commit 91c66ec1e7437df6d9e554e49b6d06da0de9bade parent fb3eb48c17afae2211bae65bcc41ea0bd8f96cf9 Author: Vincent Demeester <vincent@sbr.pm> Date: Sat, 14 Mar 2020 14:57:03 +0100 Add 'tmp/nixos-configuration/' from commit '7df98f318e0ebb3606c54b0ca47437b4a2630f2e' git-subtree-dir: tmp/nixos-configuration git-subtree-mainline: fb3eb48c17afae2211bae65bcc41ea0bd8f96cf9 git-subtree-split: 7df98f318e0ebb3606c54b0ca47437b4a2630f2e Diffstat:
69 files changed, 3318 insertions(+), 0 deletions(-)
diff --git a/tmp/nixos-configuration/.dir-locals.el b/tmp/nixos-configuration/.dir-locals.el
@@ -0,0 +1,7 @@
+;;; Directory Local Variables
+;;; For more information see (info "(emacs) Directory Variables")
+
+((nil (eval . (setq projectile-project-compilation-cmd "nixos-rebuild dry-build"
+ projectile-project-run-cmd "nixos-rebuild switch")))
+ (nix-mode
+ (tab-width . 2)))
diff --git a/tmp/nixos-configuration/.gitignore b/tmp/nixos-configuration/.gitignore
@@ -0,0 +1,11 @@
+hardware-configuration.nix
+result
+result-bin
+.tramp*
+*~
+hostname
+accounts.nix
+assets/*
+networking.nix
+wireguard*.key
+.envrc
diff --git a/tmp/nixos-configuration/.gitmodules b/tmp/nixos-configuration/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "pkgs/nix-beautify"]
+ path = pkgs/nix-beautify
+ url = git@github.com:vdemeester/nix-beautify
diff --git a/tmp/nixos-configuration/Makefile b/tmp/nixos-configuration/Makefile
@@ -0,0 +1,22 @@
+all: dry-build
+
+.PHONY: assets
+assets:
+ mkdir -p assets
+ cp -Rv /home/vincent/sync/nixos/* assets/
+
+.PHONY: update
+update:
+ nix-channel --update
+
+.PHONY: dry-build
+dry-build: assets
+ nixos-rebuild dry-build
+
+.PHONY: switch
+switch: assets
+ nixos-rebuild switch
+
+.PHONY: clean
+clean:
+ nix-env --profile /nix/var/nix/profiles/system --delete-generations 15d
diff --git a/tmp/nixos-configuration/README.md b/tmp/nixos-configuration/README.md
@@ -0,0 +1,20 @@
+# Nixos configuration 🐸
+
+This is my nixos configuration, commonly used on all my
+nixos-enabled computers.
+
+## How to use 🐻
+
+## NixOS
+
+When installing nixos:
+
+- clone this repository in `/etc/nixos`
+- create a `hostname` with the hostname you want (`echo wakasu > /etc/nixos/hostname`)
+- create a `machine/${hostname}.nix` file with the thing you want (look at other ones)
+- run `nixos-generate-configuration` to have the
+ `hardware-configuration.nix` generated.
+
+## On other operating system/distributions
+
+Use [vdemeester/home](https://github.com/vdemeester/home) instead.
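Review bot: `cp -Rv /home/vincent/sync/nixos/* assets/` in the `assets` target copies the directory that, judging by `.gitignore` in this commit (`wireguard*.key`, `assets/*`) and the `keyfile = "/etc/nixos/assets/tarsnap.*.key"` entries in `machine/okinawa.nix`, holds private key material, and `cp -R` without `-p` gives the copies the invoking user's ownership and umask rather than the mode the source files had. With `sudo make switch` that presumably yields root-owned but world-readable copies of the keys under `/etc/nixos/assets`. An explicit mode on the directory and the key files keeps them root-only, e.g. `install -d -m 0700 assets` in place of `mkdir -p assets` and `cp -Rpv` for the copy, or a separate `chmod 600 assets/*.key` step after it.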
diff --git a/tmp/nixos-configuration/assets/machines.nix.example b/tmp/nixos-configuration/assets/machines.nix.example @@ -0,0 +1,37 @@ +let + wireguard = { + ips = { + kerkouane = "10.100.0.1"; + shikoku = "10.100.0.2"; + # […] + }; + kerkouane = { + allowedIPs = [ "${wireguard.ips.kerkouane}/32" ]; + publicKey = "<kerkouane wireguard public key>"; + }; + shikoku = { + allowedIPs = [ "${wireguard.ips.shikoku}/32" ]; + publicKey = "<shikoku wireguard public key>"; + }; + # […] + }; + ssh = { + kerkouane = { + port = <custom ssh port>; + key = "<kerkouane ssh public key>"; + }; + shikoku = { + key = "<shikoku ssh public key>"; + }; + }; +in { + wireguard = wireguard; + wg = { + allowedIPs = "10.100.0.0/24"; + listenPort = <wireguard port to listen to>; + endpointIP = "<public remote address>"; + persistentKeepalive = 25; + peers = [ wireguard.shikoku ]; + }; + ssh = ssh; +} diff --git a/tmp/nixos-configuration/configuration.nix b/tmp/nixos-configuration/configuration.nix @@ -0,0 +1,23 @@ +# This configuration file simply determines the hostname and then import both +# the default configuration (common for all machine) and specific machine +# configuration. + +{ config, pkgs, ... }: + +let + hostName = "${builtins.readFile ./hostname}"; +in +rec { + imports = [ + # Generated hardware configuration + ./hardware-configuration.nix + # Default profile with default configuration + ./modules/module-list.nix + # Machine specific configuration files + (./machine + "/${hostName}.nix") + ]; + + networking.hostName = "${hostName}"; +} + + diff --git a/tmp/nixos-configuration/hardware/dell-latitude-e6540.nix b/tmp/nixos-configuration/hardware/dell-latitude-e6540.nix 
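Review bot: `hostName = "${builtins.readFile ./hostname}"` keeps whatever trailing newline the `hostname` file has, and the README in this commit creates that file with `echo wakasu > /etc/nixos/hostname`, which writes one; the value then feeds both `(./machine + "/${hostName}.nix")` and `networking.hostName`, where a trailing newline would turn the import path into `machine/wakasu\n.nix` and presumably fail the hostname validation. `pkgs.lib.fileContents` strips exactly that newline, so `hostName = pkgs.lib.fileContents ./hostname;` (or `lib.removeSuffix "\n" (builtins.readFile ./hostname)` if `lib` is added to the arguments) makes the file format match the README. The `rec` on the returned attribute set is not used by any attribute and can be dropped.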
@@ -0,0 +1,25 @@ +{ config, pkgs, ... }: + +{ + boot = { + loader.efi.canTouchEfiVariables = true; + kernelParams = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "i915.enable_rc6=0" "i915.enable_fbc=1" + "i915.lvds_use_ssc=0" + "drm.debug=0" "drm.vblankoffdelay=1" + ]; + blacklistedKernelModules = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "sierra_net" "cdc_mbim" "cdc_ncm" + ]; + }; + hardware = { + opengl = { + enable = true; + extraPackages = [ pkgs.vaapiIntel ]; + driSupport32Bit = true; + }; + }; + services.acpid.enable = true; +} diff --git a/tmp/nixos-configuration/hardware/lenovo-p50.nix b/tmp/nixos-configuration/hardware/lenovo-p50.nix @@ -0,0 +1,49 @@ +{ config, pkgs, ...}: + +{ + imports = [ ./thinkpad.nix ]; + hardware = { + bluetooth = { + enable = true; + powerOnBoot = true; + }; + nvidia.optimus_prime = { + enable = true; + nvidiaBusId = "PCI:1:0:0"; + intelBusId = "PCI:0:2:0"; + }; + }; + services = { + tlp = { + extraConfig = '' +# CPU optimizations +CPU_SCALING_GOVERNOR_ON_AC=performance +CPU_SCALING_GOVERNOR_ON_BAT=powersave +CPU_MIN_PERF_ON_AC=0 +CPU_MAX_PERF_ON_AC=100 +CPU_MIN_PERF_ON_BAT=0 +CPU_MAX_PERF_ON_BAT=50 +# DEVICES (wifi, ..) +DEVICES_TO_DISABLE_ON_STARTUP="" +DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" +DEVICES_TO_DISABLE_ON_BAT="" +# Network management +DEVICES_TO_DISABLE_ON_LAN_CONNECT="" +DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" +DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" +DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" +DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" +DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" +# Docking +DEVICES_TO_DISABLE_ON_DOCK="wifi" +DEVICES_TO_ENABLE_ON_UNDOCK="wifi" +# Make sure it uses the right hard drive +DISK_DEVICES="nvme0n1p2" + ''; + }; + udev.extraRules = '' + # Rules for Lenovo Thinkpad WS Dock + SUBSYSTEM=="usb", ACTION=="add|remove", ENV{ID_VENDOR}=="17ef", ENV{ID_MODEL}=="305a", RUN+="${pkgs.vde-thinkpad}/bin/dock" + ''; + }; +} 
diff --git a/tmp/nixos-configuration/hardware/thinkpad-t460s.nix b/tmp/nixos-configuration/hardware/thinkpad-t460s.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [ ./thinkpad.nix ];
+ services = {
+ tlp = {
+ extraConfig = ''
+# CPU optimizations
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=50
+# DEVICES (wifi, ..)
+DEVICES_TO_DISABLE_ON_STARTUP=""
+DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+DEVICES_TO_DISABLE_ON_BAT=""
+# Network management
+DEVICES_TO_DISABLE_ON_LAN_CONNECT=""
+DEVICES_TO_DISABLE_ON_WIFI_CONNECT=""
+DEVICES_TO_DISABLE_ON_WWAN_CONNECT=""
+DEVICES_TO_ENABLE_ON_LAN_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+# Docking
+DEVICES_TO_DISABLE_ON_DOCK="wifi"
+DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+# Make sure it uses the right hard drive
+DISK_DEVICES="nvme0n1p3"
+ '';
+ };
+ xserver = {
+ dpi = 128;
+ };
+ };
+}
diff --git a/tmp/nixos-configuration/hardware/thinkpad-x220.nix b/tmp/nixos-configuration/hardware/thinkpad-x220.nix
@@ -0,0 +1,55 @@ +{ config, pkgs, ... }: + +{ + imports = [ ./thinkpad.nix ]; + boot = { + kernelParams = [ "i915.enable_psr=1" ]; + extraModprobeConfig = '' + options iwlwifi 11n_disable=1 + ''; + }; + security = { + pam.services = { + slimlock.fprintAuth = false; + slim.fprintAuth = false; + login.fprintAuth = false; + xscreensaver.fprintAuth = false; + }; + }; + services = { + fprintd.enable = true; + tlp = { + extraConfig = '' +# CPU optimizations +CPU_SCALING_GOVERNOR_ON_AC=performance +CPU_SCALING_GOVERNOR_ON_BAT=powersave +CPU_MIN_PERF_ON_AC=0 +CPU_MAX_PERF_ON_AC=100 +CPU_MIN_PERF_ON_BAT=0 +CPU_MAX_PERF_ON_BAT=50 +CPU_BOOST_ON_AC=1 +CPU_BOOST_ON_BAT=0 +# DEVICES (wifi, ..) +DEVICES_TO_DISABLE_ON_STARTUP="bluetooth" +DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan" +DEVICES_TO_DISABLE_ON_BAT="bluetooth" +# Network management +DEVICES_TO_DISABLE_ON_LAN_CONNECT="" +DEVICES_TO_DISABLE_ON_WIFI_CONNECT="" +DEVICES_TO_DISABLE_ON_WWAN_CONNECT="" +DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="" +DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT="" +DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT="" +DISK_IDLE_SECS_ON_AC=0 +DISK_IDLE_SECS_ON_BAT=2 +MAX_LOST_WORK_SECS_ON_AC=15 +MAX_LOST_WORK_SECS_ON_BAT=60 +DISK_DEVICES="ata-Corsair_Force_LX_SSD_15256501000102160059" +SOUND_POWER_SAVE_ON_AC=0 +SOUND_POWER_SAVE_ON_BAT=1 +USB_AUTOSUSPEND=1 +USB_BLACKLIST_BTUSB=1 + ''; + }; + }; +} diff --git a/tmp/nixos-configuration/hardware/thinkpad.nix b/tmp/nixos-configuration/hardware/thinkpad.nix 
@@ -0,0 +1,74 @@ +{ config, pkgs, ... }: + +{ + boot = { + blacklistedKernelModules = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "sierra_net" "cdc_mbim" "cdc_ncm" + ]; + extraModprobeConfig = '' + options snd_hda_intel power_save=1 + ''; + initrd = { + availableKernelModules = [ "aesni-intel" "aes_x86_64" "cryptd" ]; + }; + kernelModules = [ "kvm_intel" ]; + kernelParams = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "i915.enable_rc6=1" "i915.enable_fbc=1" + "i915.lvds_use_ssc=0" + "drm.debug=0" "drm.vblankoffdelay=1" + "kvm_intel.nested=1" + "intel_iommu=on" + ]; + loader.efi.canTouchEfiVariables = true; + }; + environment.systemPackages = with pkgs; [ + linuxPackages.tp_smapi + ]; + hardware = { + trackpoint.enable = false; + cpu.intel.updateMicrocode = true; + opengl = { + #enable = true; + extraPackages = [ pkgs.vaapiIntel ]; + #driSupport32Bit = true; + }; + }; + services = { + acpid = { + enable = true; + lidEventCommands = '' +if grep -q closed /proc/acpi/button/lid/LID/state; then + date >> /tmp/i3lock.log + DISPLAY=":0.0" XAUTHORITY=/home/fadenb/.Xauthority ${pkgs.i3lock}/bin/i3lock &>> /tmp/i3lock.log +fi + ''; + }; + tlp = { + enable = true; + }; + xserver = { + synaptics.enable = false; + config = + '' + Section "InputClass" + Identifier "Enable libinput for TrackPoint" + MatchIsPointer "on" + Driver "libinput" + Option "ScrollMethod" "button" + Option "ScrollButton" "8" + EndSection + ''; + inputClassSections = [ + '' + Identifier "evdev touchpad off" + MatchIsTouchpad "on" + MatchDevicePath "/dev/input/event*" + Driver "evdev" + Option "Ignore" "true" + '' + ]; + }; + }; +} diff --git a/tmp/nixos-configuration/machine/carthage.nix b/tmp/nixos-configuration/machine/carthage.nix 
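Review bot: The `lidEventCommands` script locks the screen as root with `XAUTHORITY=/home/fadenb/.Xauthority`, but every machine in this commit runs its session as `vincent` (see `User = "vincent"` and the `/home/vincent/...` paths in the machine files), so unless a `fadenb` home exists i3lock cannot authenticate to the display and closing the lid silently does not lock, with only `/tmp/i3lock.log` as evidence. That log is also a fixed path in world-writable `/tmp` written by root; the journal or a path under `/run` is the safer sink. On a systemd system `${pkgs.systemd}/bin/loginctl lock-sessions` in place of the i3lock line avoids both the hard-coded user and the X cookie, provided the session runs something that reacts to the lock signal; failing that, at least take the user and display from variables rather than a literal home directory.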
@@ -0,0 +1,49 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ + ../networking.nix # generated at runtime by nixos-infect + ]; + time.timeZone = "Europe/Paris"; + boot = { + cleanTmpDir = true; + loader.grub.enable = true; + }; + profiles = { + git.enable = true; + nix-config.localCaches = []; + nix-config.buildCores = 1; + ssh.enable = true; + syncthing.enable = true; + }; + networking.firewall.allowPing = true; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security = { + acme.certs = { + "sbr.pm".email = "vincent@sbr.pm"; + }; + }; + services = { + nginx = { + enable = true; + virtualHosts."carthage.sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/carthage.sbr.pm"; + locations."/" = { + index = "index.html"; + }; + }; + }; + openssh.ports = [ ssh.carthage.port ]; + openssh.permitRootLogin = "without-password"; + syncthing.guiAddress = "127.0.0.1:8384"; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.carthage}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + }; +} diff --git a/tmp/nixos-configuration/machine/hokkaido.nix b/tmp/nixos-configuration/machine/hokkaido.nix 
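Review bot: `openssh.permitRootLogin = "without-password"` allows direct root login over SSH on this internet-facing host (nginx with ACME, `allowPing = true`), and `machine/kerkouane.nix` in the same commit does the same; key-only root login is better than password login, but it still makes the root account the SSH target and loses the record of which person's key was used. Prefer `openssh.permitRootLogin = "no";` with a sudo-capable user, or at least the current spelling `"prohibit-password"`, since `"without-password"` is the legacy alias OpenSSH keeps for compatibility. Whether the custom port from `ssh.carthage.port` is also opened in the firewall depends on the ssh profile, which is not in this hunk.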
@@ -0,0 +1,86 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ../hardware/thinkpad-x220.nix ./home.nix ]; + boot = { + kernel.sysctl = { + "net.bridge.bridge-nf-call-arptables" = 0; + "net.bridge.bridge-nf-call-iptables" = 0; + "net.bridge.bridge-nf-call-ip6tables" = 0; + }; + }; + profiles = { + avahi.enable = true; + dev.enable = true; + ssh.enable = true; + syncthing.enable = true; + nix-config.buildCores = 2; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + }; + services = { + logind = { + lidSwitch = "ignore"; + }; + syncthing.guiAddress = "0.0.0.0:8384"; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.hokkaido}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + }; + # ----------------------------------- + environment.etc."vrsync".text = '' +/home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/ +/home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/ +/home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/ +/mnt/Toshito/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/ +/mnt/Toshito/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/ + ''; + systemd.services.vrsync = { + description = "vrsync - sync folders to NAS"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + unitConfig.X-StopOnRemoval = false; + restartIfChanged = false; + + path = with pkgs; [ rsync coreutils bash openssh ]; + script = '' + ${pkgs.vrsync}/bin/vrsync + ''; + + startAt = "hourly"; + serviceConfig = { + Type = "oneshot"; + OnFailure = "status-email-root@%n.service"; + }; + }; + # ape – sync git mirrors + systemd.services.ape = { + description = "Ape - sync git mirrors"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + 
restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + + serviceConfig = { + Type = "oneshot"; + User = "vincent"; + OnFailure = "status-email-root@%n.service"; + }; + + path = with pkgs; [ git ]; + script = '' + ${pkgs.nur.repos.vdemeester.ape}/bin/ape up /home/vincent/var/mirrors + ''; + + startAt = "hourly"; + }; +} diff --git a/tmp/nixos-configuration/machine/home.nix b/tmp/nixos-configuration/machine/home.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ]; + networking.domain = "synodine.home"; + time.timeZone = "Europe/Paris"; + fileSystems."/mnt/synodine" = { + device = "${home.ips.synodine}:/"; + fsType = "nfs"; + options = ["x-systemd.automount" "noauto"]; + }; +} diff --git a/tmp/nixos-configuration/machine/honshu.nix b/tmp/nixos-configuration/machine/honshu.nix 
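Review bot: The three `net.bridge.bridge-nf-call-*` sysctls set to 0 stop bridged frames from traversing the netfilter hooks, so the NixOS firewall — which this machine, unlike `honshu`/`okinawa`/`sakhalin`/`wakasu`, leaves enabled — no longer sees traffic switched between VMs or containers on a bridge, only traffic that terminates on the host. That is a common tuning for libvirt bridges but deserves a comment next to the block, e.g. `# bridged VM traffic bypasses iptables; the host firewall still covers local sockets`, because `syncthing.guiAddress = "0.0.0.0:8384"` and `virtualization.listenTCP = true` later in the hunk rely on that host firewall being the only gate. `machine/wakasu.nix` sets the same sysctls with the firewall disabled outright.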
@@ -0,0 +1,84 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ../hardware/dell-latitude-e6540.nix ./home.nix ]; + networking = { + firewall.enable = false; # we are in safe territory :D + bridges.br1.interfaces = [ "eno1" ]; + interfaces.eno1 = { + useDHCP = true; + }; + }; + profiles = { + avahi.enable = true; + dev.enable = true; + nix-config.buildCores = 4; + ssh.enable = true; + syncthing.enable = true; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + }; + services = { + logind.lidSwitch = "ignore"; + syncthing.guiAddress = "0.0.0.0:8384"; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.honshu}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + }; + # ----------------------------------- + environment.etc."vrsync".text = '' +/home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/ +/home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/ +/home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/ +/mnt/Toshito/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/ +/mnt/Toshito/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/ + ''; + systemd.services.vrsync = { + description = "vrsync - sync folders to NAS"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + unitConfig.X-StopOnRemoval = false; + restartIfChanged = false; + + path = with pkgs; [ rsync coreutils bash openssh ]; + script = '' + ${pkgs.vrsync}/bin/vrsync + ''; + + startAt = "hourly"; + serviceConfig = { + Type = "oneshot"; + OnFailure = "status-email-root@%n.service"; + }; + }; + # ape – sync git mirrors + systemd.services.ape = { + description = "Ape - sync git mirrors"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + restartIfChanged = 
false; + unitConfig.X-StopOnRemoval = false; + + serviceConfig = { + Type = "oneshot"; + User = "vincent"; + OnFailure = "status-email-root@%n.service"; + }; + + path = with pkgs; [ git ]; + script = '' + ${pkgs.nur.repos.vdemeester.ape}/bin/ape up /home/vincent/var/mirrors + ''; + + startAt = "hourly"; + }; +} diff --git a/tmp/nixos-configuration/machine/kerkouane.nix b/tmp/nixos-configuration/machine/kerkouane.nix @@ -0,0 +1,49 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ../networking.nix ]; + time.timeZone = "Europe/Paris"; + boot = { + cleanTmpDir = true; + loader.grub.enable = true; + }; + profiles = { + git.enable = true; + nix-config.localCaches = []; + nix-config.buildCores = 1; + ssh.enable = true; + syncthing.enable = true; + wireguard.server.enable = true; + }; + networking.firewall.allowPing = true; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security = { + acme.certs = { + "sbr.pm".email = "vincent@sbr.pm"; + }; + }; + services = { + nginx = { + enable = true; + virtualHosts."kerkouane.sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/kerkouane.sbr.pm"; + locations."/" = { + index = "index.html"; + }; + }; + virtualHosts."sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/sbr.pm"; + locations."/" = { + index = "index.html"; + }; + }; + }; + openssh.ports = [ ssh.kerkouane.port ]; + openssh.permitRootLogin = "without-password"; + syncthing.guiAddress = "127.0.0.1:8384"; + }; +} diff --git a/tmp/nixos-configuration/machine/okinawa.nix b/tmp/nixos-configuration/machine/okinawa.nix 
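Review bot: `firewall.enable = false` together with `syncthing.guiAddress = "0.0.0.0:8384"` and `virtualization.listenTCP = true` exposes the Syncthing web UI and whatever `listenTCP` enables in the virtualization profile (presumably libvirtd's TCP socket) on every interface, including the `br1` bridge and the WireGuard address `wireguard.ips.honshu`; the comment `# we are in safe territory :D` assumes the LAN is trusted, but the VPN peers and anything that joins the bridge get the same reach. `machine/okinawa.nix`, `machine/sakhalin.nix` and `machine/wakasu.nix` in this commit carry the same combination. Keeping the firewall on and listing only the needed ports, e.g. `networking.firewall.allowedTCPPorts = [ 8384 ];` with the GUI bound to the LAN or VPN address instead of `0.0.0.0`, narrows that without changing the workflow. What the Syncthing GUI requires for authentication depends on `profiles.syncthing`, which is outside this hunk.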
@@ -0,0 +1,94 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ./home.nix ]; + boot = { + cleanTmpDir = true; + }; + networking = { + firewall.enable = false; # we are in safe territory :D + bridges.br1.interfaces = [ "enp0s31f6" ]; + interfaces.enp0s31f6 = { + useDHCP = true; + }; + }; + profiles = { + avahi.enable = true; + git.enable = true; + nix-config.buildCores = 4; + ssh.enable = true; + syncthing.enable = true; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + }; + services = { + bind = { + enable = true; + forwarders = [ "8.8.8.8" "8.8.4.4" ]; + cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ]; + zones = [ + { + # home + name = "home"; + slaves = []; + file = ../assets/db.home; + } + { + # home.reverse + name = "192.168.1.in-addr.arpa"; + slaves = []; + file = ../assets/db.192.168.1; + } + { + # vpn + name = "vpn"; + slaves = []; + file = ../assets/db.vpn; + } + { + # vpn.reverse + name = "10.100.0.in-addr.arpa"; + slaves = []; + file = ../assets/db.10.100.0; + } + ]; + }; + nix-binary-cache = { + enable = true; + domain = "nix.cache.home"; + aliases = ["cache.massimo.home" "nix.okinawa.home"]; + }; + syncthing.guiAddress = "0.0.0.0:8384"; + tarsnap = { + enable = true; + archives = { + documents = { + directories = [ "/home/vincent/desktop/documents" ]; + period = "daily"; + keyfile = "/etc/nixos/assets/tarsnap.documents.key"; + }; + org = { + directories = [ "/home/vincent/desktop/org" ]; + period = "daily"; + keyfile = "/etc/nixos/assets/tarsnap.org.key"; + }; + sites = { + directories = [ "/home/vincent/desktop/sites" ]; + period = "daily"; + keyfile = "/etc/nixos/assets/tarsnap.sites.key"; + }; + }; + }; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.okinawa}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + }; + security.apparmor.enable = true; +} 
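Review bot: `file = ../assets/db.home` and its three sibling zones are Nix path literals, so each zone file is copied into the world-readable Nix store when the bind configuration is built, and because `.gitignore` in this commit excludes `assets/*` the evaluation only succeeds after the Makefile's `assets` target has populated that directory. That is fine for public zone data, but `assets/` is also where key files are synced, so a zone file that ever references a TSIG key or other secret must not follow this pattern; a one-line comment above `zones`, e.g. `# zone files are path literals and end up in /nix/store: keep secrets out of them`, records the boundary. The tarsnap `keyfile` entries, by contrast, are strings and stay out of the store, which is the right split. `machine/sakhalin.nix` has the same bind block.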
diff --git a/tmp/nixos-configuration/machine/sakhalin.nix b/tmp/nixos-configuration/machine/sakhalin.nix @@ -0,0 +1,69 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ./home.nix ]; + boot = { + cleanTmpDir = true; + }; + networking = { + firewall.enable = false; # we are in safe territory :D + bridges.br1.interfaces = [ "enp0s31f6" ]; + interfaces.enp0s31f6 = { + useDHCP = true; + }; + }; + profiles = { + avahi.enable = true; + git.enable = true; + nix-config.buildCores = 4; + ssh.enable = true; + syncthing.enable = true; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + }; + services = { + bind = { + enable = true; + forwarders = [ "8.8.8.8" "8.8.4.4" ]; + cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ]; + zones = [ + { + # home + name = "home"; + slaves = []; + file = ../assets/db.home; + } + { + # home.reverse + name = "192.168.1.in-addr.arpa"; + slaves = []; + file = ../assets/db.192.168.1; + } + { + # vpn + name = "vpn"; + slaves = []; + file = ../assets/db.vpn; + } + { + # vpn.reverse + name = "10.100.0.in-addr.arpa"; + slaves = []; + file = ../assets/db.10.100.0; + } + ]; + }; + syncthing.guiAddress = "0.0.0.0:8384"; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.sakhalin}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + }; + security.apparmor.enable = true; +} diff --git a/tmp/nixos-configuration/machine/wakasu.nix b/tmp/nixos-configuration/machine/wakasu.nix 
@@ -0,0 +1,86 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ../hardware/lenovo-p50.nix ./home.nix ]; + boot = { + kernelModules = [ "kvm_intel" ]; + kernelParams = [ "kvm_intel.nested=1" ]; + kernel.sysctl = { + "net.bridge.bridge-nf-call-arptables" = 0; + "net.bridge.bridge-nf-call-iptables" = 0; + "net.bridge.bridge-nf-call-ip6tables" = 0; + }; + }; + networking = { + firewall.enable = false; # we are in safe territory :D + hosts = { + "${home.ips.honshu}" = [ "honshu.home" ]; + "${wireguard.ips.honshu}" = [ "honshu.vpn" ]; + "${home.ips.shikoku}" = [ "shikoku.home" ]; + "${wireguard.ips.shikoku}" = [ "shikoku.vpn" ]; + "${home.ips.wakasu}" = [ "wakasu.home" ]; + "${wireguard.ips.wakasu}" = [ "wakasu.vpn" ]; + "${home.ips.hokkaido}" = [ "hokkaido.home" ]; + "${wireguard.ips.hokkaido}" = [ "hokkaido.vpn" ]; + "${home.ips.sakhalin}" = [ "sakhalin.home" ]; + "${wireguard.ips.sakhalin}" = [ "sakhalin.vpn" ]; + "${wireguard.ips.massimo}" = [ "massimo.vpn" ]; + "${home.ips.synodine}" = [ "synodine.home" ]; + "${home.ips.okinawa}" = [ "okinawa.home" "cache.home" "svc.home" "nix.cache.home" "go.cache.home" ]; + "${wireguard.ips.okinawa}" = [ "okinawa.vpn" ]; + "${wireguard.ips.carthage}" = [ "carthage.vpn" ]; + "${wireguard.ips.kerkouane}" = [ "kerkouane.vpn" ]; + }; + }; + profiles = { + dev.enable = true; + laptop.enable = true; + desktop.autoLogin = true; + docker.enable = true; + nix-config.buildCores = 4; + #qemu-user = { arm = true; aarch64 = true; }; + ssh = { + enable = true; + forwardX11 = true; + }; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + yubikey.enable = true; + }; + programs = { + podman.enable = true; + }; + services = { + logind.extraConfig = '' + HandleLidSwitch=ignore + HandleLidSwitchExternalPower=ignore + HandleLidSwitchDocked=ignore + ''; + #syncthing.guiAddress = "${wireguard.ips.wakasu}:8384"; + syncthing.guiAddress = "0.0.0.0:8384"; + smartd = { + enable = true; + devices 
= [ { device = "/dev/nvme0n1"; } ]; + }; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.wakasu}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + xserver = { + videoDrivers = [ "nvidia" ]; + dpi = 96; + serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/hardware/sane-extra-config.nix b/tmp/nixos-configuration/modules/hardware/sane-extra-config.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.hardware.sane; + + pkg = if cfg.snapshot + then pkgs.sane-backends-git + else pkgs.sane-backends; + + backends = [ pkg ] ++ cfg.extraBackends; + + saneConfig = pkgs.mkSaneConfig { paths = backends; }; + + saneExtraConfig = pkgs.runCommand "sane-extra-config" {} '' + cp -Lr '${pkgs.mkSaneConfig { paths = [ pkgs.sane-backends ]; }}'/etc/sane.d $out + chmod +w $out + ${concatMapStrings (c: '' + f="$out/${c.name}.conf" + [ ! -e "$f" ] || chmod +w "$f" + cat ${builtins.toFile "" (c.value + "\n")} >>"$f" + chmod -w "$f" + '') (mapAttrsToList nameValuePair cfg.extraConfig)} + chmod -w $out + ''; + +in + +{ + options = { + hardware.sane.extraConfig = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = { "some-backend" = "# some lines to add to its .conf"; }; + }; + }; + + config = mkIf (cfg.enable && cfg.extraConfig != {}) { + hardware.sane.configDir = saneExtraConfig.outPath; + }; +} diff --git a/tmp/nixos-configuration/modules/module-list.nix b/tmp/nixos-configuration/modules/module-list.nix 
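Review bot: `desktop.autoLogin = true` on a laptop whose `logind.extraConfig` ignores every lid-switch event means that, if the desktop profile maps this to a display-manager auto-login, anyone who opens the lid or reboots the machine lands in vincent's session without a credential prompt, and the `yubikey.enable = true` a few lines above does not help at that point. Whether a disk-encryption passphrase at boot is the only remaining gate cannot be told from this commit, so it is worth stating next to the option, e.g. `# autoLogin: relies on the boot-time disk passphrase; lid close does not lock (see logind below)`. `ssh.forwardX11 = true` is similarly only needed for sessions that use it; what it enables lives in `profiles.ssh`, outside this hunk. The firewall point for this machine is raised on `machine/honshu.nix`.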
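Review bot: `saneExtraConfig` copies the base configuration from `pkgs.mkSaneConfig { paths = [ pkgs.sane-backends ]; }` instead of from `saneConfig`, so `cfg.snapshot` and `cfg.extraBackends` — which the `let` block folds into `backends` and `saneConfig` — never influence the generated `configDir`, and `pkg`, `backends` and `saneConfig` are dead bindings as written. Changing the copy to `cp -Lr '${saneConfig}'/etc/sane.d $out` makes the extra config layer on top of whatever backends the user selected. The module is complete within the hunk.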
@@ -0,0 +1,40 @@
+{ pkgs, lib, ... }:
+
+{
+ imports = [
+ ./hardware/sane-extra-config.nix
+ ./profiles/avahi.nix
+ ./profiles/base.nix
+ ./profiles/buildkit.nix
+ ./profiles/fish.nix
+ ./profiles/containerd.nix
+ ./profiles/desktop.nix
+ ./profiles/dev.nix
+ ./profiles/docker.nix
+ ./profiles/gaming.nix
+ ./profiles/git.nix
+ ./profiles/i18n.nix
+ ./profiles/ipfs.nix
+ ./profiles/laptop.nix
+ ./profiles/mail.nix
+ ./profiles/nix-config.nix
+ ./profiles/nix-auto-update.nix
+ ./profiles/printing.nix
+ ./profiles/pulseaudio.nix
+ ./profiles/qemu.nix
+ ./profiles/scanning.nix
+ ./profiles/ssh.nix
+ ./profiles/syncthing.nix
+ ./profiles/users.nix
+ ./profiles/virtualization.nix
+ ./profiles/wireguard.server.nix
+ ./profiles/yubikey.nix
+ ./profiles/zsh.nix
+ ./programs/podman.nix
+ ./services/athens.nix
+ ./services/nix-binary-cache.nix
+ ./services/wireguard.client.nix
+ ./virtualisation/buildkit.nix
+ ./virtualisation/containerd.nix
+ ];
+}
diff --git a/tmp/nixos-configuration/modules/profiles/assets/fish/fish_prompt.fish b/tmp/nixos-configuration/modules/profiles/assets/fish/fish_prompt.fish
@@ -0,0 +1,258 @@ +# name: lambda +function __fish_basename -d 'basically basename, but faster' + string replace -r '^.*/' '' -- $argv +end + +function __fish_dirname -d 'basically dirname, but faster' + string replace -r '/[^/]+/?$' '' -- $argv +end + + +function __fish_prompt_status -S -a last_status -d 'Display flags for non-zero-exit status, root user, and background jobs' + set -l nonzero + set -l superuser + set -l bg_jobs + + # Last exit was nonzero + [ $last_status -ne 0 ] + and set nonzero 1 + + # If superuser (uid == 0) + # + # Note that iff the current user is root and '/' is not writeable by root this + # will be wrong. But I can't think of a single reason that would happen, and + # it is literally 99.5% faster to check it this way, so that's a tradeoff I'm + # willing to make. + [ -w / ] + and [ (id -u) -eq 0 ] + and set superuser 1 + + # Jobs display + jobs -p >/dev/null + and set bg_jobs 1 + + if [ "$nonzero" ] + set_color red + echo -n '! ' + set_color normal + end + + if [ "$superuser" ] + set_color red + echo -n '$ ' + set_color normal + end + + if [ "$bg_jobs" ] + set_color gray + echo -n '% ' + set_color normal + end +end + +function __fish_prompt_user -S -d 'Display current user and hostname' + [ -n "$SSH_CLIENT" ] + and set -l display_user_hostname + + if set -q display_user_hostname + set -l IFS . + hostname | read -l hostname __ + echo -ns (whoami) '@' $hostname + end +end + +function __fish_git_project_dir + set -l git_dir (command git rev-parse --git-dir ^/dev/null) + or return + + pushd $git_dir + set git_dir $PWD + popd + + switch $PWD/ + case $git_dir/\* + # Nothing works quite right if we're inside the git dir + # TODO: fix the underlying issues then re-enable the stuff below + + # # if we're inside the git dir, sweet. just return that. 
+ # set -l toplevel (command git rev-parse --show-toplevel ^/dev/null) + # if [ "$toplevel" ] + # switch $git_dir/ + # case $toplevel/\* + # echo $git_dir + # end + # end + return + end + + set -l project_dir (__fish_dirname $git_dir) + + switch $PWD/ + case $project_dir/\* + echo $project_dir + return + end + + set project_dir (command git rev-parse --show-toplevel ^/dev/null) + switch $PWD/ + case $project_dir/\* + echo $project_dir + end +end + +function __fish_git_ahead -S -d 'Print the ahead/behind state for the current branch' + set -l ahead 0 + set -l behind 0 + for line in (command git rev-list --left-right '@{upstream}...HEAD' ^/dev/null) + switch "$line" + case '>*' + if [ $behind -eq 1 ] + echo '±' + return + end + set ahead 1 + case '<*' + if [ $ahead -eq 1 ] + echo "±" + return + end + set behind 1 + end + end + + if [ $ahead -eq 1 ] + echo "+" + else if [ $behind -eq 1 ] + echo "-" + end +end + +function __fish_git_branch -S -d 'Get the current git branch (or commitish)' + set -l ref (command git symbolic-ref HEAD ^/dev/null) + and begin + string replace 'refs/heads/' "" $ref + and return + end + + set -l tag (command git describe --tags --exact-match ^/dev/null) + and echo "tag:$tag" + and return + + set -l branch (command git show-ref --head -s --abbrev | head -n1 ^/dev/null) + echo "detached:$branch" +end + +function __fish_prompt_git -S -a current_dir -d 'Display the actula git state' + set -l dirty '' + set -l show_dirty (command git config --bool bash.showDirtyState ^/dev/null) + if [ "$show_dirty" != 'false' ] + set dirty (command git diff --no-ext-diff --quiet --exit-code ^/dev/null; or echo -n "*") + end + + set -l staged (command git diff --cached --no-ext-diff --quiet --exit-code ^/dev/null; or echo -n "~") + set -l stashed (command git rev-parse --verify --quiet refs/stash >/dev/null; and echo -n '$') + set -l ahead (__fish_git_ahead) + + set -l new '' + set -l show_untracked (command git config --bool bash.showUntrackedFiles ^/dev/null) + 
if [ "$show_untracked" != 'false' ] + set new (command git ls-files --other --exclude-standard --directory --no-empty-directory ^/dev/null) + if [ "$new" ] + set new "…" + end + end + + set -l flags "$dirty$staged$stashed$ahead$new" + [ "$flags" ] + and set flags ":$flags" + + __fish_path_segment $current_dir + + set_color green + echo -n '{' + echo -ns (__fish_git_branch) $flags '' + echo -n '}' + set_color normal + + set -l project_pwd (command git rev-parse --show-prefix ^/dev/null | string trim --right --chars=/) + + if [ "$project_pwd" ] + set_color brblack + echo -n "/$project_pwd" + set_color normal + end +end + +function __fish_prompt_dir -S -d 'Display a shortened form of the current directory' + __fish_path_segment "$PWD" +end + +function __fish_path_segment -S -a current_dir -d 'Display a shortened form of a directory' + set -l directory + set -l parent + + switch "$current_dir" + case / + set directory '/' + case "$HOME" + set directory '~' + case '*' + set parent (__fish_pretty_parent "$current_dir") + set directory (__fish_basename "$current_dir") + end + + set_color white + echo -n $parent + set_color --bold + echo -ns $directory '' + set_color normal +end + +function __fish_pretty_parent -S -a current_dir -d 'Print a parent directory, shortened to fit the prompt' + set -q fish_prompt_pwd_dir_length + or set -l fish_prompt_pwd_dir_length 1 + + # Replace $HOME with ~ + set -l real_home ~ + set -l parent_dir (string replace -r '^'"$real_home"'($|/)' '~$1' (__fish_dirname $current_dir)) + + # Must check whether `$parent_dir = /` if using native dirname + if [ -z "$parent_dir" ] + echo -n / + return + end + + if [ $fish_prompt_pwd_dir_length -eq 0 ] + echo -n "$parent_dir/" + return + end + + string replace -ar '(\.?[^/]{'"$fish_prompt_pwd_dir_length"'})[^/]*/' '$1/' "$parent_dir/" +end + +# TODO: handle envs (nix-shell, virtualenv, ...) 
+
+function fish_prompt -d 'vde-lambda, a fish theme optimized for me :D'
+ if test $TERM = "dumb"
+ echo "\$ "
+ return 0
+ end
+ # Save the last status for later
+ set -l last_status $status
+
+ __fish_prompt_status $last_status
+ __fish_prompt_user
+
+ # vcs
+ set -l git_root (__fish_git_project_dir)
+
+ if [ "$git_root" ]
+ __fish_prompt_git $git_root
+ else
+ __fish_prompt_dir
+ end
+
+ set_color --bold brblack
+ echo -n " λ "
+ set_color normal
+end
diff --git a/tmp/nixos-configuration/modules/profiles/assets/fish/fish_right_prompt.fish b/tmp/nixos-configuration/modules/profiles/assets/fish/fish_right_prompt.fish
@@ -0,0 +1,30 @@
+function __fish_prompt_nix_shell
+ [ -z "$IN_NIX_SHELL" ]
+ and return
+ set_color yellow
+ echo -n -s '🄪 '
+ set_color normal
+end
+
+# ⏍ ⧆ ⌗ ⧉
+function __fish_prompt_direnv
+ [ -z "$DIRENV_DIR" ]
+ and return
+ set_color yellow
+ echo -n -s '⧉ '
+ set_color normal
+end
+
+function __fish_prompt_virtualenv
+ [ -z "$VIRTUAL_ENV" ]
+ and return
+ set_color green
+ echo -ns 'venv:' (basename "$VIRTUAL_ENV") ' '
+ set_color normal
+end
+
+function fish_right_prompt
+ __fish_prompt_direnv
+ __fish_prompt_nix_shell
+ __fish_prompt_virtualenv
+end
diff --git a/tmp/nixos-configuration/modules/profiles/avahi.nix b/tmp/nixos-configuration/modules/profiles/avahi.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.avahi;
+in
+{
+ options = {
+ profiles.avahi = {
+ enable = mkOption {
+ default = false;
+ description = "Enable avahi profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services = {
+ avahi = {
+ enable = true;
+ ipv4 = true;
+ ipv6 = true;
+ nssmdns = true;
+ publish = {
+ enable = true;
+ userServices = true;
+ };
+ };
+ };
+ };
+}
diff --git a/tmp/nixos-configuration/modules/profiles/base.nix b/tmp/nixos-configuration/modules/profiles/base.nix
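Review bot: Every stderr redirect in this prompt uses the `^/dev/null` form (`__fish_git_project_dir`, `__fish_git_ahead`, `__fish_git_branch`, `__fish_prompt_git`), which fish 3 deprecated in favour of `2>/dev/null` and later releases drop, so the git helpers will start leaking errors into the prompt once the fish in nixpkgs moves on; the replacement is mechanical, e.g. `set -l git_dir (command git rev-parse --git-dir 2>/dev/null)`. In `__fish_git_branch` the `| head -n1 ^/dev/null` additionally attaches the redirect to `head` rather than to `git show-ref`, so the command whose errors were meant to be silenced is not the one silenced. The `-d` text of `__fish_prompt_git` reads `actula`; `actual` is intended. `__fish_prompt_status` comments that `[ -w / ]` is checked instead of `id -u` for speed, but the next line calls `id -u` anyway, so either the comment or the second test is stale.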
@@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.base; +in +{ + options = { + profiles.base = { + enable = mkOption { + default = true; + description = "Enable base profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + boot.loader.systemd-boot.enable = true; + environment = { + variables = { + EDITOR = pkgs.lib.mkOverride 0 "vim"; + }; + systemPackages = with pkgs; [ + cachix + direnv + exa + file + htop + iotop + lsof + netcat + psmisc + pv + tmux + tree + vim + vrsync + wget + gnumake + ]; + }; + systemd.services."status-email-root@" = { + description = "status email for %i to vincent"; + serviceConfig = { + Type = "oneshot"; + ExecStart = '' + ${pkgs.nur.repos.vdemeester.systemd-email}/bin/systemd-email vincent@demeester.fr %i + ''; + User = "root"; + Environment = "PATH=/run/current-system/sw/bin"; + }; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/buildkit.nix b/tmp/nixos-configuration/modules/profiles/buildkit.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.buildkit; +in +{ + options = { + profiles.buildkit = { + enable = mkOption { + default = false; + description = "Enable buildkit profile"; + type = types.bool; + }; + package = mkOption { + default = pkgs.nur.repos.vdemeester.buildkit; + description = "buildkit package to be used"; + type = types.package; + }; + runcPackage = mkOption { + default = pkgs.nur.repos.vdemeester.runc; + description = "runc package to be used"; + type = types.package; + }; + }; + }; + config = mkIf cfg.enable { + profiles.containerd = { + enable = true; + runcPackage = cfg.runcPackage; + }; + environment.systemPackages = with pkgs; [ + cfg.package + ]; + virtualisation = { + buildkitd= { + enable = true; + package = cfg.package; + packages = [ cfg.runcPackage pkgs.git ]; + extraOptions = "--oci-worker=false --containerd-worker=true"; + }; + }; + }; +} 
diff --git a/tmp/nixos-configuration/modules/profiles/containerd.nix b/tmp/nixos-configuration/modules/profiles/containerd.nix @@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.containerd; +in +{ + options = { + profiles.containerd = { + enable = mkOption { + default = false; + description = "Enable containerd profile"; + type = types.bool; + }; + package = mkOption { + default = pkgs.nur.repos.vdemeester.containerd; + description = "containerd package to be used"; + type = types.package; + }; + runcPackage = mkOption { + default = pkgs.runc; + description = "runc package to be used"; + type = types.package; + }; + cniPackage = mkOption { + default = pkgs.cni; + description = "cni package to be used"; + type = types.package; + }; + cniPluginsPackage = mkOption { + default = pkgs.cni-plugins; + description = "cni-plugins package to be used"; + type = types.package; + }; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + cfg.cniPackage + cfg.cniPluginsPackage + cfg.package + cfg.runcPackage + ]; + virtualisation = { + containerd = { + enable = true; + package = cfg.package; + packages = [ cfg.runcPackage ]; + }; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/desktop.nix b/tmp/nixos-configuration/modules/profiles/desktop.nix 
@@ -0,0 +1,212 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.desktop; +in +{ + options = { + profiles.desktop = { + enable = mkOption { + default = false; + description = "Enable desktop profile"; + type = types.bool; + }; + avahi = mkOption { + default = true; + description = "Enable avahi with the desktop profile"; + type = types.bool; + }; + pulseaudio = mkOption { + default = true; + description = "Enable pulseaudio with the desktop profile"; + type = types.bool; + }; + flatpak = mkOption { + default = true; + description = "Enable flatpak with the desktop profile"; + type = types.bool; + }; + syncthing = mkOption { + default = true; + description = "Enable syncthing with the desktop profile"; + type = types.bool; + }; + scanning = mkOption { + default = true; + description = "Enable scanning with the desktop profile"; + type = types.bool; + }; + printing = mkOption { + default = true; + description = "Enable printing with the desktop profile"; + type = types.bool; + }; + networkmanager = mkOption { + default = true; + description = "Enable networkmanager with the desktop profile"; + type = types.bool; + }; + autoLogin = mkOption { + default = false; + description = "Enable auto login"; + type = types.bool; + }; + slimTheme = mkOption { + default = { + url = "https://github.com/vdemeester/slim-themes/raw/master/v-theme-0.1.tar.xz"; + sha256 = "1648krzmh6y2khbcf1zyik3znjpa8rckchbq49z1vqcg8zi587xi"; + }; + description = "Slim theme to use"; + }; + }; + }; + config = mkIf cfg.enable { + profiles.avahi.enable = cfg.avahi; + profiles.printing.enable = cfg.printing; + profiles.pulseaudio.enable = cfg.pulseaudio; + profiles.scanning.enable = cfg.scanning; + profiles.syncthing.enable = cfg.syncthing; + + boot = { + tmpOnTmpfs = true; + plymouth.enable = true; + }; + + hardware.bluetooth.enable = true; + + networking.networkmanager = { + enable = cfg.networkmanager; + unmanaged = [ + "interface-name:ve-*" "interface-name:veth*" 
"interface-name:wg0" "interface-name:docker0" "interface-name:virbr*" + ]; + packages = with pkgs; [ networkmanager-openvpn ]; + }; + + programs.dconf.enable = true; + xdg.portal.enable = cfg.flatpak; + + services = { + flatpak.enable = cfg.flatpak; + dbus.packages = [ pkgs.gnome3.dconf ]; + xserver = { + enable = true; + enableTCP = false; + windowManager.twm.enable = true; + libinput.enable = true; + synaptics.enable = false; + layout = "fr(bepo),fr"; + xkbVariant = "oss"; + xkbOptions = "grp:menu_toggle,grp_led:caps,compose:caps"; + inputClassSections = [ + '' + Identifier "TypeMatrix" + MatchIsKeyboard "on" + MatchVendor "TypeMatrix.com" + MatchProduct "USB Keyboard" + Driver "evdev" + Option "XbkModel" "tm2030USB" + Option "XkbLayout" "fr" + Option "XkbVariant" "bepo" + '' + '' + Identifier "ErgoDox" + #MatchVendor "ErgoDox_EZ" + #MatchProduct "ErgoDox_EZ" + MatchIsKeyboard "on" + MatchUSBID "feed:1307" + Driver "evdev" + Option "XkbLayout" "fr" + Option "XkbVariant" "bepo" + '' + ]; + displayManager = { + slim = { + enable = true; + autoLogin = cfg.autoLogin; + # Probably put this into users instead ? + defaultUser = "vincent"; + theme = pkgs.fetchurl cfg.slimTheme; + }; + }; + }; + }; + + fonts = { + enableFontDir = true; + enableGhostscriptFonts = true; + fonts = with pkgs; [ + corefonts + dejavu_fonts + emojione + feh + fira + fira-code + fira-code-symbols + fira-mono + hasklig + inconsolata + iosevka + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + noto-fonts-extra + overpass + symbola + source-code-pro + twemoji-color-font + ubuntu_font_family + unifont + ]; + }; + + # Polkit. 
+ security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" || + action.id == "org.freedesktop.udisks2.encrypted-unlock-system" + ) && + subject.local && subject.active && subject.isInGroup("users")) { + return polkit.Result.YES; + } + var YES = polkit.Result.YES; + var permission = { + // required for udisks1: + "org.freedesktop.udisks.filesystem-mount": YES, + "org.freedesktop.udisks.luks-unlock": YES, + "org.freedesktop.udisks.drive-eject": YES, + "org.freedesktop.udisks.drive-detach": YES, + // required for udisks2: + "org.freedesktop.udisks2.filesystem-mount": YES, + "org.freedesktop.udisks2.encrypted-unlock": YES, + "org.freedesktop.udisks2.eject-media": YES, + "org.freedesktop.udisks2.power-off-drive": YES, + // required for udisks2 if using udiskie from another seat (e.g. systemd): + "org.freedesktop.udisks2.filesystem-mount-other-seat": YES, + "org.freedesktop.udisks2.filesystem-unmount-others": YES, + "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES, + "org.freedesktop.udisks2.eject-media-other-seat": YES, + "org.freedesktop.udisks2.power-off-drive-other-seat": YES + }; + if (subject.isInGroup("wheel")) { + return permission[action.id]; + } + }); + ''; + + environment.systemPackages = with pkgs; [ + cryptsetup + xlibs.xmodmap + xorg.xbacklight + xorg.xdpyinfo + xorg.xhost + xorg.xinit + xss-lock + xorg.xmessage + unzip + gnupg + pinentry + inxi + ]; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/dev.nix b/tmp/nixos-configuration/modules/profiles/dev.nix 
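Review bot: The first polkit rule grants `org.freedesktop.udisks2.filesystem-mount-system` and `org.freedesktop.udisks2.encrypted-unlock-system` to every local, active member of `users`; those two action ids are the ones udisks reserves for internal (non-removable) devices, so any such account can mount or unlock internal partitions that are not in fstab, not just pluggable media. If only the primary account needs that, gate it on `subject.isInGroup("wheel")` like the permission table below it, or drop the two `-system` ids and keep the non-system entries. Separately, `displayManager.slim.defaultUser = "vincent"` is hard-coded while the account name is an option in the users profile of this same commit (`profiles.users.user`); referencing `config.profiles.users.user` would keep the two in step.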
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.dev;
+in
+{
+ options = {
+ profiles.dev = {
+ enable = mkOption {
+ default = false;
+ description = "Enable dev profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ profiles.git.enable = true;
+ environment.systemPackages = with pkgs; [
+ git
+ tig
+ grc
+ ripgrep
+ gnumake
+ ];
+ };
+}
diff --git a/tmp/nixos-configuration/modules/profiles/docker.nix b/tmp/nixos-configuration/modules/profiles/docker.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.docker;
+in
+{
+ options = {
+ profiles.docker = {
+ enable = mkOption {
+ default = false;
+ description = "Enable docker profile";
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.docker-edge;
+ description = "docker package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ profiles.containerd.enable = true;
+ virtualisation = {
+ docker = {
+ enable = true;
+ package = cfg.package;
+ liveRestore = false;
+ storageDriver = "overlay2";
+ extraOptions = "--experimental --add-runtime docker-runc=${cfg.runcPackage}/bin/runc --default-runtime=docker-runc --containerd=/run/containerd/containerd.sock";
+ };
+ };
+ environment.etc."docker/daemon.json".text = ''
+ {"features":{"buildkit": true}, "insecure-registries": ["172.30.0.0/16", "192.168.12.0/16", "massimo.home:5000", "r.svc.home:5000", "r.svc.home" ]}
+ '';
+ networking.firewall.trustedInterfaces = [ "docker0" ];
+ };
+}
diff --git a/tmp/nixos-configuration/modules/profiles/fish.nix b/tmp/nixos-configuration/modules/profiles/fish.nix
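Review bot: `"192.168.12.0/16"` in `insecure-registries` is almost certainly not what was meant: with a /16 mask the entry covers all of 192.168.0.0/16, so the daemon will fall back to plain HTTP (and skip TLS verification) for a registry on any 192.168.x.x host, not just the one subnet; presumably `"192.168.12.0/24"` was intended, and the same string appears in the podman registries file of this commit. Also worth a comment: `trustedInterfaces = [ "docker0" ]` lets every container reach all host ports unfiltered, and `--experimental` is on unconditionally — both plausible for a workstation, but a one-line `# docker0 trusted: containers may reach any host service` would record the intent.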
@@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.fish; +in +{ + options = { + profiles.fish = { + enable = mkOption { + default = false; + description = "Enable fish profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + programs.fish = { + enable = true; + promptInit = '' + source /etc/fish/functions/fish_prompt.fish + source /etc/fish/functions/fish_right_prompt.fish + ''; + }; + environment.etc."fish/functions/fish_prompt.fish".source = ./assets/fish/fish_prompt.fish; + environment.etc."fish/functions/fish_right_prompt.fish".source = ./assets/fish/fish_right_prompt.fish; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/gaming.nix b/tmp/nixos-configuration/modules/profiles/gaming.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.gaming; +in +{ + options = { + profiles.gaming = { + enable = mkOption { + default = false; + description = "Enable gaming profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + hardware = { + opengl = { + driSupport32Bit = true; + }; + }; + services.udev.extraRules = '' + # Steam controller + SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666" + KERNEL=="uinput", MODE="0660", GROUP="users", OPTIONS+="static_node=uinput" + ''; + environment.systemPackages = with pkgs; [ steam ]; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/git.nix b/tmp/nixos-configuration/modules/profiles/git.nix 
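Review bot: The Steam-controller udev rule sets `MODE="0666"` on every USB device with Valve's vendor id, which makes those devices writable by every account on the machine rather than only the logged-in seat; the usual form is `TAG+="uaccess"` (or `MODE="0660", GROUP="users"` to match the `uinput` line next to it). The `uinput` rule itself hands every member of `users` the ability to inject arbitrary keyboard and mouse events system-wide — acceptable on a single-user box, but worth a comment such as `# uinput for "users" = input injection for any local account; single-user machine assumption` so the trade-off is recorded.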
@@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.git; +in +{ + options = { + profiles.git = { + enable = mkOption { + default = false; + description = "Enable git profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + git + gitAndTools.git-extras + ]; + environment.etc."gitconfig" = rec { text = '' + [alias] + co = checkout + st = status + ci = commit --signoff + ca = commit --amend + b = branc --color -v + br = branch + unstage = reset HEAD + lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative + lga = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative --branches --remotes + lol = log --pretty=oneline --abbrev-commit --graph --decorate + conflicts = !git ls-files --unmerged | cut -c51- | sort -u | xargs $EDITOR + resolve = !git ls-files --unmerged | cut -c51- | sort -u | xargs git add + [color] + branch = auto + diff = auto + status = auto + [color "branch"] + current = cyan reverse + local = cyan + remote = green + [color "diff"] + meta = white reverse + frag = magenta reverse + old = red + new = green + [color "status"] + added = green + changed = yellow + untracked = red + [core] + #excludesfile = ~/.gitignore.global + [push] + default = matching + [merge] + tool = vimdiff + + [user] + name = Vincent Demeester + email = vincent@sbr.pm + + [http] + cookiefile = /home/vincent/.gitcookies + + [url "git@github.com:"] + pushInsteadOf = git://github.com/ + ''; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/i18n.nix b/tmp/nixos-configuration/modules/profiles/i18n.nix 
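Review bot: The alias `b = branc --color -v` has a typo — `branc` is not a git command, so `git b` fails with "'branc' is not a git command"; it should read `b = branch --color -v`. Also, `push.default = matching` pushes every local branch that has a same-named remote branch, which is easy to trigger by accident, especially from a host that auto-pulls this repository; `simple` (git's own default since 2.0) only pushes the current branch.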
@@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.i18n; +in +{ + options = { + profiles.i18n = { + enable = mkOption { + default = true; + description = "Enable i18n profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + i18n = { + consoleFont = "Lat2-Terminus16"; + consoleKeyMap = "fr-bepo"; + defaultLocale = "en_US.UTF-8"; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/ipfs.nix b/tmp/nixos-configuration/modules/profiles/ipfs.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.ipfs; +in +{ + options = { + profiles.ipfs = { + enable = mkOption { + default = false; + description = "Enable ipfs profile"; + type = types.bool; + }; + autoMount = mkOption { + default = true; + description = "Automount /ipfs and /ipns"; + type = types.bool; + }; + localDiscovery = mkOption { + default = true; + description = "Enable local discovery, switch profile to server if disable"; + type = types.bool; + }; + extraConfig = mkOption { + default = { + Datastore.StorageMax = "40GB"; + }; + description = "Extra ipfs daemon configuration"; + type = types.attrs; + }; + }; + }; + config = mkIf cfg.enable { + services.ipfs = { + enable = true; + enableGC = true; + localDiscovery = cfg.localDiscovery; + autoMount = cfg.autoMount; + extraConfig = cfg.extraConfig; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/laptop.nix b/tmp/nixos-configuration/modules/profiles/laptop.nix 
@@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.laptop; +in +{ + options = { + profiles.laptop = { + enable = mkOption { + default = false; + description = "Enable laptop profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + boot.kernel.sysctl = { + "vm.swappiness" = 10; + "vm.dirty_ratio" = 25; + "vm.dirty_background_ratio" = 10; + "vm.dirty_writeback_centisecs" = 5000; + "vm.dirty_expire_centisecs" = 5000; + }; + profiles.desktop.enable = true; + environment.systemPackages = with pkgs; [ + lm_sensors + powertop + acpi + ]; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/mail.nix b/tmp/nixos-configuration/modules/profiles/mail.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ...}: + +with lib; +let + cfg = config.profiles.mail; +in +{ + options = { + profiles.mail = { + enable = mkOption { + default = true; + description = "Enable mail profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + environment.etc."msmtprc".source = ../../assets/msmtprc; + environment.systemPackages = with pkgs; [ msmtp ]; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/nix-auto-update.nix b/tmp/nixos-configuration/modules/profiles/nix-auto-update.nix 
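Review bot: `environment.etc."msmtprc".source = ../../assets/msmtprc` installs the file into `/etc` and into the Nix store, both world-readable; msmtp configs normally carry the SMTP account plus either `password` or `passwordeval`, so if this asset contains a password it is readable by every local user and every build sandbox (the asset itself is not part of this commit, so that cannot be checked here). If it does, switch to `passwordeval` pointing at a root-only or per-user secret, or keep the config in the user's home instead of `/etc`. A comment like `# must not contain secrets: /etc and the store are world-readable` on this line would make the constraint explicit.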
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.nix-auto-update;
+in
+{
+ options = {
+ profiles.nix-auto-update = {
+ enable = mkOption {
+ default = true;
+ description = "Enable nix-auto-update profile";
+ type = types.bool;
+ };
+ autoUpgrade = mkOption {
+ default = true;
+ description = "Automatically try to upgrade the system";
+ type = types.bool;
+ };
+ dates = mkOption {
+ default = "weekly";
+ description = "Specification (in the format described by systemd.time(7)) of the time at which the auto-update will run. ";
+ type = types.str;
+ };
+ version = mkOption {
+ default = "19.09";
+ description = "System version (NixOS)";
+ type = types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable (mkMerge [
+ {
+ system = {
+ stateVersion = cfg.version;
+ };
+ }
+ (mkIf cfg.autoUpgrade {
+ systemd.services.nixos-update = {
+ description = "NixOS Upgrade";
+ unitConfig.X-StopOnRemoval = false;
+ restartIfChanged = false;
+ serviceConfig.Type = "oneshot";
+ environment = config.nix.envVars //
+ { inherit (config.environment.sessionVariables) NIX_PATH;
+ HOME = "/root";
+ };
+ path = [ pkgs.gnutar pkgs.xz pkgs.git pkgs.gnumake config.nix.package.out pkgs.commonsCompress ];
+ script = ''
+ export PATH=/run/current-system/sw/bin
+ cd /etc/nixos/
+ git pull --autostash --rebase
+ /run/current-system/sw/bin/make update switch
+ '';
+ startAt = cfg.dates;
+ onFailure = ["status-email-root@%n.service"];
+ };
+ })
+ ]);
+}
diff --git a/tmp/nixos-configuration/modules/profiles/nix-config.nix b/tmp/nixos-configuration/modules/profiles/nix-config.nix
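Review bot: The `script` runs `git pull --autostash --rebase` in `/etc/nixos` and then `make update switch` as root on a timer, so whatever the remote's tracked branch contains becomes the running system with no human in the loop and no integrity check; a compromised forge account or remote is enough to execute arbitrary code as root on every host with this profile enabled, which is the default (`enable = true`, `autoUpgrade = true`). At minimum verify the fetched history before switching — e.g. `git pull --autostash --rebase --verify-signatures` (or `git verify-commit HEAD` right after the pull) with signed commits — and consider defaulting `autoUpgrade` to `false` so that unattended root upgrades are an explicit opt-in. Note also that `export PATH=/run/current-system/sw/bin` replaces the `PATH` that the `path = [ ... ]` list above builds, so those `pkgs.*` entries are effectively dead unless the same tools are in the system profile.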
@@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.nix-config; +in +{ + options = { + profiles.nix-config = { + enable = mkOption { + default = true; + description = "Enable nix-config profile"; + type = types.bool; + }; + gcDates = mkOption { + default = "weekly"; + description = "Specification (in the format described by systemd.time(7)) of the time at which the garbage collector will run. "; + type = types.str; + }; + olderThan = mkOption { + default = "15d"; + description = "Number of day to keep when garbage collect"; + type = types.str; + }; + buildCores = mkOption { + type = types.int; + default = 2; + example = 4; + description = '' + Maximum number of concurrent tasks during one build. + ''; + }; + localCaches = mkOption { + default = [ "http://nix.cache.home" ]; + description = "List of local nix caches"; + type = types.listOf types.str; + }; + }; + }; + config = mkIf cfg.enable { + nix = { + buildCores = cfg.buildCores; + useSandbox = true; + gc = { + automatic = true; + dates = cfg.gcDates; + options = "--delete-older-than ${cfg.olderThan}"; + }; + # if hydra is down, don't wait forever + extraOptions = '' + connect-timeout = 20 + build-cores = 0 + ''; + binaryCaches = cfg.localCaches ++ [ + "https://cache.nixos.org/" + "https://r-ryantm.cachix.org" + "https://vdemeester.cachix.org" + "https://shortbrain.cachix.org" + ]; + binaryCachePublicKeys = [ + "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=" + "vdemeester.cachix.org-1:uCECG6so7v1rs77c5NFz2dCePwd+PGNeZ6E5DrkT7F0=" + "shortbrain.cachix.org-1:dqXcXzM0yXs3eo9ChmMfmob93eemwNyhTx7wCR4IjeQ=" + ]; + trustedUsers = [ "root" "vincent" ]; + }; + nixpkgs = { + overlays = [ + (import ../../overlays/sbr.overlay.nix) + (import ../../overlays/unstable.overlay.nix) + ]; + config = { + allowUnfree = true; + packageOverrides = pkgs: { + nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") { + inherit pkgs; + }; + 
}; + }; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/printing.nix b/tmp/nixos-configuration/modules/profiles/printing.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.printing; +in +{ + options = { + profiles.printing = { + enable = mkOption { + default = false; + description = "Enable printing profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + services = { + printing = { + enable = true; + drivers = [ pkgs.gutenprint ]; + }; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/pulseaudio.nix b/tmp/nixos-configuration/modules/profiles/pulseaudio.nix 
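Review bot: `nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz")` is unpinned — no revision and no `sha256` — so every evaluation pulls whatever NUR master currently is, and the packages this commit takes from it (buildkit, containerd, runc, athens, systemd-email) end up running as root. Pin it with the attrset form, `builtins.fetchTarball { url = "https://github.com/nix-community/NUR/archive/<rev>.tar.gz"; sha256 = "<hash>"; }`, and bump the revision deliberately. Also, `http://nix.cache.home` is listed in `binaryCaches` without a matching entry in `binaryCachePublicKeys`; with signature checking on (the default) Nix refuses unsigned paths from it, so either add that cache's public key or note in a comment that it only re-serves paths signed by one of the listed keys. The nix-config hunk begins on the previous line of this diff.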
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.pulseaudio;
+in
+{
+ options = {
+ profiles.pulseaudio = {
+ enable = mkOption {
+ default = false;
+ description = "Enable pulseaudio profile";
+ type = types.bool;
+ };
+ tcp = mkOption {
+ default = false;
+ description = "Enable pulseaudio tcp";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ hardware = {
+ pulseaudio = {
+ enable = true;
+ support32Bit = true;
+ zeroconf = {
+ discovery.enable = cfg.tcp;
+ publish.enable = cfg.tcp;
+ };
+ tcp = {
+ enable = cfg.tcp;
+ anonymousClients = {
+ allowAll = true;
+ allowedIpRanges = [ "127.0.0.1" "192.168.12.0/24" "10.0.0.0/24" ];
+ };
+ };
+ package = pkgs.pulseaudioFull;
+ };
+ };
+ sound.mediaKeys.enable = true;
+
+ security.pam.loginLimits = [
+ { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
+ { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
+ { domain = "@audio"; item = "nofile"; type = "-"; value = "99999"; }
+ ];
+
+ # spotify & pulseaudio
+ networking.firewall = {
+ allowedTCPPorts = [ 57621 57622 4713 ];
+ allowedUDPPorts = [ 57621 57622 ];
+ };
+ environment.systemPackages = with pkgs; [
+ apulse # allow alsa application to use pulse
+ pavucontrol # pulseaudio volume control
+ pasystray # systray application
+ playerctl
+ ];
+ # We assume xserver runs when pulseaudio does
+ services.xserver.displayManager.sessionCommands = "${pkgs.pasystray}/bin/pasystray &";
+ };
+}
diff --git a/tmp/nixos-configuration/modules/profiles/qemu.nix b/tmp/nixos-configuration/modules/profiles/qemu.nix
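Review bot: TCP port 4713 is opened in `networking.firewall.allowedTCPPorts` unconditionally, while the PulseAudio TCP listener it belongs to is gated on `cfg.tcp`; and once `cfg.tcp` is on, `anonymousClients.allowAll = true` drops the cookie check for every client inside `allowedIpRanges`, so any device on 192.168.12.0/24 or 10.0.0.0/24 (or anything spoofing such a source) can play and record audio on this host without authenticating. Tie the port to the option, `allowedTCPPorts = [ 57621 57622 ] ++ optional cfg.tcp 4713;`, and either set `allowAll = false` so clients need the cookie, or add a comment such as `# LAN clients connect without a cookie on purpose; only trusted subnets listed` to record that the exposure is intended.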
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ cfg = config.profiles.qemu-user;
+ arm = {
+ interpreter = "${pkgs.qemu-user-arm}/bin/qemu-arm";
+ magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+ aarch64 = {
+ interpreter = "${pkgs.qemu-user-arm64}/bin/qemu-aarch64";
+ magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+ riscv64 = {
+ interpreter = "${pkgs.qemu-riscv64}/bin/qemu-riscv64";
+ magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+in {
+ options = {
+ profiles.qemu-user = {
+ arm = mkEnableOption "enable 32bit arm emulation";
+ aarch64 = mkEnableOption "enable 64bit arm emulation";
+ riscv64 = mkEnableOption "enable 64bit riscv emulation";
+ };
+ nix.supportedPlatforms = mkOption {
+ type = types.listOf types.str;
+ description = "extra platforms that nix will run binaries for";
+ default = [];
+ };
+ };
+ config = mkIf (cfg.arm || cfg.aarch64) {
+ nixpkgs = {
+ overlays = [ (import ../../overlays/qemu/default.nix) ];
+ };
+ boot.binfmt.registrations =
+ optionalAttrs cfg.arm { inherit arm; } //
+ optionalAttrs cfg.aarch64 { inherit aarch64; } //
+ optionalAttrs cfg.riscv64 { inherit riscv64; };
+ nix.supportedPlatforms = (optionals cfg.arm [ "armv6l-linux" "armv7l-linux" ])
+ ++ (optional cfg.aarch64 "aarch64-linux");
+ nix.extraOptions = ''
+ extra-platforms = ${toString config.nix.supportedPlatforms} i686-linux
+ '';
+ nix.sandboxPaths = [ "/run/binfmt" ] ++ (optional cfg.arm "${pkgs.qemu-user-arm}") ++ (optional cfg.aarch64 "${pkgs.qemu-user-arm64}");
+ };
+}
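Review bot: `config = mkIf (cfg.arm || cfg.aarch64)` leaves out `cfg.riscv64`, so enabling only the riscv64 option produces no binfmt registration, no overlay and no extra platform — the `riscv64` attrset and the `optionalAttrs cfg.riscv64` line can never take effect on their own. Change the guard to `config = mkIf (cfg.arm || cfg.aarch64 || cfg.riscv64) {`, append `++ (optional cfg.riscv64 "riscv64-linux")` to `nix.supportedPlatforms`, and add `++ (optional cfg.riscv64 "${pkgs.qemu-riscv64}")` to `nix.sandboxPaths` so sandboxed builds can reach the interpreter as they can for the other two targets.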
diff --git a/tmp/nixos-configuration/modules/profiles/scanning.nix b/tmp/nixos-configuration/modules/profiles/scanning.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.scanning;
+in
+{
+ options = {
+ profiles.scanning = {
+ enable = mkOption {
+ default = false;
+ description = "Enable scanning profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ saneFrontends
+ saneBackends
+ simple-scan
+ ];
+ hardware.sane = {
+ enable = true;
+ extraConfig = { "pixma" = "bjnp://192.168.12.70"; };
+ };
+ };
+}
diff --git a/tmp/nixos-configuration/modules/profiles/ssh.nix b/tmp/nixos-configuration/modules/profiles/ssh.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.ssh;
+in
+{
+ options = {
+ profiles.ssh = {
+ enable = mkOption {
+ default = false;
+ description = "Enable ssh profile";
+ type = types.bool;
+ };
+ forwardX11 = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to allow X11 connections to be forwarded.
+ '';
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services = {
+ openssh = {
+ enable = true;
+ startWhenNeeded = false;
+ forwardX11 = cfg.forwardX11;
+ };
+ };
+ programs.mosh.enable = true;
+ };
+}
diff --git a/tmp/nixos-configuration/modules/profiles/syncthing.nix b/tmp/nixos-configuration/modules/profiles/syncthing.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.syncthing;
+in
+{
+ options = {
+ profiles.syncthing = {
+ enable = mkOption {
+ default = false;
+ description = "Enable syncthing profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services.syncthing = {
+ enable = true;
+ user = "vincent";
+ dataDir = "/home/vincent/.syncthing";
+ configDir = "/home/vincent/.syncthing";
+ openDefaultPorts = true;
+ };
+ };
+}
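Review bot: `services.openssh` is enabled with the module's authentication defaults, which for the release this commit targets (`19.09` in the auto-update profile) still means password logins are accepted, as far as I recall the 19.09 module; the users profile in the same commit creates a wheel account with the literal `initialPassword = "changeMe"`, so on a freshly installed host that is a known password reachable over SSH until someone rotates it. Since authorized keys are already managed declaratively, set `passwordAuthentication = false;` and `permitRootLogin = "no";` under `openssh`, and consider `challengeResponseAuthentication = false;` as well. `programs.mosh.enable = true` also opens UDP 60000–61000 in the firewall by default (verify against the mosh module in use), which is worth stating in the profile's description so it is not a surprise.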
diff --git a/tmp/nixos-configuration/modules/profiles/users.nix b/tmp/nixos-configuration/modules/profiles/users.nix 
@@ -0,0 +1,66 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.users; +in +{ + options = { + profiles.users = { + enable = mkOption { + default = true; + description = "Enable users profile"; + type = types.bool; + }; + user = mkOption { + default = "vincent"; + description = "Username to use when creating user"; + type = types.str; + }; + # add more options (like openssh keys and config) + }; + }; + config = mkIf cfg.enable { + users = { + extraUsers = { + ${cfg.user} = { + isNormalUser = true; + uid = 1000; + createHome = true; + extraGroups = [ "wheel" "input" ] ++ optionals config.profiles.desktop.enable ["audio" "video" "lp" "scanner" "networkmanager"] + ++ optionals config.profiles.docker.enable [ "docker" ] + ++ optionals config.profiles.buildkit.enable [ "buildkit" ] + ++ optionals config.profiles.virtualization.enable [ "libvirtd" "vboxusers" ]; + shell = if config.programs.fish.enable then pkgs.fish else pkgs.zsh; + initialPassword = "changeMe"; + openssh.authorizedKeys.keys = + with import ../../assets/machines.nix; [ ssh.yubikey.key ssh.yubikey5.key ssh.wakasu.key ssh.vincent.key ssh.houbeb.key ssh.hokkaido.key ssh.okinawa.key ]; + subUidRanges = [{ startUid = 100000; count = 65536; }]; + subGidRanges = [{ startGid = 100000; count = 65536; }]; + }; + }; + }; + programs.ssh.extraConfig = with import ../../assets/machines.nix; '' + Host kerkouane kerkouane.sbr.pm + Hostname kerkouane.sbr.pm + Port ${toString ssh.kerkouane.port} + Host kerkouane.vpn ${wireguard.ips.kerkouane} + Hostname ${wireguard.ips.kerkouane} + Port ${toString ssh.kerkouane.port} + Host carthage carthage.sbr.pm + Hostname carthage.sbr.pm + Port ${toString ssh.carthage.port} + Host carthage.vpn ${wireguard.ips.carthage} + Hostname ${wireguard.ips.carthage} + Port ${toString ssh.carthage.port} + Host hokkaido.vpn ${wireguard.ips.hokkaido} + Hostname ${wireguard.ips.hokkaido} + Host honshu.vpn ${wireguard.ips.honshu} + Hostname ${wireguard.ips.honshu} + Host 
okinawa.vpn ${wireguard.ips.okinawa} + Hostname ${wireguard.ips.okinawa} + Host wakasu.vpn ${wireguard.ips.wakasu} + Hostname ${wireguard.ips.wakasu} + ''; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/virtualization.nix b/tmp/nixos-configuration/modules/profiles/virtualization.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.virtualization; +in +{ + options = { + profiles.virtualization = { + enable = mkOption { + default = false; + description = "Enable virtualization profile"; + type = types.bool; + }; + nested = mkOption { + default = false; + description = "Enable nested virtualization"; + type = types.bool; + }; + listenTCP = mkOption { + default = false; + description = "Make libvirt listen to TCP"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable (mkMerge [ + { + virtualisation.libvirtd = { + enable = true; + }; + environment.systemPackages = with pkgs; [ + qemu + vde2 + libosinfo + ]; + } + (mkIf cfg.nested { + environment.etc."modprobe.d/kvm.conf".text = '' +options kvm_intel nested=1 + ''; + }) + (mkIf config.profiles.desktop.enable { + environment.systemPackages = with pkgs; [ virtmanager ]; + }) + (mkIf cfg.listenTCP { + boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; + virtualisation.libvirtd = { + extraConfig = '' + listen_tls = 0 + listen_tcp = 1 + auth_tcp="none" + tcp_port = "16509" + ''; + extraOptions = [ "--listen" ]; + }; + networking.firewall.allowedTCPPorts = [ 16509 ]; + }) + ]); +} diff --git a/tmp/nixos-configuration/modules/profiles/wireguard.server.nix b/tmp/nixos-configuration/modules/profiles/wireguard.server.nix 
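Review bot: `initialPassword = "changeMe"` gives the wheel account a publicly known password on every fresh install; it is applied only when the user is first created, but until it is rotated anyone who can reach a login prompt (console, or SSH if password authentication is on) gets a sudo-capable account. Prefer `hashedPassword` (output of `mkpasswd -m sha-512`) or `passwordFile` pointing at a root-only file outside the store, and if the literal must stay, put `# CHANGE ON FIRST LOGIN — applied only at user creation` beside it. The `authorizedKeys` list and the `ssh.extraConfig` hosts are imported from `../../assets/machines.nix`, which is not part of this commit, so the key set and per-host ports could not be reviewed here; the users hunk starts on the previous line of this diff.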
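Review bot: With `listenTCP` on, libvirt is given `listen_tcp = 1`, `auth_tcp="none"` and port 16509 opened in the firewall on every interface, which is an unauthenticated remote connection to libvirtd — effectively root on the host, since a client can define a VM that attaches any host block device or file. If the TCP listener is really needed, use `auth_tcp = "sasl"` (or keep TLS with client certificates) and bind it with `listen_addr` to the VPN or LAN address only; at minimum change the option text to `description = "Make libvirt listen on TCP 16509 with NO authentication; never enable on untrusted networks";` so the risk is visible where it is switched on. The `net.ipv4.ip_forward = 1` sysctl in the same branch also turns the host into a router independently of libvirt; a comment on why it is coupled to `listenTCP` would help the next reader.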
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.wireguard.server;
+in
+{
+ options = {
+ profiles.wireguard.server = {
+ enable = mkOption {
+ default = false;
+ description = "Enable wireguard.server profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ '';
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.interfaces = with import ../../assets/machines.nix; {
+ "wg0" = {
+ ips = wireguard.kerkouane.allowedIPs;
+ listenPort = wg.listenPort;
+ privateKeyFile = "/etc/nixos/wireguard.private.key";
+ peers = wg.peers;
+ };
+ };
+ };
+}
diff --git a/tmp/nixos-configuration/modules/profiles/yubikey.nix b/tmp/nixos-configuration/modules/profiles/yubikey.nix
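Review bot: The MASQUERADE rule in `networking.firewall.extraCommands` is appended with `-A` each time the firewall start script runs (including reloads on rebuild, if I read the firewall module correctly), and nothing in `extraStopCommands` removes it, so duplicate POSTROUTING entries accumulate; it also has no `-o` match, so VPN traffic is NAT'ed on every egress interface, `wg0` included. Add `networking.firewall.extraStopCommands = "iptables -t nat -D POSTROUTING -s10.100.0.0/24 -j MASQUERADE 2>/dev/null || true";` and restrict the rule with `-o <uplink>`, or switch to `networking.nat` (`enable`, `externalInterface`, `internalInterfaces = [ "wg0" ]`), which keeps its own idempotent chain. `peers`, `listenPort` and `ips` come from `../../assets/machines.nix`, which is outside this commit, so the peers' allowed IPs could not be checked against the 10.100.0.0/24 subnet hard-coded in the NAT rule; `trustedInterfaces = [ "wg0" ]` also means every peer reaches every host service unfiltered, which deserves a one-line comment.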
@@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.yubikey; +in +{ + options = { + profiles.yubikey = { + enable = mkOption { + default = false; + description = "Enable yubikey profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + environment = { + systemPackages = with pkgs; [ + yubico-piv-tool + yubikey-personalization + yubioath-desktop + yubikey-manager + ]; + }; + services = { + pcscd.enable = true; + udev = { + packages = with pkgs; [ yubikey-personalization ]; + extraRules = '' +# Yubico YubiKey +KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel" +# ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions" + ''; + }; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/profiles/zsh.nix b/tmp/nixos-configuration/modules/profiles/zsh.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.zsh; +in +{ + options = { + profiles.zsh = { + enable = mkOption { + default = true; + description = "Enable zsh profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + programs.zsh = { + enable = true; + }; + }; +} diff --git a/tmp/nixos-configuration/modules/programs/podman.nix b/tmp/nixos-configuration/modules/programs/podman.nix 
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.programs.podman;
+
+in
+
+{
+ options = {
+ programs.podman = {
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to configure podman
+ '';
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.podman;
+ description = "podman package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ conmonPackage = mkOption {
+ default = pkgs.conmon;
+ description = "conmon package to be used";
+ type = types.package;
+ };
+ cniPackage = mkOption {
+ default = pkgs.cni;
+ description = "cni package to be used";
+ type = types.package;
+ };
+ cniPluginsPackage = mkOption {
+ default = pkgs.cni-plugins;
+ description = "cni-plugins package to be used";
+ type = types.package;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ environment.etc."containers/libpod.conf".text = ''
+ image_default_transport = "docker://"
+ runtime_path = ["${cfg.runcPackage}/bin/runc"]
+ conmon_path = ["${cfg.conmonPackage}/bin/conmon"]
+ cni_plugin_dir = ["${cfg.cniPluginsPackage}/bin/"]
+ cgroup_manager = "systemd"
+ cni_config_dir = "/etc/cni/net.d/"
+ cni_default_network = "podman"
+ # pause
+ pause_image = "k8s.gcr.io/pause:3.1"
+ pause_command = "/pause"
+ '';
+
+ environment.etc."containers/registries.conf".text = ''
+ [registries.search]
+ registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
+
+ [registries.insecure]
+ registries = ['massimo.local:5000', '192.168.12.0/16']
+ '';
+
+ environment.etc."containers/policy.json".text = ''
+ {
+ "default": [
+ { "type": "insecureAcceptAnything" }
+ ]
+ }
+ '';
+
+ environment.etc."cni/net.d/87-podman-bridge.conflist".text = ''
+{
+ "cniVersion": "0.3.0",
+ "name": "podman",
+ "plugins": [
+ {
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.88.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+}
+ '';
+
+ environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage iptables ];
+
+ };
+}
diff --git a/tmp/nixos-configuration/modules/services/athens.nix b/tmp/nixos-configuration/modules/services/athens.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.athens;
+in
+{
+ options = {
+ services.athens = {
+ enable = mkEnableOption ''
+ Athens is a go module proxy
+ '';
+ package = mkOption {
+ type = types.package;
+ default = pkgs.nur.repos.vdemeester.athens;
+ description = ''
+ Athens package to use.
+ '';
+ };
+
+ user = mkOption {
+ type = types.str;
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "nogroup";
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ networking.firewall = {
+ allowedTCPPorts = [ 3000 ];
+ };
+ systemd.packages = [ cfg.package ];
+ environment.etc."athens/config.toml".text = ''
+ GoBinary = "${pkgs.go}/bin/go"
+ # what is that ?
+ GoEnv = "development"
+ GoGetWorkers = 30
+ ProtocolWorkers = 30
+ LogLevel = "debug"
+ BuffaloLogLevel = "debug"
+ Port = ":3000"
+ ForceSSL = false
+ CloudRuntime = "none"
+ Timeout = 300
+ StorageType = "disk"
+
+ [Storage]
+ [Storage.Disk]
+ RootPath = "/var/lib/athens"
+ '';
+ systemd.services.athens = {
+ description = "Athens service";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ preStart = ''
+ mkdir -p /var/lib/athens
+ '';
+ environment = { HOME="/var/lib/athens"; };
+ serviceConfig = {
+ User = cfg.user;
+ Restart = "on-failure";
+ ExecStart = ''
+ ${cfg.package}/bin/proxy -config_file=/etc/athens/config.toml
+ '';
+ };
+ path = [ cfg.package ] ++ [ pkgs.go pkgs.git ];
+ };
+ };
+}
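Review bot: `[registries.insecure]` in `registries.conf` lists `192.168.12.0/16`, whose host bits are set; the /16 mask covers all of 192.168.0.0/16, so every 192.168.x.x registry is treated as insecure (plain HTTP allowed, TLS not verified), which is far wider than the single `massimo.local:5000` entry next to it suggests — `192.168.12.0/24` if one subnet was meant. `containers/policy.json` is `insecureAcceptAnything`, which turns off image signature checking for every transport; that may be the right call for a workstation, but a comment naming it as a deliberate choice (and that this is where `signedBy` requirements would go) would keep it from being copied elsewhere unnoticed.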
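Review bot: `preStart` runs `mkdir -p /var/lib/athens` with the service's `User=` (systemd runs ExecStartPre as that user unless the command is prefixed), so on a fresh host it fails with permission denied because `/var/lib` is root-owned; replace it with `serviceConfig.StateDirectory = "athens";`, which makes systemd create `/var/lib/athens` owned by the service user. The `group` option declared above is never applied; add `Group = cfg.group;` next to `User = cfg.user;`. The proxy is exposed on TCP 3000 through the firewall with `ForceSSL = false` and `LogLevel = "debug"`, so module fetches travel in clear and the log is verbose; if it is meant for a trusted LAN only, the `enable` description should say so.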
diff --git a/tmp/nixos-configuration/modules/services/nix-binary-cache.nix b/tmp/nixos-configuration/modules/services/nix-binary-cache.nix 
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.nix-binary-cache;
+in
+{
+ options = {
+ services.nix-binary-cache = {
+ enable = mkOption {
+ default = false;
+ description = "Enable nix-binary-cache";
+ type = types.bool;
+ };
+ domain = mkOption {
+ description = "domain to serve";
+ type = types.str;
+ };
+ aliases = mkOption {
+ default = [];
+ description = "server aliases to serve";
+ type = types.listOf types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443];
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ proxy_cache_path /var/public-nix-cache/ levels=1:2 keys_zone=cachecache:1200m max_size=20g inactive=365d use_temp_path=off;
+ # Cache only success status codes; in particular we don't want to cache 404s.
+ # See https://serverfault.com/a/690258/128321
+ map $status $cache_header {
+ 200 "public";
+ 302 "public";
+ default "no-cache";
+ }
+ access_log logs/access.log;
+ '';
+ virtualHosts."${cfg.domain}" = {
+ serverAliases = cfg.aliases;
+ # enableACME = true;
+
+ locations."/" = {
+ root = "/var/public-nix-cache/";
+ extraConfig = ''
+ expires max;
+ add_header Cache-Control $cache_header always;
+ # Ask the upstream server if a file isn't available locally
+ error_page 404 = @fallback;
+ '';
+ };
+ extraConfig = ''
+ # Using a variable for the upstream endpoint to ensure that it is
+ # resolved at runtime as opposed to once when the config file is loaded
+ # and then cached forever (we don't want that):
+ # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+ # This fixes errors like
+ # nginx: [emerg] host not found in upstream "upstream.example.com"
+ # when the upstream host is not reachable for a short time when
+ # nginx is started.
+ resolver 8.8.8.8;
+ set $upstream_endpoint https://cache.nixos.org;
+ '';
+ locations."@fallback" = {
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ proxy_cache cachecache;
+ proxy_cache_valid 200 302 60m;
+ expires max;
+ add_header Cache-Control $cache_header always;
+ '';
+ };
+ # We always want to copy cache.nixos.org's nix-cache-info file,
+ # and ignore our own, because `nix-push` by default generates one
+ # without `Priority` field, and thus that file by default has priority
+ # 50 (compared to cache.nixos.org's `Priority: 40`), which will make
+ # download clients prefer `cache.nixos.org` over our binary cache.
+ locations."= /nix-cache-info" = {
+ # Note: This is duplicated with the `@fallback` above,
+ # would be nicer if we could redirect to the @fallback instead.
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ proxy_cache cachecache;
+ proxy_cache_valid 200 302 60m;
+ expires max;
+ add_header Cache-Control $cache_header always;
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/tmp/nixos-configuration/modules/services/wireguard.client.nix b/tmp/nixos-configuration/modules/services/wireguard.client.nix
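Review bot: Port 443 is opened in `networking.firewall.allowedTCPPorts` but the virtual host configures no TLS (`enableACME` is commented out and there is no `forceSSL`/`addSSL`), so the cache is served over plain HTTP only and the 443 rule is dead; either enable TLS on the vhost or drop 443 from the list. Nix clients still verify narinfo signatures, so integrity rests on the signing key, but every query and every fetched path is observable on the wire. `resolver 8.8.8.8;` in the vhost `extraConfig` hard-codes a third-party DNS server for the upstream lookup; using the host's configured resolver, or a comment explaining why an external one was chosen, would make the dependency explicit.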
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.wireguard;
+in
+{
+ options = {
+ services.wireguard = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable a reverse SSH proxy.
+ '';
+ };
+ ips = mkOption {
+ type = with types; listOf str;
+ description = ''
+ The client IPs
+ '';
+ };
+ allowedIPs = mkOption {
+ default = [ "10.100.0.0/24" ];
+ type = with types; listOf str;
+ description = ''
+ The peer (server) allowedIPs
+ '';
+ };
+ endpoint = mkOption {
+ type = with types; str;
+ description = ''
+ The endpoint IP to target
+ '';
+ };
+ endpointPort = mkOption {
+ default = 51820;
+ type = with types; int;
+ description = ''
+ The endpoint Port to target
+ '';
+ };
+ endpointPublicKey = mkOption {
+ type = with types; str;
+ description = ''
+ The peer (server) public key
+ '';
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = cfg.ips;
+ privateKeyFile = "/etc/nixos/wireguard.private.key";
+ peers = [
+ {
+ publicKey = cfg.endpointPublicKey;
+ allowedIPs = cfg.allowedIPs;
+ endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/tmp/nixos-configuration/modules/virtualisation/buildkit.nix b/tmp/nixos-configuration/modules/virtualisation/buildkit.nix
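Review bot: The `enable` option's description reads `Whether to enable a reverse SSH proxy.`, which looks copied from another module and will show up verbatim in generated option docs; it should read `Whether to enable the WireGuard client interface (wg0).`. `endpointPort` is typed `with types; int`; `types.port` rejects out-of-range values at evaluation time instead of at interface bring-up. `privateKeyFile` is the same `/etc/nixos/wireguard.private.key` used by the server profile earlier in this commit, so a host that evaluates both would share one key; if that is intended, a comment saying so would help.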
@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.virtualisation.buildkitd;
+
+in
+{
+ ###### interface
+
+ options.virtualisation.buildkitd = {
+ enable =
+ mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ This option enables buildkitd
+ '';
+ };
+
+ listenOptions =
+ mkOption {
+ type = types.listOf types.str;
+ default = ["/run/buildkitd/buildkitd.sock"];
+ description =
+ ''
+ A list of unix and tcp buildkitd should listen to. The format follows
+ ListenStream as described in systemd.socket(5).
+ '';
+ };
+
+
+
+ package = mkOption {
+ default = pkgs.buildkitd;
+ type = types.package;
+ example = pkgs.buildkitd;
+ description = ''
+ Buildkitd package to be used in the module
+ '';
+ };
+
+ packages = mkOption {
+ type = types.listOf types.package;
+ default = [ pkgs.runc pkgs.git ];
+ description = "List of packages to be added to buildkitd service path";
+ };
+
+ extraOptions =
+ mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description =
+ ''
+ The extra command-line options to pass to
+ <command>buildkitd</command> daemon.
+ '';
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ users.groups = [
+ { name = "buildkit";
+ gid = 350;
+ }
+ ];
+ environment.systemPackages = [ cfg.package];
+ systemd.packages = [ cfg.package ];
+
+ systemd.services.buildkitd = {
+ wants = [ "containerd.service" ];
+ after = [ "containerd.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = [
+ ""
+ ''
+ ${cfg.package}/bin/buildkitd \
+ ${cfg.extraOptions}
+ ''];
+ };
+ path = [cfg.package] ++ cfg.packages;
+ };
+
+
+ systemd.sockets.buildkitd = {
+ description = "Buildkitd Socket for the API";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = cfg.listenOptions;
+ SocketMode = "0660";
+ SocketUser = "root";
+ SocketGroup = "buildkit";
+ };
+ };
+
+ };
+
+
+}
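Review bot: Membership in the `buildkit` group (`SocketGroup = "buildkit"` with `SocketMode = "0660"`) is effectively root-equivalent, since buildkitd runs as root and executes builds with its privileges, and nothing in the option descriptions says so; add to the `enable` description `Users in the buildkit group can drive the daemon socket and should be treated as root-equivalent, like the docker group.`. `listenOptions` here and in `containerd.nix` (the next file) explicitly invites `tcp` entries, but neither daemon authenticates that API, so both descriptions should carry `A TCP listener exposes the unauthenticated API to the network; keep to the unix socket unless it is wrapped in TLS.`. The `users.groups = [ { name = "buildkit"; gid = 350; } ]` list form is the legacy syntax; `users.groups.buildkit.gid = 350;` is the current attribute form.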
diff --git a/tmp/nixos-configuration/modules/virtualisation/containerd.nix b/tmp/nixos-configuration/modules/virtualisation/containerd.nix 
@@ -0,0 +1,100 @@
+# Systemd services for containerd.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.virtualisation.containerd;
+
+in
+
+{
+ ###### interface
+
+ options.virtualisation.containerd = {
+ enable =
+ mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ This option enables containerd, a daemon that manages
+ linux containers.
+ '';
+ };
+
+ listenOptions =
+ mkOption {
+ type = types.listOf types.str;
+ default = ["/run/containerd/containerd.sock"];
+ description =
+ ''
+ A list of unix and tcp containerd should listen to. The format follows
+ ListenStream as described in systemd.socket(5).
+ '';
+ };
+
+ package = mkOption {
+ default = pkgs.containerd;
+ type = types.package;
+ example = pkgs.containerd;
+ description = ''
+ Containerd package to be used in the module
+ '';
+ };
+
+ packages = mkOption {
+ type = types.listOf types.package;
+ default = [ pkgs.runc ];
+ description = "List of packages to be added to containerd service path";
+ };
+
+ extraOptions =
+ mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description =
+ ''
+ The extra command-line options to pass to
+ <command>containerd</command> daemon.
+ '';
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ cfg.package];
+ systemd.packages = [ cfg.package];
+
+ systemd.services.containerd = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = [
+ ""
+ ''
+ ${cfg.package}/bin/containerd \
+ ${cfg.extraOptions}
+ ''];
+ };
+ path = [cfg.package] ++ cfg.packages;
+ };
+
+
+ systemd.sockets.containerd = {
+ description = "Containerd Socket for the API";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = cfg.listenOptions;
+ SocketMode = "0660";
+ SocketUser = "root";
+ SocketGroup = "root";
+ };
+ };
+
+ };
+
+
+}
diff --git a/tmp/nixos-configuration/overlays/qemu/default.nix b/tmp/nixos-configuration/overlays/qemu/default.nix
@@ -0,0 +1,11 @@
+self: super:
+
+{
+ qemu-user-arm = if self.stdenv.system == "x86_64-linux"
+ then self.pkgsi686Linux.callPackage ./qemu { user_arch = "arm"; }
+ else self.callPackage ./qemu { user_arch = "arm"; };
+ qemu-user-x86 = self.callPackage ./qemu { user_arch = "x86_64"; };
+ qemu-user-arm64 = self.callPackage ./qemu { user_arch = "aarch64"; };
+ qemu-user-riscv32 = self.callPackage ./qemu { user_arch = "riscv32"; };
+ qemu-user-riscv64 = self.callPackage ./qemu { user_arch = "riscv64"; };
+}
diff --git a/tmp/nixos-configuration/overlays/qemu/qemu/default.nix b/tmp/nixos-configuration/overlays/qemu/qemu/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, fetchurl, python, pkgconfig, zlib, glib, user_arch, flex, bison,
+makeStaticLibraries, glibc, qemu, fetchFromGitHub }:
+
+let
+ env2 = makeStaticLibraries stdenv;
+ myglib = (glib.override { stdenv = env2; }).overrideAttrs (drv: {
+ mesonFlags = (drv.mesonFlags or []) ++ [ "--default-library both" ];
+ });
+ riscv_src = fetchFromGitHub {
+ owner = "riscv";
+ repo = "riscv-qemu";
+ rev = "7d2d2add16aff0304ab0c279152548dbd04a2138"; # riscv-all
+ sha256 = "16an7ifi2ifzqnlz0218rmbxq9vid434j98g14141qvlcl7gzsy2";
+ };
+ is_riscv = (user_arch == "riscv32") || (user_arch == "riscv64");
+ arch_map = {
+ arm = "i386";
+ aarch64 = "x86_64";
+ riscv64 = "x86_64";
+ x86_64 = "x86_64";
+ };
+in
+stdenv.mkDerivation rec {
+ name = "qemu-user-${user_arch}-${version}";
+ version = "3.1.0";
+ src = if is_riscv then riscv_src else qemu.src;
+ buildInputs = [ python pkgconfig zlib.static myglib flex bison glibc.static ];
+ patches = [ ./qemu-stack.patch ];
+ configureFlags = [
+ "--enable-linux-user" "--target-list=${user_arch}-linux-user"
+ "--disable-bsd-user" "--disable-system" "--disable-vnc"
+ "--disable-curses" "--disable-sdl" "--disable-vde"
+ "--disable-bluez" "--disable-kvm"
+ "--static"
+ "--disable-tools"
+ "--cpu=${arch_map.${user_arch}}"
+ ];
+ NIX_LDFLAGS = [ "-lglib-2.0" ];
+ enableParallelBuilding = true;
+ postInstall = ''
+ cc -static ${./qemu-wrap.c} -D QEMU_ARM_BIN="\"qemu-${user_arch}"\" -o $out/bin/qemu-wrap
+ '';
+}
diff --git a/tmp/nixos-configuration/overlays/qemu/qemu/qemu-stack.patch b/tmp/nixos-configuration/overlays/qemu/qemu/qemu-stack.patch
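Review bot: `arch_map` has no `riscv32` entry, yet `"--cpu=${arch_map.${user_arch}}"` is evaluated for every `user_arch` and the overlay in the previous file defines `qemu-user-riscv32`; evaluating that package fails with a missing-attribute error rather than producing a binary. Add `riscv32 = "x86_64";` next to `riscv64` — the overlay builds it with the plain (64-bit) `callPackage`, so the host cpu should match the riscv64 line, but confirm that is the intended host. `fetchurl` is taken as an argument and not used anywhere in the visible derivation. The riscv source is pinned by `rev` and `sha256`, which is what keeps this reproducible; keep both when the rev is bumped.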
@@ -0,0 +1,11 @@
+--- a/linux-user/elfload.c 2016-09-02 12:34:22.000000000 -0300
++++ b/linux-user/elfload.c 2017-07-09 18:44:22.420244038 -0300
+@@ -1419,7 +1419,7 @@
+ * dependent on stack size, but guarantee at least 32 pages for
+ * backwards compatibility.
+ */
+-#define STACK_LOWER_LIMIT (32 * TARGET_PAGE_SIZE)
++#define STACK_LOWER_LIMIT (128 * TARGET_PAGE_SIZE)
+
+ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
+ struct image_info *info)
diff --git a/tmp/nixos-configuration/overlays/qemu/qemu/qemu-wrap.c b/tmp/nixos-configuration/overlays/qemu/qemu/qemu-wrap.c
@@ -0,0 +1,58 @@
+#include <alloca.h>
+#include <malloc.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <libgen.h>
+
+#if !defined(QEMU_ARM_BIN)
+ #define QEMU_ARM_BIN "qemu-arm"
+#endif
+
+const char * qemu_arm_bin = QEMU_ARM_BIN;
+
+// This program takes arguments according to the behavior of binfmt_misc with
+// the preserve-argv[0] flag set.
+//
+// The first value in argv is the name of this executable, uninteresting.
+// The second value is the full path of the executable to run with the
+// alternate interpreter.
+// The third value is the name that executable was called with.
+//
+// This program passes the third value in to qemu-arm after the -0 flag.
+int main(int argc, char const* argv[]) {
+ // Abort if we don't have sufficient arguments
+ if(argc < 3){
+ fprintf( stderr, "qemu-arm wrapper called with too few arguments.\nEnsure that the 'P' flag is set in binfmt_misc.\n");
+ return -1;
+ }
+
+ char *qemu;
+ asprintf(&qemu, "%s/%s", dirname(argv[0]), qemu_arm_bin);
+
+ // Allocate the new argc array to pass to qemu-arm
+ const int new_argc = argc + 1;
+ char** const new_argv = alloca((new_argc + 1) * sizeof(void *));
+
+ // Fill this new array
+ new_argv[0] = qemu;
+ new_argv[1] = strdup("-0");
+ new_argv[2] = strdup(argv[2]);
+ new_argv[3] = strdup(argv[1]);
+ for(int i = 4; i < new_argc; ++i){
+ new_argv[i] = strdup(argv[i-1]);
+ }
+ new_argv[new_argc] = NULL;
+
+ // Run qemu with the new arguments
+ execvp(new_argv[0], new_argv);
+ const int ret = errno;
+
+ // Clean up, haha C
+ for(int i = 0; i < new_argc; ++i){
+ free(new_argv[i]);
+ }
+
+ return ret;
+};
diff --git a/tmp/nixos-configuration/overlays/sbr.overlay.nix b/tmp/nixos-configuration/overlays/sbr.overlay.nix
@@ -0,0 +1,8 @@
+self: super: {
+ vrsync = import ../pkgs/vrsync {
+ inherit (self) stdenv lib;
+ };
+ vde-thinkpad = import ../pkgs/vde-thinkpad {
+ inherit (self) stdenv lib;
+ };
+}
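Review bot: The return value of `asprintf` on the line after `char *qemu;` is unchecked; on allocation failure `qemu` is left indeterminate and becomes the path handed to `execvp`. Use `if (asprintf(&qemu, "%s/%s", dirname(argv[0]), qemu_arm_bin) < 0) { perror("asprintf"); return 1; }`. `dirname` takes a non-const `char *` and may modify its argument in place, so passing `argv[0]` through `char const* argv[]` relies on a discarded-qualifier conversion that compilers only warn about; copy it with `strdup` first if the const signature is to stay. `free` is declared in `<stdlib.h>` rather than `<malloc.h>`, `return -1` from `main` exits with status 255 instead of a conventional 1, and the `};` closing `main` leaves a stray empty declaration.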
diff --git a/tmp/nixos-configuration/overlays/unstable.overlay.nix b/tmp/nixos-configuration/overlays/unstable.overlay.nix
@@ -0,0 +1,9 @@
+_: _: let
+ unstableTarball = fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz;
+ unstable = import unstableTarball { overlays = []; };
+in {
+ inherit (unstable)
+ # cachix
+ #git
+ ;
+}
diff --git a/tmp/nixos-configuration/pkgs/default.nix b/tmp/nixos-configuration/pkgs/default.nix
@@ -0,0 +1,13 @@
+{ system ? builtins.currentSystem }:
+
+let
+ pkgs = import <nixpkgs> { inherit system; };
+in
+rec {
+ vrsync = import ./vrsync {
+ inherit (pkgs) stdenv lib;
+ };
+ vde-thinkpad = import ./vde-thinkpad {
+ inherit (pkgs) stdenv lib;
+ };
+}
diff --git a/tmp/nixos-configuration/pkgs/vde-thinkpad/default.nix b/tmp/nixos-configuration/pkgs/vde-thinkpad/default.nix
@@ -0,0 +1,14 @@
+{ stdenv, lib }:
+
+stdenv.mkDerivation rec {
+ name = "vde-thinkpad";
+ src = ./.;
+
+ phases = [ "install" ];
+
+ install = ''
+ mkdir -p $out/bin
+ cp $src/dock $out/bin
+ chmod +x $out/bin/dock
+ '';
+}
diff --git a/tmp/nixos-configuration/pkgs/vde-thinkpad/dock b/tmp/nixos-configuration/pkgs/vde-thinkpad/dock
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+export DISPLAY=":0.0"
+export XAUTHORITY=/home/vincent/.Xauthority
+xmessage dock
diff --git a/tmp/nixos-configuration/pkgs/vrsync/default.nix b/tmp/nixos-configuration/pkgs/vrsync/default.nix
@@ -0,0 +1,14 @@
+{ stdenv, lib }:
+
+stdenv.mkDerivation rec {
+ name = "vrsync";
+ src = ./.;
+
+ phases = [ "install" ];
+
+ install = ''
+ mkdir -p $out/bin
+ cp $src/vrsync $out/bin
+ chmod +x $out/bin/vrsync
+ '';
+}
diff --git a/tmp/nixos-configuration/pkgs/vrsync/foo b/tmp/nixos-configuration/pkgs/vrsync/foo
@@ -0,0 +1 @@
+/home/vincent/desktop/documents/ vincent@synodine.local:/volume1/documents/+
\ No newline at end of file
diff --git a/tmp/nixos-configuration/pkgs/vrsync/vrsync b/tmp/nixos-configuration/pkgs/vrsync/vrsync
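Review bot: `fetchTarball` in unstable.overlay.nix is called without a `sha256`, so the overlay imports whatever `nixos-unstable.tar.gz` resolves to at evaluation time: the result is impure and unreproducible, and the only integrity check on the code being imported is GitHub's TLS. Pin it with `fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/<REV>.tar.gz"; sha256 = "<HASH>"; }` (placeholders) and bump the revision deliberately. The `inherit (unstable)` list is currently empty (both entries are commented out), so nothing is imported yet; that makes this a cheap moment to add the pin before anything depends on it.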
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Look for /etc/vrsync.conf
+# For each line run rsync with on source:target
+# and some specials cases
+CONF=${CONF:-/etc/vrsync}
+
+cmd="rsync -ave ssh --progress --size-only --delete --exclude='*~' --exclude=.stfolder"
+test -e $CONF || {
+ echo "$CONF does not exists, bailing…"
+ exit 1
+}
+
+while IFS='' read -r line || [[ -n "$line" ]]; do
+ $cmd $line $@
+done < "$CONF"
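Review bot: `cmd` holds the rsync command in a scalar string, so the quotes inside `--exclude='*~'` are passed literally when `$cmd` is expanded (rsync sees the pattern `'*~'` including the quotes) and that exclude never matches; use an array, `cmd=(rsync -ave ssh --progress --size-only --delete --exclude='*~' --exclude=.stfolder)`, and invoke it as `"${cmd[@]}" $line "$@"`. `test -e $CONF` and the trailing `$@` are unquoted; write `test -e "$CONF"` and `"$@"`, and note in the header that `$line` is intentionally word-split into source and target, which means paths with spaces are unsupported. The header comment refers to `/etc/vrsync.conf` while the default is `/etc/vrsync`; align the two, and `does not exists` should read `does not exist`.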