
My NixOS systems configurations.

default.nix (4439B)


      1 { config, lib, pkgs, ... }:
      2 
      3 let
      4   inherit (lib) importTOML attrsets hasAttr optionals versionAtLeast mkIf;
      5   metadata = importTOML ../../ops/hosts.toml;
      6   hasSSHAttr = name: value: hasAttr "ssh" value;
      7   authorizedKeys = attrsets.mapAttrsToList
      8     (name: value: value.ssh.pubkey)
      9     (attrsets.filterAttrs hasSSHAttr metadata.hosts);
     10 
     11   hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
     12   isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
     13 in
     14 {
     15   warnings = if (versionAtLeast config.system.nixos.release "21.11") then [ ] else [ "NixOS release: ${config.system.nixos.release}" ];
     16   sops.secrets.u2f_keys = mkIf (config.modules.hardware.yubikey.enable && config.modules.hardware.yubikey.u2f) {
     17     path = "/home/vincent/.config/Yubico/u2f_keys";
     18     owner = "vincent";
     19   };
     20   users.users.vincent = {
     21     createHome = true;
     22     uid = 1000;
     23     description = "Vincent Demeester";
     24     extraGroups = [ "wheel" "input" ]
     25       ++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
     26       ++ optionals config.modules.desktop.enable [ "audio" "video" ]
     27       # ++ optionals config.profiles.scanning.enable [ "lp" "scanner" ]
     28       ++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
     29       ++ optionals config.virtualisation.docker.enable [ "docker" ]
     30       ++ optionals config.virtualisation.buildkitd.enable [ "buildkit" ]
     31       ++ optionals config.modules.virtualisation.libvirt.enable [ "libvirtd" ]
     32       ++ optionals config.services.nginx.enable [ "nginx" ];
     33     shell = mkIf config.programs.zsh.enable pkgs.zsh;
     34     isNormalUser = true;
     35     openssh.authorizedKeys.keys = authorizedKeys
     36       ++ metadata.ssh.keys.vincent
     37       ++ metadata.ssh.keys.root;
     38     initialPassword = "changeMe";
     39     subUidRanges = [{ startUid = 100000; count = 65536; }];
     40     subGidRanges = [{ startGid = 100000; count = 65536; }];
     41   };
     42 
     43   nix = {
     44     settings = {
     45       trusted-users = [ "vincent" ];
     46     };
     47     sshServe.keys = authorizedKeys;
     48   };
     49 
     50   security = {
     51     pam = {
     52       # Nix will hit the stack limit when using `nixFlakes`.
     53       loginLimits = [
     54         { domain = config.users.users.vincent.name; item = "stack"; type = "-"; value = "unlimited"; }
     55       ];
     56     };
     57   };
     58 
     59   # Enable user units to persist after sessions end.
     60   system.activationScripts.loginctl-enable-linger-vincent = lib.stringAfter [ "users" ] ''
     61     ${pkgs.systemd}/bin/loginctl enable-linger ${config.users.users.vincent.name}
     62   '';
     63 
     64   # To use nixos config in home-manager configuration, use the nixosConfig attr.
     65   # This make it possible to import the whole configuration, and let each module
     66   # load their own.
     67   # FIXME(vdemeester) using nixosConfig, we can get the NixOS configuration from
     68   # the home-manager configuration. This should help play around the conditions
     69   # inside each "home-manager" modules instead of here.
     70   home-manager.users.vincent = lib.mkMerge
     71     (
     72       [
     73         (import ./core)
     74         (import ./mails { hostname = config.networking.hostName; pkgs = pkgs; })
     75       ]
     76       ++ optionals config.modules.editors.emacs.enable [
     77         (import ./dev/emacs.nix)
     78       ]
     79       ++ optionals config.modules.dev.enable [
     80         (import ./dev)
     81         # TODO Move it elsewhere ? 
     82         (import ./containers/kubernetes.nix)
     83         (import ./containers/openshift.nix)
     84         (import ./containers/tekton.nix)
     85         {
     86           # Enable only on dev, could do something better than this longterm 😀
     87           services.keybase.enable = true;
     88         }
     89       ]
     90       ++ optionals config.modules.dev.containers.enable [
     91         (import ./containers)
     92       ]
     93       ++ optionals config.modules.desktop.enable [ (import ./desktop) ]
     94       ++ optionals (config.networking.hostName == "wakasu" || config.networking.hostName == "aomi") [
     95         {
     96           home.packages = with pkgs; [
     97             libosinfo
     98             asciinema
     99             oathToolkit
    100             p7zip
    101           ];
    102         }
    103       ]
    104       # ++ optionals config.virtualisation.docker.enable [
    105       #   {
    106       #     home.packages = with pkgs; [ docker docker-compose dive ];
    107       #   }
    108       # ]
    109       #++ optionals config.profiles.redhat.enable [{
    110       #  home.file.".local/share/applications/redhat-vpn.desktop".source = ./redhat/redhat-vpn.desktop;
    111       #  home.packages = with pkgs; [ gnome3.zenity oathToolkit ];
    112       #}]
    113     );
    114 }