1,12 +0,0 @@ -{ - imports = [ - (import ../../nix).home-manager - ./home-manager.nix - ./nix.nix - ./nur.nix - ]; - - boot = { - cleanTmpDir = true; - }; -} diff --git a/modules/core/nix.nix b/modules/core/nix.nix 
@@ -1,104 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - dummyConfig = pkgs.writeText "configuration.nix" '' - # assert builtins.trace "This is a dummy config, use switch!" false; - {} - ''; - cfg = config.core.nix; -in -{ - options = { - core.nix = { - enable = mkOption { type = types.bool; default = true; description = "Enable core.nix"; }; - gcDates = mkOption { - default = "weekly"; - description = "Specification (in the format described by systemd.time(7)) of the time at which the garbage collector will run. "; - type = types.str; - }; - olderThan = mkOption { - default = "15d"; - description = "Number of day to keep when garbage collect"; - type = types.str; - }; - buildCores = mkOption { - type = types.int; - default = 2; - example = 4; - description = '' - Maximum number of concurrent tasks during one build. - ''; - }; - localCaches = mkOption { - default = [ "http://nix.cache.home" ]; - description = "List of local nix caches"; - type = types.listOf types.str; - }; - }; - }; - config = mkIf cfg.enable { - nix = { - allowedUsers = [ "@wheel" ]; - binaryCaches = cfg.localCaches ++ [ - "https://cache.nixos.org/" - "https://r-ryantm.cachix.org" - "https://vdemeester.cachix.org" - "https://shortbrain.cachix.org" - ]; - binaryCachePublicKeys = [ - "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=" - "vdemeester.cachix.org-1:uCECG6so7v1rs77c5NFz2dCePwd+PGNeZ6E5DrkT7F0=" - "shortbrain.cachix.org-1:dqXcXzM0yXs3eo9ChmMfmob93eemwNyhTx7wCR4IjeQ=" - "mic92.cachix.org-1:gi8IhgiT3CYZnJsaW7fxznzTkMUOn1RY4GmXdT/nXYQ=" - ]; - buildCores = cfg.buildCores; - daemonIONiceLevel = 5; - daemonNiceLevel = 10; - # if hydra is down, don't wait forever - extraOptions = '' - connect-timeout = 20 - build-cores = 0 - keep-outputs = true - keep-derivations = true - ''; - gc = { - automatic = true; - dates = cfg.gcDates; - options = "--delete-older-than ${cfg.olderThan}"; - }; - nixPath = [ - "nixos-config=${dummyConfig}" - "nixpkgs=/run/current-system/nixpkgs" 
- "nixpkgs-overlays=/run/current-system/overlays/compat" - ]; - optimise = { - automatic = true; - dates = [ "01:10" "12:10" ]; - }; - nrBuildUsers = config.nix.maxJobs * 2; - trustedUsers = [ "root" "@wheel" ]; - useSandbox = true; - }; - - nixpkgs = { - overlays = [ - (import ../../overlays/mkSecret.nix) - (import ../../overlays/sbr.nix) - (import ../../overlays/unstable.nix) - (import ../../nix).emacs - ]; - config = { - allowUnfree = true; - }; - }; - system = { - extraSystemBuilderCmds = '' - ln -sv ${pkgs.path} $out/nixpkgs - ln -sv ${../../overlays} $out/overlays - ''; - - stateVersion = "20.03"; - }; - }; -} diff --git a/modules/core/nur.nix b/modules/core/nur.nix @@ -1,20 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.core.nur; -in -{ - options = { - core.nur = { - enable = mkOption { type = types.bool; default = true; description = "Enable core.nur"; }; - }; - }; - config = mkIf cfg.enable { - nixpkgs.config = { - packageOverrides = pkgs: { - nur = (import ../../nix).nur { inherit pkgs; }; - }; - }; - }; -} diff --git a/modules/profiles/default.nix b/modules/profiles/default.nix @@ -1,32 +0,0 @@ -{ - imports = [ - # Remove "nixos" from here - ./avahi.nix - ./base.nix - ./buildkit.nix - ./containerd.nix - ./desktop.nix - ./dev.nix - ./docker.nix - ./fish.nix - ./gaming.nix - ./git.nix - ./home.nix - ./i18n.nix - ./ipfs.nix - ./laptop.nix - ./mail.nix - ./nix-auto-update.nix - ./printing.nix - ./pulseaudio.nix - ./qemu.nix - ./scanning.nix - ./ssh.nix - ./syncthing.nix - ./users.nix - ./virtualization.nix - ./wireguard.server.nix - ./yubikey.nix - ./zsh.nix - ]; -} diff --git a/modules/profiles/fish.nix b/modules/profiles/fish.nix 
@@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.profiles.fish; -in -{ - options = { - profiles.fish = { - enable = mkOption { - default = false; - description = "Enable fish profile"; - type = types.bool; - }; - }; - }; - config = mkIf cfg.enable { - programs.fish = { - enable = true; - promptInit = '' - source /etc/fish/functions/fish_prompt.fish - source /etc/fish/functions/fish_right_prompt.fish - ''; - }; - environment.etc."fish/functions/fish_prompt.fish".source = ./assets/fish/fish_prompt.fish; - environment.etc."fish/functions/fish_right_prompt.fish".source = ./assets/fish/fish_right_prompt.fish; - }; -} diff --git a/modules/profiles/mail.nix b/modules/profiles/mail.nix @@ -1,23 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.profiles.mail; - secretPath = ../../secrets/machines.nix; - secretCondition = (builtins.pathExists secretPath); -in -{ - options = { - profiles.mail = { - enable = mkOption { - default = true; - description = "Enable mail profile"; - type = types.bool; - }; - }; - }; - config = mkIf (cfg.enable && secretCondition) { - environment.etc."msmtprc".source = pkgs.mkSecret ../../secrets/msmtprc; - environment.systemPackages = with pkgs; [ msmtp ]; - }; -} diff --git a/modules/profiles/nix-config.nix b/modules/profiles/nix-config.nix 
@@ -1,92 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - sources = import ../../nix/sources.nix; - cfg = config.profiles.nix-config; -in -{ - options = { - profiles.nix-config = { - enable = mkOption { - default = true; - description = "Enable nix-config profile"; - type = types.bool; - }; - gcDates = mkOption { - default = "weekly"; - description = "Specification (in the format described by systemd.time(7)) of the time at which the garbage collector will run. "; - type = types.str; - }; - olderThan = mkOption { - default = "15d"; - description = "Number of day to keep when garbage collect"; - type = types.str; - }; - buildCores = mkOption { - type = types.int; - default = 2; - example = 4; - description = '' - Maximum number of concurrent tasks during one build. - ''; - }; - localCaches = mkOption { - default = [ "http://nix.cache.home" ]; - description = "List of local nix caches"; - type = types.listOf types.str; - }; - }; - }; - config = mkIf cfg.enable { - nix = { - buildCores = cfg.buildCores; - useSandbox = true; - gc = { - automatic = true; - dates = cfg.gcDates; - options = "--delete-older-than ${cfg.olderThan}"; - }; - nixPath = [ - "nixpkgs=${sources.nixos}" - "nixos-config=/etc/nixos/configuration.nix" - "nixpkgs-overlays=/etc/nixos/overlays/compat" - ]; - # if hydra is down, don't wait forever - extraOptions = '' - connect-timeout = 20 - build-cores = 0 - keep-outputs = true - keep-derivations = true - ''; - binaryCaches = cfg.localCaches ++ [ - "https://cache.nixos.org/" - "https://r-ryantm.cachix.org" - "https://vdemeester.cachix.org" - "https://shortbrain.cachix.org" - ]; - binaryCachePublicKeys = [ - "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=" - "vdemeester.cachix.org-1:uCECG6so7v1rs77c5NFz2dCePwd+PGNeZ6E5DrkT7F0=" - "shortbrain.cachix.org-1:dqXcXzM0yXs3eo9ChmMfmob93eemwNyhTx7wCR4IjeQ=" - "mic92.cachix.org-1:gi8IhgiT3CYZnJsaW7fxznzTkMUOn1RY4GmXdT/nXYQ=" - ]; - trustedUsers = [ "root" "vincent" ]; - }; - nixpkgs = { 
- overlays = [ - (import ../../overlays/sbr.nix) - (import ../../overlays/unstable.nix) - (import ../../nix).emacs - ]; - config = { - allowUnfree = true; - packageOverrides = pkgs: { - nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") { - inherit pkgs; - }; - }; - }; - }; - }; -} diff --git a/modules/profiles/qemu.nix b/modules/profiles/qemu.nix 
@@ -1,50 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; -let - cfg = config.profiles.qemu-user; - arm = { - interpreter = "${pkgs.qemu-user-arm}/bin/qemu-arm"; - magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00''; - mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff''; - }; - aarch64 = { - interpreter = "${pkgs.qemu-user-arm64}/bin/qemu-aarch64"; - magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00''; - mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff''; - }; - riscv64 = { - interpreter = "${pkgs.qemu-riscv64}/bin/qemu-riscv64"; - magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00''; - mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff''; - }; -in -{ - options = { - profiles.qemu-user = { - arm = mkEnableOption "enable 32bit arm emulation"; - aarch64 = mkEnableOption "enable 64bit arm emulation"; - riscv64 = mkEnableOption "enable 64bit riscv emulation"; - }; - nix.supportedPlatforms = mkOption { - type = types.listOf types.str; - description = "extra platforms that nix will run binaries for"; - default = [ ]; - }; - }; - config = mkIf (cfg.arm || cfg.aarch64) { - nixpkgs = { - overlays = [ (import ../../overlays/qemu/default.nix) ]; - }; - boot.binfmt.registrations = - optionalAttrs cfg.arm { inherit arm; } - // optionalAttrs cfg.aarch64 { inherit aarch64; } - // optionalAttrs cfg.riscv64 { inherit riscv64; }; - nix.supportedPlatforms = (optionals cfg.arm [ "armv6l-linux" "armv7l-linux" ]) - ++ (optional cfg.aarch64 "aarch64-linux"); - nix.extraOptions = '' - extra-platforms = ${toString config.nix.supportedPlatforms} i686-linux - ''; - nix.sandboxPaths = [ "/run/binfmt" ] ++ (optional cfg.arm "${pkgs.qemu-user-arm}") ++ (optional cfg.aarch64 "${pkgs.qemu-user-arm64}"); - }; -} 
diff --git a/modules/profiles/users.nix b/modules/profiles/users.nix 
@@ -1,79 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.profiles.users; - secretPath = ../../secrets/machines.nix; - secretCondition = (builtins.pathExists secretPath); - - isAuthorized = p: builtins.isAttrs p && p.authorized or false; - authorizedKeys = lists.optionals secretCondition ( - attrsets.mapAttrsToList - (name: value: value.key) - (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh) - ); -in -{ - options = { - profiles.users = { - enable = mkOption { - default = true; - description = "Enable users profile"; - type = types.bool; - }; - user = mkOption { - default = "vincent"; - description = "Username to use when creating user"; - type = types.str; - }; - }; - }; - config = mkIf cfg.enable (mkMerge [ - { - users = { - extraUsers = { - ${cfg.user} = { - isNormalUser = true; - uid = 1000; - createHome = true; - extraGroups = [ "wheel" "input" ] ++ optionals config.profiles.desktop.enable [ "audio" "video" "lp" "scanner" "networkmanager" ] - ++ optionals config.profiles.docker.enable [ "docker" ] - ++ optionals config.profiles.buildkit.enable [ "buildkit" ] - ++ optionals config.profiles.virtualization.enable [ "libvirtd" "vboxusers" ]; - shell = if config.programs.fish.enable then pkgs.fish else pkgs.zsh; - initialPassword = "changeMe"; - subUidRanges = [{ startUid = 100000; count = 65536; }]; - subGidRanges = [{ startGid = 100000; count = 65536; }]; - openssh.authorizedKeys.keys = authorizedKeys; - }; - }; - }; - } - ( - mkIf secretCondition { - programs.ssh.extraConfig = with import ../../secrets/machines.nix; '' - Host kerkouane kerkouane.sbr.pm - Hostname kerkouane.sbr.pm - Port ${toString ssh.kerkouane.port} - Host kerkouane.vpn ${wireguard.ips.kerkouane} - Hostname ${wireguard.ips.kerkouane} - Port ${toString ssh.kerkouane.port} - Host carthage carthage.sbr.pm - Hostname carthage.sbr.pm - Port ${toString ssh.carthage.port} - Host carthage.vpn ${wireguard.ips.carthage} - Hostname 
${wireguard.ips.carthage}
- Port ${toString ssh.carthage.port}
- Host hokkaido.vpn ${wireguard.ips.hokkaido}
- Hostname ${wireguard.ips.hokkaido}
- Host honshu.vpn ${wireguard.ips.honshu}
- Hostname ${wireguard.ips.honshu}
- Host okinawa.vpn ${wireguard.ips.okinawa}
- Hostname ${wireguard.ips.okinawa}
- Host wakasu.vpn ${wireguard.ips.wakasu}
- Hostname ${wireguard.ips.wakasu}
- '';
- }
- )
- ]);
-}
diff --git a/modules/profiles/wireguard.server.nix b/modules/profiles/wireguard.server.nix
@@ -1,41 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.wireguard.server;
-
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
- listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- peers = lists.optionals secretCondition (import secretPath).wg.peers;
-in
-{
- options = {
- profiles.wireguard.server = {
- enable = mkOption {
- default = false;
- description = "Enable wireguard.server profile";
- type = types.bool;
- };
- };
- };
- config = mkIf cfg.enable {
- boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
- environment.systemPackages = [ pkgs.wireguard ];
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- networking.firewall.extraCommands = ''
- iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
- '';
- networking.firewall.allowedUDPPorts = [ 51820 ];
- networking.firewall.trustedInterfaces = [ "wg0" ];
- networking.wireguard.interfaces = {
- "wg0" = {
- ips = allowedIPs;
- listenPort = listenPort;
- privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
- peers = peers;
- };
- };
- };
-}
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
@@ -1,7 +0,0 @@
-{
- imports = [
- ./crc.nix
- # Remove "nixos" from here
- ./podman.nix
- ];
-}
diff --git a/hardware/dell-latitude-e6540.nix b/systems/hardware/dell-latitude-e6540.nix
diff --git a/hardware/gigabyte-brix.nix b/systems/hardware/gigabyte-brix.nix diff --git a/systems/hardware/lenovo-p50.nix b/systems/hardware/lenovo-p50.nix @@ -0,0 +1,59 @@ +{ config, pkgs, lib, ... }: +let + sources = import ../../nix/sources.nix; +in +{ + imports = [ + (sources.nixos-hardware + "/common/pc/ssd") + ./thinkpad.nix + ]; + boot = { + initrd.availableKernelModules = [ "nvme" "rtsx_pci_sdmmc" ]; + }; + hardware = { + bluetooth = { + enable = true; + powerOnBoot = true; + }; + nvidia.optimus_prime = { + enable = true; + nvidiaBusId = "PCI:1:0:0"; + intelBusId = "PCI:0:2:0"; + }; + }; + nix.maxJobs = 12; + services.throttled.enable = lib.mkDefault true; + services = { + tlp = { + extraConfig = '' + # CPU optimizations + CPU_SCALING_GOVERNOR_ON_AC=performance + CPU_SCALING_GOVERNOR_ON_BAT=powersave + CPU_MIN_PERF_ON_AC=0 + CPU_MAX_PERF_ON_AC=100 + CPU_MIN_PERF_ON_BAT=0 + CPU_MAX_PERF_ON_BAT=50 + # DEVICES (wifi, ..) + DEVICES_TO_DISABLE_ON_STARTUP="" + DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" + DEVICES_TO_DISABLE_ON_BAT="" + # Network management + DEVICES_TO_DISABLE_ON_LAN_CONNECT="" + DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" + DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" + DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" + DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" + DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" + # Docking + DEVICES_TO_DISABLE_ON_DOCK="wifi" + DEVICES_TO_ENABLE_ON_UNDOCK="wifi" + # Make sure it uses the right hard drive + DISK_DEVICES="nvme0n1p2" + ''; + }; + udev.extraRules = '' + # Rules for Lenovo Thinkpad WS Dock + SUBSYSTEM=="usb", ACTION=="add|remove", ENV{ID_VENDOR}=="17ef", ENV{ID_MODEL}=="305a", RUN+="${pkgs.vde-thinkpad}/bin/dock" + ''; + }; +} diff --git a/systems/hardware/thinkpad-t460s.nix b/systems/hardware/thinkpad-t460s.nix 
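Review bot: The udev rule at the end of the systems/hardware/lenovo-p50.nix hunk, `RUN+="${pkgs.vde-thinkpad}/bin/dock"`, is executed by udev with root privileges on every USB add/remove event whose device-reported vendor/model matches 17ef:305a, and nothing in the file records that trust assumption or that the dock script is safe to run repeatedly. A comment above the rule would make it explicit, e.g. `# udev runs this as root for any USB device reporting 17ef:305a (WS Dock); the dock script must tolerate repeated add/remove events`. Separately, the `tlp.extraConfig` block here is byte-for-byte the same as the one in the systems/hardware/thinkpad-t460s.nix hunk that follows, apart from `DISK_DEVICES`; hoisting it into thinkpad.nix with a per-machine disk value would remove the duplication. The `../../nix/sources.nix` path is correctly adjusted for the new directory depth.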
@@ -0,0 +1,44 @@ +{ config, pkgs, ... }: +let + sources = import ../../nix/sources.nix; +in +{ + imports = [ + (sources.nixos-hardware + "/lenovo/thinkpad/t460s") + (sources.nixos-hardware + "/common/pc/ssd") + ./thinkpad.nix + ]; + nix.maxJobs = 12; + services = { + tlp = { + extraConfig = '' + # CPU optimizations + CPU_SCALING_GOVERNOR_ON_AC=performance + CPU_SCALING_GOVERNOR_ON_BAT=powersave + CPU_MIN_PERF_ON_AC=0 + CPU_MAX_PERF_ON_AC=100 + CPU_MIN_PERF_ON_BAT=0 + CPU_MAX_PERF_ON_BAT=50 + # DEVICES (wifi, ..) + DEVICES_TO_DISABLE_ON_STARTUP="" + DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" + DEVICES_TO_DISABLE_ON_BAT="" + # Network management + DEVICES_TO_DISABLE_ON_LAN_CONNECT="" + DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" + DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" + DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" + DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" + DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" + # Docking + DEVICES_TO_DISABLE_ON_DOCK="wifi" + DEVICES_TO_ENABLE_ON_UNDOCK="wifi" + # Make sure it uses the right hard drive + DISK_DEVICES="nvme0n1p3" + ''; + }; + xserver = { + dpi = 128; + }; + }; +} diff --git a/systems/hardware/thinkpad-x220.nix b/systems/hardware/thinkpad-x220.nix 
@@ -0,0 +1,63 @@ +{ config, pkgs, ... }: +let + sources = import ../../nix/sources.nix; +in +{ + imports = [ + ./thinkpad.nix + (sources.nixos-hardware + "/lenovo/thinkpad/tp-smapi.nix") + (sources.nixos-hardware + "/common/cpu/intel") + (sources.nixos-hardware + "/common/pc/ssd") + ]; + boot = { + kernelParams = [ "i915.enable_psr=1" ]; + extraModprobeConfig = '' + options iwlwifi 11n_disable=1 + ''; + }; + nix.maxJobs = 8; + security = { + pam.services = { + slimlock.fprintAuth = false; + slim.fprintAuth = false; + login.fprintAuth = false; + xscreensaver.fprintAuth = false; + }; + }; + services = { + fprintd.enable = true; + tlp = { + extraConfig = '' + # CPU optimizations + CPU_SCALING_GOVERNOR_ON_AC=performance + CPU_SCALING_GOVERNOR_ON_BAT=powersave + CPU_MIN_PERF_ON_AC=0 + CPU_MAX_PERF_ON_AC=100 + CPU_MIN_PERF_ON_BAT=0 + CPU_MAX_PERF_ON_BAT=50 + CPU_BOOST_ON_AC=1 + CPU_BOOST_ON_BAT=0 + # DEVICES (wifi, ..) + DEVICES_TO_DISABLE_ON_STARTUP="bluetooth" + DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" + DEVICES_TO_DISABLE_ON_BAT="bluetooth" + # Network management + DEVICES_TO_DISABLE_ON_LAN_CONNECT="" + DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" + DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" + DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" + DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" + DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" + DISK_IDLE_SECS_ON_AC=0 + DISK_IDLE_SECS_ON_BAT=2 + MAX_LOST_WORK_SECS_ON_AC=15 + MAX_LOST_WORK_SECS_ON_BAT=60 + DISK_DEVICES="ata-Corsair_Force_LX_SSD_15256501000102160059" + SOUND_POWER_SAVE_ON_AC=0 + SOUND_POWER_SAVE_ON_BAT=1 + USB_AUTOSUSPEND=1 + USB_BLACKLIST_BTUSB=1 + ''; + }; + }; +} diff --git a/systems/hardware/thinkpad.nix b/systems/hardware/thinkpad.nix 
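Review bot: The four `fprintAuth = false` entries under `security.pam.services` carry no explanation of why fingerprint authentication is switched off for slim, slimlock, login and xscreensaver while `services.fprintd.enable = true` turns fprintd on; since NixOS defaults `fprintAuth` to `services.fprintd.enable`, a reader may take the block for a redundant no-op and drop it. Add a why-comment above `pam.services`, e.g. `# fprintd is enabled, but keep the password path for console login and screen lockers — TODO confirm intent`. The kernel and modprobe tweaks (`i915.enable_psr=1`, `options iwlwifi 11n_disable=1`) are likewise undocumented; a one-line reason for each would keep them from being carried forward without review.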
@@ -0,0 +1,64 @@ +{ config, pkgs, ... }: +let + sources = import ../../nix/sources.nix; +in +{ + imports = [ (sources.nixos-hardware + "/lenovo/thinkpad") ]; + boot = { + blacklistedKernelModules = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "sierra_net" + "cdc_mbim" + "cdc_ncm" + ]; + extraModprobeConfig = '' + options snd_hda_intel power_save=1 + ''; + initrd = { + availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" "aesni-intel" "aes_x86_64" "cryptd" ]; + }; + kernelModules = [ "kvm_intel" ]; + kernelParams = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "i915.enable_rc6=1" + "i915.enable_fbc=1" + "i915.lvds_use_ssc=0" + "drm.debug=0" + "drm.vblankoffdelay=1" + "kvm_intel.nested=1" + "intel_iommu=on" + ]; + loader.efi.canTouchEfiVariables = true; + }; + hardware = { + trackpoint.enable = false; + cpu.intel.updateMicrocode = true; + }; + services = { + acpid = { + enable = true; + }; + xserver = { + synaptics.enable = false; + config = + '' + Section "InputClass" + Identifier "Enable libinput for TrackPoint" + MatchIsPointer "on" + Driver "libinput" + Option "ScrollMethod" "button" + Option "ScrollButton" "8" + EndSection + ''; + inputClassSections = [ + '' + Identifier "evdev touchpad off" + MatchIsTouchpad "on" + MatchDevicePath "/dev/input/event*" + Driver "evdev" + Option "Ignore" "true" + '' + ]; + }; + }; +} diff --git a/systems/hokkaido.nix b/systems/hokkaido.nix @@ -14,8 +14,8 @@ let in { imports = [ - ../hardware/thinkpad-x220.nix - ../modules + ./hardware/thinkpad-x220.nix + ./modules (import ../users).vincent (import ../users).root ]; diff --git a/systems/kerkouane.nix b/systems/kerkouane.nix @@ -16,7 +16,7 @@ in { imports = [ (sources.nixos + "/nixos/modules/profiles/qemu-guest.nix") - ../modules + ./modules (import ../users).vincent (import ../users).root ] diff --git a/systems/modules/core/default.nix b/systems/modules/core/default.nix 
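Review bot: In the systems/hardware/thinkpad.nix hunk the comment `# Kernel GPU Savings Options (NOTE i915 chipset only)` above `blacklistedKernelModules` does not describe its list: `sierra_net`, `cdc_mbim` and `cdc_ncm` are USB/WWAN network drivers, not GPU options, so the comment appears to have been copied from the `kernelParams` block below it. Replace it with something like `# USB CDC / Sierra WWAN network drivers, kept unloaded (reason: TODO)`. The settings `intel_iommu=on`, `kvm_intel.nested=1` and `loader.efi.canTouchEfiVariables = true` would also each benefit from a short why-comment, since they change DMA isolation, nested virtualization and the bootloader's ability to write firmware variables. The hokkaido.nix and kerkouane.nix hunks on the same line are pure import-path updates for the move and need nothing.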
@@ -0,0 +1,12 @@
+{
+ imports = [
+ (import ../../../nix).home-manager
+ ./home-manager.nix
+ ./nix.nix
+ ./nur.nix
+ ];
+
+ boot = {
+ cleanTmpDir = true;
+ };
+}
diff --git a/modules/core/home-manager.nix b/systems/modules/core/home-manager.nix
diff --git a/systems/modules/core/nix.nix b/systems/modules/core/nix.nix
@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ dummyConfig = pkgs.writeText "configuration.nix" ''
+ # assert builtins.trace "This is a dummy config, use switch!" false;
+ {}
+ '';
+ cfg = config.core.nix;
+in
+{
+ options = {
+ core.nix = {
+ enable = mkOption { type = types.bool; default = true; description = "Enable core.nix"; };
+ gcDates = mkOption {
+ default = "weekly";
+ description = "Specification (in the format described by systemd.time(7)) of the time at which the garbage collector will run. ";
+ type = types.str;
+ };
+ olderThan = mkOption {
+ default = "15d";
+ description = "Number of day to keep when garbage collect";
+ type = types.str;
+ };
+ buildCores = mkOption {
+ type = types.int;
+ default = 2;
+ example = 4;
+ description = ''
+ Maximum number of concurrent tasks during one build.
+ '';
+ };
+ localCaches = mkOption {
+ default = [ "http://nix.cache.home" ];
+ description = "List of local nix caches";
+ type = types.listOf types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ nix = {
+ allowedUsers = [ "@wheel" ];
+ binaryCaches = cfg.localCaches ++ [
+ "https://cache.nixos.org/"
+ "https://r-ryantm.cachix.org"
+ "https://vdemeester.cachix.org"
+ "https://shortbrain.cachix.org"
+ ];
+ binaryCachePublicKeys = [
+ "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c="
+ "vdemeester.cachix.org-1:uCECG6so7v1rs77c5NFz2dCePwd+PGNeZ6E5DrkT7F0="
+ "shortbrain.cachix.org-1:dqXcXzM0yXs3eo9ChmMfmob93eemwNyhTx7wCR4IjeQ="
+ "mic92.cachix.org-1:gi8IhgiT3CYZnJsaW7fxznzTkMUOn1RY4GmXdT/nXYQ="
+ ];
+ buildCores = cfg.buildCores;
+ daemonIONiceLevel = 5;
+ daemonNiceLevel = 10;
+ # if hydra is down, don't wait forever
+ extraOptions = ''
+ connect-timeout = 20
+ build-cores = 0
+ keep-outputs = true
+ keep-derivations = true
+ '';
+ gc = {
+ automatic = true;
+ dates = cfg.gcDates;
+ options = "--delete-older-than ${cfg.olderThan}";
+ };
+ nixPath = [
+ "nixos-config=${dummyConfig}"
+ "nixpkgs=/run/current-system/nixpkgs"
+ "nixpkgs-overlays=/run/current-system/overlays/compat"
+ ];
+ optimise = {
+ automatic = true;
+ dates = [ "01:10" "12:10" ];
+ };
+ nrBuildUsers = config.nix.maxJobs * 2;
+ trustedUsers = [ "root" "@wheel" ];
+ useSandbox = true;
+ };
+
+ nixpkgs = {
+ overlays = [
+ (import ../../../overlays/mkSecret.nix)
+ (import ../../../overlays/sbr.nix)
+ (import ../../../overlays/unstable.nix)
+ (import ../../../nix).emacs
+ ];
+ config = {
+ allowUnfree = true;
+ };
+ };
+ system = {
+ extraSystemBuilderCmds = ''
+ ln -sv ${pkgs.path} $out/nixpkgs
+ ln -sv ${../../../overlays} $out/overlays
+ '';
+
+ stateVersion = "20.03";
+ };
+ };
+}
diff --git a/systems/modules/core/nur.nix b/systems/modules/core/nur.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.core.nur;
+in
+{
+ options = {
+ core.nur = {
+ enable = mkOption { type = types.bool; default = true; description = "Enable core.nur"; };
+ };
+ };
+ config = mkIf cfg.enable {
+ nixpkgs.config = {
+ packageOverrides = pkgs: {
+ nur = (import ../../../nix).nur { inherit pkgs; };
+ };
+ };
+ };
+}
diff --git a/modules/default.nix b/systems/modules/default.nix
diff --git a/modules/hardware/default.nix b/systems/modules/hardware/default.nix
diff --git a/modules/hardware/sane-extra-config.nixos.nix b/systems/modules/hardware/sane-extra-config.nixos.nix
diff --git a/modules/profiles/avahi.nix b/systems/modules/profiles/avahi.nix
diff --git a/modules/profiles/base.nix b/systems/modules/profiles/base.nix
diff --git a/modules/profiles/buildkit.nix b/systems/modules/profiles/buildkit.nix
diff --git a/modules/profiles/containerd.nix b/systems/modules/profiles/containerd.nix
diff --git a/systems/modules/profiles/default.nix b/systems/modules/profiles/default.nix
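Review bot: `build-cores = 0` inside `extraOptions` appears to override the `buildCores = cfg.buildCores;` setting a few lines above it — both land in nix.conf and the later `extraOptions` entry wins — so the `core.nix.buildCores` option (default 2, example 4) has no visible effect; keep one of the two or document why both exist. `trustedUsers = [ "root" "@wheel" ];` lets every wheel member pass its own substituters, public keys and sandbox settings to the daemon, which is effectively root over the store; a comment stating that this is intended (or narrowing the list to the single admin account) would record the trust boundary. The `mic92.cachix.org-1` entry in `binaryCachePublicKeys` has no corresponding cache in `binaryCaches`, leaving a dangling trust anchor — remove it or add the cache. Finally, `localCaches` defaults to a plain-http cache with no listed key; unless that cache signs with one of the keys above, Nix will refuse its paths by default, which is worth stating in the option's description.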
@@ -0,0 +1,31 @@
+{
+ imports = [
+ # Remove "nixos" from here
+ ./avahi.nix
+ ./base.nix
+ ./buildkit.nix
+ ./containerd.nix
+ ./desktop.nix
+ ./dev.nix
+ ./docker.nix
+ ./gaming.nix
+ ./git.nix
+ ./home.nix
+ ./i18n.nix
+ ./ipfs.nix
+ ./laptop.nix
+ ./mail.nix
+ ./nix-auto-update.nix
+ ./printing.nix
+ ./pulseaudio.nix
+ ./qemu.nix
+ ./scanning.nix
+ ./ssh.nix
+ ./syncthing.nix
+ ./users.nix
+ ./virtualization.nix
+ ./wireguard.server.nix
+ ./yubikey.nix
+ ./zsh.nix
+ ];
+}
diff --git a/modules/profiles/desktop.nix b/systems/modules/profiles/desktop.nix
diff --git a/modules/profiles/dev.nix b/systems/modules/profiles/dev.nix
diff --git a/modules/profiles/docker.nix b/systems/modules/profiles/docker.nix
diff --git a/modules/profiles/gaming.nix b/systems/modules/profiles/gaming.nix
diff --git a/modules/profiles/git.nix b/systems/modules/profiles/git.nix
diff --git a/modules/profiles/home.nix b/systems/modules/profiles/home.nix
diff --git a/modules/profiles/i18n.nix b/systems/modules/profiles/i18n.nix
diff --git a/modules/profiles/ipfs.nix b/systems/modules/profiles/ipfs.nix
diff --git a/modules/profiles/laptop.nix b/systems/modules/profiles/laptop.nix
diff --git a/systems/modules/profiles/mail.nix b/systems/modules/profiles/mail.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.mail;
+ secretPath = ../../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+in
+{
+ options = {
+ profiles.mail = {
+ enable = mkOption {
+ default = true;
+ description = "Enable mail profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf (cfg.enable && secretCondition) {
+ environment.etc."msmtprc".source = pkgs.mkSecret ../../../secrets/msmtprc;
+ environment.systemPackages = with pkgs; [ msmtp ];
+ };
+}
diff --git a/modules/profiles/nix-auto-update.nix b/systems/modules/profiles/nix-auto-update.nix
diff --git a/modules/profiles/printing.nix b/systems/modules/profiles/printing.nix
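Review bot: `environment.etc."msmtprc".source = pkgs.mkSecret ../../../secrets/msmtprc;` in mail.nix publishes the msmtp configuration — which normally carries SMTP credentials — as `/etc/msmtprc` with the default `environment.etc` mode, and if `mkSecret` (defined in the repo's overlay, not visible in this diff) resolves to a store path the file is readable by every local user. If the file contains a password, set `environment.etc."msmtprc".mode` and a restrictive owner, or keep the credential out of the store and have msmtp fetch it via `passwordeval`. Whatever the intended handling is, a comment on that line stating where the secret ends up would let a reader judge the exposure without chasing the overlay.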
diff --git a/modules/profiles/pulseaudio.nix b/systems/modules/profiles/pulseaudio.nix
diff --git a/systems/modules/profiles/qemu.nix b/systems/modules/profiles/qemu.nix
@@ -0,0 +1,50 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ cfg = config.profiles.qemu-user;
+ arm = {
+ interpreter = "${pkgs.qemu-user-arm}/bin/qemu-arm";
+ magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+ aarch64 = {
+ interpreter = "${pkgs.qemu-user-arm64}/bin/qemu-aarch64";
+ magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+ riscv64 = {
+ interpreter = "${pkgs.qemu-riscv64}/bin/qemu-riscv64";
+ magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+in
+{
+ options = {
+ profiles.qemu-user = {
+ arm = mkEnableOption "enable 32bit arm emulation";
+ aarch64 = mkEnableOption "enable 64bit arm emulation";
+ riscv64 = mkEnableOption "enable 64bit riscv emulation";
+ };
+ nix.supportedPlatforms = mkOption {
+ type = types.listOf types.str;
+ description = "extra platforms that nix will run binaries for";
+ default = [ ];
+ };
+ };
+ config = mkIf (cfg.arm || cfg.aarch64) {
+ nixpkgs = {
+ overlays = [ (import ../../../overlays/qemu/default.nix) ];
+ };
+ boot.binfmt.registrations =
+ optionalAttrs cfg.arm { inherit arm; }
+ // optionalAttrs cfg.aarch64 { inherit aarch64; }
+ // optionalAttrs cfg.riscv64 { inherit riscv64; };
+ nix.supportedPlatforms = (optionals cfg.arm [ "armv6l-linux" "armv7l-linux" ])
+ ++ (optional cfg.aarch64 "aarch64-linux");
+ nix.extraOptions = ''
+ extra-platforms = ${toString config.nix.supportedPlatforms} i686-linux
+ '';
+ nix.sandboxPaths = [ "/run/binfmt" ] ++ (optional cfg.arm "${pkgs.qemu-user-arm}") ++ (optional cfg.aarch64 "${pkgs.qemu-user-arm64}");
+ };
+}
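Review bot: The `riscv64` option is declared and has a binfmt registration, but the guard `config = mkIf (cfg.arm || cfg.aarch64) {` omits it, so enabling only `profiles.qemu-user.riscv64` configures nothing; `nix.supportedPlatforms` and `nix.sandboxPaths` likewise never add the riscv64 platform or `pkgs.qemu-riscv64`. Change the guard to `config = mkIf (cfg.arm || cfg.aarch64 || cfg.riscv64) {` and extend the two lists the same way, e.g. `++ (optional cfg.riscv64 "riscv64-linux")` and `++ (optional cfg.riscv64 "${pkgs.qemu-riscv64}")`. A short comment above the three `magicOrExtension`/`mask` pairs naming the ELF header fields they match (class byte, and the machine type at offset 18) would make the byte strings reviewable instead of opaque.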
diff --git a/modules/profiles/scanning.nix b/systems/modules/profiles/scanning.nix
diff --git a/modules/profiles/ssh.nix b/systems/modules/profiles/ssh.nix
diff --git a/modules/profiles/syncthing.nix b/systems/modules/profiles/syncthing.nix
diff --git a/systems/modules/profiles/users.nix b/systems/modules/profiles/users.nix
@@ -0,0 +1,79 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.users;
+ secretPath = ../../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ isAuthorized = p: builtins.isAttrs p && p.authorized or false;
+ authorizedKeys = lists.optionals secretCondition (
+ attrsets.mapAttrsToList
+ (name: value: value.key)
+ (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
+ );
+in
+{
+ options = {
+ profiles.users = {
+ enable = mkOption {
+ default = true;
+ description = "Enable users profile";
+ type = types.bool;
+ };
+ user = mkOption {
+ default = "vincent";
+ description = "Username to use when creating user";
+ type = types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable (mkMerge [
+ {
+ users = {
+ extraUsers = {
+ ${cfg.user} = {
+ isNormalUser = true;
+ uid = 1000;
+ createHome = true;
+ extraGroups = [ "wheel" "input" ] ++ optionals config.profiles.desktop.enable [ "audio" "video" "lp" "scanner" "networkmanager" ]
+ ++ optionals config.profiles.docker.enable [ "docker" ]
+ ++ optionals config.profiles.buildkit.enable [ "buildkit" ]
+ ++ optionals config.profiles.virtualization.enable [ "libvirtd" "vboxusers" ];
+ shell = if config.programs.fish.enable then pkgs.fish else pkgs.zsh;
+ initialPassword = "changeMe";
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
+ openssh.authorizedKeys.keys = authorizedKeys;
+ };
+ };
+ };
+ }
+ (
+ mkIf secretCondition {
+ programs.ssh.extraConfig = with import ../../../secrets/machines.nix; ''
+ Host kerkouane kerkouane.sbr.pm
+ Hostname kerkouane.sbr.pm
+ Port ${toString ssh.kerkouane.port}
+ Host kerkouane.vpn ${wireguard.ips.kerkouane}
+ Hostname ${wireguard.ips.kerkouane}
+ Port ${toString ssh.kerkouane.port}
+ Host carthage carthage.sbr.pm
+ Hostname carthage.sbr.pm
+ Port ${toString ssh.carthage.port}
+ Host carthage.vpn ${wireguard.ips.carthage}
+ Hostname ${wireguard.ips.carthage}
+ Port ${toString ssh.carthage.port}
+ Host hokkaido.vpn ${wireguard.ips.hokkaido}
+ Hostname ${wireguard.ips.hokkaido}
+ Host honshu.vpn ${wireguard.ips.honshu}
+ Hostname ${wireguard.ips.honshu}
+ Host okinawa.vpn ${wireguard.ips.okinawa}
+ Hostname ${wireguard.ips.okinawa}
+ Host wakasu.vpn ${wireguard.ips.wakasu}
+ Hostname ${wireguard.ips.wakasu}
+ '';
+ }
+ )
+ ]);
+}
diff --git a/modules/profiles/virtualization.nix b/systems/modules/profiles/virtualization.nix
diff --git a/systems/modules/profiles/wireguard.server.nix b/systems/modules/profiles/wireguard.server.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.wireguard.server;
+
+ secretPath = ../../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
+ listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ peers = lists.optionals secretCondition (import secretPath).wg.peers;
+in
+{
+ options = {
+ profiles.wireguard.server = {
+ enable = mkOption {
+ default = false;
+ description = "Enable wireguard.server profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ '';
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.interfaces = {
+ "wg0" = {
+ ips = allowedIPs;
+ listenPort = listenPort;
+ privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
+ peers = peers;
+ };
+ };
+ };
+}
diff --git a/modules/profiles/yubikey.nix b/systems/modules/profiles/yubikey.nix
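Review bot: `initialPassword = "changeMe";` in users.nix gives the `wheel` user a well-known password on every fresh install, and nothing in this module forces a change, so any host where console or SSH password login is reachable before rotation has a trivial privilege-escalation path. Prefer `hashedPassword` or `passwordFile` sourced from the same secrets tree already used for `authorizedKeys`, or at minimum record the expectation with `# first-boot password only; rotate before the host is reachable`. The `secretPath` / `secretCondition` / `(import secretPath)` pattern is repeated here, in mail.nix and in wireguard.server.nix; a single shared helper would keep the "secrets are optional" logic in one place.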
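Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` in wireguard.server.nix hard-codes the port while the interface listens on `listenPort`, which is read from the secrets file and falls back to 0 when that file is absent, so the firewall rule and the listener can silently diverge; use `[ listenPort ]` and give the fallback a real port rather than 0. The MASQUERADE rule in `extraCommands` has no matching delete in `networking.firewall.extraStopCommands`, so every firewall restart appends a duplicate — add `iptables -t nat -D POSTROUTING -s10.100.0.0/24 -j MASQUERADE || true` there. `trustedInterfaces = [ "wg0" ]` exempts every VPN peer from the firewall and `ip_forward = 1` is set system-wide; a comment stating that all peers in the secrets file are fully trusted would document that choice.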
diff --git a/modules/profiles/zsh.nix b/systems/modules/profiles/zsh.nix
diff --git a/modules/programs/crc.nix b/systems/modules/programs/crc.nix
diff --git a/systems/modules/programs/default.nix b/systems/modules/programs/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./crc.nix
+ ./podman.nix
+ ];
+}
diff --git a/modules/programs/podman.nix b/systems/modules/programs/podman.nix
diff --git a/modules/services/athens.nix b/systems/modules/services/athens.nix
diff --git a/modules/services/default.nix b/systems/modules/services/default.nix
diff --git a/modules/services/govanityurl.nix b/systems/modules/services/govanityurl.nix
diff --git a/modules/services/nix-binary-cache.nix b/systems/modules/services/nix-binary-cache.nix
diff --git a/modules/services/wireguard.client.nix b/systems/modules/services/wireguard.client.nix
diff --git a/modules/virtualisation/buildkit.nix b/systems/modules/virtualisation/buildkit.nix
diff --git a/modules/virtualisation/containerd.nix b/systems/modules/virtualisation/containerd.nix
diff --git a/modules/virtualisation/default.nix b/systems/modules/virtualisation/default.nix
diff --git a/systems/okinawa.nix b/systems/okinawa.nix
@@ -14,8 +14,8 @@ let
 in
 {
 imports = [
- ../hardware/gigabyte-brix.nix
- ../modules
+ ./hardware/gigabyte-brix.nix
+ ./modules
 (import ../users).vincent
 (import ../users).root
 ];
diff --git a/systems/sakhalin.nix b/systems/sakhalin.nix
@@ -14,8 +14,8 @@ let
 in
 {
 imports = [
- ../hardware/gigabyte-brix.nix
- ../modules
+ ./hardware/gigabyte-brix.nix
+ ./modules
 (import ../users).vincent
 (import ../users).root
 ];
diff --git a/systems/wakasu.nix b/systems/wakasu.nix
@@ -14,8 +14,8 @@ let
 in
 {
 imports = [
- ../hardware/lenovo-p50.nix
- ../modules
+ ./hardware/lenovo-p50.nix
+ ./modules
 (import ../users).vincent
 (import ../users).root
 ];