commit cb0469b98f88dc2db097def6114d052123d07bde parent 3e10259342cdae0c64d4ffde848ec699f4d9f636 Author: Vincent Demeester <vincent@sbr.pm> Date: Thu, 30 Apr 2020 01:54:19 +0200 Import tmp/nixos-configuration in root This is done the simplest way, i.e. modules (profiles, programs, …) all use the nixos.nix extension. The next step will be to de-duplicate common modules and find a way, in modules, to detect which case we are in. Signed-off-by: Vincent Demeester <vincent@sbr.pm> Diffstat:
M | configuration.nix | | | 6 | +++--- |
A | hardware/dell-latitude-e6540.nix | | | 25 | +++++++++++++++++++++++++ |
A | hardware/lenovo-p50.nix | | | 49 | +++++++++++++++++++++++++++++++++++++++++++++++++ |
A | hardware/thinkpad-t460s.nix | | | 37 | +++++++++++++++++++++++++++++++++++++ |
A | hardware/thinkpad-x220.nix | | | 55 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | hardware/thinkpad.nix | | | 74 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
M | home.nix | | | 2 | +- |
A | machines/home.nixos.nix | | | 30 | ++++++++++++++++++++++++++++++ |
A | machines/kerkouane.nixos.nix | | | 86 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | machines/okinawa.nixos.nix | | | 95 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | machines/sakhalin.nixos.nix | | | 154 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | machines/wakasu.nixos.nix | | | 91 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/hardware/sane-extra-config.nixos.nix | | | 43 | +++++++++++++++++++++++++++++++++++++++++++ |
A | modules/module-list.nixos.nix | | | 41 | +++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/avahi.nixos.nix | | | 31 | +++++++++++++++++++++++++++++++ |
A | modules/profiles/base.nixos.nix | | | 54 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/buildkit.nixos.nix | | | 44 | ++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/containerd.nixos.nix | | | 52 | ++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/desktop.nixos.nix | | | 209 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/dev.nixos.nix | | | 27 | +++++++++++++++++++++++++++ |
A | modules/profiles/docker.nixos.nix | | | 43 | +++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/fish.nixos.nix | | | 28 | ++++++++++++++++++++++++++++ |
A | modules/profiles/gaming.nixos.nix | | | 30 | ++++++++++++++++++++++++++++++ |
A | modules/profiles/git.nixos.nix | | | 73 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/i18n.nixos.nix | | | 24 | ++++++++++++++++++++++++ |
A | modules/profiles/ipfs.nixos.nix | | | 43 | +++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/laptop.nixos.nix | | | 32 | ++++++++++++++++++++++++++++++++ |
A | modules/profiles/mail.nixos.nix | | | 21 | +++++++++++++++++++++ |
A | modules/profiles/nix-auto-update.nixos.nix | | | 65 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/nix-config.nixos.nix | | | 83 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/printing.nixos.nix | | | 25 | +++++++++++++++++++++++++ |
A | modules/profiles/pulseaudio.nixos.nix | | | 63 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/qemu.nixos.nix | | | 49 | +++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/scanning.nixos.nix | | | 28 | ++++++++++++++++++++++++++++ |
A | modules/profiles/ssh.nixos.nix | | | 34 | ++++++++++++++++++++++++++++++++++ |
A | modules/profiles/syncthing.nixos.nix | | | 26 | ++++++++++++++++++++++++++ |
A | modules/profiles/users.nixos.nix | | | 66 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/virtualization.nixos.nix | | | 69 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/wireguard.server.nixos.nix | | | 35 | +++++++++++++++++++++++++++++++++++ |
A | modules/profiles/yubikey.nixos.nix | | | 38 | ++++++++++++++++++++++++++++++++++++++ |
A | modules/profiles/zsh.nixos.nix | | | 22 | ++++++++++++++++++++++ |
A | modules/programs/podman.nixos.nix | | | 111 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/services/athens.nixos.nix | | | 72 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/services/govanityurl.nixos.nix | | | 54 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/services/nix-binary-cache.nixos.nix | | | 94 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/services/wireguard.client.nixos.nix | | | 71 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/virtualisation/buildkit.nixos.nix | | | 105 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | modules/virtualisation/containerd.nixos.nix | | | 100 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | overlays/sbr.overlay.nix | | | 8 | ++++++++ |
A | overlays/unstable.overlay.nix | | | 9 | +++++++++ |
M | pkgs/default.nix | | | 10 | ++++++++-- |
A | pkgs/vde-thinkpad/default.nix | | | 14 | ++++++++++++++ |
A | pkgs/vde-thinkpad/dock | | | 4 | ++++ |
A | pkgs/vrsync/default.nix | | | 14 | ++++++++++++++ |
A | pkgs/vrsync/foo | | | 2 | ++ |
A | pkgs/vrsync/vrsync | | | 15 | +++++++++++++++ |
56 files changed, 2779 insertions(+), 6 deletions(-)
diff --git a/configuration.nix b/configuration.nix
@@ -4,14 +4,14 @@ let hostName = "${builtins.readFile ./hostname}"; in -rec { +{ imports = [ # Generated hardware configuration ./hardware-configuration.nix # Default profile with default configuration - ./modules/module-list.nix + ./modules/module-list.nixos.nix # Machine specific configuration files - (./machine + "/${hostName}.nix") + (./machines + "/${hostName}.nixos.nix") ]; networking.hostName = "${hostName}";
diff --git a/hardware/dell-latitude-e6540.nix b/hardware/dell-latitude-e6540.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+{
+ boot = {
+ loader.efi.canTouchEfiVariables = true;
+ kernelParams = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ "i915.enable_rc6=0" "i915.enable_fbc=1"
+ "i915.lvds_use_ssc=0"
+ "drm.debug=0" "drm.vblankoffdelay=1"
+ ];
+ blacklistedKernelModules = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ "sierra_net" "cdc_mbim" "cdc_ncm"
+ ];
+ };
+ hardware = {
+ opengl = {
+ enable = true;
+ extraPackages = [ pkgs.vaapiIntel ];
+ driSupport32Bit = true;
+ };
+ };
+ services.acpid.enable = true;
+}
diff --git a/hardware/lenovo-p50.nix b/hardware/lenovo-p50.nix
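Review bot: The comment `# Kernel GPU Savings Options (NOTE i915 chipset only)` is repeated above `blacklistedKernelModules` in hardware/dell-latitude-e6540.nix, but `sierra_net`, `cdc_mbim` and `cdc_ncm` are USB WWAN/CDC network drivers, not GPU options, and the same copy-pasted heading appears in hardware/thinkpad.nix; a comment such as `# Blacklist USB WWAN/CDC network drivers` would describe the list honestly. In `kernelParams`, `"i915.enable_rc6=0"` switches the RC6 power-saving state off while the heading calls it a savings option and hardware/thinkpad.nix uses `"i915.enable_rc6=1"`, so either the value or the comment is wrong for this machine; a one-line note on why RC6 is disabled on the E6540 would settle it.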
@@ -0,0 +1,49 @@
+{ config, pkgs, ...}:
+
+{
+ imports = [ ./thinkpad.nix ];
+ hardware = {
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ nvidia.optimus_prime = {
+ enable = true;
+ nvidiaBusId = "PCI:1:0:0";
+ intelBusId = "PCI:0:2:0";
+ };
+ };
+ services = {
+ tlp = {
+ extraConfig = ''
+# CPU optimizations
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=50
+# DEVICES (wifi, ..)
+DEVICES_TO_DISABLE_ON_STARTUP=""
+DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+DEVICES_TO_DISABLE_ON_BAT=""
+# Network management
+DEVICES_TO_DISABLE_ON_LAN_CONNECT=""
+DEVICES_TO_DISABLE_ON_WIFI_CONNECT=""
+DEVICES_TO_DISABLE_ON_WWAN_CONNECT=""
+DEVICES_TO_ENABLE_ON_LAN_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+# Docking
+DEVICES_TO_DISABLE_ON_DOCK="wifi"
+DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+# Make sure it uses the right hard drive
+DISK_DEVICES="nvme0n1p2"
+ '';
+ };
+ udev.extraRules = ''
+ # Rules for Lenovo Thinkpad WS Dock
+ SUBSYSTEM=="usb", ACTION=="add|remove", ENV{ID_VENDOR}=="17ef", ENV{ID_MODEL}=="305a", RUN+="${pkgs.vde-thinkpad}/bin/dock"
+ '';
+ };
+}
diff --git a/hardware/thinkpad-t460s.nix b/hardware/thinkpad-t460s.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [ ./thinkpad.nix ];
+ services = {
+ tlp = {
+ extraConfig = ''
+# CPU optimizations
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=50
+# DEVICES (wifi, ..)
+DEVICES_TO_DISABLE_ON_STARTUP=""
+DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+DEVICES_TO_DISABLE_ON_BAT=""
+# Network management
+DEVICES_TO_DISABLE_ON_LAN_CONNECT=""
+DEVICES_TO_DISABLE_ON_WIFI_CONNECT=""
+DEVICES_TO_DISABLE_ON_WWAN_CONNECT=""
+DEVICES_TO_ENABLE_ON_LAN_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+# Docking
+DEVICES_TO_DISABLE_ON_DOCK="wifi"
+DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+# Make sure it uses the right hard drive
+DISK_DEVICES="nvme0n1p3"
+ '';
+ };
+ xserver = {
+ dpi = 128;
+ };
+ };
+}
diff --git a/hardware/thinkpad-x220.nix b/hardware/thinkpad-x220.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [ ./thinkpad.nix ];
+ boot = {
+ kernelParams = [ "i915.enable_psr=1" ];
+ extraModprobeConfig = ''
+ options iwlwifi 11n_disable=1
+ '';
+ };
+ security = {
+ pam.services = {
+ slimlock.fprintAuth = false;
+ slim.fprintAuth = false;
+ login.fprintAuth = false;
+ xscreensaver.fprintAuth = false;
+ };
+ };
+ services = {
+ fprintd.enable = true;
+ tlp = {
+ extraConfig = ''
+# CPU optimizations
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=50
+CPU_BOOST_ON_AC=1
+CPU_BOOST_ON_BAT=0
+# DEVICES (wifi, ..)
+DEVICES_TO_DISABLE_ON_STARTUP="bluetooth"
+DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+DEVICES_TO_DISABLE_ON_BAT="bluetooth"
+# Network management
+DEVICES_TO_DISABLE_ON_LAN_CONNECT=""
+DEVICES_TO_DISABLE_ON_WIFI_CONNECT=""
+DEVICES_TO_DISABLE_ON_WWAN_CONNECT=""
+DEVICES_TO_ENABLE_ON_LAN_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+DISK_IDLE_SECS_ON_AC=0
+DISK_IDLE_SECS_ON_BAT=2
+MAX_LOST_WORK_SECS_ON_AC=15
+MAX_LOST_WORK_SECS_ON_BAT=60
+DISK_DEVICES="ata-Corsair_Force_LX_SSD_15256501000102160059"
+SOUND_POWER_SAVE_ON_AC=0
+SOUND_POWER_SAVE_ON_BAT=1
+USB_AUTOSUSPEND=1
+USB_BLACKLIST_BTUSB=1
+ '';
+ };
+ };
+}
diff --git a/hardware/thinkpad.nix b/hardware/thinkpad.nix
@@ -0,0 +1,74 @@ +{ config, pkgs, ... }: + +{ + boot = { + blacklistedKernelModules = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "sierra_net" "cdc_mbim" "cdc_ncm" + ]; + extraModprobeConfig = '' + options snd_hda_intel power_save=1 + ''; + initrd = { + availableKernelModules = [ "aesni-intel" "aes_x86_64" "cryptd" ]; + }; + kernelModules = [ "kvm_intel" ]; + kernelParams = [ + # Kernel GPU Savings Options (NOTE i915 chipset only) + "i915.enable_rc6=1" "i915.enable_fbc=1" + "i915.lvds_use_ssc=0" + "drm.debug=0" "drm.vblankoffdelay=1" + "kvm_intel.nested=1" + "intel_iommu=on" + ]; + loader.efi.canTouchEfiVariables = true; + }; + environment.systemPackages = with pkgs; [ + linuxPackages.tp_smapi + ]; + hardware = { + trackpoint.enable = false; + cpu.intel.updateMicrocode = true; + opengl = { + #enable = true; + extraPackages = [ pkgs.vaapiIntel ]; + #driSupport32Bit = true; + }; + }; + services = { + acpid = { + enable = true; + lidEventCommands = '' +if grep -q closed /proc/acpi/button/lid/LID/state; then + date >> /tmp/i3lock.log + DISPLAY=":0.0" XAUTHORITY=/home/fadenb/.Xauthority ${pkgs.i3lock}/bin/i3lock &>> /tmp/i3lock.log +fi + ''; + }; + tlp = { + enable = true; + }; + xserver = { + synaptics.enable = false; + config = + '' + Section "InputClass" + Identifier "Enable libinput for TrackPoint" + MatchIsPointer "on" + Driver "libinput" + Option "ScrollMethod" "button" + Option "ScrollButton" "8" + EndSection + ''; + inputClassSections = [ + '' + Identifier "evdev touchpad off" + MatchIsTouchpad "on" + MatchDevicePath "/dev/input/event*" + Driver "evdev" + Option "Ignore" "true" + '' + ]; + }; + }; +} diff --git a/home.nix b/home.nix @@ -4,7 +4,7 @@ let hostName = "${builtins.readFile ./hostname}"; in -rec { +{ imports = [ # Default profile with default configuration ./modules/module-list.nix diff --git a/machines/home.nixos.nix b/machines/home.nixos.nix 
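Review bot: The lid-close lock in `services.acpid.lidEventCommands` (hardware/thinkpad.nix) points `XAUTHORITY` at `/home/fadenb/.Xauthority`, while every other file in this commit uses the user `vincent` (e.g. `User = "vincent"` in machines/sakhalin.nixos.nix); if that path does not exist, `i3lock` cannot reach the display and the laptop is left unlocked when the lid closes, with the failure visible only in `/tmp/i3lock.log`. Consider `XAUTHORITY=/home/vincent/.Xauthority` or deriving the path from the logged-in user, and a log location that is not a fixed, predictable name under world-writable `/tmp`. The `blacklistedKernelModules` list here carries the same misleading `# Kernel GPU Savings Options` heading as hardware/dell-latitude-e6540.nix, although `sierra_net`, `cdc_mbim` and `cdc_ncm` are USB WWAN drivers.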
@@ -0,0 +1,30 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ]; + networking.domain = "synodine.home"; + time.timeZone = "Europe/Paris"; + # To mimic autofs on fedora + fileSystems."/net/synodine.home/" = { + device = "${home.ips.synodine}:/"; + fsType = "nfs"; + options = [ "x-systemd.automount" "noauto" ]; + }; + # FIXME(vdemeester): I think it acts like this because there is only one export + fileSystems."/net/sakhalin.home/export/" = { + device = "${home.ips.sakhalin}:/"; + fsType = "nfs"; + options = [ "x-systemd.automount" "noauto" ]; + }; + # Deprecated + fileSystems."/mnt/synodine" = { + device = "${home.ips.synodine}:/"; + fsType = "nfs"; + options = [ "x-systemd.automount" "noauto" ]; + }; + fileSystems."/mnt/sakhalin" = { + device = "${home.ips.sakhalin}:/"; + fsType = "nfs"; + options = [ "x-systemd.automount" "noauto" ]; + }; +} diff --git a/machines/kerkouane.nixos.nix b/machines/kerkouane.nixos.nix 
@@ -0,0 +1,86 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ../networking.nix ]; + time.timeZone = "Europe/Paris"; + boot = { + cleanTmpDir = true; + loader.grub.enable = true; + }; + profiles = { + git.enable = true; + nix-config.localCaches = []; + nix-config.buildCores = 1; + ssh.enable = true; + syncthing.enable = true; + wireguard.server.enable = true; + }; + networking.firewall.allowPing = true; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security = { + acme.certs = { + "sbr.pm".email = "vincent@sbr.pm"; + }; + }; + services = { + govanityurl = { + enable = true; + user = "nginx"; + host = "go.sbr.pm"; + config = '' + paths: + /ape: + repo: https://gitlab.com/vdemeester/ape + /nr: + repo: https://gitlab.com/vdemeester/nr + /ram: + repo: https://gitlab.com/vdemeester/ram + /sec: + repo: https://gitlab.com/vdemeester/sec + ''; + }; + nginx = { + enable = true; + virtualHosts."dl.sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/dl.sbr.pm"; + locations."/" = { + index = "index.html"; + }; + }; + virtualHosts."paste.sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/paste.sbr.pm"; + locations."/" = { + index = "index.html"; + }; + }; + virtualHosts."go.sbr.pm" = { + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://127.0.0.1:8080"; }; + }; + virtualHosts."sbr.pm" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/sbr.pm"; + locations."/" = { + index = "index.html"; + }; + }; + virtualHosts."vincent.demeester.fr" = { + enableACME = true; + forceSSL = true; + root = "/home/vincent/desktop/sites/vincent.demeester.fr"; + locations."/" = { + index = "index.html"; + }; + }; + }; + openssh.ports = [ ssh.kerkouane.port ]; + openssh.permitRootLogin = "without-password"; + syncthing.guiAddress = "127.0.0.1:8384"; + }; +} diff --git a/machines/okinawa.nixos.nix b/machines/okinawa.nixos.nix 
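Review bot: `openssh.permitRootLogin = "without-password"` keeps key-based root logins open on a host that, judging by the ACME-backed `sbr.pm` virtual hosts and the public `allowedTCPPorts = [ 80 443 ]`, faces the internet; unless root key access is needed for remote deployment, `openssh.permitRootLogin = "no";` removes the most valuable account from the SSH attack surface, and if root access is kept a one-line comment stating why would stop the next reader from "fixing" it. The `govanityurl` service is also configured with `user = "nginx"`, so the reverse proxy and the proxied application share one identity; a dedicated service user keeps a compromise of either from reaching the other's files (the `/home/vincent/desktop/sites/*` roots served by nginx, for instance).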
@@ -0,0 +1,95 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ./home.nix ]; + boot = { + cleanTmpDir = true; + }; + networking = { + firewall.enable = false; # we are in safe territory :D + bridges.br1.interfaces = [ "enp0s31f6" ]; + useDHCP = false; + interfaces.br1 = { + useDHCP = true; + }; + }; + profiles = { + avahi.enable = true; + git.enable = true; + nix-config.buildCores = 4; + ssh.enable = true; + syncthing.enable = true; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + }; + services = { + bind = { + enable = true; + forwarders = [ "8.8.8.8" "8.8.4.4" ]; + cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ]; + zones = [ + { + # home + name = "home"; + slaves = []; + file = ../assets/db.home; + } + { + # home.reverse + name = "192.168.1.in-addr.arpa"; + slaves = []; + file = ../assets/db.192.168.1; + } + { + # vpn + name = "vpn"; + slaves = []; + file = ../assets/db.vpn; + } + { + # vpn.reverse + name = "10.100.0.in-addr.arpa"; + slaves = []; + file = ../assets/db.10.100.0; + } + ]; + }; + nix-binary-cache = { + enable = true; + domain = "nix.cache.home"; + aliases = [ "cache.massimo.home" "nix.okinawa.home" ]; + }; + syncthing.guiAddress = "0.0.0.0:8384"; + tarsnap = { + enable = true; + archives = { + documents = { + directories = [ "/home/vincent/desktop/documents" ]; + period = "daily"; + keyfile = "/etc/nixos/assets/tarsnap.documents.key"; + }; + org = { + directories = [ "/home/vincent/desktop/org" ]; + period = "daily"; + keyfile = "/etc/nixos/assets/tarsnap.org.key"; + }; + sites = { + directories = [ "/home/vincent/desktop/sites" ]; + period = "daily"; + keyfile = "/etc/nixos/assets/tarsnap.sites.key"; + }; + }; + }; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.okinawa}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + }; + security.apparmor.enable = true; +} 
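Review bot: `syncthing.guiAddress = "0.0.0.0:8384"` together with `networking.firewall.enable = false` exposes the Syncthing admin GUI and REST API on every interface of this host, including the `br1` bridge and the WireGuard tunnel; the same pair appears in machines/sakhalin.nixos.nix and machines/wakasu.nixos.nix. Binding to the address that should reach it, e.g. `syncthing.guiAddress = "${home.ips.okinawa}:8384";`, or keeping the firewall and opening 8384 only on the intended interface, limits who can reach it; machines/kerkouane.nixos.nix already shows the tighter `127.0.0.1:8384` form. The only rationale recorded for disabling the firewall is `# we are in safe territory :D`; a comment naming the assumption (trusted LAN, no untrusted guests on `192.168.1.0/24`) would make it reviewable later.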
diff --git a/machines/sakhalin.nixos.nix b/machines/sakhalin.nixos.nix 
@@ -0,0 +1,154 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ./home.nix ]; + boot = { + cleanTmpDir = true; + }; + networking = { + firewall.enable = false; # we are in safe territory :D + bridges.br1.interfaces = [ "enp0s31f6" ]; + useDHCP = false; + interfaces.br1 = { + useDHCP = true; + }; + }; + profiles = { + avahi.enable = true; + git.enable = true; + nix-config.buildCores = 4; + ssh.enable = true; + syncthing.enable = true; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + }; + fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; }; + fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; }; + services = { + nfs.server = { + enable = true; + exports = '' + /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check) + /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check) + /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check) + ''; + }; + bind = { + enable = true; + forwarders = [ "8.8.8.8" "8.8.4.4" ]; + cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ]; + zones = [ + { + # home + name = "home"; + slaves = []; + file = ../assets/db.home; + } + { + # home.reverse + name = "192.168.1.in-addr.arpa"; + slaves = []; + file = ../assets/db.192.168.1; + } + { + # vpn + name = "vpn"; + slaves = []; + file = ../assets/db.vpn; + } + { + # vpn.reverse + name = "10.100.0.in-addr.arpa"; + slaves = []; + file = ../assets/db.10.100.0; + } + ]; + }; + syncthing.guiAddress = "0.0.0.0:8384"; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.sakhalin}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + }; + security.apparmor.enable = true; + # ----------------------------------- + environment.etc."vrsync".text = '' + 
/home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/ + /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/ + /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/ + /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/ + /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/ + ''; + systemd.services.vrsync = { + description = "vrsync - sync folders to NAS"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + unitConfig.X-StopOnRemoval = false; + restartIfChanged = false; + + path = with pkgs; [ rsync coreutils bash openssh ]; + script = '' + ${pkgs.vrsync}/bin/vrsync + ''; + + startAt = "hourly"; + serviceConfig = { + Type = "oneshot"; + OnFailure = "status-email-root@%n.service"; + }; + }; + # ape – sync git mirrors + systemd.services.ape = { + description = "Ape - sync git mirrors"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + + serviceConfig = { + Type = "oneshot"; + User = "vincent"; + OnFailure = "status-email-root@%n.service"; + }; + + path = with pkgs; [ git ]; + script = '' + ${pkgs.nur.repos.vdemeester.ape}/bin/ape up /home/vincent/var/mirrors + ''; + + startAt = "hourly"; + }; + # mr -i u daily + systemd.services.mr = { + description = "Update configs daily"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + + serviceConfig = { + Type = "oneshot"; + User = "vincent"; + OnFailure = "status-email-root@%n.service"; + }; + + path = with pkgs; [ git mr ]; + script = '' + set -e + cd /mnt/gaia/src/configs/ + mr -t run git reset --hard + mr -t u + ''; + + startAt = "daily"; + }; +} diff --git a/machines/wakasu.nixos.nix b/machines/wakasu.nixos.nix 
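Review bot: `systemd.services.vrsync` sets no `User`, so the hourly rsync-over-ssh to `vincent@synodine.home` runs as root with root's ssh identity and known_hosts, while the sibling `ape` and `mr` units in the same file run with `User = "vincent"`. If the source directories under `/home/vincent` and `/mnt/gaia` are readable by that user, adding `User = "vincent";` to the `serviceConfig` keeps the three units consistent and avoids a root process handling the NAS side of the transfer; if root really is required, a one-line comment saying so would prevent the inconsistency from being "fixed" later. The enclosing module starts on the previous line of this diff.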
@@ -0,0 +1,91 @@ +{ config, pkgs, ... }: + +with import ../assets/machines.nix; { + imports = [ ../hardware/lenovo-p50.nix ./home.nix ]; + boot = { + kernelModules = [ "kvm_intel" ]; + kernelParams = [ "kvm_intel.nested=1" ]; + kernel.sysctl = { + "net.bridge.bridge-nf-call-arptables" = 0; + "net.bridge.bridge-nf-call-iptables" = 0; + "net.bridge.bridge-nf-call-ip6tables" = 0; + }; + }; + networking = { + firewall.enable = false; # we are in safe territory :D + hosts = { + "${home.ips.honshu}" = [ "honshu.home" ]; + "${wireguard.ips.honshu}" = [ "honshu.vpn" ]; + "${home.ips.shikoku}" = [ "shikoku.home" ]; + "${wireguard.ips.shikoku}" = [ "shikoku.vpn" ]; + "${home.ips.wakasu}" = [ "wakasu.home" ]; + "${wireguard.ips.wakasu}" = [ "wakasu.vpn" ]; + "${home.ips.hokkaido}" = [ "hokkaido.home" ]; + "${wireguard.ips.hokkaido}" = [ "hokkaido.vpn" ]; + "${home.ips.sakhalin}" = [ "sakhalin.home" ]; + "${wireguard.ips.sakhalin}" = [ "sakhalin.vpn" ]; + "${wireguard.ips.massimo}" = [ "massimo.vpn" ]; + "${home.ips.synodine}" = [ "synodine.home" ]; + "${home.ips.okinawa}" = [ "okinawa.home" "cache.home" "svc.home" "nix.cache.home" "go.cache.home" ]; + "${wireguard.ips.okinawa}" = [ "okinawa.vpn" ]; + "${wireguard.ips.carthage}" = [ "carthage.vpn" ]; + "${wireguard.ips.kerkouane}" = [ "kerkouane.vpn" ]; + }; + }; + profiles = { + dev.enable = true; + laptop.enable = true; + desktop.autoLogin = true; + docker.enable = true; + nix-config.buildCores = 4; + #qemu-user = { arm = true; aarch64 = true; }; + ssh = { + enable = true; + forwardX11 = true; + }; + virtualization = { + enable = true; + nested = true; + listenTCP = true; + }; + yubikey.enable = true; + }; + programs = { + podman.enable = true; + }; + security.sudo = { + extraConfig = '' + %users ALL = (root) NOPASSWD: /home/vincent/.nix-profile/bin/kubernix + ''; + }; + services = { + logind.extraConfig = '' + HandleLidSwitch=ignore + HandleLidSwitchExternalPower=ignore + HandleLidSwitchDocked=ignore + ''; + 
#syncthing.guiAddress = "${wireguard.ips.wakasu}:8384"; + syncthing.guiAddress = "0.0.0.0:8384"; + smartd = { + enable = true; + devices = [ { device = "/dev/nvme0n1"; } ]; + }; + wireguard = { + enable = true; + ips = [ "${wireguard.ips.wakasu}/24" ]; + endpoint = wg.endpointIP; + endpointPort = wg.listenPort; + endpointPublicKey = wireguard.kerkouane.publicKey; + }; + xserver = { + videoDrivers = [ "nvidia" ]; + dpi = 96; + serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + }; + }; +} diff --git a/modules/hardware/sane-extra-config.nixos.nix b/modules/hardware/sane-extra-config.nixos.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.hardware.sane; + + pkg = if cfg.snapshot + then pkgs.sane-backends-git + else pkgs.sane-backends; + + backends = [ pkg ] ++ cfg.extraBackends; + + saneConfig = pkgs.mkSaneConfig { paths = backends; }; + + saneExtraConfig = pkgs.runCommand "sane-extra-config" {} '' + cp -Lr '${pkgs.mkSaneConfig { paths = [ pkgs.sane-backends ]; }}'/etc/sane.d $out + chmod +w $out + ${concatMapStrings (c: '' + f="$out/${c.name}.conf" + [ ! -e "$f" ] || chmod +w "$f" + cat ${builtins.toFile "" (c.value + "\n")} >>"$f" + chmod -w "$f" + '') (mapAttrsToList nameValuePair cfg.extraConfig)} + chmod -w $out + ''; + +in + +{ + options = { + hardware.sane.extraConfig = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = { "some-backend" = "# some lines to add to its .conf"; }; + }; + }; + + config = mkIf (cfg.enable && cfg.extraConfig != {}) { + hardware.sane.configDir = saneExtraConfig.outPath; + }; +} diff --git a/modules/module-list.nixos.nix b/modules/module-list.nixos.nix 
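Review bot: The sudo rule `%users ALL = (root) NOPASSWD: /home/vincent/.nix-profile/bin/kubernix` in machines/wakasu.nixos.nix grants password-less root to every member of `users` for a binary under a user-writable home directory (`~/.nix-profile` is a symlink the user controls), so whoever can write there decides what runs as root. Pointing the rule at an immutable path, e.g. installing kubernix via `environment.systemPackages` and using `/run/current-system/sw/bin/kubernix` (the same `PATH` the `status-email-root@` unit in modules/profiles/base.nixos.nix relies on), and scoping it to `vincent ALL = (root) NOPASSWD: ...` instead of `%users`, keeps the grant to the intended user and the intended code. The hunk for this file starts on the previous line of the diff.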
@@ -0,0 +1,41 @@
+{ pkgs, lib, ... }:
+
+{
+ imports = [
+ ./hardware/sane-extra-config.nixos.nix
+ ./profiles/avahi.nixos.nix
+ ./profiles/base.nixos.nix
+ ./profiles/buildkit.nixos.nix
+ ./profiles/fish.nixos.nix
+ ./profiles/containerd.nixos.nix
+ ./profiles/desktop.nixos.nix
+ ./profiles/dev.nixos.nix
+ ./profiles/docker.nixos.nix
+ ./profiles/gaming.nixos.nix
+ ./profiles/git.nixos.nix
+ ./profiles/i18n.nixos.nix
+ ./profiles/ipfs.nixos.nix
+ ./profiles/laptop.nixos.nix
+ ./profiles/mail.nixos.nix
+ ./profiles/nix-config.nixos.nix
+ ./profiles/nix-auto-update.nixos.nix
+ ./profiles/printing.nixos.nix
+ ./profiles/pulseaudio.nixos.nix
+ ./profiles/qemu.nixos.nix
+ ./profiles/scanning.nixos.nix
+ ./profiles/ssh.nixos.nix
+ ./profiles/syncthing.nixos.nix
+ ./profiles/users.nixos.nix
+ ./profiles/virtualization.nixos.nix
+ ./profiles/wireguard.server.nixos.nix
+ ./profiles/yubikey.nixos.nix
+ ./profiles/zsh.nixos.nix
+ ./programs/podman.nixos.nix
+ ./services/athens.nixos.nix
+ ./services/govanityurl.nixos.nix
+ ./services/nix-binary-cache.nixos.nix
+ ./services/wireguard.client.nixos.nix
+ ./virtualisation/buildkit.nixos.nix
+ ./virtualisation/containerd.nixos.nix
+ ];
+}
diff --git a/modules/profiles/avahi.nixos.nix b/modules/profiles/avahi.nixos.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.avahi;
+in
+{
+ options = {
+ profiles.avahi = {
+ enable = mkOption {
+ default = false;
+ description = "Enable avahi profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services = {
+ avahi = {
+ enable = true;
+ ipv4 = true;
+ ipv6 = true;
+ nssmdns = true;
+ publish = {
+ enable = true;
+ userServices = true;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/profiles/base.nixos.nix b/modules/profiles/base.nixos.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.base;
+in
+{
+ options = {
+ profiles.base = {
+ enable = mkOption {
+ default = true;
+ description = "Enable base profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.loader.systemd-boot.enable = true;
+ environment = {
+ variables = {
+ EDITOR = pkgs.lib.mkOverride 0 "vim";
+ };
+ systemPackages = with pkgs; [
+ cachix
+ direnv
+ exa
+ file
+ htop
+ iotop
+ lsof
+ netcat
+ psmisc
+ pv
+ tmux
+ tree
+ vim
+ vrsync
+ wget
+ gnumake
+ ];
+ };
+ systemd.services."status-email-root@" = {
+ description = "status email for %i to vincent";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = ''
+ ${pkgs.nur.repos.vdemeester.systemd-email}/bin/systemd-email vincent@demeester.fr %i
+ '';
+ User = "root";
+ Environment = "PATH=/run/current-system/sw/bin";
+ };
+ };
+ };
+}
diff --git a/modules/profiles/buildkit.nixos.nix b/modules/profiles/buildkit.nixos.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.buildkit;
+in
+{
+ options = {
+ profiles.buildkit = {
+ enable = mkOption {
+ default = false;
+ description = "Enable buildkit profile";
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.nur.repos.vdemeester.buildkit;
+ description = "buildkit package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.nur.repos.vdemeester.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ profiles.containerd = {
+ enable = true;
+ runcPackage = cfg.runcPackage;
+ };
+ environment.systemPackages = with pkgs; [
+ cfg.package
+ ];
+ virtualisation = {
+ buildkitd= {
+ enable = true;
+ package = cfg.package;
+ packages = [ cfg.runcPackage pkgs.git ];
+ extraOptions = "--oci-worker=false --containerd-worker=true";
+ };
+ };
+ };
+}
diff --git a/modules/profiles/containerd.nixos.nix b/modules/profiles/containerd.nixos.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.containerd;
+in
+{
+ options = {
+ profiles.containerd = {
+ enable = mkOption {
+ default = false;
+ description = "Enable containerd profile";
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.nur.repos.vdemeester.containerd;
+ description = "containerd package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ cniPackage = mkOption {
+ default = pkgs.cni;
+ description = "cni package to be used";
+ type = types.package;
+ };
+ cniPluginsPackage = mkOption {
+ default = pkgs.cni-plugins;
+ description = "cni-plugins package to be used";
+ type = types.package;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ cfg.cniPackage
+ cfg.cniPluginsPackage
+ cfg.package
+ cfg.runcPackage
+ ];
+ virtualisation = {
+ containerd = {
+ enable = true;
+ package = cfg.package;
+ packages = [ cfg.runcPackage ];
+ };
+ };
+ };
+}
diff --git a/modules/profiles/desktop.nixos.nix b/modules/profiles/desktop.nixos.nix
@@ -0,0 +1,209 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.desktop; +in +{ + options = { + profiles.desktop = { + enable = mkOption { + default = false; + description = "Enable desktop profile"; + type = types.bool; + }; + avahi = mkOption { + default = true; + description = "Enable avahi with the desktop profile"; + type = types.bool; + }; + pulseaudio = mkOption { + default = true; + description = "Enable pulseaudio with the desktop profile"; + type = types.bool; + }; + flatpak = mkOption { + default = true; + description = "Enable flatpak with the desktop profile"; + type = types.bool; + }; + syncthing = mkOption { + default = true; + description = "Enable syncthing with the desktop profile"; + type = types.bool; + }; + scanning = mkOption { + default = true; + description = "Enable scanning with the desktop profile"; + type = types.bool; + }; + printing = mkOption { + default = true; + description = "Enable printing with the desktop profile"; + type = types.bool; + }; + networkmanager = mkOption { + default = true; + description = "Enable networkmanager with the desktop profile"; + type = types.bool; + }; + autoLogin = mkOption { + default = false; + description = "Enable auto login"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + profiles.avahi.enable = cfg.avahi; + profiles.printing.enable = cfg.printing; + profiles.pulseaudio.enable = cfg.pulseaudio; + profiles.scanning.enable = cfg.scanning; + profiles.syncthing.enable = cfg.syncthing; + + boot = { + tmpOnTmpfs = true; + plymouth.enable = true; + }; + + hardware.bluetooth.enable = true; + + networking.networkmanager = { + enable = cfg.networkmanager; + unmanaged = [ + "interface-name:ve-*" + "interface-name:veth*" + "interface-name:wg0" + "interface-name:docker0" + "interface-name:virbr*" + ]; + packages = with pkgs; [ networkmanager-openvpn ]; + }; + + programs.dconf.enable = true; + xdg.portal.enable = cfg.flatpak; + + services = { + flatpak.enable = 
cfg.flatpak; + dbus.packages = [ pkgs.gnome3.dconf ]; + xserver = { + enable = true; + enableTCP = false; + windowManager.twm.enable = true; + libinput.enable = true; + synaptics.enable = false; + layout = "fr(bepo),fr"; + xkbVariant = "oss"; + xkbOptions = "grp:menu_toggle,grp_led:caps,compose:caps"; + inputClassSections = [ + '' + Identifier "TypeMatrix" + MatchIsKeyboard "on" + MatchVendor "TypeMatrix.com" + MatchProduct "USB Keyboard" + Driver "evdev" + Option "XbkModel" "tm2030USB" + Option "XkbLayout" "fr" + Option "XkbVariant" "bepo" + '' + '' + Identifier "ErgoDox" + #MatchVendor "ErgoDox_EZ" + #MatchProduct "ErgoDox_EZ" + MatchIsKeyboard "on" + MatchUSBID "feed:1307" + Driver "evdev" + Option "XkbLayout" "fr" + Option "XkbVariant" "bepo" + '' + ]; + displayManager = { + # defaultSession = "none+i3"; + lightdm = { + enable = true; + autoLogin = { + enable = true; + user = "vincent"; + }; + }; + }; + }; + }; + fonts = { + enableFontDir = true; + enableGhostscriptFonts = true; + fonts = with pkgs; [ + corefonts + dejavu_fonts + emojione + feh + fira + fira-code + fira-code-symbols + fira-mono + hasklig + inconsolata + iosevka + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + noto-fonts-extra + overpass + symbola + source-code-pro + twemoji-color-font + ubuntu_font_family + unifont + ]; + }; + + # Polkit. 
+ security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" || + action.id == "org.freedesktop.udisks2.encrypted-unlock-system" + ) && + subject.local && subject.active && subject.isInGroup("users")) { + return polkit.Result.YES; + } + var YES = polkit.Result.YES; + var permission = { + // required for udisks1: + "org.freedesktop.udisks.filesystem-mount": YES, + "org.freedesktop.udisks.luks-unlock": YES, + "org.freedesktop.udisks.drive-eject": YES, + "org.freedesktop.udisks.drive-detach": YES, + // required for udisks2: + "org.freedesktop.udisks2.filesystem-mount": YES, + "org.freedesktop.udisks2.encrypted-unlock": YES, + "org.freedesktop.udisks2.eject-media": YES, + "org.freedesktop.udisks2.power-off-drive": YES, + // required for udisks2 if using udiskie from another seat (e.g. systemd): + "org.freedesktop.udisks2.filesystem-mount-other-seat": YES, + "org.freedesktop.udisks2.filesystem-unmount-others": YES, + "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES, + "org.freedesktop.udisks2.eject-media-other-seat": YES, + "org.freedesktop.udisks2.power-off-drive-other-seat": YES + }; + if (subject.isInGroup("wheel")) { + return permission[action.id]; + } + }); + ''; + + environment.systemPackages = with pkgs; [ + cryptsetup + xlibs.xmodmap + xorg.xbacklight + xorg.xdpyinfo + xorg.xhost + xorg.xinit + xss-lock + xorg.xmessage + unzip + gnupg + pinentry + inxi + ]; + }; +} diff --git a/modules/profiles/dev.nixos.nix b/modules/profiles/dev.nixos.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.dev; +in +{ + options = { + profiles.dev = { + enable = mkOption { + default = false; + description = "Enable dev profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + profiles.git.enable = true; + environment.systemPackages = with pkgs; [ + git + tig + grc + ripgrep + gnumake + ]; + }; +} 
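Review bot: The `autoLogin` option declared at the top of this hunk (default `false`) is never read: the lightdm block hardcodes `autoLogin = { enable = true; user = "vincent"; };`, so every desktop host boots straight into an unauthenticated session for that account regardless of the option, and the polkit rules below then grant that session mount/unlock rights via `users` and `wheel`. It should read `enable = cfg.autoLogin;`, and the user could come from `config.profiles.users.user` rather than a literal. Separately, `Option "XbkModel" "tm2030USB"` in the TypeMatrix InputClass is a typo for `XkbModel`, so Xorg silently ignores the model setting.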
diff --git a/modules/profiles/docker.nixos.nix b/modules/profiles/docker.nixos.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.docker; +in +{ + options = { + profiles.docker = { + enable = mkOption { + default = false; + description = "Enable docker profile"; + type = types.bool; + }; + package = mkOption { + default = pkgs.docker-edge; + description = "docker package to be used"; + type = types.package; + }; + runcPackage = mkOption { + default = pkgs.runc; + description = "runc package to be used"; + type = types.package; + }; + }; + }; + config = mkIf cfg.enable { + profiles.containerd.enable = true; + virtualisation = { + docker = { + enable = true; + package = cfg.package; + liveRestore = false; + storageDriver = "overlay2"; + extraOptions = "--experimental --add-runtime docker-runc=${cfg.runcPackage}/bin/runc --default-runtime=docker-runc --containerd=/run/containerd/containerd.sock"; + }; + }; + environment.etc."docker/daemon.json".text = '' + {"features":{"buildkit": true}, "insecure-registries": ["172.30.0.0/16", "192.168.12.0/16", "massimo.home:5000", "r.svc.home:5000", "r.svc.home" ]} + ''; + networking.firewall.trustedInterfaces = [ "docker0" ]; + }; +} diff --git a/modules/profiles/fish.nixos.nix b/modules/profiles/fish.nixos.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.fish; +in +{ + options = { + profiles.fish = { + enable = mkOption { + default = false; + description = "Enable fish profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + programs.fish = { + enable = true; + promptInit = '' + source /etc/fish/functions/fish_prompt.fish + source /etc/fish/functions/fish_right_prompt.fish + ''; + }; + environment.etc."fish/functions/fish_prompt.fish".source = ./assets/fish/fish_prompt.fish; + environment.etc."fish/functions/fish_right_prompt.fish".source = ./assets/fish/fish_right_prompt.fish; + }; +} 
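Review bot: `"insecure-registries": [..., "192.168.12.0/16", ...]` in daemon.json actually covers 192.168.0.0/16 (the host bits of 192.168.12.0 are ignored for a /16), while the rest of this commit uses `192.168.12.0/24` for that network (pulseaudio `allowedIpRanges`, scanning `bjnp://192.168.12.70`); as written, any 192.168.x.x registry is accepted over plain HTTP or with an untrusted certificate. The same value appears in podman's `[registries.insecure]` list. Unless the wider range is intended, use `192.168.12.0/24` in both. `--experimental` and `liveRestore = false` would also benefit from a one-line why-comment.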
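Review bot: `environment.etc."fish/functions/fish_prompt.fish".source = ./assets/fish/fish_prompt.fish;` resolves relative to `modules/profiles/`, whereas the sibling modules in this commit (mail, users, wireguard.server) reach their assets with `../../assets/...`; if the fish files live in that same top-level directory, these two paths will fail at evaluation time. Confirm where they live and, if so, change both to `../../assets/fish/fish_prompt.fish` and `../../assets/fish/fish_right_prompt.fish`.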
diff --git a/modules/profiles/gaming.nixos.nix b/modules/profiles/gaming.nixos.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.gaming; +in +{ + options = { + profiles.gaming = { + enable = mkOption { + default = false; + description = "Enable gaming profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + hardware = { + opengl = { + driSupport32Bit = true; + }; + }; + services.udev.extraRules = '' + # Steam controller + SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666" + KERNEL=="uinput", MODE="0660", GROUP="users", OPTIONS+="static_node=uinput" + ''; + environment.systemPackages = with pkgs; [ steam ]; + }; +} diff --git a/modules/profiles/git.nixos.nix b/modules/profiles/git.nixos.nix 
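Review bot: The udev rule `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"` makes every Valve USB device node world-readable and writable for all accounts, not just the seated user, and `KERNEL=="uinput", MODE="0660", GROUP="users"` lets any process running as a member of `users` open `/dev/uinput` and inject synthetic keyboard and mouse events into the active session. Prefer `TAG+="uaccess"` for the controller, which grants access to the logged-in seat user through an ACL, and tie uinput to a narrower group such as `GROUP="input"` (which the users module already adds the primary account to) rather than `users`.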
@@ -0,0 +1,73 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.git; +in +{ + options = { + profiles.git = { + enable = mkOption { + default = false; + description = "Enable git profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + gitAndTools.gitFull + gitAndTools.git-annex + gitAndTools.git-extras + ]; + environment.etc."gitconfig" = rec { text = '' + [alias] + co = checkout + st = status + ci = commit --signoff + ca = commit --amend + b = branc --color -v + br = branch + unstage = reset HEAD + lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative + lga = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative --branches --remotes + lol = log --pretty=oneline --abbrev-commit --graph --decorate + conflicts = !git ls-files --unmerged | cut -c51- | sort -u | xargs $EDITOR + resolve = !git ls-files --unmerged | cut -c51- | sort -u | xargs git add + [color] + branch = auto + diff = auto + status = auto + [color "branch"] + current = cyan reverse + local = cyan + remote = green + [color "diff"] + meta = white reverse + frag = magenta reverse + old = red + new = green + [color "status"] + added = green + changed = yellow + untracked = red + [core] + #excludesfile = ~/.gitignore.global + [push] + default = matching + [merge] + tool = vimdiff + + [user] + name = Vincent Demeester + email = vincent@sbr.pm + + [http] + cookiefile = /home/vincent/.gitcookies + + [url "git@github.com:"] + pushInsteadOf = git://github.com/ + ''; + }; + }; +} diff --git a/modules/profiles/i18n.nixos.nix b/modules/profiles/i18n.nixos.nix 
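Review bot: `b = branc --color -v` is a typo for `branch`, so the alias fails with "branc is not a git command". The system-wide `/etc/gitconfig` also carries per-user settings: `[http] cookiefile = /home/vincent/.gitcookies` and the `[user]` name/email apply to every account on the host, including root, and git will attempt to read that cookie file from any user's context; they belong in the owner's per-user git configuration. `rec { text = ''...''; }` never refers to itself, so `rec` can be dropped.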
@@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.i18n; +in +{ + options = { + profiles.i18n = { + enable = mkOption { + default = true; + description = "Enable i18n profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + console.keyMap = "fr-bepo"; + console.font = "Lat2-Terminus16"; + i18n = { + defaultLocale = "en_US.UTF-8"; + }; + }; +} diff --git a/modules/profiles/ipfs.nixos.nix b/modules/profiles/ipfs.nixos.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.ipfs; +in +{ + options = { + profiles.ipfs = { + enable = mkOption { + default = false; + description = "Enable ipfs profile"; + type = types.bool; + }; + autoMount = mkOption { + default = true; + description = "Automount /ipfs and /ipns"; + type = types.bool; + }; + localDiscovery = mkOption { + default = true; + description = "Enable local discovery, switch profile to server if disable"; + type = types.bool; + }; + extraConfig = mkOption { + default = { + Datastore.StorageMax = "40GB"; + }; + description = "Extra ipfs daemon configuration"; + type = types.attrs; + }; + }; + }; + config = mkIf cfg.enable { + services.ipfs = { + enable = true; + enableGC = true; + localDiscovery = cfg.localDiscovery; + autoMount = cfg.autoMount; + extraConfig = cfg.extraConfig; + }; + }; +} diff --git a/modules/profiles/laptop.nixos.nix b/modules/profiles/laptop.nixos.nix 
@@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.laptop; +in +{ + options = { + profiles.laptop = { + enable = mkOption { + default = false; + description = "Enable laptop profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + boot.kernel.sysctl = { + "vm.swappiness" = 10; + "vm.dirty_ratio" = 25; + "vm.dirty_background_ratio" = 10; + "vm.dirty_writeback_centisecs" = 5000; + "vm.dirty_expire_centisecs" = 5000; + }; + profiles.desktop.enable = true; + environment.systemPackages = with pkgs; [ + lm_sensors + powertop + acpi + ]; + }; +} diff --git a/modules/profiles/mail.nixos.nix b/modules/profiles/mail.nixos.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ...}: + +with lib; +let + cfg = config.profiles.mail; +in +{ + options = { + profiles.mail = { + enable = mkOption { + default = true; + description = "Enable mail profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + environment.etc."msmtprc".source = ../../assets/msmtprc; + environment.systemPackages = with pkgs; [ msmtp ]; + }; +} diff --git a/modules/profiles/nix-auto-update.nixos.nix b/modules/profiles/nix-auto-update.nixos.nix 
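Review bot: `environment.etc."msmtprc".source = ../../assets/msmtprc;` copies the file into the Nix store, where it is world-readable, and this profile is `default = true`, so it lands on every host. msmtp configurations usually carry SMTP account credentials; if this one does, keep the secret out of the store and reference it with msmtp's `passwordeval` against a root-only file. If the file holds no secret, a one-line comment saying so spares the next reader the check.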
@@ -0,0 +1,65 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.nix-auto-update; +in +{ + options = { + profiles.nix-auto-update = { + enable = mkOption { + default = true; + description = "Enable nix-auto-update profile"; + type = types.bool; + }; + autoUpgrade = mkOption { + default = true; + description = "Automatically try to upgrade the system"; + type = types.bool; + }; + dates = mkOption { + default = "weekly"; + description = "Specification (in the format described by systemd.time(7)) of the time at which the auto-update will run. "; + type = types.str; + }; + version = mkOption { + default = "20.03"; + description = "System version (NixOS)"; + type = types.str; + }; + }; + }; + config = mkIf cfg.enable ( + mkMerge [ + { + system = { + stateVersion = cfg.version; + }; + } + ( + mkIf cfg.autoUpgrade { + systemd.services.nixos-update = { + description = "NixOS Upgrade"; + unitConfig.X-StopOnRemoval = false; + restartIfChanged = false; + serviceConfig.Type = "oneshot"; + environment = config.nix.envVars + // { + inherit (config.environment.sessionVariables) NIX_PATH; + HOME = "/root"; + }; + path = [ pkgs.gnutar pkgs.xz pkgs.git pkgs.gnumake config.nix.package.out pkgs.commonsCompress ]; + script = '' + export PATH=/run/current-system/sw/bin + cd /etc/nixos/ + git pull --autostash --rebase + /run/current-system/sw/bin/make update switch + ''; + startAt = cfg.dates; + onFailure = [ "status-email-root@%n.service" ]; + }; + } + ) + ] + ); +} diff --git a/modules/profiles/nix-config.nixos.nix b/modules/profiles/nix-config.nixos.nix 
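Review bot: The upgrade script's first line `export PATH=/run/current-system/sw/bin` replaces the PATH that `path = [ pkgs.gnutar pkgs.xz pkgs.git pkgs.gnumake ... ]` set up, so that list is dead and the unit uses whatever `git`/`make` the running system happens to provide. The unit then runs `git pull --autostash --rebase` in `/etc/nixos/` as root on a weekly timer and switches to the result, which makes control of the remote (or of the transport, if it is not SSH or HTTPS) equivalent to root on every host; `git pull --verify-signatures` or pulling only a signed tag would at least require a trusted signing key. Finally, `version` (default `"20.03"`) feeds `system.stateVersion`, which is meant to stay at the release the host was first installed with; exposing it from an "auto-update" profile invites bumping it on upgrade and silently changing stateful service defaults.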
@@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.nix-config; +in +{ + options = { + profiles.nix-config = { + enable = mkOption { + default = true; + description = "Enable nix-config profile"; + type = types.bool; + }; + gcDates = mkOption { + default = "weekly"; + description = "Specification (in the format described by systemd.time(7)) of the time at which the garbage collector will run. "; + type = types.str; + }; + olderThan = mkOption { + default = "15d"; + description = "Number of day to keep when garbage collect"; + type = types.str; + }; + buildCores = mkOption { + type = types.int; + default = 2; + example = 4; + description = '' + Maximum number of concurrent tasks during one build. + ''; + }; + localCaches = mkOption { + default = [ "http://nix.cache.home" ]; + description = "List of local nix caches"; + type = types.listOf types.str; + }; + }; + }; + config = mkIf cfg.enable { + nix = { + buildCores = cfg.buildCores; + useSandbox = true; + gc = { + automatic = true; + dates = cfg.gcDates; + options = "--delete-older-than ${cfg.olderThan}"; + }; + # if hydra is down, don't wait forever + extraOptions = '' + connect-timeout = 20 + build-cores = 0 + ''; + binaryCaches = cfg.localCaches ++ [ + "https://cache.nixos.org/" + "https://r-ryantm.cachix.org" + "https://vdemeester.cachix.org" + "https://shortbrain.cachix.org" + ]; + binaryCachePublicKeys = [ + "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=" + "vdemeester.cachix.org-1:uCECG6so7v1rs77c5NFz2dCePwd+PGNeZ6E5DrkT7F0=" + "shortbrain.cachix.org-1:dqXcXzM0yXs3eo9ChmMfmob93eemwNyhTx7wCR4IjeQ=" + "mic92.cachix.org-1:gi8IhgiT3CYZnJsaW7fxznzTkMUOn1RY4GmXdT/nXYQ=" + ]; + trustedUsers = [ "root" "vincent" ]; + }; + nixpkgs = { + overlays = [ + (import ../../overlays/sbr.overlay.nix) + (import ../../overlays/unstable.overlay.nix) + ]; + config = { + allowUnfree = true; + packageOverrides = pkgs: { + nur = import (builtins.fetchTarball 
"https://github.com/nix-community/NUR/archive/master.tar.gz") { + inherit pkgs; + }; + }; + }; + }; + }; +} diff --git a/modules/profiles/printing.nixos.nix b/modules/profiles/printing.nixos.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.printing; +in +{ + options = { + profiles.printing = { + enable = mkOption { + default = false; + description = "Enable printing profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + services = { + printing = { + enable = true; + drivers = [ pkgs.gutenprint ]; + }; + }; + }; +} diff --git a/modules/profiles/pulseaudio.nixos.nix b/modules/profiles/pulseaudio.nixos.nix 
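Review bot: `nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz")` fetches an unpinned archive with no `sha256`, so every evaluation trusts whatever that branch holds at the moment; several modules in this commit take daemon packages from `pkgs.nur.repos.vdemeester` (buildkit, containerd, athens, govanityurl, systemd-email), so this line is the root of trust for code that runs as root. Pin it, e.g. `builtins.fetchTarball { url = "https://github.com/nix-community/NUR/archive/<REV>.tar.gz"; sha256 = "<SHA256_PLACEHOLDER>"; }`. `extraOptions` also sets `build-cores = 0` while `buildCores = cfg.buildCores` emits `build-cores = 2`, so the same setting is written twice with conflicting values. `trustedUsers = [ "root" "vincent" ]` deserves a comment: trusted users can import unsigned store paths and pick arbitrary substituters, which is effectively root.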
@@ -0,0 +1,63 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.pulseaudio; +in +{ + options = { + profiles.pulseaudio = { + enable = mkOption { + default = false; + description = "Enable pulseaudio profile"; + type = types.bool; + }; + tcp = mkOption { + default = false; + description = "Enable pulseaudio tcp"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + hardware = { + pulseaudio = { + enable = true; + support32Bit = true; + zeroconf = { + discovery.enable = cfg.tcp; + publish.enable = cfg.tcp; + }; + tcp = { + enable = cfg.tcp; + anonymousClients = { + allowAll = true; + allowedIpRanges = [ "127.0.0.1" "192.168.12.0/24" "10.0.0.0/24" ]; + }; + }; + package = pkgs.pulseaudioFull; + }; + }; + sound.mediaKeys.enable = true; + + security.pam.loginLimits = [ + { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; } + { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; } + { domain = "@audio"; item = "nofile"; type = "-"; value = "99999"; } + ]; + + # spotify & pulseaudio + networking.firewall = { + allowedTCPPorts = [ 57621 57622 4713 ]; + allowedUDPPorts = [ 57621 57622 ]; + }; + environment.systemPackages = with pkgs; [ + apulse # allow alsa application to use pulse + pavucontrol # pulseaudio volume control + pasystray # systray application + playerctl + ]; + # We assume xserver runs when pulseaudio does + services.xserver.displayManager.sessionCommands = "${pkgs.pasystray}/bin/pasystray &"; + }; +} diff --git a/modules/profiles/qemu.nixos.nix b/modules/profiles/qemu.nixos.nix 
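Review bot: `networking.firewall.allowedTCPPorts = [ 57621 57622 4713 ];` opens the PulseAudio native port 4713 on every interface unconditionally, while the listener itself is gated on `cfg.tcp` (`tcp.enable = cfg.tcp;`); the rule should follow the same switch, e.g. `allowedTCPPorts = [ 57621 57622 ] ++ optionals cfg.tcp [ 4713 ];`. When `cfg.tcp` is on, `anonymousClients.allowAll = true` accepts unauthenticated clients from the listed `allowedIpRanges`, so any host on 192.168.12.0/24 or 10.0.0.0/24 can drive the sound server; limiting the port to the LAN or VPN interface via `networking.firewall.interfaces.<name>.allowedTCPPorts` would narrow that further.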
@@ -0,0 +1,49 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + cfg = config.profiles.qemu-user; + arm = { + interpreter = "${pkgs.qemu-user-arm}/bin/qemu-arm"; + magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff''; + }; + aarch64 = { + interpreter = "${pkgs.qemu-user-arm64}/bin/qemu-aarch64"; + magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff''; + }; + riscv64 = { + interpreter = "${pkgs.qemu-riscv64}/bin/qemu-riscv64"; + magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00''; + mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff''; + }; +in { + options = { + profiles.qemu-user = { + arm = mkEnableOption "enable 32bit arm emulation"; + aarch64 = mkEnableOption "enable 64bit arm emulation"; + riscv64 = mkEnableOption "enable 64bit riscv emulation"; + }; + nix.supportedPlatforms = mkOption { + type = types.listOf types.str; + description = "extra platforms that nix will run binaries for"; + default = []; + }; + }; + config = mkIf (cfg.arm || cfg.aarch64) { + nixpkgs = { + overlays = [ (import ../../overlays/qemu/default.nix) ]; + }; + boot.binfmt.registrations = + optionalAttrs cfg.arm { inherit arm; } // + optionalAttrs cfg.aarch64 { inherit aarch64; } // + optionalAttrs cfg.riscv64 { inherit riscv64; }; + nix.supportedPlatforms = (optionals cfg.arm [ "armv6l-linux" "armv7l-linux" ]) + ++ (optional cfg.aarch64 "aarch64-linux"); + nix.extraOptions = '' + extra-platforms = ${toString config.nix.supportedPlatforms} i686-linux + ''; + nix.sandboxPaths = [ "/run/binfmt" ] ++ (optional cfg.arm "${pkgs.qemu-user-arm}") ++ (optional cfg.aarch64 "${pkgs.qemu-user-arm64}"); + }; +} 
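Review bot: `config = mkIf (cfg.arm || cfg.aarch64) {` omits `cfg.riscv64`, so enabling only the riscv64 option declared in the same hunk registers nothing, and even when another arch is on, `nix.supportedPlatforms` and `nix.sandboxPaths` never include the riscv64 interpreter the way they do for arm and aarch64. Change the guard to `mkIf (cfg.arm || cfg.aarch64 || cfg.riscv64)` and extend the two lists with `optional cfg.riscv64 "riscv64-linux"` and `optional cfg.riscv64 "${pkgs.qemu-riscv64}"`. `nix.supportedPlatforms` is declared here under the `nix.` namespace rather than `profiles.qemu-user`, which is easy to miss when reading the other profiles.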
diff --git a/modules/profiles/scanning.nixos.nix b/modules/profiles/scanning.nixos.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.scanning; +in +{ + options = { + profiles.scanning = { + enable = mkOption { + default = false; + description = "Enable scanning profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + saneFrontends + saneBackends + simple-scan + ]; + hardware.sane = { + enable = true; + extraConfig = { "pixma" = "bjnp://192.168.12.70"; }; + }; + }; +} diff --git a/modules/profiles/ssh.nixos.nix b/modules/profiles/ssh.nixos.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.ssh; +in +{ + options = { + profiles.ssh = { + enable = mkOption { + default = false; + description = "Enable ssh profile"; + type = types.bool; + }; + forwardX11 = mkOption { + type = types.bool; + default = false; + description = '' + Whether to allow X11 connections to be forwarded. + ''; + }; + }; + }; + config = mkIf cfg.enable { + services = { + openssh = { + enable = true; + startWhenNeeded = false; + forwardX11 = cfg.forwardX11; + }; + }; + programs.mosh.enable = true; + }; +} diff --git a/modules/profiles/syncthing.nixos.nix b/modules/profiles/syncthing.nixos.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.syncthing; +in +{ + options = { + profiles.syncthing = { + enable = mkOption { + default = false; + description = "Enable syncthing profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + services.syncthing = { + enable = true; + user = "vincent"; + dataDir = "/home/vincent/.syncthing"; + configDir = "/home/vincent/.syncthing"; + openDefaultPorts = true; + }; + }; +} diff --git a/modules/profiles/users.nixos.nix b/modules/profiles/users.nixos.nix 
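Review bot: The profile enables `services.openssh` with this release's defaults, which still permit password authentication, while the users module in this same commit creates the primary account with `initialPassword = "changeMe"` and already deploys SSH public keys for it; add `passwordAuthentication = false;` and `permitRootLogin = "no";` next to `startWhenNeeded = false;` so key-based login is the only path. A one-line comment on why `startWhenNeeded` is forced off would also help.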
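Review bot: `user = "vincent";` together with `dataDir`/`configDir = "/home/vincent/.syncthing"` hardcodes the account, while the users module in this commit exposes `profiles.users.user` for exactly this; deriving all three from `config.profiles.users.user` keeps them in step. `openDefaultPorts = true` opens the sync and discovery ports on all interfaces, which is fine on a trusted LAN but worth a why-comment for roaming laptops.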
@@ -0,0 +1,66 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.users; +in +{ + options = { + profiles.users = { + enable = mkOption { + default = true; + description = "Enable users profile"; + type = types.bool; + }; + user = mkOption { + default = "vincent"; + description = "Username to use when creating user"; + type = types.str; + }; + # add more options (like openssh keys and config) + }; + }; + config = mkIf cfg.enable { + users = { + extraUsers = { + ${cfg.user} = { + isNormalUser = true; + uid = 1000; + createHome = true; + extraGroups = [ "wheel" "input" ] ++ optionals config.profiles.desktop.enable ["audio" "video" "lp" "scanner" "networkmanager"] + ++ optionals config.profiles.docker.enable [ "docker" ] + ++ optionals config.profiles.buildkit.enable [ "buildkit" ] + ++ optionals config.profiles.virtualization.enable [ "libvirtd" "vboxusers" ]; + shell = if config.programs.fish.enable then pkgs.fish else pkgs.zsh; + initialPassword = "changeMe"; + openssh.authorizedKeys.keys = + with import ../../assets/machines.nix; [ ssh.yubikey.key ssh.yubikey5.key ssh.wakasu.key ssh.vincent.key ssh.houbeb.key ssh.hokkaido.key ssh.okinawa.key ]; + subUidRanges = [{ startUid = 100000; count = 65536; }]; + subGidRanges = [{ startGid = 100000; count = 65536; }]; + }; + }; + }; + programs.ssh.extraConfig = with import ../../assets/machines.nix; '' + Host kerkouane kerkouane.sbr.pm + Hostname kerkouane.sbr.pm + Port ${toString ssh.kerkouane.port} + Host kerkouane.vpn ${wireguard.ips.kerkouane} + Hostname ${wireguard.ips.kerkouane} + Port ${toString ssh.kerkouane.port} + Host carthage carthage.sbr.pm + Hostname carthage.sbr.pm + Port ${toString ssh.carthage.port} + Host carthage.vpn ${wireguard.ips.carthage} + Hostname ${wireguard.ips.carthage} + Port ${toString ssh.carthage.port} + Host hokkaido.vpn ${wireguard.ips.hokkaido} + Hostname ${wireguard.ips.hokkaido} + Host honshu.vpn ${wireguard.ips.honshu} + Hostname ${wireguard.ips.honshu} + Host 
okinawa.vpn ${wireguard.ips.okinawa} + Hostname ${wireguard.ips.okinawa} + Host wakasu.vpn ${wireguard.ips.wakasu} + Hostname ${wireguard.ips.wakasu} + ''; + }; +} diff --git a/modules/profiles/virtualization.nixos.nix b/modules/profiles/virtualization.nixos.nix @@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.virtualization; +in +{ + options = { + profiles.virtualization = { + enable = mkOption { + default = false; + description = "Enable virtualization profile"; + type = types.bool; + }; + nested = mkOption { + default = false; + description = "Enable nested virtualization"; + type = types.bool; + }; + listenTCP = mkOption { + default = false; + description = "Make libvirt listen to TCP"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable ( + mkMerge [ + { + virtualisation.libvirtd = { + enable = true; + }; + environment.systemPackages = with pkgs; [ + qemu + vde2 + libosinfo + ]; + } + ( + mkIf cfg.nested { + environment.etc."modprobe.d/kvm.conf".text = '' + options kvm_intel nested=1 + ''; + } + ) + ( + mkIf config.profiles.desktop.enable { + environment.systemPackages = with pkgs; [ virtmanager ]; + } + ) + ( + mkIf cfg.listenTCP { + boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; + virtualisation.libvirtd = { + allowedBridges = [ "br1" ]; + extraConfig = '' + listen_tls = 0 + listen_tcp = 1 + auth_tcp="none" + tcp_port = "16509" + ''; + # extraOptions = [ "--listen" ]; + }; + networking.firewall.allowedTCPPorts = [ 16509 ]; + } + ) + ] + ); +} diff --git a/modules/profiles/wireguard.server.nixos.nix b/modules/profiles/wireguard.server.nixos.nix 
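Review bot: `initialPassword = "changeMe";` gives a `wheel` member a well-known password that is baked into the Nix store and every generation; since the account already receives `openssh.authorizedKeys.keys`, either drop the password or use `hashedPassword` (or a file-based password option, if available in this release) pointing at a secret kept out of the store. `extraGroups` also adds `"docker"` and `"libvirtd"` when those profiles are on, both of which are root-equivalent on the host; a short comment would make that a visibly deliberate choice. The `# add more options (like openssh keys and config)` line reads better as a `TODO`.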
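Review bot: When `listenTCP` is on, libvirtd gets `listen_tcp = 1` with `auth_tcp="none"` and the firewall opens 16509 on every interface, so anyone who can reach the host can manage VMs over plaintext with no authentication, which is root-equivalent. At minimum bind it with `listen_addr = "<BRIDGE_OR_VPN_IP>"` in `extraConfig` and open the port only on that interface via `networking.firewall.interfaces.<name>.allowedTCPPorts`, or keep TLS on / use `auth_tcp = "sasl"`. `environment.etc."modprobe.d/kvm.conf".text` would also more conventionally be `boot.extraModprobeConfig = "options kvm_intel nested=1";`, which composes with other modules writing modprobe options.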
@@ -0,0 +1,35 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.wireguard.server; +in +{ + options = { + profiles.wireguard.server = { + enable = mkOption { + default = false; + description = "Enable wireguard.server profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; + environment.systemPackages = [ pkgs.wireguard ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + networking.firewall.extraCommands = '' + iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE + ''; + networking.firewall.allowedUDPPorts = [ 51820 ]; + networking.firewall.trustedInterfaces = [ "wg0" ]; + networking.wireguard.interfaces = with import ../../assets/machines.nix; { + "wg0" = { + ips = wireguard.kerkouane.allowedIPs; + listenPort = wg.listenPort; + privateKeyFile = "/etc/nixos/wireguard.private.key"; + peers = wg.peers; + }; + }; + }; +} diff --git a/modules/profiles/yubikey.nixos.nix b/modules/profiles/yubikey.nixos.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.profiles.yubikey; +in +{ + options = { + profiles.yubikey = { + enable = mkOption { + default = false; + description = "Enable yubikey profile"; + type = types.bool; + }; + }; + }; + config = mkIf cfg.enable { + environment = { + systemPackages = with pkgs; [ + yubico-piv-tool + yubikey-personalization + yubioath-desktop + yubikey-manager + ]; + }; + services = { + pcscd.enable = true; + udev = { + packages = with pkgs; [ yubikey-personalization ]; + extraRules = '' +# Yubico YubiKey +KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel" +# ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions" + ''; + }; + }; + }; +} 
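Review bot: `networking.firewall.extraCommands` appends `iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE` but there is no matching `extraStopCommands`; the NixOS firewall only flushes its own chains on reload, so every firewall restart adds another copy of this rule to nat POSTROUTING. Pair it with `networking.firewall.extraStopCommands = "iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -j MASQUERADE || true";`. `privateKeyFile = "/etc/nixos/wireguard.private.key"` also places the key inside the checkout that the nix-auto-update profile runs `git pull` in; make sure it is git-ignored, or move it to a path outside the repository such as `/var/lib/wireguard/`.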
diff --git a/modules/profiles/zsh.nixos.nix b/modules/profiles/zsh.nixos.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.zsh;
+in
+{
+ options = {
+ profiles.zsh = {
+ enable = mkOption {
+ default = true;
+ description = "Enable zsh profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ programs.zsh = {
+ enable = true;
+ };
+ };
+}
diff --git a/modules/programs/podman.nixos.nix b/modules/programs/podman.nixos.nix
@@ -0,0 +1,111 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.programs.podman; + +in + +{ + options = { + programs.podman = { + enable = mkOption { + default = false; + description = '' + Whether to configure podman + ''; + type = types.bool; + }; + package = mkOption { + default = pkgs.podman; + description = "podman package to be used"; + type = types.package; + }; + runcPackage = mkOption { + default = pkgs.runc; + description = "runc package to be used"; + type = types.package; + }; + conmonPackage = mkOption { + default = pkgs.conmon; + description = "conmon package to be used"; + type = types.package; + }; + cniPackage = mkOption { + default = pkgs.cni; + description = "cni package to be used"; + type = types.package; + }; + cniPluginsPackage = mkOption { + default = pkgs.cni-plugins; + description = "cni-plugins package to be used"; + type = types.package; + }; + }; + }; + + config = mkIf cfg.enable { + + environment.etc."containers/libpod.conf".text = '' + image_default_transport = "docker://" + runtime_path = ["${cfg.runcPackage}/bin/runc"] + conmon_path = ["${cfg.conmonPackage}/bin/conmon"] + cni_plugin_dir = ["${cfg.cniPluginsPackage}/bin/"] + cgroup_manager = "systemd" + cni_config_dir = "/etc/cni/net.d/" + cni_default_network = "podman" + # pause + pause_image = "k8s.gcr.io/pause:3.1" + pause_command = "/pause" + ''; + + environment.etc."containers/registries.conf".text = '' + [registries.search] + registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org'] + + [registries.insecure] + registries = ['massimo.local:5000', '192.168.12.0/16'] + ''; + + environment.etc."containers/policy.json".text = '' + { + "default": [ + { "type": "insecureAcceptAnything" } + ] + } + ''; + + environment.etc."cni/net.d/87-podman-bridge.conflist".text = '' +{ + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + 
"ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] +} + ''; + + environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage iptables ]; + + }; +} diff --git a/modules/services/athens.nixos.nix b/modules/services/athens.nixos.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.athens; +in +{ + options = { + services.athens = { + enable = mkEnableOption '' + Athens is a go module proxy + ''; + package = mkOption { + type = types.package; + default = pkgs.nur.repos.vdemeester.athens; + description = '' + Athens package to use. + ''; + }; + + user = mkOption { + type = types.str; + }; + + group = mkOption { + type = types.str; + default = "nogroup"; + }; + }; + }; + config = mkIf cfg.enable { + networking.firewall = { + allowedTCPPorts = [ 3000 ]; + }; + systemd.packages = [ cfg.package ]; + environment.etc."athens/config.toml".text = '' + GoBinary = "${pkgs.go}/bin/go" + # what is that ? + GoEnv = "development" + GoGetWorkers = 30 + ProtocolWorkers = 30 + LogLevel = "debug" + BuffaloLogLevel = "debug" + Port = ":3000" + ForceSSL = false + CloudRuntime = "none" + Timeout = 300 + StorageType = "disk" + + [Storage] + [Storage.Disk] + RootPath = "/var/lib/athens" + ''; + systemd.services.athens = { + description = "Athens service"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -p /var/lib/athens + ''; + environment = { HOME="/var/lib/athens"; }; + serviceConfig = { + User = cfg.user; + Restart = "on-failure"; + ExecStart = '' + ${cfg.package}/bin/proxy -config_file=/etc/athens/config.toml + ''; + }; + path = [ cfg.package ] ++ [ pkgs.go pkgs.git ]; + }; + }; +} diff --git a/modules/services/govanityurl.nixos.nix b/modules/services/govanityurl.nixos.nix 
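Review bot: The `cniPackage` option declared in this hunk is never used in the `config` block: `libpod.conf` references `cfg.cniPluginsPackage`, and `systemPackages` lists `cfg.package cfg.conmonPackage cfg.runcPackage iptables`, but nothing reads `cfg.cniPackage`, unlike the containerd profile which installs it. Either add it to `systemPackages` or remove the option. `policy.json` is `insecureAcceptAnything`, which disables image signature verification for every registry; it matches the upstream default, but a one-line comment saying so keeps it from being read as an oversight.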
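Review bot: The `group` option (default `"nogroup"`) is declared but `serviceConfig` only sets `User = cfg.user;`, so it has no effect; add `Group = cfg.group;` or drop the option. `preStart = "mkdir -p /var/lib/athens"` runs as `cfg.user` (no `PermissionsStartOnly`), which normally cannot create directories under `/var/lib`; `serviceConfig.StateDirectory = "athens";` lets systemd create and own it instead. `user` has neither a default nor a `description` here or in the govanityurl module, leaving a required option undocumented, and `# what is that ?` beside `GoEnv = "development"` should be resolved or turned into a `TODO`.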
@@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.govanityurl; +in +{ + options = { + services.govanityurl = { + enable = mkEnableOption '' + govanityurl is a go canonical path server + ''; + package = mkOption { + type = types.package; + default = pkgs.nur.repos.vdemeester.govanityurl; + description = '' + govanityurl package to use. + ''; + }; + + user = mkOption { + type = types.str; + }; + + host = mkOption { + type = types.str; + }; + + config = mkOption { + type = types.lines; + }; + }; + }; + config = mkIf cfg.enable { + systemd.packages = [ cfg.package ]; + environment.etc."govanityurl/config.yaml".text = '' + host: ${cfg.host} + ${cfg.config} + ''; + systemd.services.govanityurl = { + description = "Govanity service"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Restart = "on-failure"; + ExecStart = '' + ${cfg.package}/bin/vanityurl /etc/govanityurl/config.yaml + ''; + }; + path = [ cfg.package ]; + }; + }; +} diff --git a/modules/services/nix-binary-cache.nixos.nix b/modules/services/nix-binary-cache.nixos.nix 
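Review bot: The `user`, `host` and `config` options carry no `description`, so generated option docs say nothing about what `host` is matched against or what `config` is appended to; add e.g. `description = "Host name the vanity paths are served for (written as the host: key of config.yaml).";` and `description = "Additional YAML appended verbatim after the host: line of /etc/govanityurl/config.yaml.";`. `${cfg.config}` is interpolated as raw YAML directly after `host: ${cfg.host}`, so a value with the wrong top-level indentation silently yields an invalid file — `types.lines` is the right type, but the description should state the expected indentation. `user` and `group` in `athens.nixos.nix` have the same missing descriptions.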
@@ -0,0 +1,94 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.nix-binary-cache; +in +{ + options = { + services.nix-binary-cache = { + enable = mkOption { + default = false; + description = "Enable nix-binary-cache"; + type = types.bool; + }; + domain = mkOption { + description = "domain to serve"; + type = types.str; + }; + aliases = mkOption { + default = []; + description = "server aliases to serve"; + type = types.listOf types.str; + }; + }; + }; + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 80 443]; + services.nginx = { + enable = true; + appendHttpConfig = '' + proxy_cache_path /var/public-nix-cache/ levels=1:2 keys_zone=cachecache:1200m max_size=20g inactive=365d use_temp_path=off; + # Cache only success status codes; in particular we don't want to cache 404s. + # See https://serverfault.com/a/690258/128321 + map $status $cache_header { + 200 "public"; + 302 "public"; + default "no-cache"; + } + access_log logs/access.log; + ''; + virtualHosts."${cfg.domain}" = { + serverAliases = cfg.aliases; + # enableACME = true; + + locations."/" = { + root = "/var/public-nix-cache/"; + extraConfig = '' + expires max; + add_header Cache-Control $cache_header always; + # Ask the upstream server if a file isn't available locally + error_page 404 = @fallback; + ''; + }; + extraConfig = '' + # Using a variable for the upstream endpoint to ensure that it is + # resolved at runtime as opposed to once when the config file is loaded + # and then cached forever (we don't want that): + # see https://tenzer.dk/nginx-with-dynamic-upstreams/ + # This fixes errors like + # nginx: [emerg] host not found in upstream "upstream.example.com" + # when the upstream host is not reachable for a short time when + # nginx is started. 
+ resolver 8.8.8.8; + set $upstream_endpoint https://cache.nixos.org; + ''; + locations."@fallback" = { + proxyPass = "$upstream_endpoint"; + extraConfig = '' + proxy_cache cachecache; + proxy_cache_valid 200 302 60m; + expires max; + add_header Cache-Control $cache_header always; + ''; + }; + # We always want to copy cache.nixos.org's nix-cache-info file, + # and ignore our own, because `nix-push` by default generates one + # without `Priority` field, and thus that file by default has priority + # 50 (compared to cache.nixos.org's `Priority: 40`), which will make + # download clients prefer `cache.nixos.org` over our binary cache. + locations."= /nix-cache-info" = { + # Note: This is duplicated with the `@fallback` above, + # would be nicer if we could redirect to the @fallback instead. + proxyPass = "$upstream_endpoint"; + extraConfig = '' + proxy_cache cachecache; + proxy_cache_valid 200 302 60m; + expires max; + add_header Cache-Control $cache_header always; + ''; + }; + }; + }; + }; +} diff --git a/modules/services/wireguard.client.nixos.nix b/modules/services/wireguard.client.nixos.nix 
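Review bot: `allowedTCPPorts = [ 80 443]` opens 443, but the virtual host sets neither `forceSSL`/`addSSL` nor `enableACME` (it is commented out), so nothing listens on 443 and the cache is served over plain HTTP; either drop 443 or set `enableACME = true; forceSSL = true;`. Substituter clients still verify store-path signatures against their `trusted-public-keys`, so integrity does not rest on this hop, but the decision deserves a comment where `enableACME` is commented out. `resolver 8.8.8.8;` hard-codes a third-party DNS server for nginx's runtime upstream resolution; exposing it as an option (default `8.8.8.8` for compatibility) would let hosts use their local resolver. `root` and `proxy_cache_path` both point at `/var/public-nix-cache/`, so hashed proxy-cache entries land in the directory served at `/` — if that is intended a comment should say so, otherwise separate paths look safer; nothing in this module creates that directory or gives nginx write access to it, which I assume is handled elsewhere.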
@@ -0,0 +1,71 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.wireguard; +in +{ + options = { + services.wireguard = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable a reverse SSH proxy. + ''; + }; + ips = mkOption { + type = with types; listOf str; + description = '' + The client IPs + ''; + }; + allowedIPs = mkOption { + default = [ "10.100.0.0/24" ]; + type = with types; listOf str; + description = '' + The peer (server) allowedIPs + ''; + }; + endpoint = mkOption { + type = with types; str; + description = '' + The endpoint IP to target + ''; + }; + endpointPort = mkOption { + default = 51820; + type = with types; int; + description = '' + The endpoint Port to target + ''; + }; + endpointPublicKey = mkOption { + type = with types; str; + description = '' + The peer (server) public key + ''; + }; + }; + }; + config = mkIf cfg.enable { + boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; + environment.systemPackages = [ pkgs.wireguard ]; + networking.firewall.trustedInterfaces = [ "wg0" ]; + networking.wireguard.enable = true; + networking.wireguard.interfaces = { + wg0 = { + ips = cfg.ips; + privateKeyFile = "/etc/nixos/wireguard.private.key"; + peers = [ + { + publicKey = cfg.endpointPublicKey; + allowedIPs = cfg.allowedIPs; + endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/modules/virtualisation/buildkit.nixos.nix b/modules/virtualisation/buildkit.nixos.nix 
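Review bot: The `enable` description reads `Whether to enable a reverse SSH proxy.`, which was copied from another module; it should say `Whether to enable the WireGuard client interface (wg0).`. `networking.firewall.trustedInterfaces = [ "wg0" ]` exempts all traffic arriving over the tunnel from the firewall, so every peer the server routes into this tunnel gets unfiltered access to this host's listening services — if only the tunnel itself is needed, drop it and open specific ports via `networking.firewall.interfaces.wg0` instead, or record the trust decision in a comment. `privateKeyFile` is hard-coded to `/etc/nixos/wireguard.private.key`, a directory that is commonly world-readable and tracked in git; making it an option (same default for compatibility) lets machines point at a mode-0600 file elsewhere. `endpointPort` could use `types.port` instead of `types.int`.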
@@ -0,0 +1,105 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.virtualisation.buildkitd; + +in +{ + ###### interface + + options.virtualisation.buildkitd = { + enable = + mkOption { + type = types.bool; + default = false; + description = + '' + This option enables buildkitd + ''; + }; + + listenOptions = + mkOption { + type = types.listOf types.str; + default = ["/run/buildkitd/buildkitd.sock"]; + description = + '' + A list of unix and tcp buildkitd should listen to. The format follows + ListenStream as described in systemd.socket(5). + ''; + }; + + + + package = mkOption { + default = pkgs.buildkitd; + type = types.package; + example = pkgs.buildkitd; + description = '' + Buildkitd package to be used in the module + ''; + }; + + packages = mkOption { + type = types.listOf types.package; + default = [ pkgs.runc pkgs.git ]; + description = "List of packages to be added to buildkitd service path"; + }; + + extraOptions = + mkOption { + type = types.separatedString " "; + default = ""; + description = + '' + The extra command-line options to pass to + <command>buildkitd</command> daemon. + ''; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + users.groups = [ + { name = "buildkit"; + gid = 350; + } + ]; + environment.systemPackages = [ cfg.package]; + systemd.packages = [ cfg.package ]; + + systemd.services.buildkitd = { + wants = [ "containerd.service" ]; + after = [ "containerd.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = [ + "" + '' + ${cfg.package}/bin/buildkitd \ + ${cfg.extraOptions} + '']; + }; + path = [cfg.package] ++ cfg.packages; + }; + + + systemd.sockets.buildkitd = { + description = "Buildkitd Socket for the API"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = cfg.listenOptions; + SocketMode = "0660"; + SocketUser = "root"; + SocketGroup = "buildkit"; + }; + }; + + }; + + +} 
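Review bot: The `buildkit` group gets read/write on the root daemon's socket (`SocketMode = "0660"; SocketGroup = "buildkit";`), so membership is effectively root-equivalent — a member can have a root process run containers on their behalf — and nothing in the module says so; add a comment on the group definition such as `# Members of "buildkit" can drive the root daemon; treat membership like the docker group.` and mention it in the `enable` description. `users.groups = [ { name = "buildkit"; gid = 350; } ]` uses the list form, which I believe is deprecated in favour of `users.groups.buildkit = { gid = 350; };` — confirm against the target NixOS release. The `wants`/`after` on `containerd.service` are declared without enabling containerd here; if the runc worker is what is used, the dependency may be unnecessary and a comment should explain why it is kept.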
diff --git a/modules/virtualisation/containerd.nixos.nix b/modules/virtualisation/containerd.nixos.nix @@ -0,0 +1,100 @@ +# Systemd services for containerd. + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.virtualisation.containerd; + +in + +{ + ###### interface + + options.virtualisation.containerd = { + enable = + mkOption { + type = types.bool; + default = false; + description = + '' + This option enables containerd, a daemon that manages + linux containers. + ''; + }; + + listenOptions = + mkOption { + type = types.listOf types.str; + default = ["/run/containerd/containerd.sock"]; + description = + '' + A list of unix and tcp containerd should listen to. The format follows + ListenStream as described in systemd.socket(5). + ''; + }; + + package = mkOption { + default = pkgs.containerd; + type = types.package; + example = pkgs.containerd; + description = '' + Containerd package to be used in the module + ''; + }; + + packages = mkOption { + type = types.listOf types.package; + default = [ pkgs.runc ]; + description = "List of packages to be added to containerd service path"; + }; + + extraOptions = + mkOption { + type = types.separatedString " "; + default = ""; + description = + '' + The extra command-line options to pass to + <command>containerd</command> daemon. + ''; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package]; + systemd.packages = [ cfg.package]; + + systemd.services.containerd = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = [ + "" + '' + ${cfg.package}/bin/containerd \ + ${cfg.extraOptions} + '']; + }; + path = [cfg.package] ++ cfg.packages; + }; + + + systemd.sockets.containerd = { + description = "Containerd Socket for the API"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = cfg.listenOptions; + SocketMode = "0660"; + SocketUser = "root"; + SocketGroup = "root"; + }; + }; + + }; + + +} 
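Review bot: The `listenOptions` description `A list of unix and tcp containerd should listen to.` is missing its noun; `A list of unix and tcp sockets containerd should listen on, in the ListenStream syntax of systemd.socket(5).` reads correctly. Since the API behind that socket runs as root and has no authentication of its own, the description should also say that a tcp entry exposes it to everything able to reach the address, and that only the unix default is protected by `SocketMode = "0660"`/`SocketGroup = "root"`. `buildkit.nixos.nix` carries the identical sentence and needs the same fix. Whether containerd honours socket activation for entries beyond the default is not visible from this hunk; if it does not, extra `ListenStream` values would need a matching `--address` in `extraOptions`, which a sentence in the description could note.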
diff --git a/overlays/sbr.overlay.nix b/overlays/sbr.overlay.nix @@ -0,0 +1,8 @@ +self: super: { + vrsync = import ../pkgs/vrsync { + inherit (self) stdenv lib; + }; + vde-thinkpad = import ../pkgs/vde-thinkpad { + inherit (self) stdenv lib; + }; +} diff --git a/overlays/unstable.overlay.nix b/overlays/unstable.overlay.nix @@ -0,0 +1,9 @@ +_: _: let + unstableTarball = fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz; + unstable = import unstableTarball { overlays = []; }; +in { + inherit (unstable) + # cachix + #git + ; +} diff --git a/pkgs/default.nix b/pkgs/default.nix @@ -1,8 +1,8 @@ { system ? builtins.currentSystem }: - let pkgs = import <nixpkgs> { inherit system; }; -in rec { +in +rec { scripts = import ./scripts { inherit (pkgs) stdenv; }; @@ -10,4 +10,10 @@ in rec { inherit (pkgs) stdenv lib fetchFromGitHub; }; + vrsync = import ./vrsync { + inherit (pkgs) stdenv lib; + }; + vde-thinkpad = import ./vde-thinkpad { + inherit (pkgs) stdenv lib; + }; } diff --git a/pkgs/vde-thinkpad/default.nix b/pkgs/vde-thinkpad/default.nix @@ -0,0 +1,14 @@ +{ stdenv, lib }: + +stdenv.mkDerivation rec { + name = "vde-thinkpad"; + src = ./.; + + phases = [ "install" ]; + + install = '' + mkdir -p $out/bin + cp $src/dock $out/bin + chmod +x $out/bin/dock + ''; +} diff --git a/pkgs/vde-thinkpad/dock b/pkgs/vde-thinkpad/dock @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +export DISPLAY=":0.0" +export XAUTHORITY=/home/vincent/.Xauthority +xmessage dock diff --git a/pkgs/vrsync/default.nix b/pkgs/vrsync/default.nix @@ -0,0 +1,14 @@ +{ stdenv, lib }: + +stdenv.mkDerivation rec { + name = "vrsync"; + src = ./.; + + phases = [ "install" ]; + + install = '' + mkdir -p $out/bin + cp $src/vrsync $out/bin + chmod +x $out/bin/vrsync + ''; +} diff --git a/pkgs/vrsync/foo b/pkgs/vrsync/foo @@ -0,0 +1 @@ +/home/vincent/desktop/documents/ vincent@synodine.local:/volume1/documents/+ \ No newline at end of file diff --git a/pkgs/vrsync/vrsync b/pkgs/vrsync/vrsync 
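Review bot: `fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz` in `overlays/unstable.overlay.nix` is unpinned and has no `sha256`, so each evaluation takes whatever the branch currently points at and nothing verifies the download; pin it with `fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<rev>.tar.gz"; sha256 = "<hash>"; }` (placeholders to be filled in) or `builtins.fetchGit` with a fixed `rev`. The bare URL literal is deprecated syntax in newer Nix and should be quoted regardless. As written the overlay inherits nothing — every name under `inherit (unstable)` is commented out — so `unstable` is probably never even forced; either remove the overlay or add a comment that it is a placeholder.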
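Review bot: `pkgs/vde-thinkpad/default.nix` and `pkgs/vrsync/default.nix` spell the install step as `phases = [ "install" ]` with an attribute named `install`, which only works through stdenv's indirect `${!curPhase}` lookup; the conventional form `phases = [ "installPhase" ]; installPhase = '' … '';` is what other stdenv users expect and avoids a phase that shares its name with the `install` command. `src = ./.` copies the whole package directory into the store, which for vrsync includes `pkgs/vrsync/foo` — a single line `/home/vincent/desktop/documents/ vincent@synodine.local:/volume1/documents/` that looks like a scratch config committed by accident and should be dropped or moved out of the package source.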
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +# Look for /etc/vrsync.conf +# For each line run rsync with on source:target +# and some specials cases +CONF=${CONF:-/etc/vrsync} + +cmd="rsync -ave ssh --progress --size-only --delete --exclude='*~' --exclude=.stfolder" +test -e $CONF || { + echo "$CONF does not exists, bailing…" + exit 1 +} + +while IFS='' read -r line || [[ -n "$line" ]]; do + $cmd $line $@ +done < "$CONF"
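Review bot: `$cmd $line $@` expands `cmd` as a plain string, so the single quotes in `--exclude='*~'` survive expansion and rsync receives the literal pattern `'*~'`, excluding nothing useful; a bash array (`cmd=( … )` and `"${cmd[@]}"`) keeps the intended quoting. `$@` and `$CONF` are unquoted too, so extra rsync options given to the script, or a `CONF` path, break on spaces. Every config line is handed to rsync verbatim as arguments next to `--delete`, so the header comment should state that the file must be root-owned and not writable by other users; the same comment names `/etc/vrsync.conf` while the default is `/etc/vrsync`, and `does not exists` should read `does not exist`.
```shell
# … unchanged: header comments and CONF default …
# An array, not a string: the quotes in --exclude='*~' would otherwise reach rsync literally.
cmd=(rsync -ave ssh --progress --size-only --delete --exclude='*~' --exclude=.stfolder)
test -e "$CONF" || {
  echo "$CONF does not exist, bailing…"
  exit 1
}
# … unchanged: while/read loop header …
  # $line is intentionally word-split into "source target"; the config file must be trusted.
  "${cmd[@]}" $line "$@"
# … unchanged: done < "$CONF" …
```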